The new EU Anti-Corruption Directive establishes uniform definitions for corruption offenses for the first time, consolidating public and private sector corruption into a single legal instrument that replaces the fragmented pre-existing framework.
Effective compliance programs and internal investigations are now legally recognized as mitigating circumstances. These programs must be "genuine, effective and duly assessed", and not "window dressing". Investigations must identify “other offenders”, i.e., must be targeted at determining individual liability.
Minimum maximum fines range from 3% to 5% of worldwide annual turnover – or alternatively EUR 24 to 40 million.
EU Member States may extend jurisdiction to corruption offenses committed abroad for the benefit of domestic companies, but are not required to do so. Companies must monitor national transposition to assess their actual exposure country by country.
Companies should review and adapt their anti-bribery and anti-corruption policies and investigation processes before the implementation deadline in 2028.
Until now, the EU's anti-corruption framework has been fragmented. This hampered coherent enforcement. The same bribery offense could result in significantly different fines and prison sentences depending on whether prosecution occurred in Member State A or Member State B. Significant gaps in cross-border cooperation emerged. On 21 April 2026, the new EU Anti-Corruption Directive that fundamentally transforms this landscape was finally adopted. For the first time, the EU will now have a single legal instrument establishing uniform definitions for corruption offenses across all Member States, covering both the public and the private sector, and recognizing effective compliance programs and internal investigations as mitigating circumstances. The Directive replaces the existing framework and establishes minimum rules that Member States must implement, while permitting them to maintain stricter national provisions. This article analyzes the Directive's essential content and its practical implications for businesses operating in Europe.
The Directive's central achievement is replacing the previous patchwork of national approaches with uniform corruption offenses across all Member States. Articles 3 through 11 define the offenses that must be criminalized throughout the EU.
In the public sector, Article 3 establishes bribery as the central offense. Active bribery covers the promise, offering, or giving of an undue advantage of any kind to a public official – directly or through an intermediary – in order for that official to act or refrain from acting in the exercise of their functions. Passive bribery mirrors this from the official's perspective. The definition of "public official" is deliberately broad, encompassing not only traditional civil servants but also EU officials, officials of third countries, persons exercising public service functions, legislators at all levels, as well as arbitrators and jurors.
Article 5 penalizes the misappropriation of property by public officials and private individuals alike when committed for that person's advantage or for the advantage of another person or entity, or when damaging the financial interests of the public or private entity concerned.
Article 5 makes trading in influence punishable, i.e., cases in which individuals can use their position and proximity to decision makers to exert influence.
In the private sector, Article 4 criminalizes bribery of persons directing or working for private-sector entities where they act in breach of their duties. This is notably narrower than some national laws – German law, for instance, additionally criminalizes competition-distorting bribery even absent a breach of duty. Since the Directive establishes minimum standards, Member States may maintain stricter approaches.
The Directive further criminalizes concealment under Article 10 – the hiding of proceeds or instrumentalities of corruption offenses – as a standalone offense alongside the underlying corruption act. It also harmonizes the criminal offenses of obstruction of justice (Article 8) and enrichment from corruption offenses (Article 9), and establishes under Article 7 the criminalization of certain serious violations involving the unlawful exercise of public functions.
For natural persons, the Directive establishes harmonized minimum maximum penalties scaled by offense severity: five years’ imprisonment for public-sector bribery involving breach of official duties, four years for misappropriation, enrichment, and concealment, and three years for other offenses. Member States may provide that misappropriation involving less than EUR 10,000 does not constitute a criminal offense, though this threshold can be reached through a series of linked acts.
The sanctions regime for legal persons represents perhaps the Directive's most significant practical development. Under Article 13, corporate liability attaches where offenses are committed for a company's benefit by persons in leading positions – those with power of representation, decision-making authority, or control – or where lack of supervision by such persons enabled the offense. The fine framework under Article 14 is calibrated to offense severity: for the most serious offenses – bribery in the public and private sectors and misappropriation (Articles 3 to 5) – minimum maximum fines are set at five percent of worldwide annual turnover of the legal person concerned or EUR 40 million. For trading in influence, obstruction of justice, and enrichment from corruption (Articles 6, 8, and 9), the thresholds are set at three percent of worldwide turnover of the legal person concerned or EUR 24 million.
