Italian whistleblower protection law "Decreto Legislativo 24/2023"

Legislative Decree 24/2023 is Italy's single whistleblower law. It took effect on 15 July 2023. It put EU Directive 2019/1937 into Italian law. One text now covers both public bodies and private firms. Below we cover who it binds, what to set up, and the fines.

What is Legislative Decree 24/2023?

Legislative Decree 24/2023 is Italy's version of the EU Whistleblower Directive. It pulls the old, scattered rules into one law. That law covers both the public and private sectors. Before it, public workers leaned on Article 54-bis of Decree 165/2001. Private firms leaned on Decree 231/2001. The new decree scrapped those old rules.

The decree took effect on 15 July 2023. It sets one framework for reports, channels, and protection. It also widens who counts as a whistleblower and what they can report. The watchdog is ANAC, the National Anti-Corruption Authority. People often call the law the Italian whistleblowing decree.

Who must comply, and by when?

Every public body must comply. In the private sector, the duty starts at 50 staff. That means an average of 50 workers over the last year. Smaller firms still fall in scope in two cases: regulated work like finance or product safety, or running a Decree 231/2001 model.

Small bodies got room to share. Towns that aren't provincial capitals can share one internal channel. Private firms with up to 249 workers can share too. They can share both the channel and the staff who run it.

The duty came in two waves. Public bodies and bigger private firms had to be ready by 15 July 2023. Firms with 50 to 249 workers got until 17 December 2023.

"For private-sector entities that employed, on average over the last year, up to two hundred and forty-nine subordinate workers, the obligation to set up the internal reporting channel takes effect from 17 December 2023."
Article 24(2) of Legislative Decree 24/2023

What can you report?

You can report breaches of national or EU law that harm the public interest or a body's integrity. These include crimes, accounting offences, and breaches of Decree 231 models. The decree also reaches EU-law areas, such as public procurement, finance, money laundering, product and transport safety, the environment, and data protection.

"This decree governs the protection of persons who report breaches of national or European Union law that harm the public interest or the integrity of the public administration or the private entity, which they have become aware of in a public or private work context."
Article 1(1) of Legislative Decree 24/2023

Some matters sit outside the law. It doesn't cover national security, defence deals, or classified information. It also leaves out legal and medical privilege, and the secrecy of court rulings. A personal gripe about your own job, like a pay dispute, isn't whistleblowing either.

Who is protected?

Protection covers far more than the paid worker. It also reaches the self-employed, freelancers, and consultants. Volunteers and trainees count too, paid or not, as do shareholders and people who manage or oversee the work. The cover holds at every stage of a working tie: before the job starts, during a probation period, and after it ends.

The shield also covers the people around the reporter:

• facilitators who help with the report;
• co-workers with a regular, current tie to the reporter;
• relatives up to the fourth degree;
• entities the reporter owns or works for.

How do the three reporting channels work?

The decree sets three routes: an internal channel, an external channel run by ANAC, and public disclosure. The internal channel comes first. ANAC and public disclosure open up only under set rules. So a worker can step up the ladder when the internal route fails or isn't safe.

The internal channel

Every body in scope must run its own internal channel. It has to keep the reporter, the accused, and the report confidential, using encryption where needed. A trained internal office can run the channel, or an outside provider can do it instead. Public bodies hand the job to their anti-corruption officer, the RPCT.

A worker can report in writing or by voice. They can also ask for a meeting in person. The channel must confirm receipt within 7 days. It must give the reporter feedback within 3 months.

WeMoral is encrypted, audit-ready whistleblowing software built to satisfy Legislative Decree 24/2023. Article 4 wants a channel that keeps names secret. WeMoral does just that. It seals each report so only the named handler can open it. A trained internal office can run it, or you can hand the channel to WeMoral as your outside provider. For firms with a Decree 231 model, it slots in as the reporting channel that model must now include. It ships with a policy template and a guide to build the internal reporting channel.

The external channel to ANAC

A worker can go to ANAC instead of, or after, the internal channel. But this works only when set rules hold. Reports reach ANAC through a secure online platform. A worker can also use the phone or ask for a meeting. ANAC keeps the same confidentiality and encryption. It also handles cases where payback has already happened.

"A reporting person may make an external report if, at the time it is submitted, one of the following conditions is met: there is no mandatory internal channel, or it is not active or does not comply with Article 4; an internal report has already been made and was not followed up; the person has reasonable grounds to believe that an internal report would not be effectively followed up or could lead to a risk of retaliation; the person has reasonable grounds to believe that the breach may pose an imminent or obvious danger to the public interest."
Article 6 of Legislative Decree 24/2023

Public disclosure

As a last step, a worker can go public, for example to the press. This is protected only in narrow cases: the internal and external channels didn't answer in time, there's an imminent danger to the public, or an external report would risk payback or get buried.

How are confidentiality and anonymity handled?

The reporter's identity is protected throughout, and only the people running the channel may see it. The decree backs this with encryption and with data rules under the GDPR and the Garante, Italy's data watchdog. Leaking who the reporter is counts as a breach ANAC can fine. Anonymous reports are allowed.

Anonymity doesn't end protection. An anonymous reporter may be named later. If they then suffer payback, the law's shield still covers them.

How are whistleblowers protected from retaliation?

Retaliation is banned outright. The decree lists 17 forms of it, including dismissal, demotion, a pay cut, harassment, a bad reference, and harm to your name online. The ban also covers threats and attempts.

"In judicial or administrative proceedings [...] it is presumed that [the acts] were carried out because of the report, the public disclosure or the complaint. The burden of proving that such conduct or acts are based on grounds unrelated to the report [...] lies with the person who carried them out."
Article 17(2) of Legislative Decree 24/2023

Such acts are null. A worker fired for reporting has the right to get their job back. The court can also order the harm repaired and the conduct stopped.

The decree also limits what the reporter can be blamed for. To reveal a breach, they may have to share protected data. If the report met the law's rules, they aren't punished for that. Any waiver of these protections is void.

What fines can ANAC impose?

ANAC is the only body that fines breaches of the decree. These are money fines. They target the organisation, not the worker who reports in good faith. The amount depends on what went wrong.

For private-sector retaliation, ANAC tells the National Labour Inspectorate, which acts within its own powers. For public-sector cases, it informs the Department of Public Function. Firms that run a Decree 231 model must also build these breaches into their own discipline rules.

The 17 December 2023 deadline has passed. So every Italian employer in scope should already have a working channel. They should also have a published procedure. ANAC's guidelines spell out how reports must be received and handled. A missing or sloppy channel is itself a finable breach. For the wider picture, our list of whistleblowing laws by country shows how Italy lines up with the rest of the EU. The first practical move is simple. Pick a channel that meets Articles 4 and 5. Then tell your staff it exists.