International Fraud & Asset Tracing 2025

Last Updated May 01, 2025

Italy

Trends and Developments


Authors



Fornari e Associati is a professional firm specialised in corporate criminal law and compliance, with 15 professionals in offices in Milan, Rome and Bari. Clients include banks, financial intermediaries, insurance companies, companies (also listed on regulated markets), national and multinational groups, public and private entities, and natural persons. The firm recently provided assistance in criminal proceedings concerning the largest bribe alleged against oil and gas companies in Italy, which ended with the full acquittal of all of the defendants. It also assists foreign clients who carry out their professional or business activities at a national level and provides its services to Italian clients with economic interests abroad. Among the firm’s main areas of activity are financial, banking, environmental, corporate and bankruptcy, tax and public administration criminal law, as well as cybercrimes, corporate crime liability, anti-corruption, internal investigations, privacy, ESG, whistle-blowing, market abuse, international sanctions, extradition and European arrest warrants.

Overview

The technological revolution that the world has experienced over the past 50 years has had a disruptive impact on all areas of society. It is not hard to imagine that these new technologies are not necessarily always used for legitimate purposes. Indeed, it is an established fact that crimes are increasingly committed using IT tools. Cybernetic devices can very easily make an individual both the victim and perpetrator of an unlawful act, with a whole series of consequences in terms of prevention, detection and prosecution of crimes.

Considering that the Italian Criminal Code was published in 1930, for instance, it is easy to understand how important it is for the legislature and the interpreters of the law to make a continuous effort to keep legal matters up to date. The advent of cyberspace as a place of immediate interaction, even between people thousands of kilometres away from each other, has made it necessary to question both what innovative types of crime could come to characterise criminal law and which “classic” crimes can find new forms of commission through the use of the latest generation of technological means.

The authors and users of criminal law are therefore constantly called upon to adapt classic criminal schemes to modern reality or create new ones. This is a challenge on which it is impossible to fall behind without leaving a more or less broad category of potentially unlawful conduct uncovered.

Today, more than ever, companies find themselves engaged in the dual task of protecting themselves from the risk of cyber-attacks and preventing the commission of criminal offences made possible by the use of these tools. On the one hand, companies could see their internal security undermined, while, on the other, they could face administrative liability arising from a crime (pursuant to Legislative Decree No 231/2001). Both scenarios could have serious impacts on business.

It is worth considering that in 2024 the average cost of a data breach reached an all-time high of USD4.88 million. This represents a 10% increase from the average cost of USD4.45 million in 2023. Taking a long-term view, the average cost has increased by 15.3% between 2020 and 2023. In Italy, 30% of big companies estimate the financial damage from cyber threats is at least USD50,000 according to Rapporto Clusit 2024.

Still, AI-provided security services allowed significant cost savings for organisations that relied on them for prevention (USD2.22 million saved with respect to organisations which did not use them). This shows that the use of AI and automation is becoming a fundamental asset to tackle data breaches (Cost of a Data Breach Report, 2023 and 2024, IBM, which recognises that “adopting security AI and automation can cut breach costs”).

However, the rise of AI-backed solutions has not yet slowed down the number of cyber-incidents, which in 2024 increased by 27.4% compared to the previous year. The trend has its roots further back than that: in 2020, 81% of companies said that “staying ahead of attackers is a constant battle and the cost is unsustainable” (State of Cybersecurity Resilience 2021, Accenture).

Cybercrime

When talking about cybercrimes, a distinction should be made. Cybercrimes in the strict sense are characterised, in terms of the specificity of the law, by the presence of elements of data or information automation, which constitute the essential core of the criminal offence. Cybercrimes in the broader sense, by contrast, are nothing more than common crimes committed using computer tools.

The first category includes computer fraud pursuant to Section 640-ter of the Italian Criminal Code or unauthorised access to a computer or telematic system (Section 615-ter of the Italian Criminal Code, which has recently been amended to increase sanctions), or the new offence of cyber-extortion (Section 629(3) of the Italian Criminal Code).

The second category, as already mentioned, represents common crimes committed through the use of new technologies. The use of technology not only affects the way in which the conduct is carried out but also makes the work of investigative bodies even more complex, as they find themselves having to investigate criminal phenomena that are difficult to decipher.

By way of example, the offences of money laundering and self-laundering (Sections 648-bis and 648-ter.1 of the Italian Criminal Code respectively) become so-called cyber laundering if committed in the context of cyberspace. This is the case, for instance, in the transfer of money to current accounts opened at credit institutions based in offshore states or the use of so-called smart cards (ie, cards that can be reloaded and therefore used without a specific current account being opened).

