With Resolution No. 478 of November 26, 2025, ANAC approved Guidelines No. 1/2025 on internal reporting channels, completing the regulatory framework initiated in 2023 with provisions on external channels.
The guidelines address the issues raised during the first phase of implementation of Legislative Decree No. 24/2023, with a particular focus on protecting the personal data involved in reports and harmonizing the organizational and management procedures for handling reports.
The obligation to ensure the confidentiality of those involved, the effective management of the reporting system, and the responsibility of the governing body is reaffirmed. Additionally, ANAC provides specific insights on the role of Supervisory Bodies, third sector entities, and the management of reports within corporate groups.
Guidelines on internal reporting channels
With Resolution No. 478 of November 26, 2025, the National Anti-Corruption Authority (“ANAC”) has definitively approved Guidelines No. 1/2025 on whistleblowing for internal reporting channels (“LLGG”), completing the regulatory framework initiated with Resolution No. 311/2023 concerning the guidelines for the external reporting channel, later updated and supplemented with Resolution No. 479 on November 26, 2025.
The new LLGG arise from the need to address the issues that emerged during the first two years of implementing Legislative Decree No. 24/2023, highlighted in ANAC’s 2024 monitoring and in public consultations on the same LLGG. These guidelines aim to provide uniform operational guidance, with particular attention to organizational aspects and the protection of personal data.
The new LLGG do not replace or modify the Guidelines for the external reporting channel contained in ANAC Resolution No. 311/2023 (as modified and integrated in 2025); rather, they supplement and complete them, reinforcing the principle and rationale behind the whistleblowing system and emphasizing the preference for the internal channel as a “proximity” tool for preventing unlawful conduct.
Guidelines and soft law
ANAC clarifies that the LLGG constitute an exercise of its general power of guidance in the field of corruption prevention, as well as a direct expression of Article 8, paragraph 1, letter a) of Legislative Decree No. 24/2023 regarding information on the use of the internal reporting channel. Therefore, the LLGG do not have the nature of a hard law instrument in the strict sense; however, they serve as a benchmark for verifying the conformity of internal procedures/organizational acts under Articles 4 and 5 of Legislative Decree No. 24/2023, from which entities may deviate by justifying their reasons.
As a result, the activation and management of internal reporting channels that differ from ANAC’s guidelines, if not adequately justified, constitute a punishable violation under Article 21 of Legislative Decree No. 24/2023.
Role of trade unions
Legislative Decree No. 24/2023, Article 4, paragraph 1, requires that internal channels be established “after hearing” the trade union representatives or organizations. ANAC confirms that this involvement is purely informative and non-binding: it is a preventive consultation—prior to the approval of the procedure for receiving and managing reports—aimed at collecting observations (which may be integrated) on the implementation of the internal reporting channel.
The entity must transmit, if applicable, (i) to the company’s RSA/RSU or, in their absence, (ii) to the territorial organizations of the most representative trade union associations at the national level, a preventive notice (preferably by certified email) on the main elements of the internal reporting system (including reporting methods, channel management, identification of the manager, training, etc.). The failure to initiate such consultation renders the procedure and the channel non-compliant with the regulations and, therefore, subject to sanction under Article 21 of Legislative Decree No. 24/2023.
Internal reporting methods: a return to using PEO/PEC?
The LLGG reiterate the obligation to ensure at least two reporting methods: (a) written and (b) oral.
Written method: it is strongly recommended, as before, to use dedicated IT platforms capable of encrypting data at rest and ensuring confidential communication with the whistleblower via a “key code”. ANAC also emphasizes the importance of proper due diligence on the platform provider, who must ensure adequate security measures and full compliance with personal data processing regulations. Where IT platforms are not used, ANAC recalls the possibility of using the analog method of “double-envelope” confidential registration.
Regarding written reporting, ANAC also revisits the use of regular email (PEO) or certified email (PEC) as internal reporting channels, cautiously allowing their use. The LLGG, based on ANAC’s previous position, recall that using PEO and PEC alone is inadequate to ensure the confidentiality of the whistleblower’s identity, as email systems generate and store metadata that can reveal the whistleblower’s identity. Consequently, the LLGG allow the use of these tools only if accompanied by specific risk mitigation measures identified in a Data Protection Impact Assessment (DPIA) under Article 35 of the GDPR (e.g., end-to-end encryption).
Oral method: reporting can be done via phone lines, voicemail systems, or direct meetings, to be held within a reasonable time frame, with the possibility of recording with consent or a signed written transcript.
Responsibility of the governing body
ANAC clarifies that the sanctioning power under Article 21 of Legislative Decree No. 24/2023 is exercised, through the internal whistleblowing oversight office (UWHIB), against the governing body of the entity for failures to establish internal reporting channels or discrepancies in procedures for handling reports as per Articles 4 and 5 of Legislative Decree No. 24/2023. The administrative fine ranges from €10,000 to €50,000.
The governing body of the entity is jointly liable with its members, without prejudice to recourse against the individuals responsible, under a liability model that reinforces the centrality of the entity’s organizational decisions.
