Eni: The compliance façade

Nearly 25 years after the events that profoundly impacted my professional trajectory, Eni formally acknowledged my whistleblowing report, accepting it in August 2025 within its internal system.

What one would expect at that point is a serious, independent investigation aligned with the very principles the company claims to uphold - including those embedded in its internal policies and international standards such as ISO 37301.

However, what has unfolded in practice is something quite different.

There has been no concrete evidence of a substantive investigation into the facts presented. Instead, the response has been limited to formal, template-based communications, with no real transparency regarding the investigative process, the criteria applied, or the conclusions effectively reached.

The situation becomes even more concerning when considering that:

✔️ no independent external review of the case was conducted, as formally confirmed by RINA;

✔️ the entire investigative process remained fully under the company’s control;

✔️ and yet, there is no access to the substantive content of the alleged findings.

More recently, by exercising my right of access under the GDPR, I requested access to the personal data processed in the context of this investigation - including those contained in the whistleblowing assessment report.

The response from the Data Protection Officer was clear in denying access to internal documentation.

This raises an unavoidable question:

📌 how can an effective investigation be asserted without any transparency regarding the elements that would substantiate it?

📌 If an investigation did take place, where are the verifiable elements that demonstrate it?

📌 If not, what exactly was assessed?

Facts, documents, and timelines speak for themselves.

This is not just an individual case.

It is a real test of what commonly used corporate terms truly mean: ethics, transparency, and accountability.

Because in the end, compliance is not what is written in policies or institutional reports.

Compliance is what can be proven when it is truly put to the test.

🛑 Note:

Learn more by accessing the Flinto Case:

✅ 1) Memorial (1999–2025);

✅ 2) Chronology of Facts for the Reconstruction of Events supported by documentary evidence;

Compliance cannot be a trophy on the wall. It must be real practice.

Over the past months, I have lived through an experience that exposes a serious structural weakness in corporate compliance models based solely on formal certifications.

When I requested that my concrete case - a formal complaint, officially accepted and investigated - be used as a practical compliance test, I received a clear response from the certification body responsible for ISO 37301:2021:

📌 No material analysis was carried out. No real case was audited. No investigation was examined.

This reveals a systemic problem:

Companies display sophisticated certifications, international seals, impeccable policies, extensive codes of ethics - but without any real-world validation of practice.

When compliance is not tested through real cases, it turns into:

✔️ institutional rhetoric

✔️ reputational marketing

✔️ formal shielding

✔️ and, ultimately, regulatory fiction

The question that remains is simple:

📌 What is the value of a compliance system that is not tested when it truly matters?

Certifications cannot be mere trophies on the wall.

They must be living instruments of control, transparency, and real accountability.

Without this, the gap between discourse and practice widens - and public trust disappears.

Compliance cannot be theater. And certification cannot be marketing.

What I have witnessed over the past months exposes a deep structural fragility in the current model of compliance certification, especially regarding ISO 37301:2021.

In practice, what should function as a robust instrument of governance, prevention, control, and protection of rights often reveals itself to be an empty bureaucratic ritual, aimed far more at building reputation than at verifying real-world conduct.

A surveillance audit that does not analyze a single real case, does not examine actual investigations, does not test operational mechanisms, and ignores documented situations of retaliation, SLAPP lawsuits, and professional destruction, is simply not an audit. It is formality. It is performance. It is cosmetic compliance.

When a standard is not accredited by national accreditation bodies, lacks effective independent public oversight, and relies almost exclusively on procedural and documentary checks, the risk becomes evident: a self-referential system emerges, in which organizations validate their own narratives, without any genuine confrontation with reality.

This picture becomes even more troubling when the certified company and the certification body operate within the same national corporate ecosystem, sharing institutional, economic, and cultural proximity - as in the case of Eni and RINA SERVICES.

The risk of corporate solidarity, structural complacency, and symbolic mutual validation is not theoretical - it is systemic.

The outcome is perverse:
✔️ impeccable policies on paper
✔️ sophisticated codes of ethics
✔️ international certifications displayed as trophies
✔️ and, at the same time, absolute silence in the face of real violations

This is not compliance.

This is reputation management.

Real compliance disturbs, questions, exposes weaknesses, tests limits, and protects whistleblowers.

When it fails to do so, it becomes an instrument of institutional shielding.

The essential - and uncomfortable - question is simple:

📌 What is the value of a compliance certification that cannot detect, analyze, and respond to concrete cases of abuse, retaliation, and systematic professional destruction?

If it cannot do that, then it serves only reputational marketing.

And that undermines not just the credibility of one standard, but public trust in the entire international compliance system.

Compliance cannot be a trophy on the wall.

It must be a living, concrete, tested, and verifiable practice.

Without that, all that remains is institutional hypocrisy with an international seal of approval.