New whistleblowing legislation in Italy provides that companies must adopt a whistleblower policy as part of their compliance procedures and grants whistleblowing protection to employees of all Italian companies, irrespective of their industries.

According to Law no. 179/2017, a compliance program must provide for:

The law also requires that companies ensure the confidentiality of a whistleblower’s identity.  

According to the law, employers that receive complaints must escalate them when raised by an identified whistleblower, but they may choose not to escalate reports raised anonymously.

Companies must investigate whistleblowing that is grounded on “accurate and consistent elements of fact,” and the law requires that companies also adopt a screening mechanism for evaluating whether less obvious whistleblowing deserves  formal and in-depth investigation.

Some of the most important provisions of the new law are those dealing with the protection of whistleblowers against retaliation. Whistleblowers and/or trade unions may report to the Labor Inspectorate (Ispettorato del Lavoro) retaliatory and discriminatory acts committed against whistleblowers because of their whistleblowing. The law also provides that any dismissal, change of duties, or any other adverse measure adopted by the employer toward the whistleblower in retaliation and/or for discriminatory reasons is null and void. Moreover, in the event of a dispute between an employer and whistleblower concerning sanctions, dismissals, transfers,  or changes of duties, the employer must satisfy the burden of proving that the reasons for such measure(s) has nothing to do with  the whistleblowing. 


Companies operating in Italy may want to update their compliance programs, adopt new whistleblowing policies, and set up specific training programs for employees as a result of this new legislation.

Unfortunately, the law does not specify how whistleblowing reports must be escalated and who within an organization must review them. In the absence of such clarification, organizations may want to escalate borderline matters and ensure that the person investigating complaints has sufficient authority within the organization to insist on change and remedial measures if an allegation is proven.

Companies dealing with complaints will also need to ensure compliance with the EU General Data Protection Regulation through the adoption of measures to protect the personal data of both complainants and alleged offenders that is processed and/or transferred and/or stored in connection with reporting activities.

Written by Renato Scorcelli of Scorcelli, Rosa & Partners and Roger James of Ogletree Deakins