Raising the bar: The EU's new Anti-Corruption Directive

The Directive was first proposed by the Commission on 3 May 2023, but provisional agreement between the Commission, the Parliament and the Council was not reached until 2 December 2025. The negotiations were inherently tricky considering the subject matter, with some Member States reluctant to cede national sovereignty over criminal justice matters. The Council announced the adoption of the Directive's final text on 21 April 2026, and the final step of publication in the Official Journal is expected shortly.

The Directive will enter into force 20 days after publication. Member States then have 24 months to transpose it into their national law, with an extended deadline of 36 months for obligations relating to risk assessments and national anti-corruption strategies (Articles 20(5) and 21). The core obligations are therefore expected to be operational by approximately mid-2028, with certain prevention-related provisions following by mid-2029.

The Directive establishes minimum standards for Member States, who may adopt or maintain stricter rules. Some jurisdictions (such as France, under its Sapin II regime) already have robust legislation with significant overlap with the new requirements, while Denmark has secured a full opt-out from the legislation and is not bound by the Directive. Ireland has expressly notified the EU of its wish to participate in the Directive.

The Directive standardises a series of criminal offences across EU Member States, to strengthen the EU-wide fight against corruption. Specifically, the Directive aims to "criminalise corruption offences when committed intentionally". Bribery offences may occur directly or through an intermediary.

Key offences are as follows:

• Bribery in the public sector (Article 3): The offence covers active bribery (the promise, offering or giving of an undue advantage to a public official) and passive bribery (the request or receipt of such an advantage). The definition of "public official" is broad. It extends beyond formal officeholders to cover any person assigned and exercising a public service function, including employees of privately-owned companies performing public services that are subject to the control or supervision of a public authority (e.g., outsourced government contractors). "Undue advantage" can be tangible or intangible, pecuniary or non-pecuniary. Gifts of low value or those permitted by law are excluded.
  
  
• Bribery in the private sector (Article 4): Active and passive bribery in the course of business is criminalised where a person directing or working for a private sector entity acts (or refrains from acting) in breach of that person's duties. A "breach of duty" covers at a minimum any behaviour constituting a breach of a statutory duty, professional regulations or instructions applicable within a private sector entity.
  
  
• Trading in influence (Article 6): This is a new standalone offence that was not part of previous EU measures on anti-corruption. It criminalises the giving or receiving of an undue advantage (including through an intermediary) to exert improper influence over a public official, regardless of whether the influence was real, actually exerted or effective in changing behaviour. Legitimate interest representation that does not entail an "undue exchange of advantages" is carved out (for example, via lobbyists), though this boundary is likely to be difficult to draw in practice.
  
  
• Other offences: The Directive also harmonises offences of misappropriation by public officials (Article 5), unlawful exercise of public functions (Article 7), obstruction of justice in corruption proceedings (Article 8), enrichment from corruption offences (Article 9) and concealment of corruption proceeds (Article 10). Inciting, aiding and abetting, and (for certain offences) attempting to commit corruption offences is also criminalised (Article 11).

The Directive creates two new routes to corporate liability which will be particularly significant for businesses with EU operations:

• Primary liability (Article 13(1)): A legal person is liable where an offence is committed for its benefit by someone in a "leading position" – that is, a person acting individually or as part of an organ of the entity, who has the power to represent it, authority to take decisions on its behalf, or authority to exercise control within it. Who exactly occupies such a "leading position" is likely to be a subject of further debate and refinement at Member State level.
  
  
• Failure to supervise (Article 13(2)): A legal person is also liable where the lack of supervision or control by a person in a leading position has made possible the commission of an offence by a person under the entity's authority, for the benefit of that legal person.

In addition, the Directive makes clear that corporate liability under Article 13 does not preclude parallel criminal proceedings against individuals involved (i.e. those who commit, incite or are accessories to any of the offences).

The UK Bribery Act 2010 ("UKBA") is frequently considered the high watermark in terms of anti-bribery and corruption legislation. The Directive's bribery and corruption offences are broadly comparable in scope to those under the UKBA, and both have (at least the potential for) significant extraterritorial reach. Businesses with UKBA-compliant anti-bribery programmes will likely find that their existing frameworks substantially address the EU bribery offences. 

It is, however, worth noting some important areas of divergence:

• Trading in influence is a standalone offence under the Directive. The UKBA does not contain an equivalent discrete offence, though some such conduct could fall within the general bribery provisions, particularly given the ability for UKBA offences to be committed by "associated persons". The Directive's explicit criminalisation creates a distinct compliance risk, particularly for businesses engaging lobbyists, government affairs consultants or former public officials in EU jurisdictions, where good relationships between lobbying individuals and the officials they engage with can be a key selling point for their services.
  
  
• Corporate liability basis. The UKBA's section 7 offence (failure to prevent bribery) provides a defence if a company can prove it had "adequate procedures" in place. The Directive takes a different approach: effective compliance programmes are a mitigating factor in sentencing and are not a defence to liability. The Directive's "failure to supervise" liability route (Article 13(2)) more closely resembles a general corporate criminal liability model.
  
