Liability of entities, boom of predicate offences

The second block, in terms of size, is that of corporate offences (Article 25-ter): 21 cases guard against a risk that is not episodic, but structural, because it is grafted onto the physiological processes of governance (financial statements, corporate communications, capital transactions, controls and information flows). It is an area that requires not only procedures, but also appropriate organisational arrangements - moreover imposed by Article 2086, paragraph 2, of the Civil Code - segregation of duties, endo-consiliar controls and decision traceability, because the responsibility of the entity is played out on 'how' it governs itself.

This is followed by tax offences (Article 25-quinquiesdecies), with 15 relevant offences. The impact is twofold, because on the one hand it extends the risk areas to the sensitive activities of ordinary tax management (declarations, invoices, credits, etc.), and on the other hand it forces the integration of typical tax compliance safeguards into the model, such as controls on data, processes and suppliers, audit trails, governance of credits and sensitive transactions.

Then there is an area that we could call technological, which is less niche than the original text of Legislative Decree 231/2001. Information technology offences and unlawful processing of data (Article 24-bis) count 13 offences; those relating to non-cash means of payment (Article 25-octies.1) another ten.

The quantitative increase is matched, in the age of artificial intelligence, by the shift of the risk axis to systems (access, credentials, logs, security, business continuity) and digital financial flows. In order to remain effectively implemented, the entity's organisational model must constantly dialogue with new technologies, cybersecurity and the system of internal controls, otherwise it remains a document that describes risks without governing them.

The original publicistic vocation of Legislative Decree 231/2001 has not disappeared, but today offences against the Pa represent one family among others. The offences are divided into two blocks:
1) Article 24 (disbursements, frauds and frauds), with eight cases that have in common the protection of public assets and the correct use of resources;
2) Article 25 (corruption and related offences), with ten cases that protect the correctness of relations between private individuals and the administration.

The total is 18 offences: a relevant core, but no longer barycentric. In the current catalogue, public-administrative risk coexists (and often recedes) with environmental, corporate, fiscal and digital risk, a sign of a system that has shifted its focus from the 'temptation of contact' with the Pa to the structural management of the core processes, decisional and operational, of the company.

Alongside the major protagonists, the decree contains offences that belong to less numerous families, but are no less important in terms of risk profile or legal assets protected. These include offences in the areas of health and safety at work (two), industry and trade (eight), forgery of money and signs (nine), copyright (six), illegal immigration (five), racism and xenophobia (one) smuggling (eight), cultural heritage (ten) and animal protection (five).

Lastly, and certainly not because of the lesser importance of the interests protected, there remain 'non-census' areas, such as for terrorism offences and organised crime.

The result is that the catalogue of offences has become an inhomogeneous skein 'with a moving perimeter' that has made the preparation of exemplary organisational models increasingly complex.