Navigating US–Italy cross-border investigations: Enforcement priorities and practical steps

Evolving enforcement priorities in the United States and Italy create new considerations for companies navigating cross-border investigations. In the US, the Department of Justice (DOJ) has introduced a series of white collar enforcement policies focused on “focus, fairness, and efficiency,” with an emphasis on “America First” and prioritizing criminal enforcement of sanctions, money laundering, trade fraud, and national security-related offenses, as well as new incentives for cooperation.

In Rome and Milan, local prosecutors, the European Public Prosecutor’s Office (EPPO), and specialized investigative units have increased actions focused on fraud, supply chain labor abuses, cybersecurity breaches, and environmental, social, and governance (ESG) “greenwashing,” under an expanding catalog of predicate offenses for corporate liability pursuant to Legislative Decree 231/2001 (Decreto 231). For Italian companies operating globally and US companies operating in Italy, these developments mean that a US investigation may proceed in parallel with an Italian investigation, each governed by distinct procedural rules, privilege concepts, and timelines, and with coordination between authorities.

This alert summarizes the latest developments in US–Italy cross-border investigations, highlights key considerations for companies operating in Italy, and offers considerations for boards, in-house counsel, and compliance functions for addressing cross-border enforcement risks.

Key US enforcement updates

DOJ’s Criminal Division has recently rolled out a series of policy updates that reshape the white collar investigations and enforcement landscape for both US and foreign companies. In particular, DOJ is sharpening its focus to match the current US enforcement priorities under the Trump Administration’s “America First” policy, including cases that impact US national security and economic competitiveness, while also seeking to streamline investigations and encourage early disclosure and cooperation.

These changes are particularly relevant for Italian companies with US touchpoints, as even indirect connections can be sufficient to trigger US jurisdiction and enforcement risk. Traditional economic allies like Italy may find companies under scrutiny if they are competing with US companies.

The following are key developments shaping the current environment for corporate enforcement by US authorities:

• New White Collar Enforcement Plan: As discussed in a prior alert, DOJ’s Criminal Division published a White Collar Enforcement Plan in May 2025 that identifies certain “high-impact areas” that the Criminal Division will prioritize for investigation and prosecution, including fraud (e.g., trade fraud, securities fraud, supply chain fraud, and government procurement fraud), sanctions violations, tariff evasion, bribery that harms US economic competitiveness, support for foreign terrorist organizations, and complex money laundering – especially those involving networks tied to cartels, transnational criminal organizations (TCOs), and Chinese Money Laundering Organizations. In recent months, DOJ and the Department of Homeland Security have established a Trade Fraud Task Force that will seek to use both criminal and civil tools to respond to tariff evasion schemes, undervaluation, misclassification, false country-of-origin declarations, transshipment, and smuggling of prohibited goods. Underpinning these priorities is a commitment to the “focused, fairness, and efficiency” enforcement policy on promoting US economic and national security interests.
  
  
• Revised Corporate Enforcement and Voluntary Self-Disclosure Policy: In May 2025, DOJ’s Criminal Division issued a revised Corporate Enforcement and Voluntary Self-Disclosure Policy, which streamlines paths to corporate resolution in criminal matters. The updated policy provides that DOJ will decline to prosecute companies where they promptly self-disclose, fully cooperate, timely remediate, and where there are no aggravating circumstances related to misconduct. A new category of “near-misses” is also created under the policy, where companies will be offered a non-prosecution agreement in cases where the policy requirements are partially met. The updated policy caps resolutions at three years and limits the circumstances under which corporate monitorships are appropriate.
  
  
• New Foreign Corrupt Practices Act guidelines: As discussed in a prior alert, DOJ’s Criminal Division issued Guidelines for Investigations and Enforcement of the Foreign Corrupt Practices Act (FCPA) in June 2025, under which new FCPA cases must demonstrate (1) a nexus to US national security or economic interests, or (2) victimization of identifiable US companies. The guidelines prioritize enforcement of serious misconduct and corrupt schemes and indicate that DOJ will de-prioritize cases involving “routine” hospitality or facilitation payments. There have also been substantial personnel changes in DOJ’s Fraud Section, including reductions in the number of prosecutors staffed to FCPA matters.
  
