Skip to main content


Italy: Covid-19 and Companies’ Liability, also under Decree 231/2001

Exceptional times call for exceptional measures.  The ongoing Covid-19 outbreak is pressuring companies around the world to act quickly and to make radical changes to readjust.  Yet, companies should not forget that quick changes may result in overlooking liability risks.  Further, in Italy legal entities may face a quasi-criminal liability under Decree 231/2001, possibly leading to monetary sanctions, interdictory measures and seizure of profits, if certain crimes are committed, in the interest or for the benefit of the companies themselves, by their directors, managers, and employees.  Unfortunately, even well-intentioned decisions may be skewed by fear and distraction and result in corporate misconduct.   

Keep your guard up

During the Covid-19 outbreak, areas of potential higher risk of corporate misconduct (potentially leading to liability or quasi-criminal liability for the company) include:

  • Bribery and corruption: Public authorities are launching new tenders subject to simplified procedures thereby creating more opportunities for informal contacts and improper conduct.  Furthermore, disruptions in the supply chain may cause companies to seek (or propose themselves as) new suppliers, which can expose companies to bribery and corruption risks if the new suppliers are not properly vetted and/or their employees cut corners.  Similarly, in a transactional context, due diligence may become more difficult in a time of crisis, leading to increased bribery and corruption risks.
  • Cybercrime: Remote working increases the exposure to attacks by cybercriminals.  It may also create more instances of cybercrimes committed by employees.  
  • Disclosures and financial reporting: The outbreak coincided with reporting periods for a number of companies, requiring them to decide which disclosures were necessary to address the potential impact of the pandemic on their operations.  In financially difficult times, management should exercise caution in the valuation of its own assets.  Making false statements bears the risk of criminal liability.
  • Fraud in commerce: Although to secure the supply of surgical masks and other personal protective equipment these can be marketed in derogation to current marketing regulations, companies should never make false or misleading representations to consumers or official bodies in charge of evaluating the products.
  • Market manipulation risk: Traders at financial institutions faced with steep losses resulting from the market downturn may feel pressure to resort to market manipulation to generate returns.  They might also make efforts to overstate performance, even for internal purposes.
  • Insider trading risk: In connection with public financial reports that are either better or worse than anticipated, employees stressed by falling markets may be tempted to trade on inside information before it is made public.

Health and safety in the workplace  

Special attention should also be paid to the health and safety of employees.  Under art. 2087 of the Civil Code, all employers have a general obligation to safeguard employees’ health and moral integrity.  This general obligation is coupled with specific regulations contained inter alia in Legislative Decree 81/2008.  Failure to comply with these obligations carries sanctions and it may even result in quasi-criminal liability for the company in the unfortunate event that employees die or suffer severe physical injury for work accidents caused by inadequate safety measures.

1. Can Covid-19 contagion amount to a “work accident”?

For businesses exempted from the shutdown, the issue is whether workers who contracted the Covid-19 virus at work may be deemed to have suffered a “work accident”.  The new emergency legislation enacted by the Government appears to equate a Covid-19 infection in the workplace with an accident at work and therefore to provide a positive answer (see art. 42 (2) Law Decree 18/2020).  This leaves open the (difficult) question of establishing that the worker contracted the virus in the workplace as opposed to elsewhere.  The risk of facing quasi-criminal liability provided by Decree 231/2001 exists if:

  • the employee dies or suffers severe personal injury (e.g. disease lasting over 40 days) due to the Covid-19 virus contracted at work;
  • the contagion occurs at work for the failure of the employer to fulfil the health and safety obligations and to adopt adequate protective measures;  
  • the company benefits from the offence (for example, due to cost savings for not having adopted all necessary safeguards or on one view due to the continuity in business operations notwithstanding the risks faced by employees).

2. What steps should companies take to mitigate the risk of liability?

Even businesses that are currently exempted from the shutdown must limit as much as possible the physical presence of employees at the company premises.  To this end, companies should maximize remote working and, employees shall have recourse, whenever possible, to holidays and days off.  The infection of an employee whose physical presence in the workplace was not strictly necessary could itself amount to a failure to minimize the risk of contagion and give rise to liability regardless of the adequacy of the safety measures in place at the company premises.     

Safety protocols

To protect the health of all workers whose physical presence is not avoidable, employers must adopt safety protocols aimed at containing the spread of the Covid-19 virus in the workplace.  On 14 March 2020, trade unions and employers’ organizations issued specific guidelines to support companies in adopting these protocols.  A protocol facsimile based on the guidelines has also been published.  According to the guidelines, employers must, inter alia:

  • inform all employees of the existing risks, the protective measures in place as well as the measures imposed by the public authorities;
  • control entry to the company premises possibly by checking the body temperature of personnel in accordance with data protection rules;
  • establish entry, transit and exit procedures for external suppliers' so as to minimize contact with employees;
  • provide hand sanitizer;
  • implement daily cleaning and periodic sanitisation;
  • guarantee at least one meter between workstations;
  • provide face masks and other personal protective equipment (e.g. gloves, glasses);
  • establish a new corporate body (Crisis Committee) responsible for applying and monitoring compliance with the safety protocol.

The guidelines crystalize the best practices to mitigate the risk of Covid-19 contagion in the workplace.  Since 10 April 2020, they have also become binding for all undertakings which activities are not suspended (see art. 2 (10) DPCM 10 April 2020).  Yet, the guidelines are not exhaustive, and it is expressly stated that they should be supplemented with additional measures tailored to each company.

Updating the risk assessment

As part of their overall compliance programs, companies should consider conducting a new risk assessment and updating their risk assessment document in light of the Covid-19 outbreak.  It is highly advisable to carefully document the implementation of the safety protocol possibly by including a specific addendum to the risk assessment document.

Active role of the Supervisory Body

The ongoing emergency can be a stress test for all compliance models adopted under Decree 231/2001.  Accordingly, this phase calls for a significant involvement of the Supervisory Board as the corporate body responsible for monitoring the functioning of and compliance with the model and for its necessary updates.  The Supervisory Board can play a crucial role in this phase especially by:

  • keeping management informed about all new measures and legislation adopted by the Government and other public authorities to respond to the outbreak;
  • verifying that the company adopted safety protocols in line with the guidelines available, including the institution of a Crisis Committee, and by assessing the adequacy of such safety protocols and compliance with them.  To this end, there should be a timely and effective information flow allowing the Supervisory Board to be kept updated about all initiatives taken within the company and to request clarifications when needed;
  • monitoring whether the compliance model keeps up with the epidemiological and legal developments;
  • recommending any needed amendments and updates of the model;
  • analysing and addressing reports and complaints received through the internal communication/whistleblowing channels.

Looking Forward

The threat posed by Covid-19 and the relevant government containment measures come with a higher risk of corporate misconduct.  To address this risk, formal compliance with emergency legislation in terms of drafting safety protocols and reviewing risk assessment documents is not sufficient.  Companies must implement actual preventive measures to safeguard employees’ health and to avoid quasi-criminal liability as provided by Decree 231/2001.  All company bodies, including the Supervisory Board, and personnel, especially those covering managerial roles, must act responsibly and within their competences while ensuring cooperation between different departments in order to synergistically overcome this critical phase.