Wednesday, December 17, 2025
Compliance for a company: starting kit for 2026


If you are a mid‑size company planning to build or reboot a compliance program in 2026, you are doing it at a moment of heightened expectations and practical opportunity. Enforcement remains active in anti‑corruption and antitrust, EU AI Act obligations are phasing in for deployers and high‑risk use cases through 2026, and the EU AML package is moving from adoption to implementation. Boards expect measurable risk reduction from lean teams, with clear evidence that controls work. This starting kit is a pragmatic, risk‑based blueprint for intermediate‑sized enterprises that want to move fast in 2026 and stay credible with auditors and regulators.

What “good compliance” means in 2026
Good compliance is not a document set; it is a system that prevents, detects and responds to legal and ethical risks, proportionate to your business model and footprint. The essential elements are stable across frameworks like Loi Sapin II, ISO 37001, UNE 19603, UNE 19601, AML rules and the EU AI Act. The differences sit in scope, depth and evidence.
- Prevention (codified expectations and training) includes your code of conduct plus targeted policies like anti‑bribery, antitrust and AML.
- Detection (risk mapping, monitoring and speak‑up) gives you early signals.
- Response (remediation and disciplinary actions) demonstrates control and learning.
Auditors will look for a risk‑based rationale, consistent execution and traceable evidence that controls operate as designed.
Your 2026 starting kit, the 12 deliverables to put in place
These are the minimum elements and workflows that make a credible, cross‑framework baseline for a mid‑market company. Keep them short, role‑based and updated.
- Risk map with owners and review cadence, a single view of corruption, antitrust, criminal, AML and AI risks, scored for likelihood and impact, with named risk owners and a quarterly refresh. See our practical guide on a simple, actionable risk map.
- Code of conduct, role‑based examples, translated where needed, acknowledged annually.
- Anti‑bribery policy, gifts and hospitality thresholds, third‑party red flags, approvals and books‑and‑records expectations, aligned with ISO 37001 and Sapin II.
- Antitrust do’s and don’ts, clear rules for pricing conversations, information sharing, trade association meetings and dawn raid readiness, aligned with UNE 19603. Context matters: the European Commission’s recent actions on resale price maintenance are a reminder. See our note on competition risk compliance.
- Criminal compliance framework for Spain (if applicable), a UNE 19601‑aligned crime risk assessment, disciplinary system and supervisory model. For a breakdown by Article 31 bis, read our overview of UNE 19601.
- Third‑party due diligence workflow, data you collect, screening criteria, escalation playbook and re‑assessment cadence. Integrate with procurement.
- Speak‑up and investigation process, confidential intake channels, triage timelines, investigation steps, root‑cause and remediation tracking.
- AML policy and KYC procedures (for obliged entities), risk‑based onboarding, screening, transaction monitoring thresholds and suspicious activity reporting.
- AI governance starter pack, inventory of AI systems, risk classification against the EU AI Act, role and responsibility matrix, human oversight plan and technical documentation checklist for high‑risk uses.
- Training plan and calendar, risk‑segmented curriculum, onboarding modules and annual refreshers with attestation and completion tracking.
- Control library and monitoring plan, a small set of key controls per risk, what data proves operation and how often you monitor.
- Remediation register, the single list of findings, actions, owners and deadlines, tied back to the risk map.
For deeper anti‑corruption risk scoping, you can borrow approaches from ISO 37001 risk determination. For Sapin II specifics and Article 17 expectations, see our guide to Sapin II program essentials.
Metrics that matter to your Board and auditors
Pick a handful, trend them monthly and tie them to actions.
- Risk coverage, percent of top risks with named control owners and monitoring cadence.
- Time to remediate, median days from issue logged to verified fix.
- Training effectiveness, completion and scenario quiz pass rates for high‑risk roles.
- Third‑party risk, percent of active high‑risk partners with completed due diligence and approvals.
- Policy adoption, acknowledgment rate and policy exceptions approved.
- Speak‑up timeliness, days to triage and days to close investigations.
- Control exceptions, number and severity trend, with root‑cause categories.
- AI and AML readiness, percent of AI systems inventoried and risk‑classified, percent of AML alerts triaged within service levels.
2025 regulatory context in one page
- EU AI Act, entered into force in 2024 with phased obligations: prohibited practices apply from early 2025, and general‑purpose and high‑risk system obligations phase in through 2025 to 2027. The European Commission’s overview page is a good starting point; see the AI Act explained guidance.
- EU AML package, the new Anti‑Money Laundering Regulation, a 6th AML Directive and the AML Authority were adopted in 2024, with the authority ramping up and most uniform rules applying after a transition period. Expect harmonized customer due diligence and group‑wide standards.
- Antitrust enforcement, pricing restraints and information exchange remain high‑risk.
- Sapin II and ISO 37001, auditors still expect a risk‑based program with third‑party diligence, targeted training and reasonable accounting controls, proportionate to your corruption exposure.
- UNE 19601 and 19603 in Spain, prosecutors and competition authorities look for real governance in place, risk assessments, supervision and effective disciplinary systems.
FAQs
What is the smallest credible compliance program for a mid‑sized company in 2025? A risk map with owners, a concise code of conduct, two high‑risk playbooks (anti‑bribery and antitrust), third‑party due diligence, speak‑up and investigation process, a short training plan, a control library with basic monitoring and a remediation register.
Which framework should I prioritize first? Start with the one that reflects your highest inherent risk. For many commercial firms this is anti‑corruption and antitrust. If you operate in Spain, align your crime prevention system with UNE 19601. If you deploy or procure AI, start your AI system inventory and classification.
What makes compliance training stick? Change sticks when training is short, relevant and frequent. Pair a concise code of conduct with focused, role‑specific learning so people see exactly how expectations apply to their work.
How does the EU AI Act affect non‑tech companies? The Act applies to providers and deployers. Even if you are not a software company, you may deploy AI systems in HR, access control or quality inspection. Inventory systems, classify risk, and prepare oversight and documentation for any high‑risk uses.
Do all companies need AML programs? No. AML obligations attach to specific obliged entities, for example financial services, crypto asset service providers and certain professional services. If you qualify, you must implement risk‑based CDD, screening, monitoring and reporting, aligned with the EU AML package and local rules.
Will auditors accept AI‑assisted policies and evidence? Yes. Auditors generally accept AI‑assisted drafting and data collection if you have human review, version control and can explain your methodology. The standard remains accuracy, completeness and consistency with your risk profile.
How much should we budget? It depends on footprint and risk. A lean, risk‑based starter program often focuses budget on training, third‑party diligence and automation that reduces manual work. Track time‑to‑remediate and exception rates to prove ROI.
Move faster with Naltilia
If you want this kit operational in weeks, not quarters, Naltilia can help. Our AI platform accelerates regulatory risk assessment, drafts tailor‑made policies, automates data collection for control monitoring and orchestrates remediation with workflow automation. Speak with a Naltilia expert to see how you can launch a credible, audit‑ready baseline.