Navigating US–Italian Cross-Border Investigations

Evolving enforcement priorities and approaches by authorities in both the United States and Italy prompt new considerations for cross-border investigations for companies operating in Italy. In Washington, DC, the Trump Administration’s Department of Justice (DOJ) has introduced a series of white-collar enforcement policies focused on “focus, fairness and efficiency,” with an emphasis on “America First” and prioritizing criminal enforcement of sanctions, money laundering, trade fraud, and national security-related offenses, as well as new incentives for cooperation. In Rome and Milan, local prosecutors, the European Public Prosecutor’s Office (EPPO), and specialized investigative units have increased actions targeting fraud, supply chain labor abuses, cybersecurity breaches, and environmental, social, and governance (ESG) “greenwashing,” under an expanding catalog of predicate offenses for corporate liability pursuant to Legislative Decree 231/2001 (Decreto 231).

For Italian companies operating globally and US companies operating in Italy, these developments mean that a US investigation may proceed in parallel with an Italian investigation, each governed by distinct procedural rules, privilege concepts, and timelines, and with coordination between authorities. This alert summarizes the latest developments in US and Italian cross-border investigations, highlights key considerations for companies operating in Italy, and offers practical steps for boards, in-house counsel, and compliance functions to consider for addressing cross-border enforcement risks.

 

Key US enforcement updates

The DOJ Criminal Division has recently rolled out a series of policy updates that reshape the white-collar investigations and enforcement landscape for both US and foreign companies. In particular, DOJ is sharpening its focus to match the Trump Administration’s priorities of “America First” and prioritize cases that impact US national security and economic competitiveness, while also seeking to streamline investigations and encourage early disclosure and cooperation. These changes are particularly relevant for Italian companies with US touchpoints, as even indirect connections can be sufficient to trigger US jurisdiction and enforcement risk. Even traditional economic allies like Italy may find its companies under particular scrutiny if they are competing with US companies. The following are the most notable developments shaping the current environment for corporate enforcement by US authorities:

• New White-Collar Enforcement Plan: As discussed in a prior alert, the DOJ Criminal Division published a White Collar Enforcement Plan in May 2025 that identifies certain “high-impact areas” that the Criminal Division will prioritize for investigation and prosecution, including fraud (including trade fraud, securities fraud, supply chain fraud, and government procurement fraud), sanctions violations, tariff evasion, bribery that harms US economic competitiveness, support for foreign terrorist organizations, and complex money laundering – especially that involving networks tied to cartels, transnational criminal organizations (TCOs), and Chinese Money Laundering Organizations. In recent months, the DOJ and the Department of Homeland Security have established a Trade Fraud Task Force that will seek to use both criminal and civil tools to respond to tariff evasion schemes, undervaluation, misclassification, false country-of-origin declarations, transshipment, and smuggling of prohibited goods. Underpinning these priorities is a commitment to “focused, fair, and efficient” enforcement focused on promoting US economic and national security interests.
• Revised Corporate Enforcement & Voluntary Self-Disclosure Policy: In May 2025, the DOJ Criminal Division issued a revised Corporate Enforcement and Voluntary Self-Disclosure Policy, which streamlines paths to corporate resolution in criminal matters. The updated policy provides that DOJ will decline to prosecute companies where they promptly self-disclose, fully cooperate, timely remediate, and there are no aggravating circumstances related to the misconduct. A new category of “near-misses” is also created under the policy, where companies will be offered a non-prosecution agreement (NPA) in cases where the policy requirements are partially met. The updated policy caps resolutions at three years and limits the circumstances where corporate monitorships are appropriate.
• New FCPA Guidelines: As discussed in a prior alert, the DOJ Criminal Division issued Guidelines for Investigations and Enforcement of the Foreign Corrupt Practices Act (FCPA) in June 2025, under which new FCPA cases must demonstrate (i) a nexus to US national security or economic interests, or (ii) victimization of identifiable US companies. “Routine” hospitality or facilitation payments are unlikely to attract prosecution, whereas corrupt schemes that distort tender processes to the detriment of US bidders remain prime targets.
• Expanded Corporate Whistleblower Awards Pilot Program: In May 2025, DOJ revised its Corporate Whistleblower Awards Pilot Program to add additional “Subject Areas” that a tip must pertain to in order to qualify for a whistleblower award. These new areas include corporate sanctions offenses; trade, tariff, and customs fraud; procurement fraud; material support of terrorism; violations of federal immigration law; and violations related to cartels or TCOs. With this expansion of covered (mis)conduct, parallel internal and external whistleblowing is expected to surge.
• Increases in immigration enforcement: Combating illegal immigration remains a top priority of the Trump administration, and US authorities are taking aggressive steps to identify persons who are located in the United States illegally, including those on expired visas or in violation of the restrictions of the visa waiver program. Italian companies with a US operating or manufacturing presence may face increased scrutiny – including raids at US locations – by US law enforcement like the US Department of Homeland Security to identify companies employing foreign nationals that are not in compliance with US visa requirements. Such actions have the potential to generate significant legal and business repercussions.
• Expedited timelines: Prosecutors are instructed to reach charging decisions within two to three years. Evidence requests (including data stored abroad) are expected within weeks of an inquiry, absent applicable blocking statutes or local data transfer restrictions. 

