Operationalizing the EU Anti-Corruption Directive: A Practical Roadmap for Compliance Teams
The EU Anti-Corruption Directive has familiar foundations. What’s different is its mandated compliance framework and penalties for programs that exist on paper and can’t show they work, writes Jan Stappers of Mitratech. The organizations transitioning the best will be those building and recording effective programs.
Corruption imposes an enormous cost on the European economy and public trust. Fragmented, inconsistent national frameworks have created enforcement gaps that persistent wrongdoers have learned to exploit. The EU Anti-Corruption Directive 2026/1021 (ACD), in effect since May, responds to that structural weakness. It is the first EU-wide criminal law framework to harmonize anti-corruption obligations across all member states. It covers distinct offenses: bribery in the public and private sectors, trading in influence, conflicts of interest, misappropriation, unlawful exercise of public functions, obstruction of justice and enrichment derived from corruption.
For organizations operating across Europe, the directive creates a genuine opportunity alongside its well-publicized obligations. The compliance program that the directive incentivizes is precisely the program that reduces exposure to corruption in the first place: concerns raised before they become incidents, third-party relationships managed with rigor before they create liability and accountability embedded in governance rather than bolted on after a problem surfaces. Member states have until June 2028 to transpose the criminal law provisions and until June 2029 for the preventive measures. The practical preparation window opened in May, and organizations that use it well will find the transition less burdensome than those that wait.
The directive’s jurisdictional reach deserves early attention. An organization headquartered outside the EU does not sit beyond its scope by virtue of that fact alone. Where a non-EU parent operates through subsidiaries, maintains commercial relationships or conducts material business activity within the EU, conduct committed for the benefit of those interests may attract liability under the directive, irrespective of where that conduct took place. Any multinational with EU presence must treat the ACD as a group-level priority.
What the directive requires
The directive’s criminal law provisions establish the legal fundament. Its compliance program implications carry the greater practical weight, and two provisions in particular should anchor planning for every compliance leader.
The first is the introduction of a “failure to prevent” model of corporate liability. An organization may be held liable for a corruption offense committed for its benefit where it failed to put appropriate preventive measures in place. The second is the directive’s express recognition of genuinely implemented and effective compliance programs as a mitigating factor for legal persons. Where an organization can demonstrate structured preventive measures that go beyond mere formal documentation, the directive permits member states to reduce penalties that might otherwise reach 5% of worldwide annual turnover or fixed amounts of up to €40 million, depending on the offense. That combination creates a concrete incentive structure in which a well-designed program reduces the likelihood of an offense occurring and the consequences if one does.
The structural parallel to the UK Bribery Act’s Section 7 corporate offense is clear, though with an important distinction: Under the UK Bribery Act, adequate procedures can operate as a complete defense, but under the ACD, that is a mitigating factor for penalties. The existence and quality of a compliance program are nonetheless a direct element of legal exposure and the penalty calculus.
At the program level, the directive assumes the existence of five interconnected components:
- Confidential reporting mechanisms through which employees and relevant third parties can raise concerns without fear of retaliation.
- Regular training on anti-corruption obligations, tailored to role and exposure level across the organization.
- Documented policies governing conflicts of interest, gifts, hospitality and interactions with public officials with evidence of acknowledgement and understanding across the workforce.
- Due diligence on third parties, intermediaries and supply chain partners whose relationships create corruption exposure with documented monitoring over time.
- Periodic risk assessments identifying where the organization’s activities and operating environments generate the greatest legal and reputational vulnerability.
These components are mutually reinforcing. A risk assessment that identifies high-risk third-party relationships should drive due diligence processes; due diligence findings should inform training design; training and policy acknowledgement produce the evidential record that a regulator or prosecutor will request when examining whether preventive measures were genuinely in place. A compliance program is evidenced by what it did when tested. The record of how a concern was raised and handled, how a third party that failed due diligence was managed and what was done when a training gap came to light is the substance behind the structure.
The challenge of managing transpositions
A single liability standard will produce 27 distinct national implementations. The directive sets minimum standards; member states retain freedom to go further, and enforcement cultures will vary across jurisdictions as they have under every EU directive of comparable scope. A comparison of the current regulatory landscape across EU jurisdictions identifies material differences already anticipated in Belgium, Germany, Italy, France, Poland and the Netherlands, with penalty thresholds, corporate liability structures and sector-specific considerations varying in ways that will shape the compliance architecture organizations need in each market.
The question of how to maintain consistent program standards across entities facing different national legal requirements, while evidencing compliance to the relevant regulator in each jurisdiction, is a design challenge rather than a compliance gap. Organizations best positioned to navigate it are those building against the highest likely standard rather than the lowest confirmed one, maintaining documentation and audit trail practices adaptable to local requirements and ensuring consolidated visibility across their European operations.
Organizations that have worked through EU Whistleblowing Directive compliance or GDPR program governance will recognize the architecture. The ACD adds a layer to a design problem with which many European compliance functions have substantial experience, and the approaches developed in those contexts translate directly.
A prioritized action framework
Most compliance functions assessing themselves against the directive fall into one of three maturity stages each with a different priority.
Early-stage programs, where the five components exist but are managed manually, inconsistently or without a consolidated audit trail, benefit most from prioritizing documentation and evidence architecture. The most useful starting point is a systematic gap analysis, mapping existing capabilities against the directive’s five requirement areas and establishing the strength of the evidential record currently available. The gaps most likely to attract regulatory attention in a “failure to prevent” context are the natural priority.
Mid-stage programs, where components are reasonably documented but managed across separate functions and systems, face a coherence challenge. The mitigation defense depends on a program that can be presented as an integrated whole. Consolidating the evidential trail into a navigable, auditable record is typically the highest-value investment at this stage, and it is the foundation on which the more sophisticated preventive measures the directive expects can be built.
Advanced programs, where integration exists but cross-jurisdictional consistency is the outstanding challenge, are well served by using the transposition period to stress-test against the June 2028 deadline in the jurisdictions carrying the most significant profile. Engaging local counsel in priority markets before national implementing legislation is finalized surfaces where the group standard will require supplementation.
Across all maturity stages, the evidential discipline that makes the difference comes down to recording decisions alongside policies. A policy document establishes the standard; the record of how that standard was applied when it mattered is what the compliance program actually demonstrates to an authority examining whether preventive measures were genuinely operational.
The EU Anti-Corruption Directive requirements draw on the architecture that practitioners have built under the UK Bribery Act, the FCPA and the frameworks established by the OECD and Council of Europe. What it adds is a mandatory legal framework across the EU, a statutory structure that penalizes the absence of genuine preventive measures through failure-to-prevent models while rewarding their presence through the mitigating factor for legal persons and a timeline that leaves considerably less room for deliberation than a “2028” headline suggests.