EU Whistleblowing Directive – Italy

Whistleblowers protection already in place

Before the Directive

Italy has a Whistleblowing Protection legislation in place since 2017. However, it needs to be improved in order to meet the minimum requirements of the Directive.

The current legislation only applies within the scope of a legal entity’s administrative liability, in terms of reporting channels and a prohibition on discrimination. The content of the disclosure is also very narrow in contrast to the EU Directive, concerning specific crimes, including corporate or environmental crime.

Current implementation status

Since April 2021, the Italian Government is mandated to begin the transposition of the Directive into national law.

Very little public information is available and there is no draft proposal published for public consultation or analysis.

After being drafted behind closed doors, the Council of Ministers definitively approved the Legislative Decree implementing EU Directive on March 9, 2023.

The new law will enter into force four months after its publication in the official Gazette, so by July 15, 2023.

New Requirements

All companies with more than 250 employees will have to have whistleblowing channels set up starting from 15 July 2023. Companies with more than 50 employees will have to comply with these legal obligations starting from 17 December 2023.

Very few information about specific requirements regarding the new Legislative Decree have been made public, and the final text is yet to be published.

Scope of the new Decree

Public and private entities (companies and municipalities) must set up internal reporting channels allowing reports of wrongdoing and misconduct.

One option for managing these channels is to have an autonomous and specially trained person or department in charge. Alternatively, an external person or office could be appointed. Reports can be submitted in writing, through IT solutions, or orally via hotlines or voice messaging. The reporting person also has the option to request a face-to-face meeting.

Anonymity and data security requirements

It’s not mandatory to accept anonymous reports, but there is an obligation of confidentiality.

Internal whistleblowing channels must ensure data protection and confidentiality throughout the entire process, using an appropriate encryption system.

In the case of oral reports, either the telephone call or voice message should be documented on a suitable device for storage and listening or through a transcript. If there is no recording available, the report must be documented in writing. If a transcript is used, the whistleblower has the option to verify, rectify, or confirm its contents by providing their signature.

When reports are made in-person, the meeting should be recorded (with the whistleblower’s consent) on appropriate devices for storage and listening, or transcribed and confirmed by the whistleblower’s signature.

Accessibility and extended protection against retaliation

The company must ensure that the internal whistleblowing channels are easily accessible to all stakeholders and featured in a dedicated section of the website. Moreover, a policy on how to use the internal channel, how to submit a report, what information to include in a report, and how the reports will be handled must be established.

Protection against retaliation is extended to:

• All persons assisting the whistleblower during the reporting process
• All relatives or people in the close social circle of the whistleblower, working or not with them
• All colleagues with a regular and current relationship with the whistleblower
• All entities owned by the whistleblower or by one of the categories of person mentioned above

Penalties for non-compliance

The national anti-corruption authority (ANAC) is responsible for enforcing all relevant sanctions, including fines ranging from €10,000 to €50,000 in cases where the company has committed retaliation against the whistleblower, hindered or obstructed the reporting process, or breached confidentiality requirements.

Fines may also range from €10,000 to €50,000 when the company has not established a whistleblowing channel, failed to adopt procedures for submitting and handling cases in compliance with legal requirements, or neglected to verify, analyze, and investigate cases received.

Sharing whistleblowing functions for Groups and global companies

In the case of company groups, the whistleblowing function and website may be shared if the combined number of employees in all subsidiaries does not exceed 249.

However, if any single subsidiary has more than 249 employees, a separate whistleblowing function and website must be established for that subsidiary.

Get a Head Start 

Having a flexible platform that can adapt to any legislation and regulations can give you a great head start. With Whispli, you can build up your solution according to your current needs, and modify it at any time. 

You can start by complying to the minimum requirement of the EU Directive today and adjust to your local legislation later. 

Get in touch with one of our expert and get a guided demo to see how Whispli can help your Organization to comply with the Directive.