Legal Reform & Policy

Corporate Criminal Liability: Four Models for Deciding Where Corporate Blame Lives

For roughly two centuries, criminal law rested on a premise a corporation could never meet: only a human mind can hold mens rea, the guilty intent criminal law generally requires, and so a legal entity, societas delinquere non potest, cannot commit a crime. Every major jurisdiction has since broken with that maxim, but each broke differently, producing four distinct technical answers to the same underlying problem: how does a court locate a guilty mind inside an organization that has none of its own?

The United Kingdom narrowed liability to a single "directing mind" between 1915 and 1972, and only began dismantling that bottleneck between 2023 and 2026. The United States took the opposite route in 1909, importing respondeat superior wholesale from tort law, so that even a junior employee's crime can become the company's crime. Australia, in 1995, located fault in organizational culture and systems rather than in any one person's state of mind. Italy, in 2001, built a hybrid: formally "administrative" but functioning as criminal law, with a compliance defense, the Modello 231 and its Organismo di Vigilanza, that no other system offers in quite the same form. That hybrid is this article's central case study.

Once liability attaches, the United States, the United Kingdom, and France increasingly resolve corporate cases through negotiated settlement, deferred prosecution agreements and their national equivalents, rather than trial. 2026 alone brought the UK's final legislative break from the identification doctrine, a newly adopted EU-wide anti-corruption directive, and an expanded Italian predicate-offense catalogue, three independent developments landing within weeks of each other.

Four Ways to Find a Guilty Mind Inside a Company

The identification doctrine, respondeat superior, the organizational or corporate culture model, and the D.Lgs. 231/2001 hybrid are the four technical solutions this article compares. Each responds to the same historical pressure: as commerce industrialized and globalized, the actors capable of the most serious harm, market manipulation, mass-casualty safety failures, systemic bribery, environmental catastrophe, were increasingly organizations rather than individuals. Prosecuting only the employee left the organization that profited from, or negligently permitted, the harm untouched.

The United Kingdom's identification doctrine holds that only the acts and state of mind of a company's "directing mind and will" can be attributed to the company itself. It originated in Lennard's Carrying Co Ltd v Asiatic Petroleum Co Ltd [1915] AC 705, and the House of Lords entrenched it in Tesco Supermarkets Ltd v Nattrass [1972] AC 153, quashing a false-advertising conviction because the branch manager responsible for a mispriced display was not part of Tesco's "directing mind and will." The practical effect was to make large, decentralized companies almost prosecution-proof: the more devolved a company's decision-making, the harder it became to find one senior individual whose mind counted as the company's mind.

The United States solved the same problem by importing a civil concept wholesale. In New York Central & Hudson River Railroad Co. v. United States, 212 U.S. 481 (1909), the Supreme Court held a corporation criminally liable under the Elkins Act for the acts of its agents, applying respondeat superior, the tort doctrine imputing an agent's conduct to its principal, directly to criminal law. The structural difference from the UK model is stark: the wrongdoing employee need not be senior at all, a dramatically lower attribution bar than the UK's identification test.

Australia's Criminal Code Act 1995 (Cth), Part 2.5, took a third path: organizational fault. Rather than asking whose mind counts as the company's mind, or importing tort doctrine wholesale, it examines the organization's systems and culture, imputing fault where a corporation "expressly, tacitly or impliedly authorised or permitted" an offense, including through a corporate culture of non-compliance. Australia's own Law Reform Commission found in its 2020 Corporate Criminal Responsibility Final Report that these "corporate culture" provisions have been invoked rarely and inconsistently in practice.

Italy answered differently again. D.Lgs. 231/2001 introduces what Italian law calls administrative liability arising from a criminal offense, triggered only by a closed catalogue of predicate crimes and adjudicated in the same proceeding as the individual defendant. It is this article's centerpiece, and the next section covers its mechanics in full.

Italy's D.Lgs. 231/2001: A Hybrid Built on a Compliance Escape Hatch

Decreto Legislativo 8 giugno 2001, n. 231, was enacted under the delegation in Legge 29 settembre 2000, n. 300, article 11, itself legislation implementing the OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions (Paris, 17 December 1997) and the EU Convention on the Protection of the Communities' Financial Interests (Brussels, 26 July 1995). Often mistaken for a fine regime attached to Italy's criminal code, D.Lgs. 231/2001 in fact establishes administrative liability arising from a criminal offense, the category Italy's constitutional principle of personal criminal responsibility requires for any legal entity. The same criminal court that tries the individual defendant hears the entity's case in the same proceeding, and the available sanctions, quota-based fines and, for serious offenses, disqualification from public contracts, punish rather than compensate.

