Written by Massella Ducci Teri, Bernardo; Checcacci, Giulia; and Onorato, Paola Maria, from Cleary Gottlieb Steen & Hamilton LLP, on Sept 18, 2025
Introduction
Whistleblowing has become a cornerstone of modern corporate governance and regulatory compliance, allowing employees and stakeholders to report misconduct and fostering a culture of transparency, accountability and integrity. As organisations navigate increasingly complex regulatory environments, effective whistleblowing frameworks are steadily becoming strategic tools for risk mitigation and long-term value creation.
The importance of whistleblowing as a safeguard of integrity and accountability has been increasingly recognised at European level, with Directive (EU) 2019/1937 of 23 October 2019 (the Whistleblower Directive or the Directive), which requires both public and private sector organisations to establish robust internal reporting channels and sets out common standards for the protection of individuals reporting breaches of Union law. Italy transposed the Directive by virtue of Legislative Decree No. 24 of 10 March 2023 (the Decree), thereby strengthening the national framework and expanding the scope of protection for whistleblowers. The new rules require organisations to put in place clear and effective internal reporting channels and ensure that whistleblowers are shielded from retaliation.
However, compliance is not only about procedures on paper. The credibility and effectiveness of whistleblowing systems depend on how reports are followed up in practice, particularly through well-conducted internal investigations, while preserving confidentiality of the whistleblower and other individuals involved.
Neither the Directive nor the Decree provides detailed guidance on how such investigations should be carried out, apart from general requirements on response times and confidentiality. Nonetheless, to serve as effective instruments of risk management and prevention, reports must be investigated in a manner that is, and appears to be, fair, proportionate, confidential, and impartial. A structured and consistent approach to internal investigations – aligned with recognised best practices and international standards such as ISO 37008 [1] – complements the existence of whistleblowing channels and helps ensure not only compliance with legal standards but also enhanced organisational governance.
This chapter explores the evolving Italian whistleblowing regime and its practical implications for internal investigations. It provides a concise yet comprehensive overview of the Decree’s key provisions and outlines essential principles for conducting credible, fair, and effective internal investigations, thereby helping companies manage compliance, governance, and risk more effectively.
The Italian whistleblowing framework under Legislative Decree No. 24/2023
Scope and applicability
The enactment of the Decree reflects Italy’s commitment to implementing the Whistleblower Directive, which aims at ensuring adequate protection for individuals who report breaches of certain pieces of Union law. The Decree applies to a wide range of entities and violations, expanding the scope of the Directive in several key areas to establish a more robust framework for accountability and protection.
Unlike the Directive, the Decree’s objective scope is not limited to breaches of Union law in specific areas, [2] as it also allows for the reporting of breaches of national law that may adversely affect the public interest or the integrity of the reporting entity. [3] Reports covered under the Decree may relate to violations in areas including:
- corruption and fraud;
- public procurement;
- environmental protection and workplace safety;
- product compliance and consumer protection;
- data protection and privacy;
- financial and banking regulations; and
- breaches of internal corporate policies and procedures, including breaches of the Organisational, Management and Control Model adopted under Legislative Decree No. 231 of 8 June 2001 (the Model 231). [4]
The Decree also broadens its personal and organisational scope beyond the requirements of the Directive. It applies to:
- public bodies at all levels;
- private entities with at least 50 employees (on a permanent or fixed-term basis), regardless of whether they have adopted a Model 231, provided that reports concern breaches of Union law within the areas listed in the Decree;
- private entities falling within the scope of specific Union acts (as identified in Parts 1.B and 2 of the Decree’s Annex), irrespective of workforce size and limited to the relevant breaches of Union law; and
- any private entity that has adopted a Model 231, irrespective of the number of workers employed, with respect to reports of:
  - breaches of Union law within the Decree’s scope; and
  - breaches of Model 231 or Legislative Decree No. 231/2001.
For such entities with fewer than 50 employees, obligations are limited to the latter category of reports.