 

Trends in Italian white-collar enforcement

Italy has seen a marked increase in white-collar enforcement activity, with authorities expanding both the scope of corporate criminal liability and the intensity of investigations. Italian prosecutors, the EPPO, and regulatory agencies are targeting a broad range of misconduct, from tax evasion and labor exploitation to cybercrime and ESG-related offenses. Like under the US framework, companies in Italy can face civil, administrative, and criminal liability. However, criminal liability for corporate entities is limited to certain predicate criminal offenses committed by persons holding representative, administrative, or managerial roles in a company, where the crime is committed in the interests of (or for the benefit of) the company, and where the company cannot demonstrate that it has adequate measures to prevent the misconduct. Consequently, companies may face limited liability in Italy but could have expansive exposure in the United States.

Legislative reforms have broadened the list of predicate corporate criminal offenses under Decreto 231, and recent high-profile cases demonstrate a willingness to impose severe measures – including judicial administration – on companies found lacking in compliance. Italian enforcement trends are also shaped by EU directives and a growing emphasis on transparency, sustainability, and data protection. Key developments include:

• Expansion of Decreto 231 predicate offenses: Decreto 231, which provides for administrative liability and potential criminal penalties for companies for certain offenses committed by their representatives, was expanded under 2024–2025 legislative reforms to cover additional predicate offenses including cyber-enabled offenses (such as unlawful intrusion, malware distribution, cyber-extortion); smuggling and excise-duty evasion; new corruption-related crimes, including undue trading of influence and misappropriation by public officials; and tax-evasion offenses with stiffer sanctions and asset-freezes. To mitigate enforcement risks under Decreto 231, companies must adopt corporate governance structures in compliance with the Organizational and Management Model (Model 231) to prevent such offenses, including by appointing a Supervisory Board to monitor compliance.
• EPPO and domestic prosecutorial focus on VAT and NRRP fraud: EPPO-Venice and the Milan District Attorney (DDA) have seized over EUR 600 million over 2024–2025 from schemes abusing EU recovery-fund incentives and carousel VAT fraud, often implicating multinational supply chains. Investigations and enforcement actions have heavily focused on fraud relating to the National Recovery and Resilience Plan (NRRP) post-pandemic recovery program, with cases related to the misuse of Recovery Fund monies often spanning multiple jurisdictions across the EU (and beyond) and involving coordination between the EPPO and local prosecutors.
• Labor exploitation in logistics, fashion, and agri-food: High-profile judicial administrations (amministrazione giudiziaria) imposed on marquee brands signal willingness to disrupt operations where compliance programs are deemed ineffective. Companies subject to judicial administrations are expected to assess and enhance their compliance programs to the satisfaction of an appointed special commissioner, who reports to the relevant magistrates. Milan prosecutors have been particularly focused on investigating allegations of tax evasion, illegal employment schemes, labor law violations, and supply chain misconduct.
• ESG and greenwashing scrutiny: Following the EU Corporate Sustainability Reporting Directive (CSRD) and corresponding Italian implementing decrees, Italian prosecutors increasingly frame false ESG statements as “false corporate communications” under the Civil Code, triggering criminal liability under Decreto 231.
• Data privacy and whistleblowing framework: The 2023 Whistleblowing Decree requires companies with at least 50 employees to maintain channels for anonymous reporting and establishes strict retaliation safeguards. Violations of the decree can result in administrative fines up to EUR 50,000. As discussed in a prior alert, the Italian Data Protection Authority (the Garante) issued guidelines in 2024 regarding the retention of employee email metadata and issued its first fine for General Data Protection Regulation (GDPR) noncompliance regarding employee metadata in June 2025.