  
• Turnover-based fines. The UKBA does not prescribe turnover-based fines for corporates, whereas the Directive introduces maximum fines of not less than 5% (for the core bribery offences) or 3% (including for trading in influence) of worldwide turnover. As an alternative to turnover-based fines, Member States may impose fixed fines, which should be not less than €40 million and €24 million depending on the offence, as above. The largest penalty ever imposed in connection with a UKBA case arose from the deferred prosecution agreement between Airbus and the Serious Fraud Office in 2020; the fine of €991 million represented just under 2% of Airbus's turnover of almost €50 billion in that year. As part of the same investigation, Airbus reached an agreement with the French prosecutor, the PNF, for additional penalties of just over 4% of its annual turnover. To illustrate the significance of the Directive's turnover-based penalties, both the French and the UK fines are below the level that Airbus could have faced had the Directive been in force at the time.

In addition to the financial penalties outlined above, the Directive also sets minimum levels for maximum terms of imprisonment for the new offences, ranging from 3 years for private sector bribery (amongst others) to 5 years for public sector bribery.

Additional penalties may include fines, disqualification from business activities, exclusion from public funding and tender procedures, and publication of judicial decisions.

The Directive prescribes a series of aggravating and mitigating circumstances for the relevant Member State authorities to consider when sentencing offenders.

a. Aggravating Circumstances (Article 15)

Commission of the offence within a criminal organisation is mandatory as an aggravating factor. Member States may also treat the following as aggravating (among others):

• Repeat offences.
  
  
• The offender obtained a substantial benefit or the offence caused substantial damage.
  
  
• The offender is an AML-obliged entity, or is an employee of or in a leading position at such an entity and acting in the exercise of their professional activities. This is of particular relevance to financial sector firms.

b. Mitigating Circumstances (Article 16)

The following may be treated by Member States as mitigating circumstances:

• The offender assisted the competent authorities by providing information they would not otherwise have had.
  
  
• The legal person, upon discovery, rapidly and voluntarily disclosed the offence and took remedial measures.
  
  
• The legal person had implemented effective internal controls, ethics awareness and compliance programmes to prevent corruption (whether before or after the offence). The emphasis here is on "effective" controls, and the recitals to the text explicitly provide that compliance programmes maintained only for cosmetic purposes ("window dressing") will not qualify.

Jurisdiction arises where an offence is committed in whole or in part in a Member State's territory, or where the offender is a national of that state. The Directive also envisages that Member States may choose to extend their jurisdiction in a number of other scenarios, including where offences are committed for the benefit of a legal person established in its territory, or for the benefit of a legal person in respect of any business done in whole or in part in its territory. This latter provision would be a considerable extension of jurisdiction.

The recitals also provide that Member States should extend territorial jurisdiction to offences committed via information systems used on their territory, though this is not clearly part of the operative provisions of the final text. If implemented by Member States, this provision could be problematic for the large number of businesses dependent on cloud-computing services or data centres, providing a tenuous link to the jurisdiction where those services are located or provided from.

In order to ensure that suspicions or knowledge of bribery and corruption can be effectively reported, strengthening anti-corruption enforcement action across the EU, the Directive provides that Member States must ensure that their national laws implementing the EU Whistleblowing Directive (2019/1937) cover the reporting of corruption offences. Whistleblowers should be able to use confidential channels and alert competent authorities of their suspicions without fear of retaliation. In addition, whistleblowing laws must ensure that protection, support and assistance is given to those providing evidence or otherwise cooperating with competent authorities in the context of criminal proceedings.

The tightening and harmonisation of the EU rules on bribery and corruption, together with high penalties for failing to meet them, means that most businesses with operations in the EU will want to review their anti-corruption policies and procedures to ensure that they can demonstrate compliance ahead of the transposition deadlines at the national level. Some of the key steps that businesses might consider are as follows.

• Update compliance programmes: The Directive does not formally require private sector organisations to train their staff, but effective compliance programmes (which will typically include training) are a formal mitigating factor. The absence of a well-documented training programme could therefore increase fines, if a successful prosecution is brought against the company. Many businesses will have existing anti-bribery and corruption compliance programmes and training in place, including for compliance with the UKBA and the US FCPA. These programmes should be reviewed and updated to ensure that they adequately cover the Directive's offences – in particular on trading in influence, which is novel in many jurisdictions.
  
  
• Identify individuals in "leading positions": Businesses should map which individuals across management structures and subsidiaries fall within the Directive's corporate liability trigger, given that liability attaches where an offence is committed by a person with the power to represent the entity, take decisions on its behalf or exercise control within it. To mitigate the risk of the corporate offences occurring, businesses may consider enhanced training for those in "leading positions"; this should include the importance of their supervisory obligations over staff who might commit bribery for the benefit of the business.
  
  
• Review anti-corruption policies: Existing policies should be assessed for coverage of the new offences, in particular trading in influence.
  
  
• Consider impacts on supplier onboarding: In particular, the trading in influence offence will require businesses to review how they select and due diligence consultants working on policy or government affairs or otherwise interacting with public officials on their behalf. Selection criteria should be objective and based on expertise, not the value of the personal relationships held by those within the firm.
  
  
• Update whistleblowing channels: Existing channels should explicitly cover corruption reporting, in line with the extended EU Whistleblowers Directive.
  
  
• Monitor differences in national transposition: The Directive sets minimum standards and Member States may go further than the terms of the Directive. 

We will continue to monitor the progression of the Directive and national transposition across key EU jurisdictions. To get ahead with your compliance preparations, or for questions on the Directive or its implications for your business, please get in touch.