This broad framework ensures that the Decree reaches a wide range of organisations, embedding transparency and integrity across Italy’s institutional and corporate landscape.
The term ‘whistleblower’, in line with the Directive, includes not only current employees but also individuals whose employment has not yet begun (where relevant information regarding potential breaches was obtained during the recruitment process), as well as former employees who acquired knowledge of breaches during the course of their employment.
The Decree protects individuals who report concerns through internal or external reporting channels, as well as through public disclosures or reports made to judicial or audit authorities, provided the matter reported falls within the scope of the Decree and the report was made in good faith (ie, the whistleblower had reasonable grounds to believe that the information reported was true at the time of reporting). The protections also extend to those closely connected to the whistleblower – such as facilitators, colleagues, close family members and legal entities linked to the reporting person through professional relationships.
Reporting channels and handling procedures
The legislative framework established by the Decree has renewed focus on the crucial role of effective internal whistleblowing channels within organisations. In line with the Directive’s requirements, Member States must ensure that whistleblowers have access to both internal and external reporting mechanisms. Accordingly, the Decree mandates that public entities and private organisations falling within its scope establish internal whistleblowing channels, while also providing protections for individuals who report externally under specific circumstances.
Internal channels
Internal channels must be easily accessible and secure, and may be managed internally by a designated function or department, or externally by an independent third party with specifically trained personnel. The channel must allow reports to be submitted in writing (including through secure IT platforms), verbally via telephone hotlines or voice messaging systems, or in person upon request. [5] The Decree provides that groups of companies with fewer than 250 employees may share a single internal whistleblowing reporting channel and its management. [6]
Central to this framework is the identification of the most suitable individual or body responsible for handling whistleblower reports. While many organisations naturally consider internal functions such as HR, compliance, or legal departments for this role, the challenges of internal management should not be underestimated. Allegations involving senior management or other key figures may give rise to conflicts of interest, jeopardising impartiality. Concerns about confidentiality and fear of retaliation may also discourage reporting, especially where trust in internal processes is lacking. Smaller organisations, in particular, may struggle due to resource constraints or a lack of specialised expertise necessary to handle complex or sensitive cases appropriately. Even the perception of bias can damage credibility of investigations and erode confidence in the whistleblowing system overall.
In this context, a possible solution that may be taken into consideration is the appointment of an independent external ombudsman. This channel has, in our experience, proven particularly effective in practice, offering a safer and more neutral reporting route, especially in cases where internal trust is limited. Among the persons who can be ombudsman, external legal consultants or law firms offer valuable expertise and a level of neutrality that may be difficult to ensure internally. Where the role is entrusted to a lawyer, the ombudsman can also bring specific legal expertise (as well as an additional level of confidentiality and, depending on jurisdiction, legal privilege) to the assessment of the report and to the identification of potential regulatory or criminal implications. For many whistleblowers, approaching an external party may feel safer, particularly in sensitive or high-level cases. This model has been widely adopted by multinational corporations and public bodies, who recognise its advantages in handling complex investigations impartially, building trust, and mitigating legal and reputational risks.
Of course, appointing an external ombudsman requires careful consideration of legal and ethical factors. Independence from company management, thorough conflict of interest checks, and full compliance with data protection requirements are essential. Strong communication skills and the capacity to deliver timely, confidential updates are also critical. When well selected, external ombudspersons can serve as trusted partners in upholding integrity and accountability.
Ultimately, the choice between an internal or external individual or body to manage whistleblowing reports depends on various factors, including the organisation’s size, complexity, and risk profile. Nonetheless, the benefits of engaging an independent external ombudsman, especially in cases involving sensitive or high-stakes reports, are increasingly recognised as best practice. A recommended approach is to combine an internal reporting channel with an external ombudsman acting as a parallel and independent point of contact. This external channel does not replace the internal one, but rather complements it, providing whistleblowers with an additional, and often safer, option to report concerns. The appointment of the external ombudsman may be made on a standing basis, as a permanent component of the organisation’s whistleblowing system, or on an ad hoc basis, for example, in connection with a specific report that raises particularly sensitive or complex issues. This model contributes to fostering a trustworthy and legally compliant whistleblowing environment, while also strengthening the organisation’s ability to manage risk effectively.
