Overview
The technological revolution that the world has experienced over the past 50 years has had a disruptive impact on all areas of society. It is not hard to imagine that these new technologies are not necessarily always used for legitimate purposes. Indeed, it is an established fact that crimes are increasingly committed using IT tools. Cybernetic devices can very easily make an individual both the victim and perpetrator of an unlawful act, with a whole series of consequences in terms of prevention, detection and prosecution of crimes.
Considering that the Italian Criminal Code was published in 1930, for instance, it is easy to understand how important it is for the legislature and the interpreters of the law to make a continuous effort to keep legal matters up to date. The advent of cyberspace as a place of immediate interaction, even between people thousands of kilometres away from each other, has made it necessary to question both what innovative types of crime could come to characterise criminal law and which “classic” crimes can find new forms of commission through the use of the latest generation of technological means.
The authors and users of criminal law are therefore constantly called upon to adapt classic criminal schemes to modern reality or to create new ones. This is a challenge that cannot be neglected without leaving a more or less broad category of potentially unlawful conduct uncovered.
Today, more than ever, companies find themselves engaged in the dual task of protecting themselves from the risk of cyber-attacks and preventing the commission of criminal offences made possible by the use of these tools. On the one hand, companies could see their internal security undermined, while, on the other, they could face administrative liability arising from a crime (pursuant to Legislative Decree No 231/2001). Both scenarios could have serious impacts on business.
It is worth considering that in 2024 the average cost of a data breach reached an all-time high of USD4.88 million. This represents a 10% increase from the average cost of USD4.45 million in 2023. Taking a long-term view, the average cost increased by 15.3% between 2020 and 2023. In Italy, 30% of big companies estimate that the financial damage from cyber threats is at least USD50,000, according to Rapporto Clusit 2024.
Still, AI-provided security services allowed significant cost savings for organisations that relied on them for prevention (USD2.22 million saved compared with organisations which did not use them). This shows that the use of AI and automation is becoming a fundamental asset in tackling data breaches (Cost of a Data Breach Report, 2023 and 2024, IBM, which recognises that “adopting security AI and automation can cut breach costs”).
However, the rise of AI-backed solutions has not yet slowed down the number of cyber-incidents, which in 2024 increased by 27.4% compared to the previous year. The trend has its roots further back than that: in 2020, 81% of companies said that “staying ahead of attackers is a constant battle and the cost is unsustainable” (State of Cybersecurity Resilience 2021, Accenture).
Cybercrime
When talking about cybercrimes, a distinction should be made. Cybercrimes in the strict sense are characterised, in the specific wording of the offence, by the presence of elements of data or information automation, which constitute the essential core of the criminal offence. Cybercrimes in the broader sense, by contrast, are nothing more than common crimes committed using computer tools.
The first category includes computer fraud pursuant to Section 640-ter of the Italian Criminal Code, unauthorised access to a computer or telematic system (Section 615-ter of the Italian Criminal Code, which has recently been amended to increase sanctions), and the new offence of cyber-extortion (Section 629(3) of the Italian Criminal Code).
The second category, as already mentioned, represents common crimes committed through the use of new technologies. The use of technology not only affects the way in which the conduct is carried out but also makes the work of investigative bodies even more complex, as they find themselves having to investigate criminal phenomena that are difficult to decipher.
By way of example, the offences of money laundering and self-laundering (Sections 648-bis and 648-ter.1 of the Italian Criminal Code respectively) become so-called cyber laundering if committed in the context of cyberspace. This is the case, for instance, in the transfer of money to current accounts opened at credit institutions based in offshore states or the use of so-called smart cards (ie, cards that can be reloaded and therefore used without a specific current account being opened).
Another relevant phenomenon that intersects with money laundering cases more than ever concerns the use of virtual currencies (or cryptocurrencies). The essential characteristics of the cryptocurrency system are as follows:
National Cybersecurity Perimeter
The legislative perimeter of cybersecurity has been reinforced in Italy and Europe over the course of the past year. Two main laws have been introduced to that end.
Law No 90/2024, focused specifically on cybercrimes, strengthened the national framework on cybersecurity, introducing a set of provisions aimed at ensuring an enhanced protection against cyber-attacks and facilitating an efficient response to these emergencies. Section 16 of the Law specifically intervened on the Italian Criminal Code and Section 17 of the Law specifically intervened on the Italian Code of Criminal Procedure, introducing new crimes (such as cyber-extortion) and changes to procedural rules that help prosecutors in the investigations phase (for example, the time limit for this phase has been extended to two years).
Legislative Decree No 138/2024 transposed the NIS2 Directive (EU 2022/2555) into the Italian legal system, by embodying its principles and rules in the following ways.