The predicate-offense catalogue, reati presupposto, started narrow: crimes against the public administration, corruption and fraud against the state chief among them. It has expanded repeatedly since, now reaching corporate manslaughter and workplace safety, market abuse, money laundering, transnational organized crime, private-sector corruption, and tax offenses added in 2019 and 2020. The most recent addition is an expanded environmental catalogue introduced by D.Lgs. 21 aprile 2026, n. 81, transposing EU Directive (EU) 2024/1203 and in force since 2 June 2026. Commentators have flagged a risk in this pattern: folding in offense types as different as environmental pollution and tax fraud risks a growing mismatch between a company's compliance model and its actual operational risk.

The regime's distinguishing feature is not its administrative label. It is the compliance defense written into the statute from 2001: an entity avoids liability if, before the offense, it had adopted and effectively implemented an organizational and management model, the modello di organizzazione, gestione e controllo (commonly Modello 231), suited to preventing offenses of that kind; had entrusted monitoring of the model to an independent Organismo di Vigilanza (OdV) with autonomous powers; and can show that the individual perpetrator fraudulently circumvented the model while the OdV had not failed in its supervisory duties.

Italian courts have spent two decades working out what "suitable" means in practice. In the Thyssenkrupp case, the Corte di Cassazione found in September 2014 that Thyssen Krupp AST S.p.A. had not even adopted a functioning model at the time of the fatal fire of 6 December 2007: a total absence of a model, not a borderline suitability question. The Impregilo case, Cassazione, Sezione VI, sentenza n. 23401/2022, supplied the standard now widely cited: the mere occurrence of a crime does not by itself prove the model unsuitable, since courts must assess suitability concretely, in relation to crimes of the same type as the one that occurred, rather than abstractly.

D.Lgs. 231/2001 sits as special legislation outside Italy's codice penale, a placement this site's article on criminal law codification movements examines in depth.

Its administrative-rather-than-criminal characterization also sits on the same boundary question this site's article on decriminalization trends in Europe examines from the opposite direction: conduct moving out of the criminal law. An AI-specific extension of this organizational-fault logic, termed "colpa artificiale" in Italian scholarship, is covered in this site's article on artificial intelligence and criminal accountability.

The UK's Long Retreat from the Identification Doctrine

Does the identification doctrine from Tesco v Nattrass still apply in the UK? No, not in practice, since 29 June 2026.

The first legislative crack came with the Corporate Manslaughter and Corporate Homicide Act 2007, which received Royal Assent on 26 July 2007 and came into force on 6 April 2008, though it was scoped narrowly to manslaughter alone. The government's expectation at the time of passage was roughly ten prosecutions a year, a figure describing what lawmakers anticipated when the Act passed, not a confirmed historical rate; the confirmed first conviction under the Act illustrates its early reach instead: a small geotechnical engineering firm, eight employees, turnover of about GBP 250,000, was fined GBP 385,000, payable over ten years, after an employee died in an unsupported excavation.

The next major step was analytical rather than legislative. The Law Commission for England and Wales published a Corporate Criminal Liability Options Paper on 10 June 2022, following an eighteen-month consultation, setting out ten reform options for dismantling or narrowing the identification doctrine.

Parliament acted on economic crime first. The Economic Crime and Corporate Transparency Act 2023 (ECCTA) received Royal Assent on 26 October 2023, and section 196, in force from 26 December 2023, introduced a "senior manager" attribution rule for a defined list of economic-crime offenses, replacing "directing mind and will" for that list only. The Act separately created a strict-liability "failure to prevent fraud" offense, in force since 1 September 2025, applicable to large organizations, turnover above GBP 36 million, balance sheet above GBP 18 million, more than 250 employees, with a reasonable-procedures defense available. That defense is the UK's closest structural analogue to Italy's Modello 231, though considerably narrower, fraud only, and two decades newer.

The Crime and Policing Act 2026, Royal Assent 29 April 2026, generalized the senior-manager rule to all criminal offenses through section 250, in force since 29 June 2026. The senior manager test itself is substance over form: it asks whether an individual played a significant role in managing or organizing a substantial part of the organization's activities, not whether they held a board seat or a chief-executive title. Unlike the failure-to-prevent-fraud offense, this general rule carries no reasonable-procedures defense: it is a pure attribution rule, not a failure-to-prevent regime. For practical purposes, the identification doctrine no longer governs corporate criminal attribution in England and Wales.

Deferred Prosecution Agreements: How Corporate Cases Actually Get Resolved

What is a deferred prosecution agreement, and who uses them? A negotiated resolution that suspends prosecution in exchange for fines, compliance commitments, and cooperation, subject to a court's approval, and each of the three systems here operates its own version.