External reports
The Decree identifies the Italian Anticorruption Authority (ANAC) as the competent authority to receive external reports for both the public and private sectors. Whistleblowers are entitled to make an external report under the following circumstances:
- where no compliant internal channel is in place;
- where an internal report has not been followed up;
- where whistleblowers have reasonable grounds to believe the report will not be adequately addressed or that retaliation may occur; or
- where the breach is deemed to pose an imminent or manifest threat to the public interest.
The Decree also safeguards public disclosures (ie, those made through media or other public platforms) but only under specific conditions, such as:
- where a prior internal or external report was not appropriately followed up;
- where whistleblowers reasonably believe that the breach may constitute an imminent or manifest public danger; and
- where whistleblowers reasonably believe that external reporting would be ineffective or expose them to retaliation.
While the Decree ensures that whistleblowers always have access to a valid and protected reporting channel, it clearly expresses a preference for internal reporting mechanisms where feasible.
Handling a whistleblowing report
The Decree sets out clear procedural requirements to ensure that whistleblower reports are handled effectively, transparently, and in full compliance with confidentiality obligations. These rules are designed not only to protect individuals who report wrongdoing, but also to enable organisations to respond promptly and appropriately.
Key procedural elements include:
- Secure and accessible channels: organisations must establish secure reporting mechanisms that are easy to access, ensuring both data security and the protection of whistleblower identities.
- Timely acknowledgement: whistleblowers must receive written confirmation of receipt within seven calendar days, assuring them that their concerns have been duly recorded.
- Preliminary assessment: upon receipt, organisations conduct an initial review to determine whether the matter reported falls within the scope of protected reports and merits further investigation.
- Diligent follow-up: organisations must follow up diligently. This step is critical – not only to assess the validity of the report, but also to ensure that any misconduct is addressed appropriately. Where appropriate, an internal investigation must be launched promptly and conducted impartially. Confidentiality must be preserved and procedural fairness upheld throughout.
- Communication and feedback: whistleblowers must be kept reasonably informed of the progress and outcome. Feedback must be provided within three months from the date of acknowledgement, or where no acknowledgement was issued, within three months from the end of the seven-day period following submission.
- Data retention and documentation: the Decree also provides that reports and related records may be retained for up to five years from the date the final outcome is communicated.
Although the Decree does not expressly provide for anonymous reporting, ANAC’s guidelines [7] allow for handling of anonymous reports provided they are sufficiently detailed, documented, and specific. Such reports must be formally recorded by the designated handler, with all related documentation retained. However, anonymity may limit the effectiveness of investigations, as well as the level of feedback and legal protections available to the whistleblower, which apply only if the individual is later identified and a victim of retaliation. Organisations that permit anonymous reporting are therefore encouraged to adopt appropriate measures to balance confidentiality with investigative effectiveness.
Protections and rights for whistleblowers
A core aspect of the Decree is the robust framework of protections aimed at eliminating retaliation and ensuring that whistleblowers can report concerns within a secure and supportive environment. Key elements of this protective regime include:
- Confidentiality: the identity of the reporting person, as well as that of any individuals involved or implicated in the report, must be protected at all stages of the process, with any unauthorised disclosure potentially subject to both disciplinary and administrative sanction. Specifically, the Decree prohibits revealing the whistleblower’s identity to anyone not expressly authorised, unless the whistleblower has provided consent. Confidentiality is also safeguarded throughout criminal proceedings and proceedings before the Court of Auditors, at least until the conclusion of the investigative phase. In disciplinary proceedings, the identity of the whistleblower may only be disclosed – upon the whistleblower’s prior consent – if the allegation is wholly or partially based on the report and such disclosure is necessary for the accused’s defence.