Corporate Vicarious Liability (Legislative Decree No 231/2001)
Law No 90/2024 has added a new crime to the list of offences triggering company liability: “Cyber-extortion” (Section 629(3) of the Italian Criminal Code).
The crime of “cyber-extortion” punishes “anyone who, through the conduct described in Sections 615-ter (“Unauthorized access to a computer or telematic system”), 617-quater (“Unlawful interception, obstruction or disruption of computer or telematic communications”), 617-sexies (“Forgery, alteration, or suppression of the content of computer or telematic communications”), 635-bis (“Damage to information, data and computer programs”), 635-quater (“Damage to computer or telematic systems”) and 635-quinquies (“Damage to computer or telematic systems of public interest”), or through the threat of committing such acts, forces another person to act or refrain from acting, obtaining an unjust profit for themselves or others to the detriment of the victim”.
The legislature, through the introduction of the crime of “cyber-extortion” among the offences triggering the liability of a company, aims to counter the concerning phenomenon of “ransomware”, a type of malicious software that blocks user access to files and demands a sum of money in exchange for restoring it, usually in cryptocurrencies.
Entities convicted of “cyber-extortion” are subject to disqualifying sanctions, including the possibility of being banned from conducting business for a period of no less than two years. This provision underscores the legislature’s focus on preventing these crimes, which pose an increasing threat to businesses, particularly those operating in the critical digital infrastructure sector. Indeed, according to data from the National Cybercrime Centre for the Protection of Critical Infrastructure (C.N.A.I.P.I.C.) these attacks accounted for 34% of “serious attacks” in 2023.
Decree Law No 92/2024 (as amended and converted by Law No 112/2024) has added a new crime to the list of offences triggering corporate liability: “Misappropriation of money or movable property” in cases involving damage to the financial interests of the EU (Section 314-ter, paragraph 2, of the Italian Criminal Code).
The crime of “misappropriation of money or movable property” punishes “a public official or a person in charge of a public service who, by virtue of their office or service, has possession or availability of money or other movable property belonging to others and allocates it to a use different from that prescribed by specific legal provisions or acts having the force of law, leaving no margin for discretion, and who intentionally obtains an unfair financial advantage for themselves or others or causes unjust damage to others” (paragraph 1).
The penalty is increased “when the act affects the financial interests of the European Union and the unfair financial advantage or unjust damage exceeds €100,000” (paragraph 2).
The crime of “misappropriation of money or movable property” falls under offences triggering corporate liability only if the act affects the financial interests of the EU and causes damage exceeding EUR100,000. By setting this threshold, the legislature appears to have wanted to criminally punish the entity only when the harm to the EU is significant, leaving the enforcement of less severe offences to the administrative system.
The scope of this provision within the offences triggering corporate liability is further limited, considering that it only punishes a public official or a person in charge of a public service. This means that corporate liability may only arise if the entity is a public economic body, is partially owned by a public administration or is under public control. Alternatively, liability may also be established if a private individual within the entity has contributed to the commission of the crime by the public official.
Beneficial Owner
Legislative Decree No 90/2017 was issued to implement EU Directive No 2015/849 (the so-called Fourth AML Directive). As required by Legislative Decree No 90/2017, Decree No 55/2022 of the Ministry of Economy and Finance (MEF) was then published in the Official Gazette on 25 May 2022. It contained “provisions relating to communication, access and consultation of data and information relating to beneficial ownership of businesses with legal personality, of private legal persons, of trusts producing legal effects relevant for tax purposes and legal institutions similar to trusts”.
With the aim of tackling the use of the economic and financial system for the purpose of money laundering and terrorism financing, this Decree introduced new measures regarding the collection of data relating to company owners through the register of beneficial owners (the “Register”).
Section 1, paragraph 2, letter pp) of Legislative Decree No 231/2007 defines the beneficial owner as “the natural person or natural persons, other than the customer, in whose interest or on whose behalf, ultimately, the continuous performance of an established professional relationship is rendered or the operation is executed”. The entities that must disclose their beneficial owner in the company register are:
The information must be confirmed every 12 months and any changes that may have occurred must be reported within 30 days. The persons responsible for making the specific disclosure are, respectively:
The data that must be communicated concerns entitlement to ownership of the company or the specific body. For example, in the case of companies, shares, methods of exercising control, powers of legal representation, administration and management data must be communicated. In this way, the Register will contain all the information on beneficial ownership of businesses, with the aim of countering illicit activities carried out related to money laundering in the business space.
The right of access to the Register, according to Sections 5 to 7 of Ministerial Decree No 55/2022, will be granted to the authorities, to the persons referred to in Section 3 of Legislative Decree No 231/2007 and to the public, in different ways. With reference to public access in particular, on 22 November 2022 the Grand Chamber of the ECJ held in joined cases C-37/20 and C-601/20 that the provision according to which the information relating to the beneficial owners included in the Register must be accessible to the public (Section 30(5) of the EU’s Fifth Anti-Money Laundering Directive) violated the fundamental rights to respect for private life and the protection of citizens’ personal data, which are protected by Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.
