Article 2381 of the Italian Civil Code vests the chief executive officer (under the continuing supervision of the board of directors) with the task of ensuring the adequacy of the organisational, administrative and accounting setup of the corporation. The above provision, which is interpreted as a general principle and applies therefore to limited liability companies, is intended to establish the duty of directors to organise the company’s business in a way that reduces the risk of non-compliance.
Large undertakings are also subject to Legislative Decree 39/2010 (on the auditing of their accounts).
As far as listed companies are concerned, the Italian legal and regulatory framework provides for certain additional corporate bodies and procedures aimed at addressing corporate risk and compliance management. In particular:
- pursuant to article 154-bis of the Financial Act 58/1998, listed companies shall appoint a manager in charge of preparing the company’s financial reports and ensuring that appropriate administrative and accounting procedures are put in place in connection therewith;
- pursuant to article 123-bis of the Financial Act 58/1998, the board of directors of listed companies shall publish, on an annual basis, a report on corporate governance providing information on, among other things, the risk management and internal audit systems adopted by the company in relation to the financial reporting process; and
- article 7 of the Code of Conduct for Listed Companies - which sets forth best practice standards for listed companies’ corporate governance on a ‘comply or explain’ approach - recommends the adoption of an internal control and risk management system that consists of policies, procedures and organisational structures aimed at identifying, measuring, managing and monitoring the main risks concerning listed companies.
Moreover, pursuant to the above-mentioned provisions, it is recommended that a listed company set up a control and risk committee. This committee shall be charged, among other things, with supporting the evaluations and decisions made by the board of directors in relation to the company’s internal control and risk management system.
For further information concerning the laws and regulations on corporate risk and compliance management of listed companies, see questions 6 and 7 below.
With respect to banks, the Bank of Italy’s Regulation 285/2013 establishes a comprehensive regulatory framework in connection with banks’ risk and compliance management. The general aim of the relevant provisions is to set up an integrated and effective internal control system in order to:
- regularly monitor business operations and ongoing compliance with the applicable laws and regulations, and check the adequacy of the banks’ organisation and accounting arrangements;
- adequately monitor all business risks; and
- ensure information flows that allow management to make informed decisions.
With regard to insurance companies and in line with the new Solvency II regulatory framework, Legislative Decree 209/2005 and Institute for the Supervision of Private Insurance and Collective Interest (ISVAP) Regulation 20/2008 provide for the implementation of an appropriate internal controls system, ensuring:
- the efficiency and effectiveness of corporate processes;
- adequate control of present and prospective risks;
- the reliability and integrity of accounting and management information;
- protection of assets from a medium and long-term perspective; and
- compliance of the insurance companies’ activities with the current legislation.
Compliance violations may trigger a broad range of consequences. First of all, pursuant to article 2049 of the Italian Civil Code and article 185 of the Italian Criminal Code, legal entities are liable for civil damages resulting from violations committed by their representatives and employees in the exercise of their functions or roles.
Moreover, pursuant to article 197 of the Italian Criminal Code and article 6 of Law 689/1981, legal entities are jointly liable for the fines levied against their representatives and employees for offences committed in the exercise of their functions or roles.
Since 2001, pursuant to Legislative Decree 231, a legal entity is also criminally liable for certain offences committed by its directors, representatives, executives, managers, agents and employees when the crime has been committed in the interests of, or to the benefit of, the legal entity. Legal entities may exculpate themselves from such criminal liability only when very strict conditions are satisfied. The list of crimes triggering criminal liability includes bribery, corporate crimes, forgery, money laundering, health and safety and environmental crimes, cybercrimes, conjuring, insider trading and market abuse, copyright crimes, and many others.
Legislative Decree 231 applies to legal entities incorporated in Italy, Italian branches of foreign legal entities, partnerships and associations with or without legal personality.
Specific additional rules apply to state-owned companies (Law 190/2012) that must adopt specific anti-corruption measures.
General Data Protection Regulation
From 25 May 2018, the GDPR directly applies in Italy.
Legislative Decree 101/2018 has harmonised Italian rules with the GDPR and reshaped the Italian Privacy Code. Data protection infringements trigger civil liability for damages, administrative fines and, in serious cases, criminal liability.
Cybersecurity gaps and failures may also trigger responsibility for essential facility operators and digital providers.