Tuesday, December 9, 2025
Compliance under Loi Sapin II explained


If your company operates in France, or you head a group with a parent company established in France, understanding compliance under Loi Sapin II is business critical. Article 17 of the law makes a structured anti-corruption program mandatory for large companies, and the French Anti‑Corruption Agency, the Agence Française Anticorruption (AFA), can audit and sanction non‑compliance. This guide explains why the law exists, who it applies to, what it requires in practice, and how it is enforced, with pragmatic steps for compliance leaders in intermediate-sized enterprises.

Why Sapin II exists
Loi Sapin II, adopted on 9 December 2016, responded to a convergence of pressures, both domestic and international. France faced high‑profile integrity scandals and growing expectations for transparency in public life. At the same time, several French multinationals had been sanctioned abroad under extraterritorial anti‑corruption regimes. A widely cited example is Alstom’s 2014 plea agreement in the United States, which included a 772 million dollar criminal penalty related to foreign bribery cases, illustrating how enforcement risk had shifted outside France for French corporations. See the U.S. Department of Justice announcement for details: Alstom 2014 plea.
At the policy level, the OECD Working Group on Bribery had urged France to strengthen both enforcement and corporate prevention measures. Its Phase 4 report continued to emphasize the need for robust compliance programs and credible enforcement mechanisms in France, reinforcing the rationale for Sapin II’s architecture. See the OECD’s analysis: OECD Phase 4 Report on France.
Sapin II’s purpose was therefore threefold: to reinforce transparency, fight corruption more effectively, and modernize economic life. The law introduced a mandatory anti‑corruption compliance framework for large companies through Article 17, created the AFA to both guide and control organizations, improved whistleblower protections, set rules on lobbying, and introduced the French deferred prosecution mechanism, the “convention judiciaire d’intérêt public” (CJIP). You can consult the law on Legifrance, the official French legal portal: Loi n° 2016‑1691, 9 Dec. 2016.
Who does Loi Sapin II apply to?
Article 17 applies to companies and to groups that exceed specific thresholds and have their parent company headquartered in France. In practice, two alternative criteria trigger the obligation to implement an anti‑corruption program:
- A single company established in France that employs at least 500 employees and has annual revenue above 100 million euros.
- A parent company established in France that heads a group employing at least 500 employees in total, with consolidated revenue above 100 million euros. In that case, the parent company is responsible for rolling out the compliance program across the group’s controlled subsidiaries, in France and abroad.
A few important clarifications for scope and perimeter:
- The headcount and revenue thresholds are assessed on an annual basis, using the most recent approved accounts. For groups, use consolidated figures.
- Controlled subsidiaries are covered by the parent’s program. The legal duty sits with the French parent that meets the thresholds.
- A French subsidiary that itself meets both thresholds is in scope in its own right, even if its ultimate parent is foreign.
- Companies below the thresholds are not subject to Article 17’s mandatory program, but many adopt its components as best practice, or to meet partner and lender expectations.
Illustrative scenarios:
| Situation | In scope under Article 17? | Why |
|---|---|---|
| French company with 650 employees and 150 million euros in revenue | Yes | The single entity meets both thresholds in France |
| French parent with 200 employees, but group totals 800 employees and 300 million euros | Yes | Group test applies because the parent is in France and consolidated thresholds are exceeded |
| French subsidiary of a foreign parent, 450 employees and 120 million euros | No under the group test, unless the subsidiary itself reaches 500 employees | The entity does not reach the headcount threshold, and the parent is not in France for the group calculation |
When in doubt, document your interpretation, especially in years when the company is close to a threshold due to acquisitions or divestitures.
What does Article 17 require?
Article 17 requires eight concrete components that together form a documented, risk‑based anti‑corruption compliance program. The AFA’s 2021 Recommendations provide detailed expectations for each element and examples of good practice.
- Code of conduct: Adopt and disseminate a code of conduct that defines and prohibits corruption and influence peddling, with clear examples tailored to your risk profile. It must be integrated into internal rules and be enforceable.
- Internal whistleblowing system: Set up a confidential channel to collect and process alerts regarding suspected corruption or influence peddling. Ensure accessibility for employees and relevant third parties, clear procedures, protection against retaliation, and timely triage and investigation.
- Corruption risk mapping: Conduct a structured risk assessment that identifies, analyzes, and prioritizes corruption and influence peddling risks by business line, geography, transaction type, partners, and exposure level. The methodology should be formalized, regularly updated, and supported with traceable data and interview notes. This is the backbone of proportionality for all other measures of the compliance program.
- Third‑party due diligence: Apply risk‑based due diligence to customers, suppliers, intermediaries, agents, and JV partners. Define criteria for risk tiers, perform initial and periodic reviews, verify beneficial ownership where appropriate, and escalate red flags with documented decisions.
- Accounting controls: Design and operate accounting and internal control procedures that prevent and detect concealment of corrupt payments, for example, segregation of duties, invoice substantiation, gifts and hospitality tracking, controls over facilitation payments, channeling of sponsorships and donations, and exception monitoring.
- Training of managers and exposed staff: Deliver targeted training and awareness to leadership and to personnel exposed to corruption risks, for example, sales, procurement, government interactions, finance. Track attendance and measure effectiveness.
- Disciplinary framework: Include specific disciplinary measures for breaches of the code of conduct, applicable to all levels of the organization and consistent with labor law. Ensure the framework is communicated and actually used when violations occur.
- Internal controls and program evaluation: Establish periodic testing and continuous improvement processes, including audits, KPIs, remediation tracking, and updates following incidents or organizational changes.
