Whistleblowing
Legislative Decree No. 24 of 10 March 2023, implementing EU Directive 2019/1937 of the European Parliament and of the Council of 23 October 2019, established:
- The introduction of mandatory whistleblowing channels;
- The extension of the scope of reportable matters;
- The expansion of the categories of persons entitled to submit reports;
- The procedures for handling reports;
- Stronger confidentiality safeguards;
- The conferral of powers on ANAC to manage external reports and impose sanctions.
Public sector
Public administrations, independent administrative authorities, public economic bodies, private-law entities subject to public control, in-house companies, bodies governed by public law, and public service concessionaires, effective from 15 July 2023.
Private sector
- From 15 July 2023, private-sector entities with more than 250 employees, regardless of whether they have adopted an organisational model pursuant to Legislative Decree 231/2001;
- From 15 July 2023, entities operating in the following supervised and regulated sectors: banking, credit, investment, insurance, occupational pensions, investment funds, and payment services, regardless of the average number of employees engaged;
- From 17 December 2023, entities that in the previous year employed an average of between 50 and 249 employees, regardless of whether they have adopted an organisational model pursuant to Legislative Decree 231/2001.
Violations of national or EU legal provisions that harm the public interest or the integrity of a public administration or private entity, including:
- Administrative, accounting, civil and criminal offences;
- Unlawful conduct relevant under Legislative Decree 231/2001, or breaches of the 231 Model;
- Offences in the fields of public procurement, services, food and feed safety, animal health and welfare, public health, consumer protection, and the application of EU or national acts;
- Acts or omissions affecting the financial interests of the European Union under Article 325 of the Treaty on the Functioning of the European Union (e.g. fraud, illegal activities);
- Acts or omissions concerning the internal market under Article 26(2) of the Treaty on the Functioning of the European Union (e.g. budget fraud and corrupt activities);
- Acts or conduct that defeat the object or purpose of the provisions set out in EU acts in the sectors referred to in points 3), 4) and 5).
Whistleblower protection – Article 3:
Persons who submit reports, make public disclosures, or file complaints with judicial authorities regarding violations learned of in their work context;
- Self-employed workers, collaborators, freelancers and consultants, volunteers and trainees (whether paid or unpaid);
- Shareholders and persons with administrative, management, control, supervisory or representative functions, even where such functions are exercised de facto;
- “Facilitators”, meaning colleagues, relatives or persons in a stable emotional relationship with the reporting person.
Reporting channel
- The management of the reporting channel must be entrusted to an autonomous internal person or dedicated office with specifically trained staff, or to an autonomous and trained external party;
- For public-sector entities that have appointed an RPCT, management of the channel is entrusted to that person, including in the event of shared management;
- Model 231 frameworks must provide for internal reporting channels as required by the Decree.
The National Anti-Corruption Authority (“ANAC”) is identified, where the conditions set out in Article 6 of Legislative Decree No. 24/2023 are met, as the sole authority competent to receive and handle whistleblowing reports through dedicated external reporting channels.
In the event of failure to comply, ANAC may impose administrative financial penalties:
- From €10,000 to €50,000 where it finds that retaliation has occurred, or that reporting has been obstructed or an attempt has been made to obstruct it, or that the duty of confidentiality has been breached;
- From €10,000 to €50,000 where it finds that reporting channels have not been established, that procedures for submitting and managing reports have not been adopted, or that such procedures do not comply with the Decree, as well as where it finds that no verification and analysis of received reports has been carried out;
- From €500 to €2,500 where the reporting person is found criminally liable for defamation or malicious false accusation.
Establish or implement appropriate internal reporting channels to allow reports to be submitted both in writing (through an online platform, an email address or by post) and orally (via a telephone hotline or voicemail system). If internal reporting channels are not implemented, reporting persons may turn only to public authorities or the media, with evident financial and reputational consequences for companies;
Protect the confidentiality of the reporting person and the content of the report, including through the implementation of technical and organisational measures in compliance with Regulation (EU) 679/2016 (“GDPR”) (for example, encryption tools);
Where an MOGC 231 has been adopted, update the reporting channels already in place;
Adopt a specific procedure governing the methods and recipients of reports, the relevant requirements and the functions involved, in order to regulate the management of reporting channels;
Inform and raise awareness among employees and relevant third parties regarding the purpose of the reporting channels, how they are to be used, and the procedures adopted.
- Implementing an effective whistleblowing system is not merely a regulatory obligation, but also a concrete tool for prevention, transparency, and organizational accountability.
- Companies that adopt secure, confidential, and accessible reporting channels demonstrate a genuine commitment to business ethics, strengthen stakeholder trust, and mitigate the risk of sanctions, reputational damage, and disputes.
- A well-structured system is based on:
▪ clear and formalized procedures;
▪ GDPR-compliant digital platforms that ensure anonymity, traceability, and integrity of reports;
▪ targeted training for designated personnel and widespread awareness across all levels of the organization.
- The RiCo – Risk and Compliance team at RSM supports companies in the design and implementation of whistleblowing systems fully compliant with Legislative Decree 24/2023 and EU Directive 2019/1937, offering integrated and multidisciplinary support including:
▪ risk analysis and assessment of the business processes involved;
▪ identification of the most suitable reporting channel (internal or outsourced);
▪ drafting of operational procedures and supporting documentation;
▪ development of training, information, and internal communication models;
▪ ongoing technical and legal support to ensure continued adequacy and compliance over time.