The EU Anti-Corruption Directive has been published in the Official Journal of the European Union. That moment, which many compliance leaders have been anticipating since the Commission first proposed harmonized anti-corruption legislation back in 2023, has now passed.
The Directive enters into force 20 days after publication. Member states have 24 months to transpose it into national law, with an extended 36-month window for obligations tied to national anti-corruption strategies and risk assessments. The clock is running.
For organizations operating across the EU, this is not a future obligation to monitor. It is a present one to act on now.
What the Directive Actually Requires
The Directive establishes a harmonized baseline for anti-corruption criminal offences across all 27 EU member states. That is its foundational purpose: to close the enforcement gaps that fragmented national laws have permitted for decades. It covers common definitions of corruption offences, including bribery, misappropriation, obstruction of justice, trading in influence, unlawful exercise of functions, illicit enrichment linked to corruption, concealment, and private-sector corruption.
The trading in influence offence deserves particular attention. It is new in many member states. Any organization that employs lobbyists, government relations advisers, or intermediaries who interact with public officials in EU markets needs to examine those relationships carefully and document that examination.
For legal persons, the liability standard is broad. Organizations can be held liable where an offence was committed for their benefit by a person in a leading position, or where a failure to supervise or control made the offence possible. That second limb is the one that should concentrate leadership minds. The absence of adequate oversight is itself a route to liability, not merely a mitigating consideration.
The penalties reflect that intent and are substantial. Maximum fines for bribery and misappropriation must reach at least 5% of total worldwide turnover or EUR 40 million, whichever is higher. For trading in influence and related offences, the threshold is 3% of worldwide turnover or EUR 24 million. Beyond financial penalties, sanctions can include exclusion from public tenders, withdrawal of permits, disqualification from business activities, and judicial supervision. For a multinational, this is not just a compliance risk. It is a business continuity risk.
The Compliance Program Defense and Why It Matters Now
Here is the part that often gets underweighted in the initial read of a new regulation. The Directive does not formally require private sector organizations to train their staff, but effective compliance programs, which will typically include training, are a formal mitigating factor. The absence of a well-documented training program could therefore increase fines if a prosecution is brought.
That recognition is not a full defense against liability, but it is a material one. Regulators and courts will distinguish between organizations that can demonstrate a structured, operating program and those that cannot.
We have seen this dynamic play out before, under the UK Bribery Act, under the US FCPA, and through GDPR enforcement. The organizations that fare better are consistently those that invested in building the program before the examination, not those that scrambled to document it after the fact.
The question to ask today is not whether your program would pass a theoretical audit. The question is whether you could place the evidence of that program (training records, policy attestations, third-party due diligence documentation, incident reporting data, risk assessment outputs) in front of a national competent authority and have it withstand scrutiny, with all of it connected, auditable, and current across every operating jurisdiction. The reputational cost of a corruption prosecution, even one that does not result in conviction, is considerable. The reputational cost of being unable to demonstrate that you took the obligation seriously is worse.
There is a pattern I see consistently across organizations of all sizes and sectors: the various pillars of GRC (ethics and compliance, third-party risk, policy management, incident reporting) are managed in isolation from one another. This Directive is another signal that a fragmented approach will not hold under scrutiny. When a competent authority asks for evidence of a functioning program, they are not examining each element separately. They are asking whether the program is coherent, connected, and evidence-based. Organizations still running disconnected systems will find that question much harder to answer.
The Complexity Problem No One Has Fully Mapped
The 24-month transposition period sounds manageable until you map what it actually produces: 27 national implementations, each with its own interpretation of concepts like “undue advantage,” minimum value thresholds for gifts and hospitality, and the precise boundaries of the trading in influence offence. The Directive establishes minimum harmonization: member states can go further, and several might. What is lawful lobbying in one member state may look very different from an enforcement perspective in another.
For multinational organizations, this is not a single compliance challenge. It is 27 overlapping ones, with a single group-level liability standard sitting across all of them. A failure in one operating market can become a group-level enforcement event.
Staying informed on national transposition developments across all operating jurisdictions will itself require sustained effort, given the Directive’s minimum-harmonization approach.
Managing that complexity through manual processes, country-by-country spreadsheets, or disconnected point solutions is not a compliance program. It is a documentation exercise that will not hold up when tested.
Where to Start Right Now
If your organization has EU operations, EU customers, or EU supply chains, the Directive applies to you. The good news is that many organizations already have foundations to build on. The UK Bribery Act and FCPA have driven genuine ABC program development over the past decade. The task now is to assess where those programs meet the Directive’s requirements and where they fall short.
The organizations I see preparing well right now are not simply working through a compliance checklist. They are using this Directive as the prompt to build something more integrated: a GRC structure where risk data, policy compliance, third-party oversight, and incident reporting connect rather than operate in parallel. That kind of infrastructure takes time to build properly. The organizations that start in 2026 will have it operational and tested before enforcement begins. Those that wait until 2028 will be building under pressure, and regulators will be able to tell the difference.
The practical starting point is a gap assessment across five core program areas:
- Anonymous reporting channels: The Directive expects accessible, confidential mechanisms for employees and third parties to report suspected corruption. If your current whistleblowing infrastructure does not meet that standard across all EU markets, that is a first gap to close.
- Staff training: As noted, training is not formally mandated, but its absence will be noticed. Training records need to exist, be current, and cover the right populations, including anyone with exposure to public officials or third-party intermediaries.
- Documented and attested policies: Policies need to reflect the Directive’s scope, including the trading in influence offence. Attestation records matter. A policy that exists but has not been actively communicated provides limited mitigation.
- Third-party due diligence: The liability standard for failures to supervise makes third-party risk a direct corporate exposure. ABC due diligence processes need to be documented, proportionate to risk, and applied consistently.
- Enterprise risk and program oversight: This is where most organizations have the most work to do. The Directive requires compliance functions to demonstrate not just that policies exist but that the program is genuinely operating and subject to oversight at the appropriate level.
The European Commission’s EU legislation on anti-corruption and the European Parliament Think Tank’s analysis of the Directive are both worth reading in full. They set out the regulatory intent behind the text and are useful for calibrating the gap assessment.
For most organizations, at least one of those areas will be inadequate for the standard the Directive now requires. The organizations that close those gaps in 2026 will be in a materially stronger position when member states begin enforcement in 2028. Those that wait will be building their program under regulatory pressure rather than ahead of it.
One final point I will be tracking closely: how member states transpose this Directive into national law. Minimum harmonization has a consistent track record. GDPR, the Whistleblowing Directive, and successive Anti-Money Laundering Directives all produced material divergence between member state implementations over time. The same will happen here. The gap between the Directive’s baseline and what individual member states choose to require in practice will matter significantly for how multinational organizations calibrate their programs.
I will be sharing analysis here as national transpositions develop. By the time enforcement arrives in 2028, the landscape will already look considerably more complex than the Directive text alone suggests.
The Directive is now published. The program build starts now.
