Article

White-collar crime developments in Italy: trends and developments

Italy, Lombardy, Milan, Galleria Vittorio Emanuele II

Part of our report

Cross-border white-collar crime and investigations review 2025
Published Date
Jan 28 2025
There has been an increase in enforcement action and strategies relating to cybercrimes, supply-chain related offenses, VAT fraud, corruption, and money laundering. A significant shift has been prompted by the EU Corporate Sustainability Reporting Directive and its implementation at the national level. Italian Public Prosecutors have increased scrutiny of businesses operating in specific sectors, particularly those under investigation for illicit labour exploitation practices. Looking ahead, the regulatory environment for data protection and cybersecurity is expected to bring some new challenges. In-house legal and investigation teams/GCs will need to ensure effective control measures to mitigate new risks.

Enforcement trends 

Enforcement related to large-scale bribery schemes has intensified, particularly in public procurement and, more broadly, in dealings with public officials. The CEO of a listed IT company was arrested while allegedly giving a bribe to a prominent manager of an Italian IT corporation fully owned by the Ministry of Finance.

Illicit labour exploitation within supply chains has received growing attention by Public Prosecutors who have targeted not just the direct perpetrators but also many international businesses in the logistics, fashion, and distribution sectors that have allegedly benefited from or facilitated such practices, whether directly or indirectly, through their subcontractors or suppliers. To curb these practices, authorities have imposed preventive and monitoring measures, such as asset seizures and judicial administrations.

Tax crime enforcement has also risen, often linked to illicit exploitation of workers. Labour relations with the contracting company are often “shielded” by intermediary companies, which in turn use various cooperative companies that systematically fail to pay VAT and social security and welfare contributions.

The European Public Prosecutor’s Office (EPPO) in Italy has concentrated on combating tax frauds, money laundering, and frauds involving EU funds. Freezing of assets and other preventive measures have been imposed on affected businesses.

Cybercrimes and data breaches remain a focus. A significant investigation led by the District Anti-Mafia Directorate (DDA) of Milan is currently ongoing, targeting a vast illegal market for personal and confidential information, illicitly obtained from strategic Italian databases by former and current police officers, IT technicians, and hackers. This information was sold to clients, including entrepreneurs and others. The investigation led to several arrests and searches, revealing that sensitive data, including that of political figures, was accessed and sold. The investigation implicated high-profile individuals and companies, with allegations of data misuse for extortion, blackmail, and influencing political and business sectors.

Significant amendments to the Italian Code of Criminal Procedure concerning the limits and legitimacy of wiretapping during investigations and the confidentiality of the investigation phase have been introduced. This means:

  • enhanced protection for communications between defense counsel and the defendant, prohibiting judicial authorities from obtaining these communications unless they constitute the object of the crime; and
  • restrictions on the publication of wiretapped communications unless they are reported by a judge in a judicial decision or used during a hearing. Copies of such communications cannot be released to third parties unless required for another legal proceeding.

These reforms may mitigate challenges companies have previously faced with wiretapping during external investigations by ensuring greater confidentiality and limiting the dissemination of wiretapped information.

Significant law reforms impact corporate criminal liability

Recent legislative reforms in Italy have introduced significant changes that directly impact businesses. These have included new predicate offenses for corporate criminal liability and have influenced the way investigations are conducted.

Two developments regarding crimes against the public administration have been introduced:

  • A new criminal offense1 specifically targets public officials who misuse money or property for unauthorized purposes, resulting in unjust financial gain or harm.  The offense is a predicate offense that may trigger quasi-criminal corporate liability2, if the crime affects the financial interests of the EU and if it is committed in the interests or to the advantage of the company. Private companies may also be involved for complicity in the crime being committed by a public official. 
  • Amendments to the offense of “Undue trading of influence” (influence peddling) have tightened up the offense. The influence pedlar’s relationship with the public official must be intentionally exploited and must genuinely exist. Mere boasts or alleged relationships will no longer be considered relevant. The benefit given or promised to the public official must be of an economic nature. Influence peddling is already a predicate offense for corporate liability if the influence peddling is aimed at obtaining an advantage for the company. 

To enhance national cybersecurity and combat cybercrime,3 the list of predicate offenses for corporate criminal liability has been amended and sanctions for companies involved in cybercrimes have been increased. These amendments include:

  • Increased sanctions for companies in relation to cybercrimes listed in Article 24-bis Decree 231.
  • Introduction of new offenses covering the possession, distribution, and unauthorized installation of equipment or software designed to damage or disrupt computer or telematic systems, with additional aggravating circumstances, and extortion committed through cybercrimes, now included in the catalogue of predicate offenses for the quasi-criminal liability of entities.

Cybercrimes affect all business sectors, not just the cyber sector, especially when IT tools are used to commit other crimes, e.g., illegally accessing a former employer’s IT systems to steal confidential data for a new employer can be considered both a cybercrime and an industrial offense. Moreover, cybercrimes frequently coincide with personal data breaches. To mitigate these risks, companies must conduct thorough risk assessments and implement robust, risk-based control measures.

