EU Adopts Anti-Corruption Directive: Takeaways for U.S. and Global Companies Overview

On April 21, 2026, the Council of the European Union adopted a long-anticipated directive on combating corruption (the “Directive”) that will reshape anti-corruption enforcement across the EU.¹Council adopts new EU-wide law to combat corruption, Council of the EU, Press Release (Apr. 21, 2026), Council adopts new EU-wide law to combat corruption - Consilium. First proposed in May 2023 against the backdrop of corruption scandals at various EU institutions, the Directive establishes minimum standards for corruption offenses, corporate liability, penalties, and jurisdiction, and is intended to close loopholes that have hampered coherent enforcement among EU Member States.²EU Law Tracker, Council of the EU, (last visited May 5, 2026), https://law-tracker.europa.eu/procedure/2023_135?lang=en. Member States must transpose the Directive’s provisions into national law within two years of its entry into force.³Twenty-four months for criminal law provisions. Thirty-six months for preventive measures. As a result, companies should expect domestic implementing legislation across the EU by mid-2028. For multinational companies such as U.S.-headquartered businesses with European operations, the Directive provides occasion for an immediate reassessment of compliance frameworks, third-party relationships, and cross-border investigation protocols.

Key Offenses and Penalties

The Directive reshapes the EU’s anti-corruption framework in three principal ways: harmonizing the definitions of certain core offenses, introducing new offenses, and mandating robust penalties for certain violations.

• Harmonizing Core Offenses. At a practical level, the Directive harmonizes the definition of core corruption offenses across the EU (e.g., bribery, misappropriation, and obstruction of justice), establishing common minimum standards for criminal conduct and penalties.⁴EU Adopts Landmark Anti-Corruption Directive 2026, Brussels Watch (Apr. 29, 2026), https://brusselswatch.org/eu-adopts-landmark-anti-corruption-directive-2026/.  Covered offenses include bribery in the public and private sectors, misappropriation, unlawful exercise of public functions, obstruction of justice, enrichment derived from corruption offenses, and concealment of corruption proceeds
  
  
• Introducing New Offenses. The Directive introduces new concepts companies should consider, including:
  • • Establishing a standalone offense for concealing proceeds or instrumentalities of corruption.
    • Establishing a standalone offense—trading in influence—which targets arrangements in which a person intentionally purchases improper influence over a public official to obtain an undue advantage.⁵Id. Although legitimate advocacy is carved out, this new offense creates heightened risk for companies that work with public affairs professionals, lobbyists, and/or political consultants.
    • As applicable to bribery-related offenses, the Directive also introduces a single, broad definition of “public official” that captures not only national officials but also staff of EU institutions, individuals in state-owned enterprises, privately owned entities performing public service functions, arbitrators, jurors, and persons in international organizations and courts.⁶Id.

• Mandating Robust Penalties. The Directive also requires Member States to establish significant penalties for companies and individuals. For companies, penalties must be “effective, proportionate, and dissuasive,” with maximum fines of at least 3% to 5% of a company’s annual global revenue or fixed amounts ranging from EUR 24 million (approx. USD 28 million) to EUR 40 million (approx. USD 47 million) depending on the offense.⁷Council of the EU, supra note 1. The Directive does expressly recognize a number of mitigating factors, including cooperation with authorities during an investigation, the implementation of effective internal controls and compliance programs before or after the misconduct, and voluntary disclosure and remediation upon discovery of the offense.⁸Brussels Watch, supra note 4.

