Law No. 179/2017 – which came into force on 29 December 2017 – introduced a public and private system of protection for whistleblowers in Italy. If a company that is incorporated in Italy or conducts business in Italy has adopted compliance policies and procedures, then those procedures must also set out an internal reporting channel for whistleblowing.

Law No. 179/2017 also establishes, inter alia, the following measures: (i) protection of the whistleblower’s identity; (ii) prohibition of demotion, dismissal or other retaliatory measures against the whistleblower; (iii) the entitlement of the whistleblower to report the adoption of discriminatory measures to the National Labor Inspectorate; and (iv) nullity of discriminatory or retaliatory dismissal of the whistleblower.

Whilst the Italian National Anti-bribery and Corruption Authority, has adopted guidelines and regulations which apply to the public sector, there are currently no such guidelines in the private sector.

Updates introduced by Legislative Decree No. 24/2023 (implementing EU Directive 2019/1937, effective from 30 March 2023):

• The whistleblowing framework now applies to both the public and private sectors, extending its scope to private entities with at least 50 employees or those that have adopted an organizational model under Decree 231.
• The category of protected persons has been significantly expanded to include not only employees, but also self-employed workers, consultants, volunteers, trainees, shareholders, members of administrative, management, supervisory, or representative bodies, and even former employees.
• Entities are required to establish internal reporting channels and, in some cases, external channels, ensuring confidentiality and data protection. They must also acknowledge receipt of a report within seven days and provide feedback within three months.
• The National Anti-Corruption Authority (ANAC) has been designated as the competent authority for external reports and has the power to impose administrative fines ranging from €10,000 to €50,000 for non-compliance (e.g., failure to establish internal channels, retaliation, or breach of confidentiality).
• The new rules became effective on 15 July 2023 for public entities and private companies with 250 or more employees, and on 17 December 2023 for private companies with 50–249 employees.