No Result
View All Result
SUBSCRIBE | NO FEES, NO PAYWALLS
MANAGE MY SUBSCRIPTION
NEWSLETTER
Corporate Compliance Insights
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • Artificial Intelligence (AI)
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Downloads
    • Download Whitepapers & Reports
    • Download eBooks
  • Research
  • Books
    • CCI Press
    • New: Bribery Beyond Borders: The Story of the Foreign Corrupt Practices Act by Severin Wirz
    • CCI Press & Compliance Bookshelf
    • The Seven Elements Book Club
  • Podcasts
  • Webinars
  • Videos
  • Subscribe
Jump to a Section
  • At the Office
    • Ethics
    • HR Compliance
    • Leadership & Career
    • Well-Being at Work
  • Compliance & Risk
    • Compliance
    • FCPA
    • Fraud
    • Risk
  • Finserv & Audit
    • Financial Services
    • Internal Audit
  • Governance
    • ESG
    • Getting Governance Right
  • Infosec
    • Cybersecurity
    • Data Privacy
  • Opinion
    • Adam Balfour
    • Jim DeLoach
    • Mary Shirley
    • Yan Tougas
No Result
View All Result
Corporate Compliance Insights
Home Compliance

Operationalizing the EU Anti-Corruption Directive: A Practical Roadmap for Compliance Teams

Functions assessing their programs vs. the new directive typically fall into three maturity stages with different priorities

by Jan Stappers
July 7, 2026
in Compliance
eu flags

The EU Anti-Corruption Directive has familiar foundations. What’s different is its mandated compliance framework and penalties for programs that exist on paper and can’t show they work, writes Jan Stappers of Mitratech. The organizations transitioning the best will be those building and recording effective programs. 

Corruption imposes an enormous cost on the European economy and public trust. Fragmented, inconsistent national frameworks have created enforcement gaps that persistent wrongdoers have learned to exploit. The EU Anti-Corruption Directive 2026/1021 (ACD), in effect since May, responds to that structural weakness. It is the first EU-wide criminal law framework to harmonize anti-corruption obligations across all member states. It covers distinct offenses: bribery in the public and private sectors, trading in influence, conflicts of interest, misappropriation, unlawful exercise of public functions, obstruction of justice and enrichment derived from corruption.

For organizations operating across Europe, the directive creates a genuine opportunity alongside its well-publicized obligations. The compliance program that the directive incentivizes is precisely the program that reduces exposure to corruption in the first place: concerns raised before they become incidents, third-party relationships managed with rigor before they create liability and accountability embedded in governance rather than bolted on after a problem surfaces. Member states have until June 2028 to transpose the criminal law provisions and until June 2029 for the preventive measures. The practical preparation window opened in May, and organizations that use it well will find the transition less burdensome than those that wait.

The directive’s jurisdictional reach deserves early attention. An organization headquartered outside the EU does not sit beyond its scope by virtue of that fact alone. Where a non-EU parent operates through subsidiaries, maintains commercial relationships or conducts material business activity within the EU, conduct committed for the benefit of those interests may attract liability under the directive, irrespective of where that conduct took place. Any multinational with EU presence must treat the ACD as a group-level priority.

What the directive requires

The directive’s criminal law provisions establish the legal fundament. Its compliance program implications carry the greater practical weight, and two provisions in particular should anchor planning for every compliance leader.

The first is the introduction of a “failure to prevent” model of corporate liability. An organization may be held liable for a corruption offense committed for its benefit where it failed to put appropriate preventive measures in place. The second is the directive’s express recognition of genuinely implemented and effective compliance programs as a mitigating factor for legal persons. Where an organization can demonstrate structured preventive measures that go beyond mere formal documentation, the directive permits member states to reduce penalties that might otherwise reach 5% of worldwide annual turnover or fixed amounts of up to €40 million, depending on the offense. That combination creates a concrete incentive structure in which a well-designed program reduces the likelihood of an offense occurring and the consequences if one does.

The structural parallel to the UK Bribery Act’s Section 7 corporate offense is clear, though with an important distinction: Under the UK Bribery Act, adequate procedures can operate as a complete defense, but under the ACD, that is a mitigating factor for penalties. The existence and quality of a compliance program are nonetheless a direct element of legal exposure and the penalty calculus.

At the program level, the directive assumes the existence of five interconnected components:

  • Confidential reporting mechanisms through which employees and relevant third parties can raise concerns without fear of retaliation.
  • Regular training on anti-corruption obligations, tailored to role and exposure level across the organization.
  • Documented policies governing conflicts of interest, gifts, hospitality and interactions with public officials with evidence of acknowledgement and understanding across the workforce.
  • Due diligence on third parties, intermediaries and supply chain partners whose relationships create corruption exposure with documented monitoring over time.
  • Periodic risk assessments identifying where the organization’s activities and operating environments generate the greatest legal and reputational vulnerability.

These components are mutually reinforcing. A risk assessment that identifies high-risk third-party relationships should drive due diligence processes; due diligence findings should inform training design; training and policy acknowledgement produce the evidential record that a regulator or prosecutor will request when examining whether preventive measures were genuinely in place. A compliance program is evidenced by what it did when tested. The record of how a concern was raised and handled, how a third party that failed due diligence was managed and what was done when a training gap came to light is the substance behind the structure.

forced labor
Featured

The EU Is Making Forced Labor a Trade Compliance Problem, Not Just an ESG Issue

by Allison Raley and Nikita Kulkarni
May 20, 2026

Read moreDetails

The challenge of managing transpositions

A single liability standard will produce 27 distinct national implementations. The directive sets minimum standards; member states retain freedom to go further, and enforcement cultures will vary across jurisdictions as they have under every EU directive of comparable scope. A comparison of the current regulatory landscape across EU jurisdictions identifies material differences already anticipated in Belgium, Germany, Italy, France, Poland and the Netherlands, with penalty thresholds, corporate liability structures and sector-specific considerations varying in ways that will shape the compliance architecture organizations need in each market.