  
• Expanded Corporate Whistleblower Awards Pilot Program: In May 2025, DOJ revised its Corporate Whistleblower Awards Pilot Program to add additional “Subject Areas” to which a tip must pertain in order to qualify for a whistleblower award. These new areas include corporate sanctions offenses; trade, tariff, and customs fraud; procurement fraud; material support of terrorism; violations of federal immigration law; and violations related to cartels or TCOs. With this expansion of covered (mis)conduct, parallel internal and external whistleblower reports may surge.
  
  
• Increases in immigration enforcement: Combating illegal immigration remains a top priority of the Trump Administration, and US authorities are taking steps to identify persons who are located in the US illegally, including those on expired visas or in violation of the restrictions of the visa waiver program. Italian companies with US operations or manufacturing presence may face increased scrutiny by US law enforcement such as the US Department of Homeland Security, particularly regarding compliance with US visa requirements for employing foreign nationals.
  
  
• Expedited timelines: Prosecutors are instructed to reach charging decisions within two to three years. Evidence requests (including data stored abroad) are expected within weeks of an inquiry, absent applicable blocking statutes or local data transfer restrictions.

Trends in Italian white collar enforcement

Italy has seen a marked increase in white collar enforcement activity, with authorities expanding both the scope of corporate criminal liability and the intensity of investigations. Italian prosecutors, the EPPO, and regulatory agencies are targeting a broad range of misconduct, from tax evasion and labor exploitation to cybercrime and ESG-related offenses. Similar to the US framework, companies in Italy may face civil, administrative, and criminal liability. However, criminal liability for corporate entities is limited to certain predicate criminal offenses committed by persons holding representative, administrative, or managerial roles in a company, where the crime is committed in the interests of (or for the benefit of) the company, and where the company cannot demonstrate that it has adequate measures to prevent misconduct. Consequently, companies may face limited liability in Italy but could have expansive exposure in the US.

Legislative reforms have broadened the list of predicate corporate criminal offenses under Decreto 231, and recent high-profile cases demonstrate a willingness to impose severe measures – including judicial administration – on companies lacking in compliance. Italian enforcement trends are also shaped by EU directives and a growing emphasis on transparency, sustainability, and data protection.

Key developments include:

• Expansion of Decreto 231 predicate offenses: Decreto 231, which provides for administrative liability and potential criminal penalties for companies for certain offenses committed by their representatives, was expanded under the 2024–2025 legislative reforms to cover additional predicate offenses, including cyber-enabled offenses (e.g., unlawful intrusion, malware distribution, cyber-extortion); smuggling and excise-duty evasion; new corruption-related crimes (e.g., undue trading of influence and misappropriation by public officials); and tax-evasion offenses with stiffer sanctions and asset freezes. To mitigate enforcement risks under Decreto 231, companies may consider adopting corporate governance structures in compliance with the Organizational and Management Model (Model 231), including appointing a Supervisory Board to monitor compliance.
  
  
• EPPO and domestic prosecutorial focus on value-added tax and National Recovery and Resilience Plan fraud: EPPO-Venice and the Milan District Attorney (DDA) have seized more than EUR600 million between 2024 and 2025 from schemes abusing EU recovery-fund incentives and carousel value-added tax (VAT) fraud, often implicating multinational supply chains. Investigations and enforcement actions have heavily focused on fraud relating to the National Recovery and Resilience Plan post-pandemic recovery program, with cases related to the misuse of Recovery Fund monies often spanning multiple jurisdictions across the EU (and beyond) and involving coordination between the EPPO and local prosecutors.
  
  
• Labor exploitation in logistics, fashion, and agri-food: High-profile judicial administrations (e.g., amministrazione giudiziaria) imposed on marquee brands signal willingness to disrupt operations where compliance programs are deemed ineffective. Companies subject to judicial administrations are expected to assess and enhance their compliance programs to the satisfaction of an appointed special commissioner, who reports to the relevant magistrates. Milan prosecutors have been focused on investigating allegations of tax evasion, illegal employment schemes, labor law violations, and supply chain misconduct.
  
  
• ESG and greenwashing scrutiny: Following the EU Corporate Sustainability Reporting Directive and corresponding Italian implementing decrees, Italian prosecutors increasingly frame false ESG statements as “false corporate communications” under the Civil Code, triggering criminal liability under Decreto 231.
  