- Prohibition of retaliation: retaliatory measures against whistleblowers or individuals connected to them are strictly forbidden. In legal or administrative proceedings concerning alleged retaliation, the Decree establishes a rebuttable presumption that the retaliatory action resulted from the report. It also shifts the burden of proof to the alleged perpetrator, who must demonstrate that such action was unrelated to the whistleblowing.
- Access to support: whistleblowers are entitled to free legal and procedural assistance, provided by non-profit organisations accredited by ANAC.
- Exemptions from liability: whistleblowers who act in good faith are exempt from liability (including criminal, civil and administrative liability) in cases involving breaches of secrecy, copyright, or data protection regulations, or reputational harm to the persons concerned by the report.
- Withdrawal of protections: if a report is made in bad faith or is manifestly unfounded, as determined by a court, the protections afforded under the Decree do not apply.
These protections apply broadly to all eligible individuals, including whistleblowers and those closely connected to them, reinforcing the Decree’s aim to foster a trustworthy and effective reporting environment.
Enforcement and sanctions by ANAC
ANAC plays a pivotal role in ensuring compliance with the Decree. Its responsibilities include overseeing the implementation of whistleblowing mechanisms, investigating alleged breaches, and imposing sanctions in cases of non-compliance.
In addition to penalising whistleblowers who act in bad faith, ANAC may impose administrative fines on individuals and (or) entities as follows:
- between €10,000 and €50,000 on individuals or legal entities that retaliate against whistleblowers or connected persons, obstruct reporting, or breach confidentiality obligations; and
- between €10,000 and €50,000 on entities that fail to implement reporting channels, establish procedures for handling reports, or adequately follow up on them, or whose procedures are non-compliant with the Decree.
It is therefore clear that the proper handling of whistleblowing reports – encompassing concrete actions to verify their validity and address any related issues – is not merely a theoretical obligation, but a practical duty for companies. Implementing well-structured procedures that comply with legal requirements is essential to ensure this effective management. Failure to meet this obligation may result in significant consequences, not only financial but, more importantly, reputational.
Recent case law and practical challenges
Although the Decree was introduced relatively recently, Italian case law and administrative decisions are beginning to shape its interpretation and practical application. Recent rulings have begun to clarify the scope of protection afforded to whistleblowers and have underscored the importance of properly implementing internal reporting mechanisms.
For instance, in Judgment No. 17715 of 27 June 2024, the Italian Supreme Court held that whistleblowing must serve the public or organisational interest, and cannot be used merely to pursue personal grievances. The case involved an employee who reported alleged corporate misconduct, which was ultimately deemed to stem from personal disputes with the employer. The Court ruled that the report was not protected under the Decree, highlighting the need for organisations to assess both the intent and substance of whistleblower reports.
In another case (Judgment No. 1070 of 25 January 2024), the Milan Court remarkably acquitted a company of charges relating to false corporate disclosures, noting the existence of a robust compliance model pursuant to Legislative Decree No. 231/2001. The Court placed particular emphasis on the company’s internal whistleblowing channel, named ‘Speak Up’, which was referenced in the company’s Code of Conduct and formed an integral part of its compliance framework. The channel enabled the prompt reporting of fraudulent conduct, initiated thorough internal investigations, and led to the removal of individuals deemed responsible. This decision highlights how the proper implementation of a whistleblowing system, as part of the Model 231, may positively influence judicial assessments of corporate compliance programmes.
Finally, in the public sector space, ANAC Decision No. 380 of 30 July 2024 imposed a €10,000 sanction on a public official for retaliatory behaviour against a subordinate who had submitted multiple reports of misconduct, including conflicts of interest. ANAC also declared the retaliatory measures null and void, reinforcing the centrality of non-retaliation principles and procedural fairness in whistleblowing matters.
These cases reflect the growing importance of whistleblowing frameworks in Italy and underscore the legal and reputational risks associated with non-compliance. Companies are therefore encouraged to seek expert guidance when designing or updating their whistleblowing systems to ensure that they are both legally sound and operationally effective.