In the United States, Department of Justice policy channels corporate cases toward declination, a non-prosecution agreement, a guilty plea, or a deferred prosecution agreement, depending on whether a company voluntarily disclosed its own misconduct, cooperated, and remediated. On 10 March 2026, the DOJ announced a new Corporate Enforcement and Voluntary Self-Disclosure Policy, unifying self-disclosure incentives across all its components and US Attorney's Offices. The individual-accountability side of that policy traces to Deputy Attorney General Sally Yates's memorandum of 9 September 2015, which conditioned a corporation's cooperation credit on identifying culpable individuals; the policy was subsequently reinstated and codified into the Justice Manual in 2021.

The United Kingdom's Crime and Courts Act 2013, Schedule 17, created its own DPA regime, available since 24 February 2014 to the Serious Fraud Office and Crown Prosecution Service, and requiring judicial approval that a DPA's terms are "fair, reasonable and proportionate." Standard Bank's DPA, approved in November 2015, was the first of its kind; Rolls-Royce's, approved by Sir Brian Leveson on 17 January 2017, remains the largest, resolving twelve counts of conspiracy to corrupt, false accounting, and failure to prevent bribery under the UK Bribery Act 2010, spanning a 24-year period of alleged conduct. Its settlement total is not stated here; readers should consult the primary judgment or a Serious Fraud Office release for that figure.

France took a similar approach: Sapin II, Loi n. 2016-1691 du 9 decembre 2016, in force from 1 June 2017, created the Agence Francaise Anticorruption and the Convention Judiciaire d'Interet Public (CJIP), explicitly modeled on the US and UK mechanisms and proposed by the public prosecutor for a judge's approval, typically requiring a public-interest fine, a compliance program, and victim compensation. A follow-on bill known in French commentary as "Sapin III" has reportedly been reintroduced since 2024, but no confirmed parliamentary record establishes its current status here; treat it as unenacted pending fresh verification.

The Rolls-Royce DPA's 24-year conduct period is a comparative time-limits question this site's article on how legal systems set time limits on prosecuting corporate conduct covers.

DPA terms, fines, disgorgement, compliance monitorships, are a form of negotiated corporate sentencing; this site's article on sentencing reform covers the proportionality framework.

Two Landmark Cases: Arthur Andersen and Volkswagen's Dieselgate

Did the collapse of Arthur Andersen's conviction mean the prosecution failed? No. The conviction was vacated, but the firm had already ended, and that gap between verdict and consequence is the point the case is built to illustrate.

Arthur Andersen LLP v. United States, 544 U.S. 696 (2005), arose after Andersen, Enron's auditor, instructed employees to follow its document-retention policy once the firm learned the SEC was investigating Enron, resulting in mass destruction of records. Andersen was convicted of obstruction of justice, but the Supreme Court unanimously vacated the conviction because the jury instructions had not required proof that Andersen knew its conduct was unlawful or tied to a specific proceeding. By the time the Court ruled, Andersen had already collapsed as a firm: federal rules bar felons from auditing public companies, so the indictment alone had ended a firm employing tens of thousands of people. The case is the standard illustration that a criminal charge alone can function as a corporate death sentence, a major reason DOJ policy has since leaned on deferred and non-prosecution agreements rather than indictments against large financial institutions.

Volkswagen's "Dieselgate" adds a second dimension to the same problem: individual prosecutions running alongside the corporate one, across two jurisdictions. In January 2017, Volkswagen AG pleaded guilty in the United States to conspiracy to defraud the United States and to violate the Clean Air Act, agreeing to a combined penalty package the Department of Justice's own announcement placed at approximately USD 4.3 billion: a USD 2.8 billion criminal fine plus USD 1.5 billion in civil penalties. Engineers Oliver Schmidt and James Liang pleaded guilty in the United States, sentenced to 84 and 40 months respectively. A Braunschweig court sentenced Germany's former head of diesel engine development to four years and six months and the former head of powertrain electronics to two years and seven months, with two other former executives receiving suspended sentences. Former CEO Martin Winterkorn was indicted on fraud and conspiracy charges on 3 May 2018; this article states no conviction, acquittal, or fugitive status beyond that indictment, since his case's subsequent status went unverified here. German authorities were separately reported to be investigating as many as 40 executives and engineers across the group, a figure describing investigative scope, not a conviction count.

Dieselgate shows parallel, non-duplicative corporate and individual criminal exposure operating at once across two jurisdictions, exactly the kind of cross-border layering the EU's Anti-Corruption Directive, covered next, is partly designed to formalize going forward.

The EU's New Anti-Corruption Floor, and a Civil-Liability Retreat Alongside It

Does the EU regulate corporate wrongdoing consistently across criminal and civil law? No. The same year, 2026, saw the EU harmonize and raise penalties on the criminal and administrative anti-corruption side while retreating from EU-wide harmonization on the civil due-diligence side.

