Before the entry into force of Law no. 179 of 2017 on 29 December 2017, in Italy a regulation of whistleblowing existed only with reference to the public sector (article 54-bis of Legislative Decree no. 165/2001 as amended by Law no. 190/2012), banking and finance sector (Legislative Decree no. 72/2015) and for listed companies (art. 7 of the Corporate Governance Code).

Law no. 179/2017 amended article 6 of Legislative Decree no. 231/2001 (the law governing corporate criminal liability in Italy – or, more precisely, the administrative liability resulting from the commission of certain criminal offences, listed in Legislative Decree no. 231/2001, by the company’s managers, employees and associates) by introducing new requirements for private companies’ organizational and management models (i.e. compliance programs aimed at preventing illegal or otherwise non-compliant conducts within the organization, also called “231 Models”) to be sound and effective. Specifically, the company 231 Model must now provide for: (i) a specific confidential channel for whistleblowing reporting (including an electronic one); (ii) confidentiality obligations related to the identity of the whistleblower; (iii) prohibition of retaliatory or discriminatory actions against the whistleblower; and (iv) specific disciplinary sanctions against those who breach the protection measures for whistleblowers, but also those who wilfully or through gross negligence make groundless reports (see article 6, par. 2-bis, Legislative Decree no. 231/2001). 

In other words, according to the new Law no. 179/2017, private companies are not legally required to have a whistleblowing system in place, but when they decided to adopt a 231 Model on a voluntary basis, to keep it sound and effective (and being therefore exempted from corporate criminal liability) they now have to adjust it by implementing a whistleblower protection scheme consistently with the above mentioned requirements.

To this end, the company should define roles and responsibilities in relation to the receipt and handling of whistleblower reports (usually assigned to the company Supervisory Body, already in charge of monitoring and supervising the correct implementation  of the company 231 Model), devise and adopt a specific whistleblowing policy that describes the steps that will be followed once a whistleblowing report of potential misconducts (criminal offences relevant under Legislative Decree no. 231/2001 or any other breaches of the 231 Model or anomalies) is received, in addition to the protections and sanctions associated with it, and  inform the people within the organization about the whistleblowing policy (also by means of training programmes).

National legislation, including the Italian one, will likely be updated following the approval of the EU whistleblowing directive on the “protection of persons who report breaches of Union law” (the “Directive”) this year. Once the Directive will be published in the Official Journal, EU Member States, including Italy, will have two years to transpose it into national law, and thus to apply and comply with new EU-wide common minimum standards ensuring effective whistleblower protection, both in the public and private sector, set out therein.