The question of how to maintain consistent program standards across entities facing different national legal requirements, while evidencing compliance to the relevant regulator in each jurisdiction, is a design challenge rather than a compliance gap. Organizations best positioned to navigate it are those building against the highest likely standard rather than the lowest confirmed one, maintaining documentation and audit trail practices adaptable to local requirements and ensuring consolidated visibility across their European operations.

Organizations that have worked through EU Whistleblowing Directive compliance or GDPR program governance will recognize the architecture. The ACD adds a layer to a design problem with which many European compliance functions have substantial experience, and the approaches developed in those contexts translate directly.

A prioritized action framework

Most compliance functions assessing themselves against the directive fall into one of three maturity stages each with a different priority.  

Early-stage programs, where the five components exist but are managed manually, inconsistently or without a consolidated audit trail, benefit most from prioritizing documentation and evidence architecture. The most useful starting point is a systematic gap analysis, mapping existing capabilities against the directive’s five requirement areas and establishing the strength of the evidential record currently available. The gaps most likely to attract regulatory attention in a “failure to prevent” context are the natural priority.

Mid-stage programs, where components are reasonably documented but managed across separate functions and systems, face a coherence challenge. The mitigation defense depends on a program that can be presented as an integrated whole. Consolidating the evidential trail into a navigable, auditable record is typically the highest-value investment at this stage, and it is the foundation on which the more sophisticated preventive measures the directive expects can be built.

Advanced programs, where integration exists but cross-jurisdictional consistency is the outstanding challenge, are well served by using the transposition period to stress-test against the June 2028 deadline in the jurisdictions carrying the most significant profile. Engaging local counsel in priority markets before national implementing legislation is finalized surfaces where the group standard will require supplementation.

Across all maturity stages, the evidential discipline that makes the difference comes down to recording decisions alongside policies. A policy document establishes the standard; the record of how that standard was applied when it mattered is what the compliance program actually demonstrates to an authority examining whether preventive measures were genuinely operational.

The EU Anti-Corruption Directive requirements draw on the architecture that practitioners have built under the UK Bribery Act, the FCPA and the frameworks established by the OECD and Council of Europe. What it adds is a mandatory legal framework across the EU, a statutory structure that penalizes the absence of genuine preventive measures through failure-to-prevent models while rewarding their presence through the mitigating factor for legal persons and a timeline that leaves considerably less room for deliberation than a “2028” headline suggests.

Tags: Anti-Corruption
Previous Post

Anticipating & Acting on the Challenges for the Chair & Board of 2030

Jan Stappers

Jan Stappers

Jan Stappers is executive vice president of GRC strategy at Mitratech. He formerly was directly of regulatory solutions and NAVEX and has had a variety of advisory and expert appointments with European and international bodies working on AI, data protection and regulatory standards.

Related Posts

forced labor

The EU Is Making Forced Labor a Trade Compliance Problem, Not Just an ESG Issue

by Allison Raley and Nikita Kulkarni
May 20, 2026

Most forced labor compliance frameworks ask companies to publish statements and describe their policies. The EU's new forced labor regulation...

Richard Nixon Giving "V" Sign After Resignation

What Detractors Keep Getting Wrong About the FCPA

by Martin J. Weinstein
April 1, 2026

FCPA rewards companies; it doesn’t hamstring them

nathan gill former MEP

The UK Bribery Act Gets First Conviction of Politician After 15 Years

by Naomi Grossman
December 16, 2025

Messages with coded language like "Xmas gifts" and "postcards" show how bribery often hides in plain sight

fcpa blueprint

‘Bribery Beyond Borders’: How the FCPA Became a Global Anti-Corruption Blueprint

by Severin Wirz
December 2, 2025

The debut book by legal historian Severin Wirz, “Bribery Beyond Borders: The Story of the Foreign Corrupt Practices Act,” is...

No Result
View All Result

Privacy Policy | AI Policy

Founded in 2010, CCI is the web’s premier global independent news source for compliance, ethics, risk and information security. 

Got a news tip? Get in touch. Want a weekly round-up in your inbox? Sign up for free. No subscription fees, no paywalls. 

Follow Us

Browse Topics:

  • CCI Press
  • Compliance
  • Compliance Podcasts
  • Cybersecurity
  • Data Privacy
  • eBooks Published by CCI
  • Ethics
  • FCPA
  • Featured
  • Financial Services
  • Fraud
  • Governance
  • GRC Vendor News
  • HR Compliance
  • Internal Audit
  • Leadership and Career
  • On Demand Webinars
  • Opinion
  • Research
  • Resource Library
  • Risk
  • Uncategorized
  • Videos
  • Webinars
  • Well-Being
  • Whitepapers

© 2026 Corporate Compliance Insights

Welcome to CCI. This site uses cookies. Please click OK to accept. Privacy Policy
Cookie settingsACCEPT
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
SAVE & ACCEPT
No Result
View All Result
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • Artificial Intelligence (AI)
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Downloads
    • Download Whitepapers & Reports
    • Download eBooks
  • Research
  • Books
    • CCI Press
    • New: Bribery Beyond Borders: The Story of the Foreign Corrupt Practices Act by Severin Wirz
    • CCI Press & Compliance Bookshelf
    • The Seven Elements Book Club
  • Podcasts
  • Webinars
  • Videos
  • Subscribe

© 2026 Corporate Compliance Insights