 

Challenges for companies facing US-Italian cross-border investigations

Navigating simultaneous investigations by US and Italian authorities presents a host of practical and legal challenges for multinational companies. The US system is characterized by rapid timelines, aggressive evidence demands, and broad concepts of privilege and cooperation, while the Italian system is often more expansive in scope, with unique procedural requirements and a different approach to corporate liability (and less explicit programs for voluntary self-disclosures and cooperation). These differences can create significant friction, especially when investigations overlap or when authorities coordinate efforts. Companies and their executives must be prepared to address conflicting disclosure and cooperation strategies, legal obligations, data privacy restrictions, and the risk of duplicative penalties. Key challenges in this cross-border environment include:

• “America First” Enforcement: Given the Trump Administration’s priorities and stated intent to use both criminal and civil tools to assist US companies and American economic success, companies should be aware of unpredictable enforcement and investigations that may not be predicated on traditional evidentiary standards. Italian companies may be at greater risk, whereas Italian subsidiaries of US companies may benefit from less scrutiny and find a willing audience in DOJ regarding evidence of misconduct by their competitors.
• Evidence collection and GDPR friction: Subpoenas from US authorities may demand rapid production of chat logs and cloud data, yet Italian and EU privacy rules impose notice, proportionality, and, at times, Data Protection Impact Assessment (DPIA) requirements. Missteps risk GDPR fines in Italy or “obstruction” characterizations in the US.
• Privilege mismatch: The US attorney–client privilege is broad, covering in-house counsel; in Italy, privilege generally attaches only to external lawyers and may not shield internal investigation files. A voluntary production in one jurisdiction can waive privilege protections in the other. In addition, compliance with Decreto 231 such as creating signed employee interview transcripts, memorializing internal findings, and sharing those materials with prosecutors to demonstrate cooperation – may undermine or even waive US attorney‑client privilege and work‑product protections.
• Double-counting of penalties: In the United States, DOJ’s “no-piling-on” credit is discretionary and typically confined to victim-compensation scenarios; Italian courts rarely credit foreign penalties, and the principle of ne bis in idem (double jeopardy) is applied only in the event of a final judgment. Absent strategic coordination, corporate entities may face cumulative fines, asset forfeiture, and suspended-business prohibitions across both (or either) jurisdictions. Where US authorities have historically worked closely with certain foreign authorities to coordinate multi-jurisdictional settlements regarding investigations of the same conduct, there is not extensive coordination between the United States and Italy.
• Compliance monitors vs. judicial administrators: Under revised guidance, the US DOJ disfavors long-term corporate compliance monitorships, whereas Italian courts readily impose judicial administration upon corporate entities, effectively placing a court-appointed commissioner in charge of company operations until it can demonstrate adequate compliance policies and processes. Thus, where both US and Italian interests are at stake, conflicting compliance requirements, remediation timelines, and reporting duties can arise.
• Whistleblower race to report: The DOJ Corporate Whistleblower Awards Pilot Program in the US incentivizes whistleblowers to bypass internal hotlines and instead report violations or misconduct directly to DOJ reporting channels for investigation in return for potentially sizeable financial rewards. Although there are not monetary incentives, Italian whistleblowers can simultaneously report to the EPPO, potentially triggering dual US/Italian investigations before the company is aware of potential misconduct and before internal investigation or remediation takes shape.
• Board and management liability: Executives and corporate management can face individual criminal liability for misconduct in both the US and Italy. In the US, DOJ white collar enforcement guidance emphasizes individual accountability, and DOJ has continued to focus on holding culpable corporate leadership accountable for criminal misconduct. Liability extends even further in Italy, where Italian directors face personal criminal exposure for failure to prevent offenses under Decreto 231, although such prosecutions are infrequent.
• Defensive monitoring: In Italy, employers’ ability to monitor employee communications or devices to detect misconduct is tightly restricted by Article 4 of the Workers’ Statute. Such monitoring is generally only allowed with prior union agreement or labor inspectorate approval and requires prior notification to the employee. Even so, so-called “strictly defensive” monitoring – where the goal is to uncover wrongdoing – can only begin after the employer has a well-founded suspicion of specific misconduct and cannot be used to review data or communications from before that suspicion arose. The Italian Supreme Court has recently reinforced that retroactive monitoring is unlawful and can even result in criminal liability for the company. This approach stands in sharp contrast to US DOJ expectations, which often require companies to quickly collect and produce historical off-channel communications (such as WhatsApp or Signal messages) during investigations. As a result, companies operating in both jurisdictions face a real dilemma: aggressive evidence collection to satisfy US authorities may violate Italian law, while strict compliance with Italian rules may frustrate US enforcement demands.