There are also:

  • New offenses related to excise duty evasion and smuggling crimes, imposing monetary and disqualifying sanctions such as prohibition of entering into agreements with public administrations and exclusion from public benefits, loans, contributions or subsidies, and possible revocation of those already granted.4
  • A significant revision of sanctions for tax evasion.5 Key amendments include the redefinition of offenses related to non-existent and undue credits for improper compensation, new exemptions for tax crimes, and changes to certain tax evasion offenses. Penalties can be reduced if a tax debt is settled before the conclusion of a first-degree trial. Criminal proceedings can be suspended if a tax debt is in the process of being extinguished before the trial’s conclusion. And asset seizure aimed at confiscation will not be ordered if a tax debt is being extinguished through instalment payments.
  • Implementation of the EU Corporate Sustainability Reporting Directive (CSRD) means that companies must disclose their sustainability impacts and efforts, and the influence of environmental, social, and governance (ESG) factors in their financial statements. Reporting false ESG-related information may potentially lead to criminal liability according to extensive interpretations of the scope of Article 2621 of the Italian Civil Code, which identifies disclosing “false corporate information” as a criminal offense.

The introduction of new predicate offenses and the emerging risks from the above regulations suggest that companies should update their risk assessments and update their Organization Management and Control Model under Decree 231.

Changes to rules on whistleblowing and data privacy relevant to internal investigations 

Changes to Italian whistleblowing law, implementing the EU Whistleblowing Directive, have significantly impacted internal investigations in Italy. Companies have had to review their policies to check that they have adequate internal whistleblowing channels, strict anti-retaliation policies, and training programs to foster a culture of transparency and accountability. Whistleblower reports must be responded to in a timely manner, necessitating prompt initiation and resolution of investigations, with adequate investigation record keeping. Many multinationals with global policies should take local advice to assess if they are compliant with these new local law rules.

There are new privacy guidelines from the Italian Data Protection Authority (DPA) on an employer’s access to employees’ email metadata. The guidelines remind employers that prolonged retention of email metadata regarding the use of the employees’ email accounts (e.g., date, hour, sender, recipient, subject, and email size) may violate Italian law, prohibiting investigations into matters unrelated to employees’ professional suitability.

An employer must conduct a Data Protection Impact Assessment (DPIA) before collecting email metadata, in line with the EU GDPR requirements. Compliance with GDPR also includes ensuring lawful, transparent, and fair data processing, with appropriate technical and organizational measures. Non-compliance could result in severe penalties.

Companies should establish a formal procedure for conducting internal investigations, dealing with any GDPR requirements and DPA guidelines in advance. This will help to prevent any potential actions resulting from the investigation from being compromised. Adhering to Italian laws on labor, data protection, and criminal procedure will help to ensure that an internal investigation will withstand later scrutiny by the authorities or courts.

Note that, under Italian law, legal privilege only applies to an internal investigation if a lawyer has been formally appointed and certain criteria and formalities provided for by the Italian Code of Criminal Procedure have been met.

Illicit labour and related tax frauds are enforcement priorities

Italian law reforms and criminal enforcement actions have targeted several sectors. Many fashion, distribution, and logistics companies have been subject to increasing regulatory pressure due to concerns over illicit labour exploitation in their supply chains and related tax offenses. Authorities have intensified enforcement actions to address these issues, and many major corporations have been subject to criminal investigations leading to preventive seizure of millions of euros. For example, a seizure of EUR 64.7 million was ordered against a well-known supermarket group for alleged tax fraud related to outsourced logistics workers (including transportation and warehouse management).

In some cases, the companies have been placed under judicial administration (amministrazione giudiziaria).6 This involves appointing a judicial director who exercises full control over the assets and operations of the affected businesses. Some fashion companies were placed under judicial administration due to ineffective organizational models (Models 231) that would have allowed labour exploitation within their supply chains.

In response, the Prefecture of Milan signed a protocol to ensure transparency in logistics contracts, improve working conditions, and combat illegal labour practices. A “Supply Chain Platform” will be established for voluntary company registration and data updates, including information on company structure, fiscal compliance, and labour practices. The platform’s data will be accessible to certain stakeholders. Additionally, a reward system will be implemented, granting a renewable “supply chain certificate” to compliant operators and enhancing their eligibility for regional incentives.

Looking ahead to 2025, these sectors will continue to be a priority for Italian authorities, who will maintain their focus on eradicating worker exploitation and associated tax frauds. Furthermore, additional business sectors might come under increased scrutiny by the Italian authorities.

European Prosecutor’s Office prosecutions in Italy for tax fraud

The European Public Prosecutor’s Office (EPPO) conducted various investigations across the European Union in 2024, primarily focused on VAT-related offenses and other frauds involving EU funds, including public projects and connections to organized crime.