Another relevant phenomenon that intersects with money laundering cases more than ever concerns the use of virtual currencies (or cryptocurrencies). The essential characteristics of the cryptocurrency system are as follows:

  • decentralisation of negotiations: decisions are entrusted not to a bank or other regulatory body but to individual users, whose actions are implemented through the so-called blockchain;
  • anonymity of market operators: the blockchain system actually makes it possible to trace transactions carried out on the network, but does not reveal the identity of those involved; and
  • rapid circulation on the internet.

National Cybersecurity Perimeter

The legislative perimeter of cybersecurity has been reinforced in Italy and Europe over the course of the past year. Two main laws have been introduced to that end.

Law No 90/2024, focused specifically on cybercrimes, strengthened the national framework on cybersecurity, introducing a set of provisions aimed at ensuring an enhanced protection against cyber-attacks and facilitating an efficient response to these emergencies. Section 16 of the Law specifically intervened on the Italian Criminal Code and Section 17 of the Law specifically intervened on the Italian Code of Criminal Procedure, introducing new crimes (such as cyber-extortion) and changes to procedural rules that help prosecutors in the investigations phase (for example, the time limit for this phase has been extended to two years).

Legislative Decree No 138/2024 transposed the NIS2 Directive (EU 2022/2555) into the Italian legal system, by embodying its principles and rules in the following ways.

  • National Cybersecurity Strategy: member states are required to adopt a national cybersecurity strategy and maintain an updated list of essential service operators, ensuring that these entities comply with the Directive’s requirements.
  • Scope of application: in addition to the sectors already covered by the NIS1 Directive (such as energy, transport, healthcare, finance, water resource management and digital infrastructure), the NIS2 Directive introduces:
    1. new sectors subject to cybersecurity obligations, classified as either “highly critical” or “critical”;
    2. new categories of entities, classified as “essential” or “important”, based on their significance within the sector or the type of services they provide; and
    3. medium and large entities in critical sectors must adopt adequate cybersecurity risk management measures and report significant incidents to national competent authorities (ie, incidents that may cause major disruptions or damage).
  • Supervisory measures: the NIS2 Directive introduces stricter oversight mechanisms and a more severe sanctioning regime, aiming to strengthen mutual trust and cybersecurity capacities across the EU.
  • Liability of senior management: the Directive establishes senior management liability for non-compliance with cybersecurity risk management measures, thereby encouraging corporate governance bodies to actively and continuously engage in cybersecurity-related decision-making.
  • Cybersecurity response networks: the Directive establishes a network of computer security incident response teams (CSIRTs), tasked with sharing information on cyber threats and managing cyber-incidents. Furthermore, it creates the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe) to facilitate the exchange of information among member states and EU institutions in the event of large-scale cyber-incidents and crises.

Corporate Vicarious Liability (Legislative Decree No 231/2001)

Law No 90/2024 has added a new crime to the list of offences triggering company liability: “Cyber-extortion” (Section 629(3) of the Italian Criminal Code).

The crime of “cyber-extortion” punishes “anyone who, through the conduct described in Sections 615-ter (“Unauthorized access to a computer or telematic system”), 617-quater (“Unlawful interception, obstruction or disruption of computer or telematic communications”), 617-sexies (“Forgery, alteration, or suppression of the content of computer or telematic communications”), 635-bis (“Damage to information, data and computer programs”), 635-quater (“Damage to computer or telematic systems”) and 635-quinquies (“Damage to computer or telematic systems of public interest”), or through the threat of committing such acts, forces another person to act or refrain from acting, obtaining an unjust profit for themselves or others to the detriment of the victim”.

The legislature, through the introduction of the crime of “cyber-extortion” among the offences triggering the liability of a company, aims to counter the concerning phenomenon of “ransomware”, a type of virus that blocks user access to files and demands a sum of money in exchange, usually in cryptocurrencies.

Entities convicted of “cyber-extortion” are subject to disqualifying sanctions, including the possibility of being banned from conducting business for a period of no less than two years. This provision underscores the legislature’s focus on preventing these crimes, which pose an increasing threat to businesses, particularly those operating in the critical digital infrastructure sector. Indeed, according to data from the National Cybercrime Centre for the Protection of Critical Infrastructure (C.N.A.I.P.I.C.) these attacks accounted for 34% of “serious attacks” in 2023.

Decree Law No 92/2024 (as amended and converted by Law No 112/2024) has added a new crime to the list of offences triggering corporate liability: “Misappropriation of money or movable property” in cases involving damage to the financial interests of the EU (Section 314-ter, paragraph 2, of the Italian Criminal Code).

The crime of “misappropriation of money or movable property” punishes “a public official or a person in charge of a public service who, by virtue of their office or service, has possession or availability of money or other movable property belonging to others and allocates it to a use different from that prescribed by specific legal provisions or acts having the force of law, leaving no margin for discretion, and who intentionally obtains an unfair financial advantage for themselves or others or causes unjust damage to others” (paragraph 1).