  
• Data privacy and whistleblowing framework: The 2023 Whistleblowing Decree requires companies with at least 50 employees to maintain channels for anonymous reporting and establishes strict retaliation safeguards. Violations of the decree may result in administrative fines up to EUR50,000. As discussed in a prior alert, the Italian Data Protection Authority (Garante) issued guidelines in 2024 regarding the retention of employee email metadata and issued its first fine for General Data Protection Regulation (GDPR) noncompliance regarding employee metadata in June 2025.

Challenges for companies facing US–Italian cross-border investigations

Navigating simultaneous investigations by US and Italian authorities presents an array of practical and legal challenges for multinational companies. The US system utilizes rapid timelines, significant evidence demands, and broad concepts of privilege and cooperation. In contrast, the Italian system is often more expansive in scope, with specific procedural requirements and a different approach to corporate liability (including less explicit programs for voluntary self-disclosures and cooperation). These differences can create friction, especially when investigations overlap or when authorities coordinate efforts.

Companies and their executives are encouraged to prepare to address conflicting disclosure and cooperation strategies, legal obligations, data privacy restrictions, and the risk of duplicative penalties.

Key challenges in this cross-border environment include:

• “America First” enforcement policies: Given the Trump Administration’s priorities and stated intent to use both criminal and civil tools to assist US companies and economic success, companies should be aware of enforcement and investigations that may not be predicated on traditional evidentiary standards. Italian companies may be at greater risk, whereas Italian subsidiaries of US companies may incur less scrutiny regarding evidence of misconduct by their competitors.
  
  
• Evidence collection and GDPR friction: Subpoenas from US authorities may demand rapid production of chat logs and cloud data, yet Italian and EU privacy rules impose notice, proportionality, and, at times, Data Protection Impact Assessment requirements. Missteps risk GDPR fines in Italy or “obstruction” characterizations in the US, or both.
  
  
• Privilege mismatch: US attorney-client privilege is broad, often covering in-house counsel. In Italy, privilege generally attaches only to external lawyers and may not shield internal investigation files. Voluntary production in one jurisdiction may waive privilege protections in the other. In addition, compliance with Decreto 231, such as creating signed employee interview transcripts, memorializing internal findings, and sharing those materials with prosecutors to demonstrate cooperation, may undermine or waive US attorney client privilege and work product protections.
  
  
• Double-counting penalties: In the US, DOJ’s “no-piling-on” credit is discretionary and typically confined to victim-compensation scenarios. On the other hand, Italian courts rarely credit foreign penalties, and the principle of ne bis in idem (double jeopardy) is applied only in the event of a final judgment. Absent strategic coordination, corporate entities may face cumulative fines, asset forfeiture, and suspended business prohibitions across both (or either) jurisdictions. Where US authorities have historically worked closely with certain foreign authorities to coordinate multi-jurisdictional settlements regarding investigations of the same conduct, there is no extensive coordination between the US and Italy.
  
  
• Compliance monitors versus judicial administrators: Under revised guidance, DOJ disfavors long-term corporate compliance monitorships, whereas Italian courts readily impose judicial administration upon corporate entities, effectively placing a court-appointed commissioner in charge of company operations until it can demonstrate adequate compliance policies and processes. Thus, where both US and Italian interests are at stake, conflicting compliance requirements, remediation timelines, and reporting duties may arise.
  
  
• Whistleblower race to report: DOJ’s Corporate Whistleblower Awards Pilot Program incentivizes whistleblowers to bypass internal hotlines and instead report violations or misconduct directly to DOJ reporting channels for investigation in return for potentially sizeable financial rewards. Although there are no monetary incentives, Italian whistleblowers may simultaneously report to the EPPO, potentially triggering dual US or Italian investigations before the company is aware of potential misconduct, and before internal investigation or remediation takes shape.
  
  
• Board and management liability: Executives and corporate management may face individual criminal liability for misconduct in both the US and Italy. In the US, DOJ white collar enforcement guidance emphasizes individual accountability, and DOJ has continued to focus on holding corporate leadership accountable for criminal misconduct. Liability extends further in Italy, where Italian directors face personal criminal exposure for failure to prevent offenses under Decreto 231, although such prosecutions are infrequent.
  
