The EU Anti-Corruption DirectiveOJ L, 2026/1021, 11.5.2026, ELI: http://data.europa.eu/eli/dir/2026/1021/oj. (the Directive) is the most significant EU-level anti-corruption initiative in more than two decades. The Directive creates a harmonized enforcement framework with common public and private sector corruption offense definitions, minimum sanctions, and binding prevention obligations, significantly raising the compliance baseline across all 27 Member States.
On December 2, 2025, the European Council and the European Parliament reached a provisional agreement on the Directive, which was endorsed by the Parliament on March 26, 2026, and the Council formally adopted the Directive on April 21, 2026. It was published in the Official Journal on May 11, 2026. Member States have until June 1, 2028, to transpose most provisions.
The Directive establishes both mandatory jurisdiction (offense committed in Member State territory or by a Member State national) and optional grounds (habitual residence, offenses benefiting an EU-established entity, business activity in the Member State). Companies that are headquartered outside the EU but have subsidiaries or business interests within the EU could face enforcement action even for conduct that occurs elsewhere, provided it was committed for the benefit of the subsidiary or in respect of business activities within the EU.
This Alert covers the most pertinent features of the Directive and outlines practical takeaways to help in-house counsel and compliance officers in companies with EU operations assess their compliance frameworks, ahead of the 2028 deadline.
The Directive establishes a comprehensive catalog of corruption-related criminal offenses. Below, we summarize the offenses most relevant to companies.
The public sector bribery offense (Article 3) covers both active bribery (offering or giving an undue advantage) and passive bribery (requesting or accepting an undue advantage) involving public officials, defined broadly to include (i) Member State national, EU, and third-country officials, (ii) officials of international organizations, as well as (iii) arbitrators and jurors.
The core element is providing an “undue advantage” in order “to act or refrain from acting in the exercise of that official’s functions.” The Directive and Recitals provide only limited guidance on what constitutes an “undue advantage.” Advantages can be tangible or intangible, pecuniary or non-pecuniary, and are not “undue” if they are permitted by law or if they involve very low-value gifts (Recital 13). However, what qualifies as “low value” will vary by Member State. Importantly, the Directive does not require the official to act in breach of duty, which is a departure from the Commissions 2023 proposal. The distinction between lawful and unlawful official acts only becomes relevant at sentencing (Article 12). The broad offense definition and absence of a de minimis exception require clear corporate policies on hospitality and interactions with public officials.
The private sector bribery offense (Article 4) mirrors Article 3 but applies to persons “who in any capacity direct or work for” a private sector entity (e.g., executives, managers, employees, and even persons engaged under service or consultancy contracts). Unlike the public sector offense, it also requires a breach of duty, resulting in a narrower scope of application.
This offense targets “influence peddling,” meaning using intermediaries to improperly influence public decision-making. The active side criminalizes promising, offering, or giving an advantage to induce improper influence over a public official with a view to obtaining an undue advantage. The passive side covers requesting or accepting such an advantage. Under Article 6(2), the offense is complete regardless of whether influence is actually exerted or leads to the intended result. It applies even when claimed influence is merely asserted. Unlike bribery, the public official does not need to be party to the corrupt arrangement.
The recitals clarify that “legitimate exercise of acknowledged forms of interest or legal representation” (e.g., regulated lobbying) is excluded (Recital 16). However, remuneration for representation can still constitute an “undue advantage” when other offense elements are met, creating only a narrow safe harbor for transparent, rules-compliant lobbying. The practical scope of this exclusion will vary across Member States depending on whether and how lobbying is regulated and will need to be assessed for each Member State.
Third-party due diligence should address trading in influence risk for agents, consultants, and lobbyists. Success fees tied to government contracts or favorable regulatory decisions warrant heightened scrutiny.
This offense criminalizes intentional concealment or disguise of property known to derive from corruption offenses. “Property” is defined broadly to include funds and assets of any kind, expressly covering cryptoassets and digital instruments.
Unlike enrichment (Article 9), which applies only to public officials, concealment can be committed by any person, including companies and employees who knowingly conceal corruption proceeds even if the underlying corrupt act was committed by others.
