Alerts
The EU’s New Anti-Corruption Directive—What it Means for Global Companies as FCPA Enforcement Shifts
May 13 2026
Contributors
Key Takeaways
- On April 21, 2026, the Council of the European Union formally adopted the Directive on Combating Corruption, establishing for the first time a harmonized criminal law framework across all Member States.
- The Directive criminalizes a range of offenses – including bribery (in the public and private sector), trading in influence, misappropriation, obstruction of justice, and concealment of proceeds from corruption – and mandates corporate fines of up to 5% of worldwide turnover or €40 million.
- The Directive’s jurisdictional provisions are sweeping and extend to companies, including U.S. companies, with EU operations, business ties, or even digital connections to a Member State.
- Despite the perceived shift in FCPA enforcement priorities (see our alerts here, here, and here), the global anti-corruption enforcement landscape remains robust and is arguably intensifying (see our alerts here, here, and here).
- A strong compliance program is considered a substantive mitigating factor under the Directive, while a mere “paper program” will serve as an aggravating factor.
- Although national implementation will vary, the minimum standards established by the Directive represent a binding baseline that no Member State can fall below. Member States have 24 months from adoption to enter the Directive into national law, meaning companies should expect new national implementing legislation to take effect approximately by mid-2028.
Overview of the Directive
The Directive replaces two previous instruments – Council Framework Decision 2003/568/JHA on corruption in the private sector and the 1997 Convention on corruption involving EU officials – representing the most significant development in European anti-corruption law in over two decades. The European Parliament formally endorsed the Directive on March 26, 2026, and the EU Council’s recent adoption represents the final legislative step before publication in the Official Journal.
The Directive establishes “minimum rules,” meaning that “EU Member States remain free to adopt or maintain” stricter criminal provisions. Further, the Directive takes a multidisciplinary approach, combining criminal law harmonization with prevention measures, cross-border cooperation mechanisms, and whistleblower protections to more comprehensively address corruption.
Harmonized Criminal Offenses
The Directive mandates that Member States criminalize a comprehensive catalog of corruption offenses spanning both public and private sectors. In the public sector, the Directive covers both active bribery (promising, offering, or giving an undue advantage to a public official) and passive bribery (soliciting or receiving such an improper advantage). Public official is construed broadly, covering not just holders of formal government posts, but any individual who carries out public functions under any form of appointment, election, or contractual engagement – including personnel at state-owned enterprises and privately held companies that deliver public services, representatives of international bodies and EU institutions, as well as elected officials from the municipal to the national level. The Directive extends parallel prohibitions to the private sector, criminalizing the offer or acceptance of an undue advantage where the recipient acts contrary to professional obligations.
In addition, the Directive introduces a standalone trading in influence offense: it is an offense to promise, offer, or give an undue benefit in exchange for exerting improper influence over a public official’s actions for the purpose of obtaining an undue advantage, and it is equally an offense to solicit or accept such an improper advantage for that purpose. Liability attaches irrespective of whether the influence is real or produces the desired outcome; the agreement itself suffices. Legitimate advocacy is carved out, but the line between permissible lobbying and criminal influence-trading may be difficult to draw in practice.
The Directive goes further to require criminalization of other defined offenses, including misappropriation of public assets, abuse of official functions, obstruction of justice in corruption proceedings, enrichment from corruption, and concealment of proceeds derived from corruption – with “property” explicitly including crypto assets and digital instruments.
Penalties and Corporate Liability
The Directive exposes companies to liability on two fronts where:
- Persons authorized to represent the entity, make decisions on its behalf, or exercise managerial control commit an offense for the company’s benefit; and
- Deficient oversight by such senior persons facilitated the corrupt conduct transpiring. Effectively, the “failure to supervise” basis of liability extends corporate exposure beyond direct involvement by senior leadership to situations where inadequate oversight created the conditions that allowed for the wrongdoing to occur.
On the financial side, the most serious offenses (public and private sector bribery, misappropriation) expose companies to fines of at least 5% worldwide annual turnover or €40 million, whichever is greater. A second tier – trading in influence, obstruction of justice, and enrichment linked to corruption – sets the floor for maximum penalties at 3% of worldwide turnover or €24 million.