For companies, this differentiation matters in two directions. On the one hand, the lower end of the range reduces maximum exposure for less severe offenses. On the other hand, the fixed monetary alternative ensures that even companies with limited turnover – including special purpose vehicles, joint ventures, and subsidiaries structured to minimize revenue – cannot escape sharp sanctions. Companies should map their corporate structures against both calculation methods to understand worst-case exposure.
Article 14 stipulates other possible sanctions, such as
The Directive also contains provisions on jurisdiction. Article 18 establishes mandatory jurisdiction where offenses are committed wholly or partly within a Member State's territory or by its nationals. Of particular consequence for corporate compliance is Article 18(2), which allows Member States to extend jurisdiction to offenses committed outside their territory where the offense benefits a legal person established there – regardless of where the offense took place or the nationality of the perpetrators. Where offenses fall within multiple jurisdictions, Member States must cooperate to determine which conducts criminal proceedings, referring matters to Eurojust where appropriate. The Directive mandates use of Europol's SIENA system for information exchange, and prosecution is not dependent on a report being filed where the crime was committed.
For companies, this means that jurisdictional exposure must be assessed individually on a case-by-case basis.
Article 17 of the Directive describes detailed mitigating circumstances for legal persons to reduce sanctions, relating to compliance management systems (“CMS”) and internal investigations. The mitigating circumstances framework has profound implications for how companies should structure their CMS and internal investigations in light of this new Directive.
The Directive requires that corporate measures deliver concrete results:
All this creates specific operational requirements. The explicit reference to identifying "other offenders" means investigations must increasingly focus on individual culpability – a significant shift from approaches that prioritize company-level resolutions. Amnesty programs and settlement agreements could potentially become more difficult to sustain where they conflict with the disclosure expectations underlying mitigation.
Companies should establish vetted processes in advance that enable rapid response. These processes should include clear escalation paths, defined decision-making authorities, documentation protocols (as evidence of cooperative behavior), and strategies for coordinating internal investigation with authority communication while preserving defense rights.
The Directive's explicit recognition that post-offense compliance measures can still be valued as a mitigating factor offers a second chance to companies if prevention failed. This is important to foster a compliance culture in companies, in particular during internal investigations, e.g., when designing immediate measures to stop the breach. But the emphasis on genuine effectiveness makes clear that superficial responses will not suffice; instead, effective and comprehensive measures are required.
In summary, the Directive’s provisions underscore that compliance and internal investigation processes and policies are a key asset to mitigate potential compliance risks. This puts compliance audits that test effectiveness at the center of attention, as recital 29 establishes a “genuine, effective and duly assessed” standard for compliance (internal controls). While it is not yet clear whether authorities will require a mandatory certification of compliance management systems (e.g., IDW PS 980 or ISO 27001), companies are well advised to at least consult these resources along with other resources (e.g., from relevant authorities) when reviewing their compliance measures.
The EU Anti-Corruption Directive represents the most significant development in European anti-corruption laws in decades. By combining harmonized offense definitions, substantial corporate penalties, expanded jurisdictional reach, and – crucially – legal recognition of compliance as a mitigating factor, it creates both enhanced risks and new opportunities for companies.
The fundamental message is clear: Efforts to combat bribery and corruption remain at the top of the agenda in the EU with national enforcement responsibility – despite geopolitical headwinds. Effective and sound compliance and investigation protocols are now a legally recognized mitigating factor in determining corporate liability throughout the European Union.
The implementation timeline of 24 months until mid-2028 from the Directive's entry into force provides a preparation window that companies should use strategically:
Authored by Christian Ritz, LL.M. (USYD), Dr. Felix Werner, and Malte Deutschmann.