Internal investigations: best practices and strategic advantages
Internal investigations play a vital role in translating whistleblower reports into actionable insights. They help validate allegations, establish facts, assess potential legal and reputational risks and consequences, and enable informed decision-making. Thanks to a properly conducted internal investigation, companies can shed light on whether a report points to a breach of the company’s policies, protocols or procedures, whether the unethical or improper behaviour may amount to a criminal offence, and whether broader organisational issues, such as lack of productivity or reputational damage, may also be at stake. They can then inform their decisions accordingly (including as to which organisational measures, if any, to implement to remediate individuals’ and (or) organisational shortcomings).
In turn, implementing sound investigative practices is essential to ensure the credibility, efficiency, and legal integrity of internal investigations. Whether triggered by whistleblower reports, compliance breaches or regulatory concerns, a well-structured investigation not only uncovers facts but also mitigates legal, reputational, and operational risks.
Timely action is critical. Once the plausibility of a report has been established, launching the investigation without delay helps preserve evidence integrity, and safeguard organisational reputation and legal standing. Early internal investigations may also help the organisation gain early knowledge of potential regulatory exposure before any initiative by public enforcers and assess whether self-disclosure to external authorities is appropriate, based on a clearer understanding of the facts. Equally important is the clear definition of the investigation’s scope and objectives. This ensures that efforts remain targeted, resources are allocated effectively, and the process remains proportionate and relevant. Conversely, delays or superficial investigations risk exacerbating organisational harm, undermining employee trust, and potentially attracting regulatory scrutiny.
The decision on who should lead the investigation is also crucial and should be tailored to the complexity and sensitivity of the matter. Organisations may rely on internal resources – such as in-house counsel, compliance officers, or auditors – or appoint external professionals. The choice should be guided not only by internal capabilities, but also by the need for independence and subject-matter expertise, as well as the need to preserve legal privilege in the most sensitive matters.
In many cases, appointing external legal counsel can be advantageous. Their independence may help mitigate potential conflicts of interest, supporting the objectivity of the process. Communications with external lawyers, including the final report summarising the outcome of the investigation, may also be protected by legal privilege, affording a higher degree of confidentiality. Additionally, their expertise can assist in navigating regulatory frameworks, assessing legal risks, advising on remedial measures, and managing disclosure requirements, thereby strengthening both the credibility and effectiveness of the investigation.
Regardless of the approach adopted, internal investigations are most effective when they follow established methodologies and recognised international standards. Among these, ISO 37008 serves as a widely accepted benchmark for ensuring investigations are both ethical and effective, expressly defining them as ‘an integral part of organisational management’. [8] The standard emphasises key principles such as investigator independence, impartiality and professionalism, strict confidentiality, consistent and transparent processes, the safeguarding of individuals’ rights, and responsible communication of outcomes.
Drawing from the above-mentioned international standard, internal investigations typically follow a structured sequence of phases:
- Preliminary assessment: this initial stage involves evaluating the seriousness and credibility of the allegations and defining the scope of the investigation. It includes the development of an investigation plan outlining:
  - the nature of the alleged misconduct or concerns raised, whether internally or via external sources;
  - the roles of internal or external individuals or bodies appointed to lead the investigation;
  - the investigative steps to be taken, including documentary reviews and interviews; and
  - the proposed timeline for completion.
- Investigative phase: this core stage focuses on the systematic collection and analysis of relevant evidence – such as documents, communications, and statements provided by key individuals. All activities must be conducted with full respect for the privacy rights of those involved, while ensuring the confidentiality and integrity of all information gathered.
- Post-investigation phase: upon completion, a formal report should be issued, documenting the procedures followed, the relevant investigation findings, and any recommendations for corrective or remedial action. These measures aim not only to address the specific issues identified but also to strengthen internal controls and reduce the risk of future violations.
The effectiveness of an internal investigation depends largely on the quality and reliability of its evidence-gathering process. Two core investigative activities during this phase are document review and interviews, which help clarify facts, verify allegations, and assess the credibility of the information obtained.