The concealment offense creates corporate exposure where funds or assets passing through the business trace to corruption in treasury, M&A transactions, joint ventures, or supply chain payments. AML and anti-corruption frameworks should be coordinated with enhanced due diligence for transactions with a public procurement nexus or in high-risk jurisdictions.
Beyond the core corruption offenses, the Directive establishes several other criminal offenses:
Article 5 (Misappropriation) criminalizes intentional misuse of entrusted property. In the public sector, it covers public officials who commit, disburse, appropriate, or use property contrary to its intended purpose. In the private sector, Member States may extend the offense to directors/employees who misuse entrusted property in business activities.
Article 7 (Unlawful Exercise of Public Functions) targets “serious violations of law” by public officials in the exercise of their functions. This offense applies only to public officials and has limited relevance for companies.
Article 8 (Obstruction of Justice) prohibits interference with justice in proceedings relating to the Directive’s corruption offenses. Any person can be liable, including employees, executives, agents, or third parties, regardless of their connection to the underlying corruption.
Article 9 (Enrichment From Corruption Offenses) applies only to public officials who knowingly acquire, possess, or use property derived from another official’s corruption, unlike the concealment offense (Article 10, see above).
Article 11 (Incitement, Aiding/Abetting, Attempt) establishes secondary liability for all Directive offenses. Member States must criminalize attempted enrichment and concealment and may also criminalize attempted bribery, misappropriation, and trading in influence.
Illegal political financing is not regulated by the Directive, though Recital 21 encourages Member States to consider criminalization when it threatens democracy.
Article 12 sets thresholds for Member States to ensure that their national laws provide for maximum imprisonment terms of at least the specified durations, meaning the upper limit of the sentencing range must be no lower than these thresholds (Member States may set higher maximums). The required “maximum thresholds” depend on the offense severity. Public sector bribery involving a breach of duty requires a sentencing range maximum of at least five years; misappropriation and concealment requires a sentencing range maximum of at least four years; and public-sector bribery without breach of duty, private-sector bribery, and trading in influence require at least three years. Additional sanctions may include fines, removal, or suspension from public office.
The Directive establishes two tracks of corporate liability: first, offenses committed for the benefit of the legal person by persons in a “leading position” (based on power of representation, authority to take decisions, or authority to exercise control); and second, offenses committed by persons under the authority of leading persons, if the offense was made possible by a “lack of supervision or control.” Corporate liability does not preclude parallel criminal proceedings against natural persons.
The Directive introduces a tiered corporate fine structure, which brings EU corporate fines closer to the severe fines seen under the US Foreign Corrupt Practices Act (US FCPA) and UK Bribery Act.
Similar to data protection and cartel fines, corruption fines will be calculated based on total worldwide turnover in the business year preceding the offense or decision (depending on the severity of the offense). A fixed-amount alternative applies when turnover cannot be determined.
|
Offense Category |
Maximum Fine (% of Global Turnover) |
Alternative Fixed Amount |
|
Bribery (public and private), misappropriation (Articles 3-5) |
5% of total worldwide turnover |
€40 million |
|
Trading in influence, obstruction, enrichment (Articles 6, 8, 9) |
3% of total worldwide turnover |
€24 million |
Beyond fines, Article 14 authorizes additional corporate sanctions depending on the gravity of the conduct, including
Unlike the US and UK, where Deferred Prosecution Agreements are central to US FCPA and the UK Bribery Act enforcement, the Directive does not harmonize negotiated resolutions, leaving Member States to adopt their own frameworks (or no framework at all).
The Directive establishes specific aggravating and mitigating factors. In particular, maintaining compliance programs only for cosmetic purposes (window dressing programs) can be treated as an aggravating factor. Genuinely implemented and effective compliance programs constitute a mitigating circumstance, whether established before or after the offense. This “after the offense” recognition means that a company’s response to compliance incidents (e.g., internal investigations and cooperation with authorities) will have a mitigating effect on the imposed fines. Companies will therefore need to demonstrate not merely that a program existed on paper but that it was actively implemented, regularly assessed, and effective in practice. Voluntary self-disclosure coupled with prompt remedial measures is similarly mitigating.
The Directive requires Member States to ensure that competent authorities have the power to identify, trace, freeze, seize, and confiscate instrumentalities and proceeds of offenses covered by the Directive, in accordance with EU Freezing and Confiscation Directive (2014/42/EU). Companies should have procedures to respond to asset-freezing orders and factor confiscation exposure into risk assessments.
