What the Anti-Corruption Directive Means for Firms

Written by
Iratxe Gurpegui

The awkward audit question will not be, “Does the company have an anti-corruption policy?” It will be, “Show the risk assessment that proves this policy fits the business.”

That is where the EU Anti-Corruption Directive changes the conversation for firms. The political headline is integrity in public life. The operational burden lands in corporate systems: third-party files, gifts registers, public procurement approvals, accounting controls, investigation logs, board reporting, and remediation evidence.

For companies, the Directive is not just another criminal-law text sitting with external counsel. It is a pressure test of whether anti-corruption compliance can survive contact with facts.

The Directive is aimed at corruption, but companies are clearly in scope

The EU initiative grew out of the Commission’s broader anti-corruption package, and became law when the Council adopted the Directive on combating corruption on 21 April 2026. It was published in the Official Journal on 11 May 2026 and is now in force, with Member States required to transpose it into national law by 1 June 2028. Its core move is simple: reduce the gaps between national regimes that have made cross-border enforcement uneven.

That matters for firms because the Directive covers conduct that commonly sits inside commercial activity, not only misconduct by public officials. Active bribery, private-sector bribery, trading in influence, misappropriation, obstruction of justice, and related conduct can all touch companies through employees, executives, agents, distributors, consultants, lobbyists, and joint-venture partners.

The company does not need to be “corrupt” as a cultural label to be exposed. A regional sales director can approve a sham consultancy agreement. A procurement manager can receive a personal benefit from a vendor. A customs broker can make an improper payment while “solving” a shipment issue. A finance team can book the expense under a vague service code. The Directive pushes Member States toward laws that make those fact patterns harder to treat as local anomalies.

For legal and compliance teams, the practical question becomes: can the company detect, prevent, escalate, and evidence its response to these scenarios?

A Directive is a floor, not a ceiling

This point matters more than many board decks admit. A directive is not a regulation. Under Article 288 of the Treaty on the Functioning of the European Union, a directive binds Member States as to the result to be achieved, while leaving national authorities to choose form and methods.

So firms should not expect one neat EU rulebook to replace national law. The Directive sets minimum outcomes. Member States may implement stricter rules, higher penalties, broader offence definitions, tighter limitation periods, or more aggressive corporate liability models, provided they remain compatible with EU law.

That is the compliance trap. A group operating in France, Germany, Spain, Poland, and the Netherlands cannot simply announce “Directive compliance” and move on. It must track how each Member State transposes the Directive and how local prosecutors, regulators, and courts interpret the new rules.

For French companies, this will sit alongside an already demanding architecture under Sapin II. Naltilia has covered the existing French framework in its guide to compliance under Loi Sapin II, which remains a useful benchmark for what a mature anti-corruption program looks like in practice.

Where the Directive bites in corporate compliance

The Directive will not affect every company in the same way. A mid-size manufacturer with distributors in several Member States faces a different risk profile from a software company bidding for public-sector contracts. But the pressure points are predictable.

| Compliance area | What the Directive changes | Practical impact for firms |
| --- | --- | --- |
| Corporate liability | Member States must ensure legal persons can be held liable in relevant circumstances | Senior management failure and poor supervision become harder to treat as “individual misconduct only” |
| Sanctions | National laws are expected to provide effective and dissuasive penalties, including significant corporate fines. Fines reach at least 5% of worldwide turnover (or €40M) for core offences such as bribery and misappropriation, and 3% (or €24M) for others | Boards need penalty exposure mapped by jurisdiction, not buried in legal memos |
| Private-sector bribery | Harmonization reduces gaps between national approaches | Commercial teams, procurement, and partner channels need clearer controls |
| Third parties | Agents, intermediaries, suppliers, and consultants remain a high-risk channel | Due diligence must be risk-based, current, and evidenced |
| Remediation | Detection without documented follow-through carries little weight | Firms need documented investigations, corrective actions, and follow-up testing |

The biggest change is not that companies need policies. They already have policies. The change is that paper programs will age badly under a more harmonized enforcement environment. The Directive reinforces this directly: a genuine, effective and duly assessed compliance programme counts as a mitigating factor at sentencing, while a “window-dressing” programme can weigh against the company.

A policy that says “no facilitation payments” does little if the company cannot identify where customs brokers are used. A gifts rule is weak if no one can reconcile approvals against expenses. A whistleblowing channel is incomplete if investigation outcomes never feed risk assessments.