The penalty is increased “when the act affects the financial interests of the European Union and the unfair financial advantage or unjust damage exceeds EUR100,000” (paragraph 2).

The crime of “misappropriation of money or movable property” falls under offences triggering corporate liability only if the act affects the financial interests of the EU and causes damage exceeding EUR100,000. By setting this threshold, the legislature appears to have wanted to criminally punish the entity only when the harm to the EU is significant, leaving the enforcement of less severe offences to the administrative system.

The scope of this provision within the offences triggering corporate liability is further limited, considering that it only punishes a public official or a person in charge of a public service. This means that corporate liability may only arise if the entity is a public economic body, is partially owned by a public administration or is under public control. Alternatively, liability may also be established if a private individual within the entity has contributed to the commission of the crime by the public official.

Beneficial Owner

Legislative Decree No 90/2017 was issued to implement EU Directive No 2015/849 (the so-called Fourth AML Directive). As required by Legislative Decree No 90/2017, Decree No 55/2022 of the Ministry of Economy and Finance (MEF) was then published in the Official Gazette on 25 May 2022. It contained “provisions relating to communication, access and consultation of data and information relating to beneficial ownership of businesses with legal personality, of private legal persons, of trusts producing legal effects relevant for tax purposes and legal institutions similar to trusts”.

With the aim of tackling the use of the economic and financial system for the purpose of money laundering and terrorism financing, this Decree introduced new measures regarding the collection of data relating to company owners through the register of beneficial owners (the “Register”).

Section 1, paragraph 2, letter pp) of Legislative Decree No 231/2007 defines the beneficial owner as “the natural person or natural persons, other than the customer, in whose interest or of which, ultimately, the continuous performance of an established professional relationship is rendered or the operation is executed”. The entities that must disclose the beneficial owner in the company register are:

  • companies with legal personality: ie, all LLCs (ordinary, simplified, innovative start-ups, among others), joint stock companies and other corporations;
  • private legal entities (ie, foundations and recognised associations); and
  • trusts and similar legal institutions.

The information must be confirmed every 12 months and any changes that may have occurred must be reported within 30 days. The persons responsible for making the specific disclosure are, respectively:

  • for corporations, the directors;
  • for private legal persons, the founders, representatives or directors; and
  • for trusts, the trustees.

The data that must be communicated concerns entitlement to ownership of the company or the specific body. For example, in the case of companies, shares, methods of exercising control, powers of legal representation, administration and management data must be communicated. In this way, the Register will contain all the information on beneficial ownership of businesses, with the aim of countering illicit activities carried out related to money laundering in the business space.

The right of access to the Register, according to Sections 5 to 7 of Ministerial Decree No 55/2022, will be granted by the authorities, to persons pursuant to Section 3 of Legislative Decree No 231/2007 and to the public in different ways. With reference to public access, in particular, on 22 November 2022 the Grand Chamber of the ECJ held in joined cases C-37/20 and C-601/20 that the provision according to which the information relating to the beneficial owners included in the Register must be accessible to the public (Section 30(5) of the EU’s Fifth Anti-Money Laundering Directive) violated the fundamental rights to respect for private life and the protection of citizens’ personal data, which are protected by Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.

This principle was incorporated in the preamble to the Ministerial Decree of 12 April 2023, by which the Ministry of Enterprises and Made in Italy (MIMIT) approved the “technical specifications of the electronic format of the single corporate communication” necessary for the transmission of the data of the beneficial owners to the business register (according to the provisions of Section 3(5) of Ministerial Decree No 55/2022). The preamble points out that, in agreement with the MEF, Section 7(1) of Ministerial Decree No 55/2022 must be disapplied. Section 7(1) of Ministerial Decree No 55/2022 provides that the first name, surname, month and year of birth and country of residence and citizenship of the beneficial owners are accessible to the public without any kind of limitation.

In the course of 2023, two additional Implementing Decrees were published:

  • the MIMIT Decree of 16 March 2023 (published in the Official Gazette on 28 June 2023) and related annex, which define the models for the release of certificates and copies (including digital ones) relating to beneficial ownership information; and
  • the MIMIT Decree, in agreement with the MEF, of 20 April 2023 (published in the Official Gazette on 28 June 2023) which defines the amounts of secretarial fees to be paid for practices and outputs on beneficial ownership.

In 2023, certain private associations filed an appeal with the Regional Administrative Tribunal or TAR of Lazio, seeking the annulment of these Decrees. Although the court initially accepted the request and suspended the deadline for submitting information for the Register, in April 2024 the TAR of Lazio rejected six appeals from some other associations, thereby lifting the suspension of the deadline.