 

Practical takeaways for Italian companies before and during an investigation

Given the increasingly complex enforcement environment, Italian companies may consider proactive steps to strengthen their compliance frameworks and investigation response protocols. Boards, statutory auditors, and compliance officers should view the current climate as an opportunity to stress-test their cross-border risk management strategies and ensure readiness for simultaneous investigations by US and Italian authorities. The following practical measures can help mitigate exposure and position companies for more favorable outcomes in the event of a cross-border government investigation or enforcement action:

1. Refresh risk mapping: Overlay DOJ’s high-impact areas (sanctions, TCO-linked money laundering, tariff evasion) onto Italian priority sectors (VAT fraud, labor exploitation, ESG disclosures) to pinpoint cross-border “hot spots” specific to your business and industry. Consider engaging experienced outside counsel to advise on proactive risk mapping and identify areas of compliance enhancements.
2. Implement early-warning protocols: Establish integrated US-EU alert triggers so that potential misconduct, whistleblower allegations, or dawn-raid indications escalate to a cross-functional response team.
3. Coordinate counsel up front: Retain experienced US and Italian white-collar counsel to assist in understanding risks before an investigation and, at the outset of any investigation, to harmonize privilege strategy, document hold notices, data protection compliance, and de-confliction with prosecutors. In Italy, appointing external defense counsel to conduct “defensive investigations” under the Code of Criminal Procedure can unlock lawful evidence-gathering options that are outside the scope of Article 4 of the Workers’ Statute (which governs employee monitoring), helping avoid legal pitfalls while still meeting investigative needs.
4. Document board oversight: Ensure supervisory boards (and, where applicable, a Board of Auditors or Collegio Sindacale) receive periodic compliance reports and that minutes reflect active challenge and follow-up on red flags. These records are pivotal both under Decreto 231 and in DOJ cooperation analyses.
5. Prepare for speed: Develop an investigation “sprint” template: dawn raid protocols, immediate custodian list, IT forensic protocol, privacy impact checklist, and strategic analyses of what type of investigations pose enterprise risks. Build Italy‑specific guardrails into the sprint: document the date and basis for “well‑founded suspicion,” time‑box collections to post‑suspicion data where strictly defensive monitoring is used, and maintain an audit trail of proportionality and necessity assessments.
6. Train the front line: Conduct scenario-based training for procurement, logistics, and finance teams on red flags for sanctions circumvention, VAT fraud structures, terrorist financing, money laundering, and labor-contracting risks, emphasizing recordkeeping and prompt escalation through appropriate internal channels.
7. Leverage monitor-mitigation tactics: Launch internal remediation (including policy updates, third-party due diligence enhancements, and claw-back clauses) contemporaneously with investigation to argue against the need for a judicial administrator or US monitor.
8. Quantify forfeiture exposure early: After the investigation has begun, work with forensic accountants to isolate potentially tainted revenue streams and be ready to propose victim-compensation frameworks to both DOJ and Italian prosecutors to maximize penalty offsets.

Converging enforcement priorities, accelerated timelines, and sophisticated cross-border coordination demand a proactive, integrated approach by sophisticated companies working with experienced counsel. By aligning US and Italian compliance expectations, preserving privilege and data privacy integrity, and demonstrating swift, good faith remediation, Italian companies can navigate the complexities of the dual-track investigative landscape while minimizing financial, operational, and reputational fallout.

For more information, please contact the authors.