The sanctions toolkit, however, extends well beyond fines: Member States must also provide for a range of non-monetary consequences, including debarment from public procurement, license and permit revocations, contract annulments, judicial oversight, and forced closure of tainted operations.
For individuals, Member States must ensure their sentencing frameworks permit imprisonment of at least five years for public sector bribery, four years for misappropriation and related offenses, and three years for private sector bribery, trading in influence, and the remaining crimes – with latitude to go higher. To that end, Member States remain free to impose higher maximum sentences under their respective domestic laws.
Jurisdictional Reach
The Directive casts a deliberately wide jurisdictional net. At a minimum, every Member State must assert authority over offenses occurring in its territory or committed by its nationals – and prosecution of nationals may not be blocked by a requirement that a foreign state where the conduct took place first lodged a complaint; this helps ensure that nationals do not escape accountability simply because a foreign state declines to act.
Member States have the discretion to reach further. Grounds to extend include claiming jurisdiction over habitual residents, offenses targeting their nationals or habitual residents, offenses committed for the benefit of a legal person in the territory, or offenses committed in connection with any business activity in whole or in part in the territory. The Directive also requires jurisdiction over offenses “committed by means of information systems used” in a Member State’s territory, regardless of whether “that technology is based in their territory.”
The practical takeaway for multinational companies is clear. Any operational footprint, commercial nexus, or digital presence in a Member State may be sufficient to bring a company within the enforcement reach of the Directive’s national implementing legislation.
Whistleblower Protections
Member States are required under the Directive to apply the existing EU Whistleblower Protection Directive to the Directive’s corruption offenses, reinforcing the role that reporting persons play in uncovering corruption. Individuals who report offenses covered by the Directive are entitled to secure reporting channels and legal safeguards against retaliation (e.g., dismissal, demotion, and other forms of professional or personal reprisal). For companies, this underscores the importance of maintaining robust internal reporting mechanisms that comply with the Whistleblower Directive’s requirements, as the new anti-corruption framework will likely increase the volume and significance of corruption-related disclosures.
Limitation Periods
The Directive mandates minimum limitation periods to ensure that corruption offenses remain prosecutable for a meaningful duration. Member States must provide for limitation periods of at least eight years or five years, as determined by the category of offense under the Directive, from when the offense was committed, with discretion to adopt longer windows. These extended limitation periods ultimately expand the timeframe during which historical conduct may give rise to enforcement exposure.
Compliance as Mitigation
Notably, the Directive formally recognizes effective compliance programs as a mitigating factor. Specifically, where a company has implemented “genuine, effective and duly assessed internal controls, ethics, and compliance programs,” this constitutes a recognized mitigating circumstance. Conversely, compliance programs only for “window dressing” serve as aggravating factors under the Directive when considering the appropriate resolution. This creates a renewed and powerful incentive for organizations to invest in compliance infrastructure that is functional and measurable, rather than merely cosmetic.
The Directive Compared to the FCPA: Going Further in Critical Respects
While the FCPA has long served as the dominant international anti-corruption enforcement framework, the Directive goes beyond the FCPA in several material respects. Companies accustomed to FCPA-calibrated compliance programs should understand these differences and assess whether their existing compliance frameworks are adequate.
