If your company operates in France, or you head a group with a parent company established in France, understanding compliance under Loi Sapin II is business critical. Article 17 of the law makes a structured anti-corruption program mandatory for large companies, and the French Anti‑Corruption Agency, the Agence Française Anticorruption (AFA), can audit and sanction non‑compliance. This guide explains why the law exists, who it applies to, what it requires in practice, and how it is enforced, with pragmatic steps for compliance leaders in intermediate-sized enterprises.
Why Loi Sapin II Exists: Context and Regulatory Pressure
Loi Sapin II, adopted on 9 December 2016, responded to a convergence of pressures, both domestic and international. France faced high‑profile integrity scandals and growing expectations for transparency in public life. At the same time, several French multinationals had been sanctioned abroad under extraterritorial anti‑corruption regimes. A widely cited example is Alstom’s 2014 plea agreement in the United States, which included a 772 million dollar criminal penalty related to foreign bribery cases, illustrating how enforcement risk had shifted outside France for French corporations. See the U.S. Department of Justice announcement for details: Alstom 2014 plea.
At the policy level, the OECD Working Group on Bribery had urged France to strengthen both enforcement and corporate prevention measures. Its Phase 4 report continued to emphasize the need for robust compliance programs and credible enforcement mechanisms in France, reinforcing the rationale for Sapin II’s architecture. See the OECD’s analysis: OECD Phase 4 Report on France.
Sapin II’s purpose was therefore threefold, reinforce transparency, fight corruption more effectively, and modernize economic life. The law introduced a mandatory anti‑corruption compliance framework for large companies through Article 17, created the AFA to both guide and control organizations, improved whistleblower protections, set rules on lobbying, and introduced the French deferred prosecution mechanism, the “convention judiciaire d’intérêt public” (CJIP). You can consult the law on Legifrance, the official French legal portal: Loi n° 2016‑1691, 9 Dec. 2016.
Who Does Loi Sapin II Apply To? Thresholds and Scope
Article 17 applies to companies and to groups that exceed specific thresholds and have their parent company headquartered in France. In practice, two alternative criteria trigger the obligation to implement an anti‑corruption program:
- A single company established in France that employs at least 500 employees and has annual revenue above 100 million euros.
- A parent company established in France that heads a group employing at least 500 employees in total, with consolidated revenue above 100 million euros. In that case, the parent company is responsible for rolling out the compliance program across the group’s controlled subsidiaries, in France and abroad.
A few important clarifications for scope and perimeter:
- The headcount and revenue thresholds are assessed on an annual basis, using the most recent approved accounts. For groups, use consolidated figures.
- Controlled subsidiaries are covered by the parent’s program. The legal duty sits with the French parent that meets the thresholds.
- A French subsidiary that itself meets both thresholds is in scope in its own right, even if its ultimate parent is foreign.
- Companies below the thresholds are not subject to Article 17’s mandatory program, but many adopt its components as best practice, or to meet partner and lender expectations.
Illustrative scenarios:
Situation | In scope under Article 17? | Why |
|---|---|---|
French company with 650 employees and 150 million euros in revenue | Yes | The single entity meets both thresholds in France |
French parent with 200 employees, but group totals 800 employees and 300 million euros | Yes | Group test applies because the parent is in France and consolidated thresholds are exceeded |
French subsidiary of a foreign parent, 450 employees and 120 million euros | No under the group test, unless the subsidiary itself reaches 500 employees | The entity does not reach the headcount threshold, and the parent is not in France for the group calculation |
When in doubt, document your interpretation, especially in years when the company is close to a threshold due to acquisitions or divestitures.
What Does Article 17 Require? The Eight Program Components
Article 17 requires eight concrete components that together form a documented, risk‑based anti‑corruption compliance program. The AFA’s 2021 Recommendations provide detailed expectations for each element and examples of good practice.
Pillar one: Code of conduct
Adopt and disseminate a code of conduct that defines and prohibits corruption and influence peddling, with clear examples tailored to your risk profile. It must be integrated into internal rules and be enforceable.
Pillar two: Internal whistleblowing system
Set up a confidential channel to collect and process alerts regarding suspected corruption or influence peddling. Ensure accessibility for employees and relevant third parties, clear procedures, protection against retaliation, and timely triage and investigation.