The internal reporting channel manager and their activities
ANAC confirms that the manager of the internal reporting channel—whether internal or external to the entity and whether acting collegially or as a single body—must be specifically trained and autonomous: this last requirement is fundamental and should be defined as a characteristic of impartiality and independence.
The LLGG also stress that, unlike current practice, the reporting manager is the only person authorized to receive and manage reports, with specific powers defined in the organizational procedure and the ability to involve internal or external structures, while respecting the confidentiality of the identities involved. In this regard, the governing body cannot be assigned supervisory or influencing powers over the investigation but only general monitoring functions on the proper functioning of the organizational procedure. Therefore, the governing body should only be involved after the investigation for decisions within its competence (e.g., starting disciplinary procedures).
The LLGG confirm the need for a substitute for the main reporting manager in case of a conflict of interest and for a backup function in case of prolonged absence (more than seven days) to ensure the effectiveness of the system.
Finally, ANAC confirms that the Data Protection Officer (DPO) should generally not coincide with the reporting manager, especially in large or complex entities.
Phases of handling the report
Based on Article 5 of Legislative Decree No. 24/2023, ANAC identifies five essential phases of the manager’s activities, as outlined below.
| Phase | Description |
| --- | --- |
| Receipt of the report and acknowledgment of receipt | The manager receives the report through the internal channel and issues an acknowledgment of receipt to the whistleblower within seven days of submission, without any assessment of the merits. |
| Verification of proceedability and admissibility of the report | The manager verifies the subjective and objective requirements of the report, ensuring it comes from an authorized party and falls within the scope of Legislative Decree No. 24/2023, as well as meeting the minimum requirements for a substantive evaluation (e.g., containing a brief description of the facts). |
| Investigation | The manager conducts the necessary checks; maintains communication with the whistleblower; requests any additional information and, if necessary, involves internal or external structures, with due care to protect the identities of those involved, acting independently and impartially. |
| Definition of outcomes and feedback to the whistleblower | At the end of the investigation, the manager independently determines the subsequent actions: archiving, providing reasons for it; transmitting the documents to the competent internal offices/bodies and/or the relevant authorities. Within three months from the acknowledgment of receipt (or the expiry of the seven days), the manager provides feedback to the whistleblower on the outcome of the investigation. |
| Document retention | The manager may retain the reports and documentation for a maximum of five years from the communication to the whistleblower of the final outcome of the reporting procedure. |
Data protection aspects of whistleblowing report management
The LLGG confirm the privacy roles related to the management of internal reporting channels, with a new element in the context of corporate groups:
- Platform providers and external managers of reports are qualified as Data Processors under Article 28 of the GDPR, through a specific appointment;
- Entities sharing reporting channels and their management (e.g., through a single platform, branching into independent channels for each entity) are qualified as Joint Controllers under Article 26 of the GDPR, formalized through an internal agreement;
- Within corporate groups, where the reporting channel is shared among group companies through internal management and utilization of the parent company’s investigative capacity, the parent company must be appointed as Data Processor under Article 28 of the GDPR; if the channel is outsourced, the third-party manager of the channel will be appointed as Data Processor under Article 28 of the GDPR.
ANAC emphasizes the importance of carrying out a DPIA under Article 35 of the GDPR before activating the reporting channel, potentially with the support of a third-party provider, and of implementing security measures to mitigate risks.
The LLGG, noting a lack of training and awareness plans in practice, recall that specific training, periodically delivered, must be directed at the report managers and the personnel involved, focusing on whistleblowing regulations, data protection, and the operational procedures adopted by the entity.
In parallel, the entity must ensure training and widespread information to all staff, clarifying what can be reported, the protections provided, and which channels to use. Data protection thus becomes an integral part of the corruption prevention measures.
Whistleblowing regulations and organizational model 231
The LLGG dedicate a specific section to how entities that adopt an Organizational, Management, and Control Model under Legislative Decree No. 231/2001 (“MOG 231”) must adapt to Legislative Decree No. 24/2023.
ANAC recalls that entities adopting an MOG 231, pursuant to Article 21, paragraph 2 of Legislative Decree No. 24/2023 and Article 6, paragraph 2-bis of Legislative Decree No. 231/2001, are required to amend the MOG 231 to ensure it fully complies with the new whistleblowing regulations.
The adjustment of the MOG 231 is necessary in three respects:
- Provision of an internal reporting channel or adjustment of the previously activated channel;
- Explicit prohibition of retaliation and prohibition of hindering (or attempting to hinder) the whistleblower;
- Updating the disciplinary system with possible sanctions against those responsible for misconduct punished by ANAC.
The LLGG underline that an MOG 231 that is not effectively adjusted cannot demonstrate its capacity to exonerate the entity from administrative liability for crimes.
Concluding remarks
ANAC Guidelines No. 1/2025 on the internal reporting channel represent the final piece in the implementation of whistleblowing in Italy, shifting the focus from formal compliance to building truly effective, secure, and privacy-compliant organizational systems.
Entities wishing to reduce sanction risks must now confront a mature model of governance for the internal reporting channel, in which technology, training, and the responsibility of the governing body work together to ensure effective protection of the whistleblower and the pursuit of the goal of preventing unlawful conduct.