The EU Now Treats a Paper Compliance Program as an Aggravating Factor

On April 21, 2026, the Council of the European Union formally adopted the Directive on Combating Corruption, establishing a harmonized criminal law framework across all 27 Member States. It replaces the 1997 Convention and the 2003 Framework Decision. EU Member States have until June 2028 to incorporate it into national law. Many will act before that deadline. For US companies with EU operations, the review of existing anti-bribery and corruption programs should not wait.

Four features warrant immediate attention from compliance programs calibrated to the FCPA and UK Bribery Act: a new trading in influence offense, a strengthened penalty structure with broad extraterritorial reach, explicit treatment of non-functional compliance programs as aggravating factors, and a self-disclosure framework that diverges from US practice.

The Directive introduces a new criminal offense called trading in influence. It criminalizes the brokering or purchasing of improper influence over a public official through agents, lobbyists, and consultants, regardless of whether the influence is exercised or produces any result. A consultant hired for access to officials rather than subject-matter expertise is enough. Success-based fees tied to regulatory outcomes, undisclosed relationships with officials, and retainers with vague deliverables all warrant review.

The penalty structure is materially stronger than most EU Member States have historically applied. Fines can reach 5% of worldwide annual turnover or 40 million euros. The reach extends further than many US companies realize: a company with no EU office but whose systems, data, or services operate through EU-based infrastructure may face exposure under the Directive’s jurisdictional provisions.

US compliance professionals will recognize the underlying logic. Under the Federal Sentencing Guidelines, an effective compliance program reduces organizational culpability at sentencing. A paper-only program provides no such benefit. The EU Directive goes further: it treats a non-functional program not merely as insufficient mitigation but as an explicit aggravating factor.

There is also a meaningful divergence in how the Directive treats voluntary self-disclosure. Self-disclosing misconduct to DOJ under its Corporate Enforcement Policy may produce a decision not to prosecute in the US, but the same result is not guaranteed where the same conduct has EU Member State exposure. The self-disclosure decision must be evaluated across all implicated jurisdictions.

EU Member States have until June 2028, but many will move before the deadline. The gap analysis should start now.