Internal investigations are not without challenges. Risks include breaches of confidentiality and real or perceived investigator bias. These risks must be proactively managed through appropriate safeguards: enforceable confidentiality protocols, clear internal policies, bias and ethics training, and, where appropriate, the involvement of independent experts. Indeed, more complex investigations benefit from a multidisciplinary approach. Legal professionals contribute by ensuring procedural fairness, confidentiality, and legal risk management, while forensic experts – such as IT specialists or accountants – bring technical capabilities that support deeper evidence analysis. This collaboration strengthens the quality, defensibility, and impartiality of the investigative process.
Document and data review
A comprehensive document review is often the first step of the investigative process. This involves identifying relevant categories of records that are most likely to contain useful information. A targeted and forensic approach can assist in reconstructing timelines, corroborating claims, and detecting behavioural patterns.
Clear and consistent review protocols should be established in advance, outlining the purpose, scope, and methodology to ensure both consistency and legal defensibility. Digital evidence may include emails, instant messaging, internal databases, and metadata, all of which should be preserved and analysed. Such reviews must be conducted in compliance with applicable data protection laws and should be limited in scope through the use of filters such as date ranges, keywords or relevant custodians. In this respect, engaging external forensic specialists and legal advisers can help maintain the integrity of the process and ensure that all legal and technical requirements are met.
Where relevant, data analysis (including through AI tools) can significantly strengthen the investigation by providing objective, quantifiable insights that may not emerge through interviews or document review alone. Analysing structured datasets can help reconstruct events, identify discrepancies or irregularities, and detect patterns that may indicate misconduct or areas of concern warranting further inquiry. Examples of relevant data include system access logs – which can help verify unauthorised or unusual activity – and document metadata, useful to track the creation, modification, or access history of key files.
Conducting interviews
Interviews often represent the most delicate and revealing stage of the investigation. When properly conducted, they can offer valuable insight, guide further document collection, and clarify inconsistencies. To be effective, interviews shall adhere to established best practices, even in the absence of specific statutory regulation – such as in the Italian context.
Interviews should be carefully planned, with participants selected based on their potential knowledge of the issues. Key elements of a well-executed interview include:
- ensuring informed consent and explaining confidentiality measures, data rights, and the purpose of the interview;
- clarifying roles (including, in case external counsel is involved, that the interviewer represents the company, not the interviewee, and therefore does not act in the interviewee’s interest);
- avoiding any form of coercion, inducement, or suggestive questioning;
- involving at least two interviewers, for consistency and accountability; and
- advising interviewees not to disclose the content of the discussion.
Employees or executives are generally required to cooperate with internal investigations as part of their employment obligations. They are expected to answer questions truthfully and assist the investigation team. Particular caution is needed, however, where a parallel criminal proceeding is pending or likely. In such cases, care must be taken to avoid interfering with prosecutorial investigations, and it may be advisable to involve legal counsel to ensure that the rights of the person under investigation – including the right against self-incrimination – are fully respected.
Maintaining an investigation record
Maintaining a detailed and secure record of all investigative steps is essential throughout the process. This serves multiple purposes: it promotes transparency and accountability by ensuring verifiability, and enables effective communication with relevant stakeholders. It also provides a reliable point of reference in the event that regulatory or prosecutorial authorities request information at a later stage. Proper documentation also facilitates internal coordination and ensures that parallel or related investigations – whether internal or external – are identified and managed in a coordinated manner.
Concluding remarks
Ultimately, whistleblowing frameworks and internal investigations should be regarded not only as compliance tools, but as strategic levers for organisational resilience. By encouraging employees to speak up and ensuring that concerns are addressed through structured and fair investigative processes, companies can detect risks early, take timely remedial action, and strengthen internal governance.
Beyond resolving individual cases, well-managed investigations may help identify broader structural issues and reinforce a culture of integrity and accountability. When supported by clear policies, appropriate safeguards, and multidisciplinary expertise, internal investigations become a key component of effective risk management and long-term value creation.