Corporate Liability Framework

The Directive’s corporate liability framework represents a significant development, particularly for Member States without robust existing corporate criminal exposure. All Member States must establish corporate liability for corruption offenses.⁹Id. A legal entity may be held liable where an offense is committed for its benefit by a person in a “leading position” —whether acting individually or as part of a governing body—with authority to represent, decide for, or exercise control within the entity.¹⁰Brussels Watch, supra note 4. The Directive also adopts a “failure to prevent” model of liability, under which a company may be held liable where a corruption offense is committed for its benefit and the company failed to put in place appropriate preventive measures. This model is not entirely new in Europe: France’s Sapin II Law (2016) already requires companies above certain thresholds to implement anti-corruption compliance programs, with enforcement overseen by the Agence Française Anticorruption (“AFA”). Germany has similarly adopted its Supply Chain Due Diligence Act (Lieferkettensorgfaltspflichtengesetz), which imposes analogous preventive obligations on covered companies. As under the UK Bribery Act—which, following Brexit, continues to apply as a separate, non-EU regime—the existence and quality of preventive controls will be the threshold question in any corporate case, with risk assessments, control design, training, and remediation documented contemporaneously to support the defense.¹¹Id.; see also The Bribery Act 2010 Guidance, Secretary of State for Justice (Mar. 2011), https://assets.publishing.service.gov.uk/media/5d80cfc3ed915d51e9aff85a/bribery-act-2010-guidance.pdf. Effective compliance programs may serve as a mitigating factor in enforcement where they are demonstrably genuine, effective, and independently assessed. Prompt cooperation and voluntary disclosure will reduce penalties, while “window dressing” will not.¹²Brussels Watch, supra note 4.

Jurisdictional Provisions

The Directive’s jurisdictional provisions extend well beyond traditional territorial and nationality bases. Jurisdiction attaches where an offense occurs in a Member State’s territory, is committed by its nationals, or is carried out through information systems located there.¹³Id. Critically, territorial jurisdiction may extend to misconduct carried out through information systems used within a Member State, regardless of where the underlying technology infrastructure is physically located, meaning a digital nexus (e.g., using cloud-based platforms or centralized IT systems hosted on servers physically located in a Member State to transmit communications or payment instructions related to bribery) alone may suffice.¹⁴Id. Member States may further assert jurisdiction over extraterritorial conduct where an accused person is a habitual resident, the offense is committed against one of their nationals, or the conduct benefits a legal person established in that Member State.¹⁵Id. For U.S.-headquartered companies, this means that the use of EU-based cloud, ERP, or communications platforms could draw conduct occurring elsewhere into a Member State’s jurisdiction. Companies should consider mapping their information-systems footprints against corruption risk geographies to understand potential exposure.

Additional Developments and Implementations

On the prevention side, Member States must adopt and regularly update national anti-corruption strategies with civil society involvement, conduct regular risk assessments, and establish systems for managing conflicts of interest, political financing transparency, and integrity standards.¹⁶Id. Dedicated, independent bodies for both prevention (i.e., stopping corruption before it occurs) and repression (i.e., investigating, prosecuting, and punishing corruption after it occurs) are required, with adequate staffing and protection from political interference. Several Member States already operate such dual structures such as France’s Agence Française Anticorruption (prevention) and Parquet National Financier (repression), or Italy’s Autorità Nazionale Anticorruzione (“ANAC”). Preventive measures include asset and interest declarations, revolving-door rules, and mandatory training for officials, the judiciary, and law enforcement. The Directive also requires Member States to apply the EU Whistleblowers Directive to reports of covered corruption offenses, entitling both internal and external reporters to the full protective regime established under that framework.¹⁷Id. Companies should consider pressure-testing reporting channels, anti-retaliation protocols, and case-management workflows to ensure alignment with these expanded protections.

Comparison to U.S. Anti-Corruption Measures

For U.S.-based companies familiar with the Foreign Corrupt Practices Act (“FCPA”), the Directive will feel familiar in some respects and foreign in others. For example, the Directive’s harmonized bribery prohibitions and companion offenses overlap conceptually with the FCPA, which criminalizes the “supply side” of bribery by reaching those who offer or pay bribes to foreign officials.¹⁸Foreign Extortion Prevention Act (FEPA), King & Spalding (Jan. 4, 2024), Foreign Extortion Prevention Act (FEPA) - King & Spalding. The Foreign Extortion Prevention Act (“FEPA”), enacted in 2023, addresses the “demand side” by criminalizing solicitation or receipt of bribes by foreign officials. Id. In addition to its anti-bribery provisions, the FCPA imposes standalone accounting provisions that require issuers to maintain accurate books and records and a system of internal accounting controls.¹⁹Ch. 3, The FCPA: Accounting Provisions, FCPA: A Resource Guide to the U.S. Foreign Corrupt Practices Act, (Nov. 14, 2012), https://www.sec.gov/spotlight/fcpa/fcpa-resource-guide.pdf. The Directive, however, has no counterpart to these standalone accounting provisions and does not permit enforcement on that basis alone. Additionally, the Directive’s trading in influence offense has no direct U.S. federal analog, although similar offenses could be pursued through honest-services fraud, the Travel Act, or money laundering theories.