Pillar three: Corruption risk mapping
Conduct a structured risk assessment that identifies, analyzes, and prioritizes corruption and influence peddling risks by business line, geography, transaction type, partners, and exposure level. The methodology should be formalized, regularly updated, and supported with traceable data and interview notes. This is the backbone of proportionality for all other measures of the compliance program.
Pillar four: Third‑party due diligence
Apply risk‑based due diligence to customers, suppliers, intermediaries, agents, and JV partners. Define criteria for risk tiers, perform initial and periodic reviews, verify beneficial ownership where appropriate, and escalate red flags with documented decisions.
Pillar five: Accounting controls
Design and operate accounting and internal control procedures that prevent and detect concealment of corrupt payments, for example, segregation of duties, invoice substantiation, gifts and hospitality tracking, controls over facilitation payments, channeling of sponsorships and donations, and exception monitoring.
Pillar six: Training of managers and exposed staff
Deliver targeted training and awareness to leadership and to personnel exposed to corruption risks, for example, sales, procurement, government interactions, finance. Track attendance and measure effectiveness.
Pillar seven: Disciplinary framework
Include specific disciplinary measures for breaches of the code of conduct, applicable to all levels of the organization and consistent with labor law. Ensure the framework is communicated and actually used when violations occur.
Pillar eight: Internal controls and program evaluation
Establish periodic testing and continuous improvement processes, including audits, KPIs, remediation tracking, and updates following incidents or organizational changes.
What good evidence looks like during an AFA audit:
Program element | Purpose | Typical evidence the AFA may request |
|---|---|---|
Code of conduct | Define expected behavior | Approved policy, dissemination records, translations, acknowledgment logs |
Whistleblowing | Enable safe reporting | Channel access details, case register, timelines, investigation protocols, outcomes without personal data |
Risk mapping | Proportionality basis | Methodology, risk universe, scoring criteria, interview minutes, heatmaps, approval trail |
Third‑party due diligence | Prevent risky relationships | Procedures, risk tiers, sample files, screening results, escalation memos |
Accounting controls | Detect and prevent concealment | Narrative of key controls, RACI, test plans, exception reports, remediation logs |
Training | Build competence | Annual plan, curricula, attendance, assessment results |
Disciplinary regime | Enforce standards | HR policy extracts, case anonymization, examples of applied measures |
Evaluation | Improve over time | Internal audit reports, KPI dashboards, management reviews |
How the AFA Enforces Article 17: Audits and Sanctions
The AFA is an administrative authority created by Sapin II to help organizations prevent and detect corruption, and to verify that large companies implement effective programs.
A typical AFA control includes document requests, interviews with leadership and operational teams, and testing of procedures and controls. At the end of the control, the AFA may issue recommendations, or it may refer the matter to its Sanctions Commission if it considers that Article 17 obligations are not met. The Commission can:
- Issue an injunction to implement or reinforce the program, with a defined timeline and under AFA oversight for a set period.
- Impose administrative fines up to 200,000 euros for individuals and up to 1,000,000 euros for legal entities, for breaches of Article 17 obligations.
Sanctions decisions are public, which raises reputational stakes in addition to legal exposure. See the Commission’s page for context: AFA Sanctions Commission.
Note that AFA’s role is preventive and administrative. Criminal investigations and prosecutions for corruption offenses remain the remit of judicial authorities. In some cases, a company may enter into a CJIP for criminal matters, separately from AFA’s administrative oversight.
How Sapin II compares to the FCPA and the UK Bribery Act
Many French companies face overlapping anti-corruption regimes — particularly multinationals listed in the United States, or with UK subsidiaries. The three frameworks share an objective but differ on scope, enforcement, and what a defensible program looks like.
Dimension | Loi Sapin II (France, 2016) | FCPA (US, 1977) | UK Bribery Act (UK, 2010) |
|---|---|---|---|
Prevention mandate | Article 17 - 8 mandatory pillars | No statutory prevention duty; DOJ ECCP guidance | Section 7 - "adequate procedures" as a defense |
Scope of bribery covered | Public and private sector | Foreign public officials only | Public and private sector |
Facilitation payments | Prohibited | Narrow statutory exception (permitted) | Prohibited |
Extraterritorial reach | Limited (French subsidiaries and groups) | Broad (issuers, domestic concerns, conduct in US) | Broadest of the three (any UK nexus) |
Primary enforcement body | AFA (administrative) + PNF (criminal) | DOJ + SEC | SFO |
Maximum corporate fine | €1M administrative; criminal up to 30% of average revenue via CJIP | Statutory caps per violation; typically negotiated up to nine-figure settlements | Unlimited |
Deferred prosecution tool | CJIP | DPA / NPA | DPA |
Self-reporting incentive | Material reduction via CJIP | Significant reduction via DOJ Corporate Enforcement Policy | Available but discretionary |
Sapin II is the most prescriptive of the three. The eight pillars of Article 17 are mandatory, not a defense. If a French company is in scope and lacks any pillar, the AFA can sanction even without proven corruption. The FCPA, by contrast, has no statutory prevention duty — what looks like one comes from prosecutorial guidance, not the law itself.
