Operationalising the EU Anti-Corruption Directive
Sponsored by Mitratech
Jan Stappers provides a practical roadmap for operationalizing the EU Anti-Corruption Directive, with a prioritized action framework based on program maturity.
The EU Anti-Corruption Directive (Directive 2026/1021, “ACD”) took effect on 31 May 2026, establishing the first harmonised criminal law framework for anti-corruption obligations across the EU. The directive covers bribery in the public and private sectors, trading in influence, misappropriation, unlawful exercise of public functions, obstruction of justice, enrichment from corruption offences, and concealment. Its defining contribution is the architecture of corporate accountability it creates: liability attaching to organisations as well as individuals, and a penalty structure that explicitly rewards the presence of genuine preventive measures.
For GRC professionals, the directive functions as a design brief. The programme it incentivises, with concerns raised before they become incidents, third-party relationships managed before they create liability, and accountability embedded in governance from the outset, is the integrated model the GRC Capability Framework describes. Member states have until 1 June 2028 to transpose the criminal law provisions and 1 June 2029 for the preventive measures. Organisations that treat the preparation window as a programme-building opportunity will be materially better positioned than those that treat it as a legislative countdown.
The Two Structural Features That Should Anchor Your Planning
The directive creates corporate liability through two routes. Article 13(1) holds a legal person liable for offences committed for its benefit by persons in leading positions. Article 13(2) extends that liability where a lack of supervision or control by such a person made it possible for someone under their authority to commit the offence for the organisation's benefit. The structural parallel to the UK Bribery Act's section 7 corporate offence is instructive, though with a consequential distinction. Under the UK Act, adequate procedures operate as a complete defence. Under the ACD, compliance programme quality functions as a mitigating factor in the penalty calculus under Article 16, a direct element of both legal exposure and the consequences that follow from it.
Penalties for legal persons are tiered by offence under Article 14(3). For bribery in the public sector, bribery in the private sector, and misappropriation (Articles 3 to 5), the maximum fine may reach 5% of worldwide annual turnover or €40 million. For trading in influence, obstruction of justice, and enrichment from corruption offences (Articles 6, 8, and 9), the ceiling is 3% of turnover or €24 million. Where an organisation can demonstrate genuinely implemented, effective preventive measures, with evidence of operational reality, member states are permitted under Article 16 to treat that as a mitigating circumstance. Article 16 also extends that benefit where the organisation rapidly disclosed the offence and took remedial action once it was discovered.
Two implications follow from this architecture. The operative standard is substantive: a programme that demonstrably functions as intended. Separately, the mitigation benefit requires evidence of programme effectiveness, which places the audit trail at the centre of the compliance design problem.
The Five Components the Directive Assumes You Have
At programme level, the directive assumes five interconnected components. GRC practitioners will recognise each of them. The compliance challenge is evidencing that they are genuinely operational:
- Confidential reporting mechanisms through which employees and relevant third parties can raise concerns without fear of retaliation
- Role-tailored training on anti-corruption obligations, calibrated to exposure level across the organisation
- Documented policies governing conflicts of interest, gifts, hospitality, and interactions with public officials, with evidence of acknowledgement and understanding across the organisation
- Third-party due diligence on intermediaries and supply chain partners whose relationships create corruption exposure, with documented monitoring over time
- Periodic risk assessments identifying where operating activities and environments generate the greatest legal and reputational vulnerability
These components are mutually reinforcing. A risk assessment identifying high-risk third-party relationships should drive due diligence processes; due diligence findings should inform training design; training and policy acknowledgement together produce the evidential record a regulator will request.
Consider a mid-size manufacturer with three EU subsidiaries that discovers its third-party due diligence lives in a spreadsheet maintained by one compliance officer. The policy exists; the monitoring has lapsed. Under an Article 13(2) examination, the regulator will ask what the programme did when it was tested: how a concern was raised and handled, how a third party that failed due diligence was managed, and what remediation followed when a training gap came to light. That record is the substance behind the structure.
Managing 26 Transpositions
A single liability standard will produce 26 distinct national implementations (not 27, as Denmark is excluded from the directive's scope under Protocol No 22 annexed to the Treaties). For the member states within scope, the directive sets minimum requirements; member states retain freedom to exceed them, and enforcement cultures will vary as they have under every EU directive of comparable scope. Material differences are already anticipated in Belgium, Germany, Italy, France, Poland, and the Netherlands, varying across penalty thresholds, corporate liability structures, and sector-specific requirements.
The design question is how to maintain consistent programme standards across entities subject to different national legal requirements, while producing compliance evidence suited to the relevant regulator in each jurisdiction. Organisations best positioned to navigate this are those building against the highest credible standard, maintaining documentation and audit trail practices adaptable to local requirements, and ensuring consolidated visibility across their European operations.
Organisations with EU Whistleblowing Directive or GDPR programme governance experience will recognise the challenge. The ACD adds a layer to a design problem with which many European compliance functions already have substantial exposure. The lesson from those programmes is that early architecture decisions, about where evidence sits and how it is retrieved, carry a disproportionate effect on regulatory readiness years later.
A Prioritised Action Framework by Maturity Stage
The right starting point depends on where a programme currently stands.
Early-stage programmes
Where the five components exist but are managed manually, inconsistently, or without a consolidated audit trail, the priority is documentation and evidence architecture. A systematic gap analysis, mapping existing capabilities against the directive's five requirement areas and assessing the strength of the evidential record currently available, is the natural first step. The question is whether each component would satisfy regulatory scrutiny.
Mid-stage programmes
Where components are reasonably documented but managed across separate functions and systems, the challenge is coherence. The Article 16 mitigation benefit depends on a programme presentable as an integrated whole. Consolidating the evidential trail into a navigable, auditable record is typically the highest-value investment at this stage. The programme needs to tell a single, consistent story.
Advanced programmes
Where integration exists but cross-jurisdictional consistency is the outstanding challenge, the transposition period is well used by stress-testing against the 1 June 2028 deadline in priority jurisdictions. Engaging local counsel in key markets before national implementing legislation is finalised surfaces where the group standard will require supplementation, and allows those adjustments to be planned in advance.
Across all maturity stages, the evidential discipline that makes the difference is recording decisions alongside policies. A policy document establishes the standard; the record of how that standard was applied when it mattered is what the compliance programme actually demonstrates.
Where to Start
The EU Anti-Corruption Directive builds on familiar foundations: the UK Bribery Act, the FCPA, and the frameworks established by the OECD Anti-Bribery Convention and Council of Europe. Its addition is a mandatory legal framework across the EU, a statutory structure that penalises the absence of genuine preventive measures while rewarding their presence, and a transposition timeline that leaves considerably less room for deliberation than the 2028 headline suggests.
The organisations best positioned when the directive takes full effect will be those that used the preparation period to build genuinely effective programmes and kept the record to demonstrate it. The place to start is the gap analysis: map what you have against the components, assess where the evidential record is weakest, and prioritise from there.
About The Author
Jan Stappers is EVP GRC Solutions Strategy at Mitratech. He has contributed to publications including the United Nations, International Bar Association, Springer Nature’s ERA Forum and the Association of Certified Fraud Examiners.
Featured in: Anti-Corruption