  
• Defensive monitoring: An employer’s ability to monitor employee communications or devices to detect misconduct is tightly restricted by Article 4 of the Workers’ Statute. Such monitoring is generally only allowed with prior union agreement or labor inspectorate approval and requires prior notification to the employee. Even so, so-called “strictly defensive” monitoring – where the goal is to uncover wrongdoing – can only begin after the employer has a well-founded suspicion of specific misconduct and cannot be used to review data or communications from before that suspicion arose. The Italian Supreme Court has recently reinforced that retroactive monitoring is unlawful and may result in criminal liability for the company. This approach stands in sharp contrast to DOJ expectations, which often require companies to quickly collect and produce historical off-channel communications (such as WhatsApp or Signal messages) during investigations. As a result, companies operating in both jurisdictions face a dilemma: aggressive evidence collection to satisfy US authorities may violate Italian law, while strict compliance with Italian rules may frustrate US enforcement demands.

Key takeaways for Italian companies before and during an investigation

Given the increasingly complex enforcement environment, Italian companies may consider proactive steps to strengthen compliance frameworks and investigation response protocols. Boards, statutory auditors, and compliance officers may view the current climate as an opportunity to stress-test cross-border risk management strategies and ensure readiness for simultaneous investigations by US and Italian authorities.

The following considerations may help mitigate exposure and position companies for more favorable outcomes in the event of a cross-border government investigation or enforcement action:

1. Refresh risk mapping: Overlay DOJ’s high-impact areas (sanctions, TCO-linked money laundering, tariff evasion) onto Italian priority sectors (VAT fraud, labor exploitation, ESG disclosures) to pinpoint cross-border “hot spots” specific to the business and industry. Consider engaging experienced outside counsel to advise on proactive risk mapping and identify areas of compliance enhancements.
   
   
2. Implement early-warning protocols: Establish integrated US–EU alert triggers so that potential misconduct, whistleblower allegations, or dawn-raid indications escalate to a cross-functional response team.
   
   
3. Coordinate counsel up front: Retain experienced US and Italian white collar counsel to assist in understanding risks before an investigation and, at the outset of any investigation, to harmonize privilege strategy, document hold notices, data protection compliance, and de-confliction with prosecutors. In Italy, appointing external defense counsel to conduct “defensive investigations” under the Code of Criminal Procedure may unlock lawful evidence-gathering options that are outside the scope of Article 4 of the Workers’ Statute (which governs employee monitoring), potentially helping to avoid legal pitfalls while meeting investigative needs.
   
   
4. Document board oversight: Ensure supervisory boards (and, where applicable, a Board of Auditors or collegio sindacale) receive periodic compliance reports and that minutes reflect active challenge and follow-up on red flags. These records are pivotal both under Decreto 231 and in DOJ cooperation analyses.
   
   
5. Prepare for speed: Consider developing an investigation “sprint” template, such as dawn raid protocols, an immediate custodian list, information technology forensic protocol, privacy impact checklist, and strategic analyses of what type of investigations pose enterprise risks. Consider building Italy specific guardrails into the sprint, including documenting the date and basis for “well founded suspicion,” time box collections to post suspicion data where strictly defensive monitoring is used, and maintaining an audit trail of proportionality and necessity assessments.
   
   
6. Train the front line: Conduct scenario-based training for procurement, logistics, and finance teams on red flags for sanctions circumvention, VAT fraud structures, terrorist financing, money laundering, and labor-contracting risks, emphasizing recordkeeping and prompt escalation through appropriate internal channels.
   
   
7. Leverage monitor-mitigation tactics: Launch internal remediation (including policy updates, third-party due diligence enhancements, and claw-back clauses) contemporaneously with investigation to demonstrate a judicial administrator or US monitor is not required.
   
   
8. Quantify forfeiture exposure early: After the investigation has begun, work with forensic accountants to isolate potentially tainted revenue streams and be ready to propose victim-compensation frameworks to both DOJ and Italian prosecutors to maximize penalty offsets.

Converging enforcement priorities, accelerated timelines, and increased cross-border coordination demand a proactive, integrated approach by companies working with experienced counsel. By aligning US and Italian compliance expectations, preserving the integrity of privilege and data privacy, and demonstrating swift, good-faith remediation, Italian companies may navigate the complexities of the dual-track investigative landscape while minimizing financial, operational, and reputational fallout.

For more information, please contact the authors.