Transposition status: Germany is the signal to watch

Because this is a Directive, the real legal effect for firms arrives through national transposition. With the transposition deadline set for 1 June 2028 (36 months for the risk-assessment and national-strategy requirements), Member States are only beginning to move as of mid-2026. Germany is the clearest example currently in motion. Commentary on Germany’s planned implementation highlights tighter corporate sanctions, including the kind of penalty shift discussed by Eversheds Sutherland in its analysis of Germany’s proposed corporate fine reforms.

That German example matters beyond Germany. It shows how transposition may work in practice: not just by adding offence wording to the criminal code, but by changing the economics of corporate exposure.

Other Member States may decide that parts of their existing anti-corruption regimes already satisfy the Directive. Some will need targeted amendments. Some may go further than the EU minimum. That is why the transposition tracker should not sit with legal alone. Compliance, finance, procurement, internal audit, and regional management all need to know where the local law is changing and which controls are affected.

The prudent position is controlled preparation, not panic.

What firms should do before the national laws land

A serious company does not wait until every Member State finishes transposition before improving its program. It starts with the areas most likely to fail under scrutiny.

First, the risk assessment must be current and business-specific. Generic corruption heat maps will not carry much weight. The assessment should reflect sales channels, public-official touchpoints, licensing exposure, state-owned customers, high-risk jurisdictions, procurement patterns, charitable donations, sponsorships, and intermediaries. Naltilia’s article on corruption risks in interactions with public officials is a useful practical reference for one of the most common risk zones.

Second, third-party due diligence needs discipline. The question is not whether the company collected a questionnaire once. The question is whether the company knows which third parties create corruption risk, what evidence was reviewed, who approved the relationship, which red flags were cleared, and whether the file was updated after adverse news or business changes. For a concrete operating model, Naltilia’s guide to third-party due diligence sets out how to structure and evidence that file.

Third, remediation must be operational. If an internal review finds weak approvals for consultants, the answer is not another training slide. The answer is a control change, an owner, a deadline, evidence of implementation, and later testing.

This is where AI can earn its seat at the table. Not by replacing legal judgment. Not by deciding whether conduct is criminal. But by helping teams collect evidence, map obligations to controls, flag missing files, maintain policy versions, and route remediation actions to accountable owners. A platform such as Naltilia fits that infrastructure layer: regulatory risk assessment, automated data collection, policy tailoring, and workflow automation where manual tracking usually breaks.

Humans still sign off. The system should make the work traceable.

The takeaway for firms

The Directive should not be treated as a public-sector ethics story. For companies, it is a corporate liability and evidence story.

The smart move is narrow and practical: pick the highest-risk business line, test ten third-party files, trace the approval path, check the payment evidence, and confirm whether the latest risk assessment would actually explain the controls in place.

If the answer is a polished policy and a silent file, the firm is not ready. Under the new fine levels, up to 5% of worldwide turnover, that gap is now expensive. The Directive is pushing firms to prove that anti-corruption controls work where money, pressure, and discretion meet.

Frequently Asked Questions

Does the Anti-Corruption Directive apply directly to companies?

Usually, no. As a Directive, it must be transposed into national law by Member States. Companies will feel the effect through amended criminal laws, corporate liability rules, sanctions, and enforcement practice in each jurisdiction.

Can Member States adopt stricter anti-corruption rules than the Directive?

Yes. The Directive sets minimum results. Member States may go further, including higher penalties, broader liability, or tighter procedural rules.

Is this only about bribery of public officials?

No. Public-sector bribery remains central, but companies should also watch private-sector bribery, trading in influence, third-party conduct, accounting concealment, and obstruction-related risks.

Which countries have transposed so far?

As of mid-2026, no Member State has fully transposed the Directive; the deadline is 1 June 2028. Germany is the most visible early mover, especially through proposed changes to corporate fines. A reliable EU-wide picture requires checking each Member State’s official legislation as it is adopted.

Should mid-size companies wait until all national rules are final?

No. Waiting creates a predictable scramble. Mid-size firms should start with risk assessment, third-party controls, policy gaps, investigation workflows, and remediation tracking.

About the Author

Iratxe Gurpegui

I've spent 20 years as a compliance and competition lawyer across Europe and Latin America, and throughout my career, I've seen firsthand how complex and costly regulations can hold companies back. But I've also learned that compliance doesn't have to be a burden; it can be a strategic advantage. My mission is to help companies harness the power of AI, transforming compliance into something faster, simpler, and most importantly, a real driver of growth for businesses.