The UK Bribery Act has the harshest extraterritorial reach. Any commercial organization carrying on business in the UK can be prosecuted for failing to prevent bribery anywhere in the world, by anyone associated with it. A French company exporting to the UK is meaningfully exposed.
Facilitation payments — small "grease" payments to expedite routine government action — are permitted under the FCPA's narrow exception but prohibited under both Sapin II and the UK Bribery Act. Multinationals subject to all three should adopt the strictest standard and prohibit them outright.
The three regimes increasingly cross-reference each other in joint settlements. Airbus's 2020 resolution involved coordinated agreements with the French PNF, the UK SFO, and the US DOJ — €3.6 billion total, the largest cross-jurisdictional anti-corruption settlement to date.
The practical takeaway: a program built to satisfy Sapin II Article 17 with proper risk mapping and third-party due diligence is well-positioned to demonstrate "adequate procedures" under the UK Bribery Act and meet DOJ Evaluation of Corporate Compliance Programs expectations. The reverse is not true — an FCPA-only program will almost certainly miss several Sapin II pillars, particularly the disciplinary framework and the formalized risk map.
How the EU Whistleblower Directive reshaped Pillar 2
Pillar 2 of Article 17 — the internal alert system — was substantially strengthened by France's transposition of the EU Whistleblower Directive (Directive (EU) 2019/1937), enacted as the law of 21 March 2022 (commonly called the Waserman Law).
The changes that affect Sapin II program design:
- Broader protected reporters. Protection now covers not only employees but also former employees, candidates, contractors, suppliers, shareholders, and members of administrative or supervisory bodies, when they report in good faith.
- Broader protected reports. Sapin II originally focused on corruption and influence peddling. The 2022 transposition extended protection to reports of EU law breaches, threats to public health or the environment, and other categories.
- Faster feedback timelines. Acknowledgment within 7 days. Substantive feedback within 3 months.
- Explicit external reporting rights. Reporters can now bypass internal channels and report directly to the Défenseur des droits, the AFA, the AMF, or another competent regulator, without losing protection.
- Strengthened anti-retaliation. The burden of proof has shifted to the employer, and a broader range of detrimental measures is presumed retaliatory.
What this means in practice for an existing Sapin II program: most companies that built their alert system before 2022 need to refresh policies, expand the scope of receivable reports, update intake forms, retrain triage and investigation teams, and document the new 7-day and 3-month timelines.
The strategic point is harder to enforce but more important. Reporters who feel internal channels are inadequate can now go external without losing protection. That makes internal credibility a competitive necessity — a hotline that does not produce visible outcomes will simply be bypassed.
What is a CJIP, and when is it used?
The Convention Judiciaire d'Intérêt Public, or CJIP, is the French equivalent of a deferred prosecution agreement. Sapin II introduced it in 2016 to allow legal persons accused of corruption, influence peddling, tax fraud, and certain related offenses to resolve cases without a trial.
How a CJIP works:
- The Parquet National Financier (PNF) — or another prosecutor — proposes the convention.
- The company admits the facts (without formal admission of guilt) and accepts conditions, typically a public-interest fine, AFA-supervised compliance monitorship, victim compensation, and a remediation program.
- A judge (the President of the Tribunal Judiciaire) validates the agreement publicly.
- The convention is published on the PNF website. There is no criminal conviction, but reputational exposure is significant.
The fine is proportionate to the benefit derived from the misconduct, capped at 30% of the company's average annual revenue over the prior three years.
Notable CJIPs since 2016:
Year | Company | Public-interest fine | Subject |
|---|---|---|---|
2017 | €300M | Tax-related | |
2019 | €500M | Tax-related | |
2020 | €2.08B | Foreign bribery — coordinated with US DOJ and UK SFO | |
2022 | €508M | Tax-related |
A CJIP is not an admission of criminal liability and does not produce a conviction, but it almost always requires the company to implement or strengthen its Sapin II Article 17 program under AFA monitorship for two to three years. In practice, a CJIP and a Sapin II compliance overhaul become the same project. The reputational exposure is significant enough that the cost of remediation is often dwarfed by the cost of the publicity.