| Element | FCPA | Directive |
|---|---|---|
| Scope of Bribery | Criminalizes "supply side" bribery of foreign government officials (i.e., the offer, promise, payment, etc.). Does not cover passive bribery (i.e., the "demand side") or private sector bribery. | Criminalizes both active and passive bribery in the public and private sector under a single instrument. |
| Trading in Influence | No standalone trading in influence offense. The intent to bribe provides analogous coverage, but the concept of improper influence-trading over public decision-making is not separately criminalized. | Trading in influence is a defined criminal offense. |
| Corporate Liability Trigger | Liability based on acts of officers, directors, employees, or agents acting on behalf of the company. No standalone "failure to supervise" offense. | Liability when those in "leading positions" commit an offense or enable gaps in managerial oversight allowing the offense to occur. |
| Penalties | Criminal and civil penalties for individuals and corporate entities; Alternative Fines Act considerations; disgorgement of profits. No turnover-based fines. | Turnover-based fines of 3% to 5% of worldwide annual turnover (or €24 million to €40 million). |
| Self-Disclosure | DOJ's Corporate Enforcement Policy (March 2026, see our alert here) sets forth a clear path to declination – absent aggravating circumstances – for timely self-disclosure, cooperation, and remediation. | Self-disclosure recognized as a mitigating circumstance for reduced penalties but does not provide a pathway to full declination of prosecution. |
| Jurisdictional Reach | Covers conduct both inside and outside the United States. Extends to domestic concerns, issuers, those physically present in the United States, and those U.S. persons or companies acting outside the United States. | Established over offenses committed in whole or in part in a Member State’s territory, or where the offender is a Member State national. Member States may extend their reach on several grounds. |
| Compliance Credit | Existence and effectiveness of a compliance program considered in charging and sentencing decisions but not formally codified as statutory mitigation. | Effective compliance programs constitute a statutory mitigating factor; paper only programs are a statutory aggravating factor. |
The inclusion of private sector bribery coverage, the trading in influence offense, turnover-based fines, and the “failure to supervise” corporate liability basis indicates that the Directive captures conduct and creates exposure that sits squarely outside the FCPA’s reach. To that end, an FCPA-focused compliance program, standing alone, will likely fall short of adequately addressing these additional risk dimensions.
Why the Perceived Shift in FCPA Enforcement Does Not Justify Reduced ABAC Investment
In June 2025, the U.S. Department of Justice (“DOJ”) issued new FCPA guidelines (“FCPA Guidance”), “to ensure that FCPA investigations and prosecutions…(1) limit[] undue burdens on American companies that operate abroad and (2) target[] enforcement actions against conduct that directly undermines U.S. national interests.”
The FCPA Guidance also set forth certain criteria to aid prosecutors in determining whether to initiate or pursue FCPA matters, including the total elimination of cartels and transnational criminal organizations, safeguarding fair opportunities for U.S. companies, advancing U.S. national security, and prioritizing investigations of serious misconduct (see our alert here).
While this recalibration narrows the categories of conduct most likely to trigger DOJ enforcement, it would be a strategic error for global companies to interpret these developments as a basis for reducing anti-corruption compliance investment. Notably, the FCPA remains fully intact as a federal statute. Further, the statute of limitations under the FCPA is five years, meaning conduct occurring today could be prosecuted under the next administration. In addition, the FCPA remains a top white-collar crime enforcement priority (see our alert here). Not to mention that conduct that might formerly have been investigated as an FCPA violation can also constitute a violation under other domestic U.S. laws, including the Travel Act, mail or wire fraud, money laundering statutes, or competition laws.
Most critically for multinational companies, the global enforcement landscape is intensifying, not receding. The International Anti-Corruption Prosecutorial Taskforce, launched in March 2025, by Swiss, French, and U.K. law enforcement agencies, signals that foreign jurisdictions are prepared to fill any perceived enforcement vacuum left by the United States (see our alert here). The U.K. Serious Fraud Office continues active prosecution of bribery offenses under the U.K. Bribery Act 2010, while France’s Parquet National Financier continues to resolve corruption cases through its CJIP mechanism (see our alert here). Moreover, the Directive will now introduce harmonized enforcement capabilities across 26 Member States – with mandatory turnover-based penalties that could dwarf those historically imposed under the FCPA.
Going forward, companies that interpret U.S. enforcement shifts as license to relax compliance standards may find themselves exposed to aggressive enforcement by European authorities that are both willing and increasingly well-equipped to act.
What Should Companies Do Now
Companies operating in or with connections to EU markets should begin preparing now, rather than waiting for national transposition. The 24-month implementation window will pass quickly, and organizations that proactively assess and adapt their compliance frameworks will be best positioned when the new rules take effect.
Conduct a gap analysis. Review existing anti-corruption compliance programs against the Directive’s requirements. Identify specific areas where policies, procedures, and training may need to be supplemented or revised.