What good evidence looks like during an AFA audit:
| Program element | Purpose | Typical evidence the AFA may request |
|---|---|---|
| Code of conduct | Define expected behavior | Approved policy, dissemination records, translations, acknowledgment logs |
| Whistleblowing | Enable safe reporting | Channel access details, case register, timelines, investigation protocols, outcomes without personal data |
| Risk mapping | Proportionality basis | Methodology, risk universe, scoring criteria, interview minutes, heatmaps, approval trail |
| Third‑party due diligence | Prevent risky relationships | Procedures, risk tiers, sample files, screening results, escalation memos |
| Accounting controls | Detect and prevent concealment | Narrative of key controls, RACI, test plans, exception reports, remediation logs |
| Training | Build competence | Annual plan, curricula, attendance, assessment results |
| Disciplinary regime | Enforce standards | HR policy extracts, case anonymization, examples of applied measures |
| Evaluation | Improve over time | Internal audit reports, KPI dashboards, management reviews |
How does the AFA enforce Article 17?
The AFA is an administrative authority created by Sapin II to help organizations prevent and detect corruption, and to verify that large companies implement effective programs.
A typical AFA control includes document requests, interviews with leadership and operational teams, and testing of procedures and controls. At the end of the control, the AFA may issue recommendations, or it may refer the matter to its Sanctions Commission if it considers that Article 17 obligations are not met. The Commission can:
- Issue an injunction to implement or reinforce the program, with a defined timeline and under AFA oversight for a set period.
- Impose administrative fines up to 200,000 euros for individuals and up to 1,000,000 euros for legal entities, for breaches of Article 17 obligations.
Sanctions decisions are public, which raises reputational stakes in addition to legal exposure. See the Commission’s page for context: AFA Sanctions Commission.
Note that the AFA’s role is preventive and administrative. Criminal investigations and prosecutions for corruption offenses remain the remit of judicial authorities. In some cases, a company may enter into a CJIP for criminal matters, separately from the AFA’s administrative oversight.
Practical steps to reach compliance maturity
If you need to structure or refresh your program, a phased, risk‑based plan is more realistic than a one‑shot rollout. Below is a pragmatic sequence that meets AFA expectations while keeping workload manageable for intermediate-sized enterprises.
Days 0 to 30, set the foundation
- Confirm scope against thresholds, document perimeters, and identify controlled entities to be covered.
- Appoint a clear program owner and governance, with a steering committee that includes finance, procurement, sales, HR, and legal.
- Baseline what exists: code of conduct, policies, whistleblowing channel, training, controls, and recent incidents. Capture gaps.
Days 30 to 90, build your proportionality
- Run corruption risk mapping interviews by function and country, supported by data on transactions, public interactions, intermediaries, and donations or sponsorships.
- Approve risk criteria and scoring, define risk appetite, and generate a prioritized action plan that links each high risk to program measures.
- Update your code of conduct and disciplinary framework to embed anti‑corruption provisions aligned with the risk map, then communicate to all staff.
Days 90 to 120, operationalize controls
- Deploy your third‑party due diligence procedure with tiering, screening, questionnaires, and an escalation committee for red flags.
- Strengthen accounting and internal controls most relevant to your risk map, for example, invoice substantiation rules, approval thresholds, gifts and hospitality registers, and monitoring of high‑risk payments.
- Launch targeted training for leadership and exposed roles, record attendance, and test understanding.
- Stand up your evaluation loop, define KPIs, schedule periodic testing, and put remediation actions into a tracked workflow.
This sequence ensures your prevention system is traceable and proportional, which aligns with how the AFA assesses effectiveness.
Where AI can help, and how Naltilia supports Article 17 compliance
AI does not replace legal judgment, but it accelerates the heavy lifting that often slows Article 17 anti-corruption programs, reducing the implementation process by weeks. For example:
- Risk mapping at scale: machine‑assisted analysis of transaction data, public exposure, third‑party profiles, and country indices can speed up a robust corruption risk mapping, the foundation for proportional controls.
- Evidence collection and monitoring: automated retrieval of invoices, approvals, and exception logs reduces manual effort, maintains an auditable trail, and supports periodic control testing.
- Workflow and remediation: intelligent routing of corrective actions keeps your program moving and documented.
- Policy generation and maintenance: templated but tailored policies reduce drafting time and improve consistency across entities.
Naltilia provides an AI‑powered platform built for compliance teams that aligns with these needs, with capabilities for regulatory risk assessment, remediation actions, tailor‑made policies, automated data collection, and compliance workflow automation. This enables teams to build and maintain a proportional Article 17 anti-corruption program faster, with stronger traceability for AFA audits.
Key takeaways
- Sapin II emerged from a need to restore trust, respond to OECD recommendations and requirements, and reduce reliance on foreign enforcement. It created the AFA and made prevention programs mandatory for large companies.
- Article 17 applies to companies and groups with a parent established in France that exceed 500 employees and 100 million euros in revenue. French subsidiaries that meet these thresholds themselves are also in scope.
- The eight required pillars cover code of conduct, alerts, risk mapping, due diligence, accounting controls, training, discipline, and evaluation. Proportionality, documentation, and traceability are central.
- The AFA audits, issues recommendations, and can sanction non‑compliance, including fines and injunctions to implement or enhance programs under its oversight.
- A structured 120‑day plan and targeted use of AI for regulatory risk assessment, evidence collection, and workflow orchestration can materially reduce compliance burden while improving effectiveness.
References and further reading:
- Law text, Loi n° 2016‑1691 du 9 décembre 2016
- AFA, Recommendations, 2021
- AFA, Who we are
- OECD, Phase 4 Report on France
- DOJ, Alstom 2014 plea announcement