Practical steps to reach compliance maturity
If you need to structure or refresh your program, a phased, risk‑based plan is more realistic than a one‑shot rollout. Below is a pragmatic sequence that meets AFA expectations while keeping workload manageable for intermediate-sized enterprises.
Days 0 to 30, set the foundation
- Confirm scope against thresholds, document perimeters, and identify controlled entities to be covered.
- Appoint a clear program owner and governance, with a steering committee that includes finance, procurement, sales, HR, and legal.
- Baseline what exists, code of conduct, policies, whistleblowing channel, training, controls, and recent incidents. Capture gaps.
Days 30 to 90, build your proportionality
- Run corruption risk mapping interviews by function and country, supported by data on transactions, public interactions, intermediaries, and donations or sponsorships.
- Approve risk criteria and scoring, define risk appetite, and generate a prioritized action plan that links each high risk to program measures.
- Update your code of conduct and disciplinary framework to embed anti‑corruption provisions aligned with the risk map, then communicate to all staff.
Days 90 to 120, operationalize controls
- Deploy your third‑party due diligence procedure with tiering, screening, questionnaires, and an escalation committee for red flags.
- Strengthen accounting and internal controls most relevant to your risk map, for example, invoice substantiation rules, approval thresholds, gifts and hospitality registers, and monitoring of high‑risk payments.
- Launch targeted training for leadership and exposed roles, record attendance, and test understanding.
- Stand up your evaluation loop, define KPIs, schedule periodic testing, and put remediation actions into a tracked workflow.
This sequence ensures your prevention system is traceable and proportional, which aligns with how the AFA assesses effectiveness.
Where AI Can Help: Streamlining Article 17 Compliance
AI does not replace legal judgment, but it accelerates the heavy lifting that often slows Article 17 anti-corruption programs reducing implementation process by weeks. For example:
- Risk mapping at scale, machine‑assisted analysis of transaction data, public exposure, third‑party profiles, and country indices can speed up a robust corruption risk mapping, the foundation for proportional controls.
- Evidence collection and monitoring, automated retrieval of invoices, approvals, and exception logs reduces manual effort, maintains an auditable trail, and supports periodic control testing.
- Workflow and remediation, intelligent routing of corrective actions keeps your program moving and documented.
- Policy generation and maintenance, templated but tailored policies reduce drafting time and improve consistency across entities.
Naltilia provides an AI‑powered platform built for compliance teams that aligns with these needs, with capabilities for regulatory risk assessment, remediation actions, tailor‑made policies, automated data collection, and compliance workflow automation. This enables teams to build and maintain a proportional Article 17 anti-corruption program faster, with stronger traceability for AFA audits.
To learn more about how Naltilia can help you streamline Sapin II compliance, contact our experts.
Is Sapin III coming?
Discussions about a Sapin III have been active in French parliamentary and academic circles since 2021. No bill has been formally introduced as of 2026, but several proposals are gathering political momentum and worth tracking.
The most-discussed potential changes:
- Lowering Article 17 thresholds — extending mandatory anti-corruption programs to companies with 250 employees and €50 million in revenue, down from 500 / €100M. A 2024 Senate proposal pushed in this direction.
- Strengthening AFA powers — particularly around sanction levels, audit reach into subsidiaries, and consolidated oversight at group level.
- Integrating duty of vigilance and ESG — aligning Sapin II program design with the 2017 Loi sur le devoir de vigilance and the EU Corporate Sustainability Due Diligence Directive (CS3D), adopted in 2024.
- Expanding the AFA's preventive mission — to cover broader integrity risks, including conflicts of interest in public procurement and AI governance.
- Refining the whistleblower framework — although the 2022 Waserman Law already addressed most of this layer.
The realistic outlook for compliance teams:
A formal Sapin III bill is plausible but not imminent. Most experts expect changes to arrive piecemeal — via EU directive transpositions and AFA Recommendations updates — rather than through a single major reform. The AFA's 2021 Recommendations remain the authoritative reference until the next refresh, which is expected within the current AFA cycle.
The smart move for a company below the current thresholds is to design programs as if the thresholds will lower. A 300-employee company today that builds a Sapin II-aligned program now pays a modest pre-emption cost. The same company retrofitting under audit pressure pays a much larger one. The asymmetry favors early action.
