The implementation of European whistleblowing regulations


by Salvatore Providenti, Francesca Tanzi Marlotti

Following a long process, Italy has finally transposed the EU Directive 2019/1937 on whistleblowing (the “Directive“), a phenomenon originating in common law countries, which regulates, pursuant to Legislative Decree no. 24 of 10 March 2023, implementing the Directive, published in the Official Gazette no. 63 of 15 March 2023 (the “Decree“), the protection of so-called whistleblowers.

Purpose of the Decree

The purpose of the Decree is to regulate the protection of individuals (whistleblowers) who report violations of national or European Union regulatory provisions that harm the public interest or the integrity of the public administration or private entity, of which they have become aware in a public or private work context. Pursuant to the Decree, reporting entities and persons are protected by protective and supportive measures and may not suffer retaliation.


The provisions of the Decree apply to individuals in the public and private sectors who: (i) have employed, in the last year, an average of 50 workers, even irrespective of the adoption of a 231 Model; (ii) fall within the scope of Union acts relating to certain specific sectors (e.g. banking, credit, investment, insurance, occupational pensions, investment funds, payment services) even if in the last year they did not reach the average number of employees indicated above; (iii) are different from the individuals referred to in point (ii), fall within the scope of application of Legislative Decree 231/2001 and adopt Models 231, even if in the last year they did not reach the average number of employees indicated above.

To which subjects do the protective measures apply?

The protection measures apply not only to the whistleblower, employee of the public body or employee of private sector entities, but also to self-employed workers, freelancers and consultants, volunteers and paid and unpaid trainees, shareholders and members of the board of directors, management or supervisory body of a company including non-executive members, as well as extending to facilitators (i.e. those who assist the employee in the whistleblowing process), colleagues and relatives of whistleblowers, and legal entities that whistleblowers own, work for or are otherwise connected to in a work context.

What are the reporting channels regulated by the Decree?

The Decree implementing the Directive, in force as from 30 March 2023, provides for three different reporting channels with guarantees of confidentiality and security of the personal data processed within the reports collected (internal, external and through public disclosure). In particular,

internal reports are made in written or oral form through internal channels implemented by private-sector entities or public administrations, managed by a person, an internal office or independent, specifically trained external staff;

external reports are made in writing, subject to certain conditions, through channels implemented by the National Anti-Corruption Authority (ANAC);

reports to the public are made, under certain conditions, through the press or electronic means or, in any case, through means of dissemination capable of reaching a large number of people.


Article 21 of the Decree provides that, without prejudice to other liability profiles, ANAC may apply administrative fines of up to EUR 50,000 for violations of the provisions of the Decree.

Deadlines for companies to comply and guidelines

The Decree came into force as of 15 July 2023 (except for a longer deadline of 17 December 2023 for private sector companies that employed an average of up to 249 workers in the last year) and obliged the National Anti-Corruption Authority (ANAC) to adopt, within three months of its entry into force, guidelines on the procedures for submitting and handling external reports. These guidelines were approved by the ANAC Council in its meeting of 12 July 2023 with Resolution No. 311 and are now available for consultation. Pursuant to Articles 36(4) and 58(3)(b) of the European Regulation 679/2016 (GDPR), the Privacy Guarantor issued a favourable opinion on them.