The corporate liability frameworks of the Directive and in the U.S. diverge in important respects. The Directive requires all Member States to recognize corporate liability and adopt a “failure to prevent” model, while U.S. corporate criminal liability is broad and well established, with effective compliance operating as a factor relevant to the exercise of prosecutorial discretion under DOJ policy rather than a statutory defense.²⁰Brussels Watch, supra note 4; see also A New Era of FCPA Enforcement, King & Spalding (Jun. 12, 2025), https://www.kslaw.com/news-and-insights/a-new-era-of-fcpa-enforcement In both frameworks, penalties are significant: up to 5% of annual global revenue or EUR 40 million under the Directive, while FCPA penalties are less prescribed with fines, disgorgement, and civil liability in parallel proceedings possible, with individuals facing up to five years per count.²¹A New Era of FCPA Enforcement, King & Spalding (Jun. 12, 2025), https://www.kslaw.com/news-and-insights/a-new-era-of-fcpa-enforcement; see also FCPA A Resource Guide to the U.S. Foreign Corrupt Practices Act, DOJ Criminal Division (Nov. 14, 2012), https://www.sec.gov/spotlight/fcpa/fcpa-resource-guide.pdf. Compliance as a mitigating factor is now codified in the Directive and reflected on the U.S. side in the DOJ Corporate Enforcement Policy and the June 2025 Blanche Memorandum, which credit self-disclosure and cooperation.²²Id.

The regimes also project extraterritorially in different ways. The Directive grounds jurisdiction in nationality, residence, victim-nationality, benefit to an EU-established legal person, and a novel “digital nexus,” while the FCPA reaches issuers, domestic concerns, and foreign persons acting in U.S. territory or using U.S. instrumentalities.²³Foreign Corrupt Practices Act Unit, DOJ (Jan. 9, 2025), https://www.justice.gov/criminal/criminal-fraud/foreign-corrupt-practices-act. Enforcement postures are moving in opposite directions: the EU is expanding through harmonized offenses, higher penalties, and stronger cooperation, while U.S. federal enforcement is in flux following the June 2025 Blanche Memorandum narrowing DOJ’s focus to cartel-linked, national-security, and competitive-harm cases.²⁴King & Spalding, supra note 21.

The practical upshot is that as U.S. federal FCPA enforcement focuses more narrowly for the time being, EU Member States could be positioned to take the lead on global anti-corruption enforcement.

Conclusion

The Directive represents a turning point in EU anti-corruption enforcement, introducing harmonized offense definitions, expansive jurisdictional reach, significant penalties, and a corporate “failure to prevent” liability model that will demand attention from any company with operations, personnel, or digital infrastructure touching the EU. In light of this development, companies with EU touchpoints should consider taking four key steps. First, reassess the design and effectiveness of their compliance programs against the Directive’s harmonized standards and “failure to prevent” framework, benchmarking against existing national regimes such as France’s Sapin II and the UK Bribery Act’s adequate procedures defense. Second, update training for EU-based personnel and third-party intermediaries to reflect the new offense definitions such as the trading in influence and concealment offenses. Third, map information-systems and digital footprints across EU Member States to identify potential jurisdictional exposure under the Directive’s novel “digital nexus” provisions. Fourth and finally, companies should closely monitor Member States’ transposition processes, as implementing legislation may go beyond the Directive’s minimum standards and introduce additional national requirements.