Key takeaways
- Sapin II emerged from a need to restore trust, respond to OECD recommendations and requirements, and reduce reliance on foreign enforcement. It created the AFA and made prevention programs mandatory for large companies.
- Article 17 applies to companies and groups with a parent established in France that exceed 500 employees and 100 million euros in revenue. French subsidiaries that meet these thresholds themselves are also in scope.
- The eight required pillars cover code of conduct, alerts, risk mapping, due diligence, accounting controls, training, discipline, and evaluation. Proportionality, documentation, and traceability are central.
- The AFA audits, issues recommendations, and can sanction non‑compliance, including fines and injunctions to implement or enhance programs under its oversight.
- A structured 120‑day plan and targeted use of AI for regulatory risk assessment, evidence collection, and workflow orchestration can materially reduce compliance burden while improving effectiveness.
References and further reading:
- Law text, Loi n° 2016‑1691 du 9 décembre 2016
- AFA, Recommendations, 2021
- AFA, About us
- OECD, Phase 4 Report on France
- DOJ, Alstom 2014 plea announcement
Frequently Asked Questions
What is Loi Sapin II?
Loi Sapin II is a French law adopted on 9 December 2016 that introduced mandatory anti-corruption compliance obligations for large companies, strengthened whistleblower protections, created the French Anti-Corruption Agency (AFA), and established the CJIP deferred prosecution mechanism. Article 17 is its core corporate compliance requirement.
Who does Loi Sapin II apply to?
Article 17 applies to companies and groups with a parent established in France that exceed 500 employees and 100 million euros in annual revenue. For groups, both thresholds are assessed on consolidated figures. A French subsidiary that meets both thresholds in its own right is also in scope, regardless of where its ultimate parent is headquartered.
What are the eight pillars of Article 17?
Article 17 requires: (1) a code of conduct, (2) an internal whistleblowing system, (3) a corruption risk mapping, (4) third-party due diligence, (5) accounting controls, (6) training of managers and exposed staff, (7) a disciplinary framework, and (8) periodic internal controls and program evaluation.
What does the AFA look for during an audit?
The AFA assesses whether each of the eight program components exists, is proportionate to the company's risk profile, is actually applied in practice, and is supported by traceable evidence. Auditors typically request policy documents, risk mapping methodology, training records, third-party due diligence files, and remediation logs.
What are the sanctions for non-compliance with Article 17?
The AFA's Sanctions Commission can issue injunctions to implement or reinforce a program, impose fines of up to 200,000 euros on individuals, and up to 1,000,000 euros on legal entities. Sanctions decisions are made public, adding reputational exposure on top of the financial penalty.
How long does it take to build a compliant Article 17 program?
A structured rollout can be achieved in approximately 120 days: the first 30 days to baseline existing controls and confirm scope, days 30 to 90 to complete risk mapping and update core policies, and days 90 to 120 to operationalize third-party due diligence, accounting controls, training, and the evaluation loop.
Does Loi Sapin II apply to foreign subsidiaries of French companies?
Yes. When a French parent meets the thresholds, the obligation to implement an anti-corruption program extends to its controlled subsidiaries, including those located outside France. The French parent is legally responsible for rolling out the program across the group.
What is the difference between the AFA and judicial authorities under Sapin II?
The AFA's role is preventive and administrative — it verifies program compliance and can sanction Article 17 breaches. Criminal investigations and prosecutions for corruption offenses remain the remit of judicial authorities. A company may face both AFA administrative oversight and a separate CJIP negotiation for criminal matters.
What is a CJIP under Sapin II?
The Convention Judiciaire d'Intérêt Public is the French deferred prosecution agreement introduced by Sapin II for corruption and tax-related offenses. The company admits the facts (without formal admission of guilt), pays a public-interest fine of up to 30% of average annual revenue, funds victim compensation, and accepts AFA monitorship without a formal criminal conviction. The agreement is publicly validated by a court and published on the PNF website.
Is Sapin III coming?
A formal Sapin III bill has not been introduced as of 2026, but several reforms are under discussion: lowering Article 17 thresholds, strengthening AFA powers, and integrating duty of vigilance and ESG obligations. Most changes are likely to arrive incrementally, through EU directive transposition and AFA Recommendations updates, rather than as a single new law. Designing current programs as if the thresholds will lower is a defensible pre-emption.