  • The EPPO in Venice ordered 23 personal preventive measures and seized EUR600 million in the context of fraud against the European Union. The EPPO uncovered a criminal organization operating across several countries, including Italy, Austria, Slovakia, and Romania. The fraudulent activities involved project initiatives worth tens of millions of euros, funded under the NRRP for Digitalization, Innovation, and Competitiveness in the production system. Out of EUR2.7 billion allocated to support 6,900 Italian companies, suspicious operations involved 80 companies receiving EUR17 million. The suspects also created non-existent credits in the construction sector related to various grants and subsidies, amounting to approximately EUR600 million, which have been seized.
  • The EPPO is investigating a EUR520 million VAT fraud, with significant involvement from several mafia groups. 160 searches are being carried out in more than ten countries, including Bulgaria, Croatia, Cyprus, Czechia, Italy, Luxembourg, the Netherlands, Slovakia, and Spain, as well as non-EU countries. A total of 195 individuals are under investigation, with more than 400 companies involved. A freezing order of over EUR520 million has been made to compensate for the damage to the EU and national budgets. In Italy alone, 129 bank accounts are being frozen, and 192 real estate properties seized, along with 44 luxury cars and boats. According to the investigation, individuals linked to several mafia clans invested in a criminal syndicate that set up a highly profitable tax evasion scheme.

Multinational corporations operating across various jurisdictions may find themselves entangled in fraudulent schemes, either through direct involvement or through their subsidiaries, clients, and/or partners. To mitigate these risks, companies must have robust compliance and due diligence processes. These include comprehensive due diligence on third parties and related transactions to identify any red flags from a tax or money laundering standpoint and to verify the legitimacy and compliance of all parties involved to prevent fraudulent activities, as well as regular audits to monitor the execution of contracts, invoicing, and payment processes. Moreover, the process followed by companies for obtaining EU funds should be adequately regulated and monitored, paying special attention to the submission of declarations and documentation to ensure accuracy and compliance.

Predictions for 2025

  • Internal investigations: In-house legal and investigations teams/GCs in Italy will increasingly need to manage whistleblowing and to conduct proper internal investigations. These functions must establish clear policies and procedures for handling whistleblower reports, conducting thorough investigations and ensuring proper feedback to whistleblowers. It is also crucial to maintain confidentiality, protect the rights of all parties involved, and ensure compliance with data protection regulations.
  • Cybercrime and data breaches: In-house legal teams will need to collaborate closely with IT departments to develop robust cybersecurity measures and respond effectively to data breaches and cyber-attacks. This collaboration will also involve understanding the legal implications of cybersecurity incidents and ensuring compliance with data protection regulations.
  • Environmental, social, and governance (ESG) issues: The growing emphasis on ESG factors will demand higher standards of corporate responsibility, with significant legal and reputational risks for non-compliance. Legal teams will need to ensure that ESG initiatives are genuinely implemented and monitored. They must proactively manage risks and adapt to new technologies and regulations to uphold corporate integrity.
  • Governance and compliance: There will be an increasing emphasis on corporate governance and ethical business practices, particularly concerning the supply chain. The risk of third-party related issues will grow. Legal and compliance teams will need to implement robust compliance measures, including adequate due diligence processes and continuous monitoring of third-party activities to prevent potential liabilities.

Directory quotes

  • "Her [Francesca Petronio] smart approach is very management-friendly. She is very easy to understand and makes concepts simple to grasp.” Chambers & Partners Europe 2024 (Compliance, Italy)
  • “We receive excellent service from the team in Milan. They are very responsive to clients’ needs.” Chambers & Partners Global and Europe 2024 (Dispute Resolution, Italy)
  • “The team handles matters in a very efficient and comprehensive way. They are also incredibly proactive in anticipating questions and needs.” Chambers & Partners Global and Europe 2024 (Dispute Resolution, Italy)
  • “The firm has an outstanding litigation team based in Milan. It’s always supportive, proactive and ready to assist in any circumstances. Very professional and committed to success.” Legal 500 2024 (Dispute Resolution, Italy)
Footnotes

1. Article 314-bis of the Italian Criminal Code (ICC) has been introduced by Law 112/2024.

2. Under Article 25 of Legislative Decree No. 231/2001.

3. Law No. 90/2024, titled “Provisions on Strengthening National Cybersecurity and Cybercrimes.”

4. Legislative Decree No 141/2024.

5. Legislative Decree no. 87/2024, New Consolidated Act on Administrative and Criminal Tax Sanctions (Legislative Decree no. 173/2024) and Article 130 of the Consolidated Act on Tax Justice (Legislative Decree no. 175/2024)

6. Under Article 34 of Legislative Decree No 159/2011 (“Italian Anti-Mafia Code”).
 

This article is part of the A&O Shearman Cross-Border White-Collar Crime and Investigations Review. Please click here for our overviews and insights in other jurisdictions.

Related capabilities