This vision aligns with recent regulatory changes in Italy and the EU, especially the introduction of the Decree and the Directive, which have provided a strong foundation for boosting transparency and accountability within organisations. By putting effective whistleblowing systems in place and carrying out thorough internal investigations that follow recognised best practices, organisations reduce risks, prevent repeat problems, and take corrective action that strengthens overall governance. Appointing external legal and technical experts ensures compliance with changing rules, protects the confidentiality and rights of everyone involved, and builds greater trust among stakeholders.
Footnotes
- ISO/TS 37008:2023 ‘Internal Investigations of Organizations – Guidance’, published in July 2023.
- The Decree provides for the protection of persons reporting the following breaches of Union law: (1) breaches falling within the scope of Union acts concerning the following areas: public procurement; financial services, prevention of money laundering and terrorist financing; product safety and compliance; transport safety; environmental protection; nuclear safety; food and feed safety, animal health and welfare; public health; consumer protection; privacy and personal data protection, and security of network and information systems; (2) breaches affecting the financial interests of the Union as referred to in article 325 of the Treaty on the Functioning of the European Union (TFEU) and as further specified in relevant Union measures; (3) breaches relating to the internal market, as referred to in article 26(2) TFEU, including breaches of Union competition and State aid rules and breaches of State corporate tax law; and (4) breaches that frustrate the object or purpose of the provisions set forth in the acts of the Union in all of the above areas.
- The material scope of the Decree instead does not include: (1) disputes, claims or requests in relation to a reporting person’s personal interest such as issues exclusively concerning his or her employment relationship, or relationship with senior colleagues; (2) reports of breaches that are already mandatorily governed by Union or national acts falling within Part 2 of the Annex to the Decree (such as acts concerning financial services, products and markets, the prevention of money laundering and terrorist financing, transport safety, and environmental protection), or national acts implementing Union acts which fall within Part 2 of the Annex to the Directive, although not expressly mentioned in Part 2 of the Annex to the Decree; and (3) reports of breaches involving national security aspects, such as procurement rules involving defence or national security, unless they are covered by the Union’s relevant acts.
- Legislative Decree No. 231/2001 introduced corporate administrative liability in Italy for certain crimes committed in the interest or to the benefit of a legal entity by its directors or employees. Under such regulation, companies may shield themselves from administrative liability if: (1) prior to a crime’s commission, the company has adopted and effectively implemented a Model 231 for the prevention of crimes of the same kind as that committed, meeting specific requirements (including the establishment of a whistleblowing channel); (2) the company has assigned to an independent body (referred to as the ‘Supervisory Body’) powers to supervise the implementation of the Model 231 and ensure its constant updating and compliance therewith; (3) the Supervisory Body did not fail to perform its supervising powers; and (4) in case a crime was committed by persons at the top of the corporate organisation (such as directors and top managers), such crime was committed through a fraudulent violation of the Model 231.
- In this regard, the latest draft guidelines (‘Guidelines on whistleblowing regarding internal reporting channels’) published by the Italian Anticorruption Authority (ANAC) on 7 November 2024 specify that (1) with respect to written reports, the implementation of a dedicated IT platform represents the best method to ensure cybersecurity and enhanced protection of the personal data of the individuals involved; (2) oral reports may alternatively be made via telephone lines or voice messaging systems, or through a direct meeting with the reporting officer (therefore, it is not necessary to provide all three options). The publication of the final version of these guidelines is currently awaited.
- The Decree does not contain any provisions concerning groups of companies with more than 250 employees. However, the aforementioned draft guidelines allow such groups to implement a single reporting channel managed by the parent company (eg, a unified IT platform), structured into sub-channels corresponding to each company within the group. This arrangement should enable whistleblowers to choose whether to report to the parent company or to their own subsidiary.
- ANAC, ‘Guidelines on the protection of persons reporting breaches of Union law and of persons reporting violations of national legislative provisions: procedures for the submission and management of external reports’, approved on 12 July 2023.
- ISO/TS 37008:2023 ‘Internal Investigations of Organizations – Guidance’, Introduction.