The Directive adopts penalty-tier-based limitation periods. Member States must ensure that limitation periods are at least:
However, Member States may (within limits) establish shorter limitation periods if national law allows for interruption or suspension of the limitation period (for example, when charges are filed or when the accused flees the jurisdiction).
The enforcement landscape will become considerably more aggressive. The EU has a track record of imposing substantial fines under other directives requiring national transposition (triple-digit million-euro penalties are common in areas such as antitrust and data protection) and similar enforcement can now be anticipated also in the area of corruption.
Member States must maintain independent anti-corruption bodies with adequate resources and ensure that investigative tools comparable to those used against organized crime are available, including undercover operations, surveillance, and wiretapping.
A corruption incident in one Member State can rapidly escalate into multi-jurisdictional enforcement. Europol, Eurojust, the European Public Prosecutor’s Office, the European Anti-Fraud Office, and national authorities must coordinate, and cross-border investigations will become the norm rather than the exception (Articles 28 and 32).
Member States are legally obligated to transpose the Directive by June 1, 2028. Failure or delays may result in infringement proceedings and financial penalties imposed by the European Commission — a mechanism actively used in connection with other directives (e.g., the Whistleblower Protection Directive).
France approaches transposition from a comparatively advanced position. French law already criminalizes active and passive bribery of domestic, foreign, and international public officials and private-sector actors, along with trading in influence, obstruction of justice, misappropriation, concealment and money laundering. Limitation periods, asset recovery proceedings, and anti-corruption bodies are on par or stricter than the Directive’s provisions.
Several targeted adjustments may nonetheless be required. Although concealment of corruption proceeds is captured by general money-laundering offenses, French law lacks a dedicated offense of enrichment derived from another person’s corruption; a stand-alone incrimination or specific aggravating circumstance may therefore be required.
Moreover, although general corporate criminal liability has long been recognized in France, the Directive’s reliance on liability arising from a “lack of supervision or control” by persons in a leading position may call for legislative clarification, as French corporate liability can be triggered by a wide array of individuals, not only those in “leading positions.”
More significant adjustments can be expected on the sanctions side. The current corporate fine framework (fixed statutory fines multiplied by five, capped at €10 million for aggravated offenses) does not fit the Directive’s turnover-based model, which requires a threshold of 5% of the worldwide turnover threshold and a fine of up to €40 million for serious offenses.
On the prevention side, French law already imposes compliance obligations on companies meeting statutory thresholds. Transposition will nonetheless require express criminal law recognition of mitigating factors (effective compliance programs, voluntary cooperation) and aggravating factors (purely formal window dressing programs). This represents a significant modification, as French criminal law currently includes no mitigating circumstances other than the specific circumstance related to mental illness.
Although these factors are already considered by the National Financial Prosecutor’s Office within judicial public interest agreements and published as guidelines, formal codification may be required to ensure legal certainty and full alignment with the Directive’s mitigating and aggravating regime, including the express valuation of voluntary self-disclosure and cooperation with the authorities.
Germany faces substantial transposition challenges. The current anti-corruption framework rests on distinct public sector and private sector bribery offenses, which are broadly similar to the Directive. However, trading in influence has no direct equivalent in German law. The concealment offense must also be created as a stand-alone provision or integrated into existing money-laundering rules. The limitation period framework will require alignment with the Directive’s minimum periods.
Most importantly, Germany lacks general corporate criminal liability. Corporate sanctions are imposed through administrative fines capped at €10 million for intentional misconduct, with any excess recovered through disgorgement of profits. Fines of up to 5% of worldwide turnover will often exceed current thresholds. Mitigating and aggravating factors are not codified. While German courts have recognized the relevance of compliance programs to sentencing (as confirmed by the Federal Court (BGH) in 2022), this recognition currently rests on case law alone.