Assess trading in influence exposure. Scrutinize existing arrangements with consultants, government affairs advisors, and other intermediaries to identify compensation structures that may signal influence-trading risk, such as payments contingent on securing a favorable regulatory outcome, bonus arrangements triggered by government contract awards, or open-ended advisory retainers where the scope of services is vague and/or the intermediary’s value appears limited to proximity to officials rather than substantive expertise. Due diligence protocols for onboarding and monitoring third parties should also be evaluated and recalibrated accordingly, ensuring that the intermediary is providing bona fide services.
Document compliance program effectiveness. The Directive’s requirement that a compliance program be “genuine, effective, and dully assessed” to qualify for mitigating credit means that companies must be prepared to demonstrate – not merely assert – that their programs work in practice. This calls for documenting how compliance risks are identified and prioritized, how polices are tested and updated in response to evolving threats, and what concrete results the program has produced (e.g., investigations initiated, training completion and comprehension rates, third-party audit findings, and remedial actions taken). Programs that exist on paper without evidence of functional implementation will not only fail to mitigate – they will aggravate.
Map jurisdictional exposure. Assess the company’s connection to each Member State where it conducts business – whether through subsidiaries, branch offices, agents, joint ventures, supply chains, or digital platforms. The Directive’s jurisdictional framework is broad, even a digital connection to a Member State may be sufficient to establish enforcement jurisdiction.
Update training programs. Training should be assessed and revised to address the full spectrum of offenses under the Directive. Effective training should not be one-size-fits all: directors and senior executives need to understand, for instance, the governance and oversight expectations that underpin failure-to-supervise liability, while operational personnel in higher risk functions – procurement, government-facing sales, regulatory affairs – require scenario-based instruction tailored to the corruption risks most likely to arise in their day-to-day activities and geographic markets.
Revisit self-reporting and incident response protocols. Under DOJ’s Corporate Enforcement Policy framework, companies that self-disclose, cooperate fully, remediate, and have no aggravating circumstances may avoid prosecution by declination. The Directive offers no equivalent off-ramp; self-reporting may reduce a penalty but will not necessarily eliminate the prospect of criminal proceedings. Effectively, a decision to disclose in the U.S. may have cascading consequences in another jurisdiction. Incident response and investigations playbooks should be designed to manage multi-jurisdictional complexity, anticipating engagement with enforcement authorities in the United States, one or more Member States, and potentially other jurisdictions as well, each operating under different procedural rules, cooperation expectations, and disclosure incentives.
Strengthen internal controls and supervision. Given the Directive’s corporate liability provisions for “failure to supervise,” companies should ensure that governance frameworks clearly assign responsibility for compliance oversight to persons in leading positions – and that those individuals have the tools, authority, and information necessary to exercise effective control.
Monitor national transposition. Because the Directive establishes a floor rather than a ceiling, individual Member States retain full authority to go further – whether by criminalizing additional conduct, imposing harsher penalties, or adopting broader jurisdictional rules. The resulting national landscape will be uneven: countries like France, which already operates a mature anti-corruption enforcement framework under Sapin II, may need only incremental adjustments, whereas other Member States with less developed frameworks will face more sweeping legislative overhauls. Companies should monitor transposition developments across all jurisdictions in which they operate to understand their actual country-by-country exposure.
Conclusion
The adoption of the Directive fundamentally reshapes the global anti-corruption enforcement landscape. For multinational companies, it introduces enforceable standards across 26 Member States that in key respects exceed the scope and penalties of the FCPA. Companies that maintain and strengthen their compliance programs will be best positioned to navigate this evolving environment and manage risk. Those that allow programs to atrophy in reliance on a perceived U.S. pullback will face heightened exposure at a time where enforcement ambition globally is growing most rapidly.
Womble Bond Dickinson (US) LLP’s White Collar Defense and Criminal Investigations Team navigates domestic and international clients in all manner of white collar, regulatory, corporate and congressional investigations. Our team includes a distinguished roster of veteran defense attorneys, former federal prosecutors and U.S. Attorneys who served at the highest levels of the Department of Justice and at leading United States Attorneys’ Offices. Our team includes Chambers Ranked (Band 1) lawyers and alumni of the U.S. Department of Justice, the SEC’s Enforcement Division, the U.S. Senate, House of Representatives, and in-house compliance specialists of publicly traded companies.