The EU Anti-Corruption Directive was first proposed by the Commission in May 2023 and formally adopted by the Council on 21 April 2026 as Directive (EU) 2026/1021, published in the Official Journal on 11 May 2026 and in force from 1 June 2026, with a transposition window of 24 months, up to 36 months for provisions on national anti-corruption strategies. Its liability structure, drawn from law-firm summaries of the 2023 proposal rather than a confirmed reading of the final text, reportedly runs on two tracks: entities liable for offenses committed for their benefit by a leading-position person, and for offenses a subordinate committed that a leading person's lack of supervision made possible, echoing without replicating Italy's OdV-supervision logic. Reported penalty floors reach at least 3 to 5 percent of worldwide turnover, or EUR 24 to 40 million depending on the offense; both figures need confirmation against the Official Journal text before being treated as settled.

The Corporate Sustainability Due Diligence Directive, Directive (EU) 2024/1760, in force since 25 July 2024, runs on a separate track entirely: civil, not criminal, liability for large EU and non-EU companies with net turnover above EUR 450 million, over human-rights and environmental due-diligence failures. The 2026 "Omnibus" amendments removed the Directive's EU-wide harmonized civil-liability standard, deferring instead to Member State law, and deleted its mandatory climate transition plan requirement, a retreat that runs opposite the Anti-Corruption Directive's expansion the same year.

Why 2026 Is a Hinge Year for Corporate Criminal Liability

Why did so much change in corporate criminal liability in 2026 alone? Because three independent legislative processes converged on the same underlying argument within a ten-week span. The UK's Crime and Policing Act, section 250, took effect 29 June. The EU's Anti-Corruption Directive was adopted 21 April and took effect 1 June. Italy's D.Lgs. 21 aprile 2026, n. 81, expanding the environmental predicate-offense catalogue, took effect 2 June. None of the three legislatures coordinated with the others. The UK, the EU, and Italy each answered a domestic or institutional question on its own timeline, and the three answers happened to land in the same season, a sign of how live this argument still is.

Frequently Asked Questions About Corporate Criminal Liability

Is D.Lgs. 231/2001 a criminal law in Italy?

Formally, no. The decree creates administrative liability arising from a criminal offense, a category Italy's constitutional personal-responsibility principle requires for legal entities, since criminal responsibility cannot attach to a company under Article 27. In substance, it is adjudicated by criminal courts alongside the individual defendant's trial and carries punitive sanctions, which is why most commentators treat it as criminal law under an administrative label.

Does the UK's identification doctrine from Tesco v Nattrass still apply?

For practical purposes, no. The Crime and Policing Act 2026 extended a "senior manager" attribution test to every criminal offense starting 29 June 2026, following a narrower version ECCTA 2023 had applied only to a defined list of economic crimes beginning in late 2023.

What is a deferred prosecution agreement?

It is a court-approved arrangement that suspends a prosecution while a company pays fines, meets compliance commitments, and cooperates with investigators. The United States operates one version through Department of Justice policy, the United Kingdom another under the Crime and Courts Act 2013 since 2014, and France a third, the CJIP, created by the Sapin II law in 2016.

Can the same corporate conduct trigger both criminal and civil liability under EU law?

Yes, and the two EU instruments compared in this article show why, in the same year. The Anti-Corruption Directive raised criminal and administrative penalty floors the same year the Corporate Sustainability Due Diligence Directive's Omnibus amendments pulled back from an EU-wide civil-liability standard, leaving that side of the picture to individual Member States.

Where the Argument Stands Now

The identification doctrine, respondeat superior, the organizational culture model, and the Italian hybrid were never a settled comparative-law consensus. They are four independent technical answers to the same question: how should the law locate blame inside an organization that has no mind of its own? The 2026 convergence across the UK, the EU, and Italy shows that argument is still actively moving, not resolved, and there is no reason to expect the next reform to come from any single one of these systems rather than another.

One pattern cuts across all four models once liability attaches: negotiated resolution, deferred prosecution agreements, non-prosecution agreements, and their national equivalents, has become the dominant way these systems process corporate criminal exposure, regardless of which attribution model produced it.

The Legal Reform and Policy series extends the argument further: how special legislation like D.Lgs. 231/2001 sits alongside a jurisdiction's formal penal code, the subject of this site's article on criminal law codification movements; the broader administrative-versus-criminal boundary question, examined from the opposite direction, in this site's coverage of decriminalization trends in Europe; the proportionality framework behind negotiated corporate penalties, in this site's article on sentencing reform; and how legal systems set time limits on prosecuting corporate conduct, in this site's article on statute of limitations in comparative perspective. This site's article on artificial intelligence and criminal accountability extends the same organizational-fault logic examined here to AI-mediated harm.