This principle was incorporated in the preamble to the Ministerial Decree of 12 April 2023, by which the Ministry of Enterprises and Made in Italy (MIMIT) approved the “technical specifications of the electronic format of the single corporate communication”, necessary for the transmission of the data of the beneficial owners to the business register (according to the provisions of Section 3(5) of Ministerial Decree No 55/2022). The preamble points out that, in agreement with the MEF, Section 7(1) of Ministerial Decree No 55/2022 must be disapplied. Section 7(1) of Ministerial Decree No 55/2022 provides that the first name, surname, month and year of birth, country of residence and citizenship of the beneficial owners are accessible to the public without any kind of limitation.
In the course of 2023, two additional Implementing Decrees were published:
In 2023, certain private associations filed an appeal with the Regional Administrative Tribunal or TAR of Lazio, seeking the annulment of these Decrees. Although the court initially accepted the request and suspended the deadline for submitting information for the Register, in April 2024 the TAR of Lazio rejected six appeals from some other associations, thereby lifting the suspension of the deadline.
On 15 October 2024, the Council of State suspended the operation of the Register with Order No 8248/2024. The Council of State found that the provisions of the Implementing Decree could potentially violate Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, which protect the right to privacy and personal data. For this reason, the Council of State referred six preliminary questions to the Court of Justice of the European Union, concerning the interpretation and the validity of EU Directive No 2015/849.
Whistle-Blowing
On 10 March 2023, the Italian government issued Legislative Decree No 24/2023 (“the Decree”), which comprehensively regulates “the protection of persons who report breaches of Union law” and “breaches of national legislation”.
The new legislation raised, and still raises, many interpretation and application issues, which various parties have attempted to resolve. Moreover, companies are called upon to make a complex adjustment to the new whistle-blowing legislation in order to avoid the imposition of administrative fines, the extent of which (unlike many other issues regulated by the Decree) has been very clear from the outset.
In this scenario, of particular importance and support for companies are the Guidelines adopted by the Italian National Anti-Corruption Authority (Autorità Nazionale AntiCorruzione or ANAC) with Resolution No 311/2023 of 12 July 2023 and the Operational Guide for Private Entities issued by Confindustria in October 2023. These sources of soft law have been designed to provide guidance to companies which are subject to whistle-blowing regulations.
Moreover, on 7 November 2024, ANAC adopted further Guidelines on whistle-blowing and launched a consultation on them which ended in December 2024. The Guidelines aimed to provide further clarifications on the implementation and management of internal reporting channels.
In addition to public sector bodies, the whistle-blowing legislation is addressed to:
The requirements that the entities identified by the Decree must fulfil can be summarised as follows:
First of all, each entity must ensure the adoption of a policy that fully regulates whistle-blowing within the organisation itself. It is advisable for this activity to be entrusted to a lawyer or to a qualified person with specific expertise in the field (possibly outside the organisation). Specifically, the policy must:
At the same time, private sector entities that have adopted 231 Models will have to update them. The Decree provides that 231 Models must regulate the internal reporting channels, the prohibition of retaliation and the disciplinary system. Alternatively, 231 Models must contain an explicit reference to the whistle-blowing policy.
European Public Prosecutor’s Office (EPPO)
The annual report of the EPPO for 2024 was published on 3 March 2025. As stated in the presentation of the Report, as of 31 December 2024, there were:
In specific relation to Italy, 458 investigations were opened, 200 of which had a transnational dimension. 530 people were indicted in total and EUR605.3 million in frozen assets was accumulated. Finally, details of judicial activity showed 175 ongoing proceedings, 28 first instance judgments, 24 res judicata, 22 convictions and two acquittals. Of these proceedings, 131 were for money laundering, 51 for corruption, 12 for embezzlement and 715 for VAT fraud.
For example, on 24 October 2024, at the request of the EPPO in Rome, the Italian State Police conducted multiple house searches, arrests and asset seizures in the Lazio and Campania regions. The operation was part of an investigation into an alleged criminal organisation suspected of corruption in the awarding of EU-funded projects under Italy’s Recovery and Resilience Facility (RRF).
The investigations carried out uncovered that various individuals and a company secured public contracts worth EUR5 million. These contracts were financed by the RRF in exchange for bribes. Five civil servants, including a mayor, were potentially involved in this corruption scheme.
Via Chiossetto 18
20122 Milan
Italy
+39 025 412 2206
info@fornarieassociati.com www.fornarieassociati.com