On 15 October 2024, the Council of State suspended the operation of the Register with Order No 8248/2024. The Council of State found that the provisions of the Implementing Decree could potentially violate Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, which protect the right to privacy and personal data. For this reason, the Council of State referred six preliminary questions to the Court of Justice of the European Union, concerning the interpretation and the validity of EU Directive No 2015/849.

Whistle-Blowing

On 10 March 2023, the Italian government issued Legislative Decree No 24/2023 (“the Decree”), which comprehensively regulates “the protection of persons who report breaches of Union law” and “breaches of national legislation”.

The new legislation raised, and still raises, many interpretation and application issues, to which attempts have been made to find adequate solutions from several sides. Moreover, companies are called upon to make a complex adjustment to the new whistle-blowing legislation, in order to avoid the imposition of administrative fines, the extent of which (unlike many other issues regulated by the Decree) has been very clear from the outset.

In this scenario, of particular importance and support for companies are the Guidelines adopted by the Italian National Anti-Corruption Authority (Autorità Nazionale AntiCorruzione or ANAC) with Resolution No 311/2023 of 12 July 2023 and the Operational Guide for Private Entities issued by Confindustria in October 2023. These sources of soft law have been designed to provide guidance to companies which are subject to whistle-blowing regulations.

Moreover, on 7 November 2024, ANAC adopted further Guidelines on whistle-blowing and launched a consultation on them which ended in December 2024. The Guidelines aimed to provide further clarifications on the implementation and management of internal reporting channels.

In addition to public sector bodies, the whistle-blowing legislation is addressed to:

  • entities that have employed an average of at least 50 employees in the past year (with fixed-term or open-ended contracts);
  • entities operating in specific sectors (banking, credit, investment, insurance and reinsurance, professional pensions or individual pension products, securities, investment funds, payment services), even with an average number of fewer than 50 employees in the past year; and
  • entities that have adopted organisational and management models pursuant to Legislative Decree No 231/2001 (“231 Models”), even with an average of fewer than 50 employees in the past year.

The requirements that the entities identified by the Decree must fulfil can be summarised as follows:

  • identification of the reporting manager (internal or external, monocratic or collegial);
  • identification of the internal reporting channel;
  • adoption of a whistle-blowing policy;
  • updating 231 Models, the Code of Ethics and any internal documentation mentioning the reporting channels;
  • privacy obligations;
  • information provided to persons inside and outside the organisation; and
  • training of employees and the manager (if internal).

First of all, each entity must ensure the adoption of a policy that fully regulates whistle-blowing within the organisation itself. It is advisable for this activity to be entrusted to a lawyer or to a qualified person with specific expertise in the field (possibly outside the organisation). Specifically, the policy must:

  • define the role and tasks of the individuals responsible for managing the reports;
  • identify the methods and terms of data retention;
  • provide and regulate different reporting methods (in written and oral form);
  • provide for procedures that guarantee the confidentiality of the person making the report, of the other persons indicated by the Decree, and of the content of the report; and
  • provide for staff awareness-raising and training initiatives to disseminate the purposes of the whistle-blowing policy and the procedure for its use.

At the same time, private sector entities that have adopted 231 Models will have to update them. The Decree has provided that the latter regulate the internal reporting channels, the prohibition of retaliation and the disciplinary system. Alternatively, 231 Models must contain an explicit reference to the policy.

European Public Prosecutor’s Office (EPPO)

The annual report of the EPPO for 2024 was published on 3 March 2025. As stated in the presentation of the Report, as of 31 December 2024, there were:

  • 2,666 investigations underway, allegedly causing approximately EUR24.8 billion in financial damage to the EU;
  • 205 indictments (47% more than in 2023); and
  • asset freezing orders for EUR849 million requested and granted by judges.

In specific relation to Italy, 458 investigations were opened and 200 had a transnational dimension. 530 people were indicted in total and EUR605.3 million in frozen assets was accumulated. Finally, details of judicial activity showed 175 ongoing proceedings, 28 first instance judgments, 24 res judicata, 22 convictions and two acquittals. Of these proceedings, 131 were for money laundering, 51 for corruption, 12 for embezzlement and 715 for VAT fraud.

For example, on 24 October 2024, at the request of the EPPO in Rome, the Italian State Police conducted multiple house searches, arrests and asset seizures in the Lazio and Campania regions. The operation was part of an investigation into an alleged criminal organisation suspected of corruption in the awarding of EU-funded projects under Italy’s Recovery and Resilience Facility (RRF).

The investigations carried out uncovered that various individuals and a company secured public contracts worth EUR5 million. These contracts were financed by the RRF in exchange for bribes. Five civil servants, including a mayor, were potentially involved in this corruption scheme.

Fornari e Associati

Via Chiossetto 18
20122 Milan
Italy

+39 025 412 2206

info@fornarieassociati.com www.fornarieassociati.com