Legislative Decree no. 231 of 8 June 2001 (Lgs. Decree no. 231/2001) provides for a direct liability of legal entities, companies and associations for certain crimes committed by their representatives.

The law aims to encourage companies to adopt corporate governance structures and risk prevention systems to stop managers, executives, employees and external collaborators from committing crimes. In fact, only the adoption of an adequate organisational, management and control structure can exonerate a company from the severe liability which is provided by Lgs. Decree no. 231/2001. The failure to adopt such structure in a timely fashion has resulted in many Italian and foreign companies being held liable under Lgs. Decree no. 231/2001.

Since its introduction in 2001, the Italian legislator has constantly widened the scope of application of Lgs. Decree no. 231/2001 by ext ending the list of relevant crimes, a new list of crimes is currently in the pipeline. It is also becoming a frequent requirement in public procurement tenders that applicants must have adopted an organisational, management and control scheme in compliance with Lgs. Decree no. 231/2001. In 2008, an Italian region (Calabria) has for the first time declared it obligatory for any company operating within the Region to implement such a scheme.

The Grounds for Liability

Crimes triggering the company’s liability were initially limited to crimes to the detriment of the State, such as corruption and misappropriation of public funds. Over time the law has been extended, and the following crimes may trigger a company’s liability:

  • Crimes to the detriment of the State or public bodies
  • Corruption and misappropriation of public funds
  • Falsifications or counterfeiting of money, public credit cards and tax stamps
  • Money laundering
  • Corporate crimes
  • Market abuse
  • Crimes pertaining to terrorism and subversion of the democratic order
  • Mutilation of female genitals
  • Crimes against the person
  • IT crimes and illegal data treatment
  • Homicide and serious injuries through violation of the rules on safety in the workplace
  • Cross-border crimes

The company’s liability is triggered if such crimes have been committed by persons holding representative, administrative or (de facto) managerial positions in the company, or by persons working under their control, provided that these persons have committed the crimes at least “also” in the interest of or for the benefit of the company, and the company cannot demonstrate to have taken adequate measures to prevent the committal of such crimes.

Groups of Companies and Foreign Companies

In the case of a crime being committed by a manager or employee of a subsidiary of a group of companies, there is no automatic extension of liability to the head of the group or other group companies under Lgs. Decree no. 231/20011. However, companies of the same group can be held liable under Lgs. Decree no. 231/2001, if representatives of the group company or persons under their control contributed to the crime and if the crime was committed in the interest or to the advantage of the company2. This is often the case between subsidiaries and their controlling entities (also if they are foreign companies), and it is generally relevant where different companies of the same group are involved in the same operational activities.

Foreign companies can also be held liable under Lgs. Decree no. 231/2001 for crimes committed in Italy, irrespective of whether the laws of the companies home country contain similar rules or not3. If a crime is committed in Italy, Italian criminal law applies and, if the crime falls under the Lgs. Decree no. 231/2001, the judge involved in the proceeding against the individual also has the authority to decide on the possible liability of the foreign company in whose interest or to whose advantage the crime was committed.


Where crimes have been committed and the company cannot prove to have done what is necessary to prevent such crimes, the company may be subject to the following sanctions:

  • Pecuniary fines are based on a quota system, whereby a quota may range from EUR 258 to EUR 1,549. The fine may consist of between 100 and 1000 quotas so that the highest possible fine amounts to EUR 1,549,000. In the case of multiple crimes through the same action, the overall fine may amount to up to three times the fine issued for the most serious of the crimes (but not in excess of the aggregate of fines for the committed crimes) - which means that pecuniary fines could amount to EUR 4,647,000.
  • Debarments4 include the suspension or revocation of licenses, permits and authorisations; a temporary ban from engaging in business; disqualification from contracting with the Public Administration; disqualification from advertising goods and services and disqualification from financing, subsidies and other contributions. Debarments can last from three months to two years.
  • The price or profit or the equivalent deriving from the crime may be confiscated.
  • The court decision may be published in the media.

Companies’ Self-Protection: The Organisational Model

Articles 6 and 7 of Lgs. Decree no. 231/2001 provide specific exemptions from liability if the company can demonstrate that, before the crime was committed, it adopted and effectively implemented a model of organisation, management and control (the Organisational Model). In principle, the Organisational Model must be suitable for preventing the specific crime concerned, and the task of supervising the efficacy of the model must have been entrusted to an autonomous supervisory body, which adequately exercised its duties.

The ex post implementation of an Organisational Model, after a relevant crime has been committed, can no longer exempt the company from its liability, but it allows for a reduction of the applicable sanctions and it avoids the application of debarments. Italian courts have also ruled that the ex post implementation of an effective Organisational Model can exclude the risk of reoccurrence of the crime and therefore avoid the application of protective interim measures5.

Given the great variety of possible forms of organisation of a business, Lgs. Decree no. 231/2001 does not provide details on the structure and content of the Organisational Model. However, article 6 of Lgs. Decree no. 231/2001 requires that the Organisational Model must take the following action:

  • Identify the area in which it is most likely that crimes will be committed by managers or employees
  • Lay down special protocols aimed at planning the formation and enforcement of decisions adopted by the corporate body to prevent crimes
  • Identify the safest way to manage financial resources in order to avoid such crimes being committed
  • Make it compulsory for all officers and employees to supply the supervisory body responsible for monitoring the operation of the self-protection model with the necessary information to ensure their compliance with it
  • Introduce disciplinary measures necessary to sanction non-compliance with rules laid down in the model

Accordingly, a company must carry out an internal audit and risk assessment to verify the reliability of corporate governance control in preventing crime risks. Following this, the company must put in place specific risk prevention protocols, typically consisting of a code of ethics, a well developed internal organisational structure, a clear system for the distribution of powers and signature authorities, a system of internal control and an effective disciplinary system.

The task of monitoring the function and proposing necessary updates to the organisational model must be assigned to an independent supervisory body (organismo di vigilanza). In order to adequately supervise the actions of the top management, the supervisory body must remain fully autonomous.

Despite the existence of market standards and guidelines developed by industry associations, it is each company’s responsibility to develop an Organisational Model that is tailored to its individual specific needs. Italian courts have been clear in underlining that the mere execution of guidelines or reproduction of precedents is not sufficient to exempt the company from its liability under Lgs. Decree no. 231/2001, but that an Organisational Model must be tailored to the individual specifics of the company6.

De-Facto Duty to Adopt the Organisational Model

The implementation of an Organisational Model is not mandatory by law, but it is the only way for a company to avoid its liability under Lgs. Decree no. 231/2001. The management of a company is therefore responsible for preventing the company from future sanctions by adopting the Organisational Model in a timely fashion.

Given that managers have a general duty to act in the best interest of the company and to prevent it from damage, legal authors have long argued that failure to implement an Organisational Model in line with Lgs. Decree no. 231/2001 can be considered a breach of management duties. This opinion has recently been confirmed by the Tribunal of Milan7, which allowed a company to take damages action against its managing director who had failed to implement the Organisational Model and therefore suffered a sanction under Lgs. Decree no. 231/2001.

The adoption of an Organisational Model is therefore considered a de facto obligation of the management of a company. Given that the adoption of an Organisational Model has become more and more of a standard requirement for dealing with the Public Administration, it is not surprising that in a recent survey carried out by Assonime, the association of Italian corporations, 77 per cent of the companies declared to have adopted or be in the process of adopting such a model.