Organization, Management and Control Model

Approved by the Board of Directors on May 8, 2025

The “Organization, Management and Control Model pursuant to Italian Legislative Decree No. 231/2001” of CDP S.p.A. (hereinafter “Model 231”) finds its basis in the regulations on the “Responsibility of entities for administrative offences dependent on crime” (Legislative Decree No. 231 of June 8, 2001), which provides that companies may be sanctioned in relation to certain types of offences (generally intentional, sometimes culpable) committed in the interest or for the benefit thereof by:

• natural persons holding representation, administration or management positions in the Entity or in a financially and functionally independent organisational unit thereof; and by natural persons who exercise, also de facto, powers of management and control in the Entity (“Senior Managers”);
• natural persons subject to the management or supervision of one of the persons indicated above (“Subordinate Persons”).

The Entity is not liable if the persons indicated above have acted in the exclusive interest of themselves or third parties.

A key aspect of the regulations is the attribution of an exempting value to Model 231. Italian Legislative Decree No. 231/2001 identifies the grounds for the Entity’s exemption from liability depending on whether the predicate offence was committed by a Senior Manager or a Subordinate Person (Articles 6 Legislative Decree No. 231/2001). Specifically, if the predicate offence is committed by a Senior Manager, the Entity must demonstrate the following in order to be exempt from liability:

• the adoption and effective implementation of an organisational model capable of preventing the unlawful conduct committed;
• the establishment of the so-called Supervisory Body;
• the Supervisory Body’s actual performance of its tasks and duties;
• the Senior Manager’s fraudulent circumvention of the organisational model.

If, on the other hand, the predicate offence is committed by a Subordinate Person, the breach of management and supervisory obligations is deemed excluded if prior to the offence the Entity adopted and effectively implemented a model capable of preventing offences of the type that occurred (Articles 7 Legislative Decree No. 231/2001).

CDP S.p.A. has prepared its Model 231 drawing inspiration from the Guidelines drawn up by the relevant trade associations (ABI and Confindustria), taking into account the relevant jurisprudential and doctrinal guidelines (including the guidelines of ANAC and Confindustria in the area of Whistleblowing), as well as enhancing its own internal control and risk management system.