An amendment of the relevant section in the Administrative Offences Act (Sec. 30 OWiG) could be sufficient to implement the Directive’s requirements, and it would avoid the complexities of introducing full corporate criminal liability regime in Germany. Whether Germany pursues this route or attempts a more comprehensive corporate sanctions statute remains an open question, but the German legislator is seemingly in favor of adjusting the Administrative Offences Act accordingly. In late April 2026, the German government adopted a draft bill that will increase the maximum corporate penalty to €40 million and introduce binding criteria for prosecutors when assessing corporate fines, including the severity of the offense, the company’s financial circumstances, and its cooperation efforts. The draft bill has to still pass the German Parliament (Bundestag) and the Federal Council (Bundesrat).
Moreover, several of the Directive’s other corporate sanctions, including judicial supervision and judicial winding-up, are novel to the German legal system.
Italy’s criminal framework already covers most of the Directive’s core offenses. However, Article 7 of the Directive (Unlawful Exercise of Public Functions) has sparked discussions about the need to reinstate the offense of “Abuse of Office” (Abuso d’ufficio), which was abolished in 2024, or to introduce other offenses targeting at least certain intentional and “serious violations of law” by public officials in the exercise of their functions. In addition, certain offenses already provided for under the Italian Criminal Code may need to be reviewed in light of the Directive’s broader definitions of, among others, “Misappropriation” (Article 5) and “Trading in Influence.” Penalties and limitation periods may also require review against the Directive’s minimum requirements.
Italy already has a structured corporate liability regime under Legislative Decree No. 231/2001, generally aligned with the provisions of the Directive, providing for both monetary and other types of sanctions (such as disqualifications, temporary or permanent operative bans or prohibitions, confiscation of the price or profits of the crime, and publication of the judgment). To avoid or mitigate liability under this regime, a company must have adopted and implemented, before the commission of the relevant crime, a corporate criminal compliance system (a so-called “231 Model”) that is adequate to prevent the commission of the relevant crimes. However, the sanctioning framework for legal persons presents compatibility challenges, as the currently envisaged monetary fines are based on a quota system that also takes into account the company’s financial conditions, but without any specific reference to the company’s turnover as provided for under the Directive. Most notably, the current maximum monetary fines on legal entities for non-aggravated offenses under the current regime amount to approximately €1.5 million (as opposed to the alternative fixed amount of €40 million for bribery and misappropriation under the Directive).
Finally, companies adopting a 231 Model are already expected to implement a whistleblowing policy covering corruption offenses. However, Italy may need to review its Whistleblowing Directive implementing acts, as well as the role and powers of the Italian National Anti-Corruption Authority, in light of the Directive’s extended prevention, reporting, and investigation requirements.
Spain’s criminal framework already covers most of the Directive’s core offenses. However, targeted legislative amendments that require an Organic Law approved by an absolute majority of Congress will likely be necessary in several areas. The offense of trading in influence may need to be broadened or clarified to fully align with the Directive’s harmonized definition. Moreover, the regulation of abuse of functions (prevaricación) may require adjustment to ensure it captures serious breaches of duty by public officials in line with the Directive’s scope and sanctioning requirements. Obstruction of justice may need to be refined to explicitly cover interference — including through violence, threats, or inducements — with witnesses, evidence, or proceedings in corruption cases. Finally, Spain may need to assess whether its framework adequately addresses conduct comparable to illicit enrichment linked to corruption, whether through the introduction of a specific offense or equivalent legal mechanisms.
Penalties and limitation periods will also require review against the Directive’s minimums, with the current absence of any custodial penalty for the abuse of functions offense (prevaricación) being the most significant gap.
Spain already has a general corporate criminal liability regime (Article 31 bis of the Criminal Code, in force since 2010). Nevertheless, the catalog of offenses giving rise to corporate liability may need to be reviewed and, where necessary, expanded to ensure it fully covers the offenses harmonized under the Directive, including any adjustments to trading in influence and abuse of functions. More significantly, the sanctions framework applicable to legal persons may require recalibration. Spanish law currently relies primarily on fines linked to the benefit obtained or on fixed statutory ranges, and does not systematically incorporate turnover-based criteria, which may need to be included.
Beyond criminal law reform, Spain will likely need to adopt governance and institutional measures, such as adopting a comprehensive national anti-corruption strategy, strengthening existing institutional frameworks — including those relating to whistleblower protection and conflicts of interest — and further development of transparency and integrity rules, potentially including a more structured approach to the regulation of lobbying activities.
For general counsel and chief compliance officers, the Directive demands immediate attention: