Featured image

What the EU's new Anti-Corruption Directive is really about

The EU's New Anti-Corruption Directive is being presented as a Criminal Law reform. I think Compliance Officers should read it as a prevention framework.

When a new anti-corruption law is published, most of us instinctively look for the headlines.

  • What are the new offenses?

  • How severe are the penalties?

  • When do organizations need to comply?

The new EU Anti-Corruption Directive (EU) 2026/1021 certainly gives us plenty to discuss. It expands the scope of corruption offences, introduces common minimum sentencing across Member States, significantly increases corporate liability and raises financial exposure for organizations.

Among the headline changes are:

  • Minimum prison sentences of at least five years for the most serious public bribery offenses.

  • Corporate fines of up to 5% of worldwide annual turnover or €40 million for the most serious offenses (and 3% or €24 million for others).

  • Broader sanctions for legal persons, including exclusion from public procurement, withdrawal of permits, judicial supervision and, in exceptional cases, judicial winding-up.

  • A broader catalog of corruption offences, including trading in influence, obstruction of justice, concealment of corruption proceeds and enrichment from corruption offenses.

Member States now have until 1 June 2028 to transpose most of the Directive into national law.

Those changes are important. But they are not, I'd argue, the most interesting part of the Directive.

The real story is hidden in the recitals 

What surprised me wasn't the criminal law. It was the language. Throughout the Directive, lawmakers repeatedly return to prevention, integrity, transparency, accountability, ethics awareness and effective compliance programs. That's not accidental.

One recital in particular deserves more attention than it has received:

“Failings in integrity, undisclosed conflicts of interest or serious breaches of integrity rules can result in corruption offences if left unaddressed.”

That sentence changes how I read the rest of the Directive. Rather than treating corruption purely as a criminal act to be punished, the Commission is recognizing something compliance professionals have understood for years: corruption often starts long before anyone pays a bribe.

It starts with unmanaged conflicts. Weak governance. Poor oversight. Questionable decisions that nobody challenges. The Directive acknowledges that preventing those failures reduces the need for criminal enforcement; and it encourages Member States to strengthen integrity, regulate conflicts of interest, improve transparency and support robust compliance mechanisms. To me, that's the real shift.

One paragraph every Compliance Officer should read twice

I don't think the most important provision sits in the sections defining corruption offenses. It's buried in the discussion on mitigating circumstances.

The Directive allows Member States to consider whether a company had implemented effective internal controls, ethics awareness and compliance programs before misconduct occurred. It also recognizes voluntary disclosure and meaningful remedial action after an offense is identified. At the same time, it includes an unusually direct warning against compliance programs that amount to little more than “window dressing.”

Notice what the Directive doesn't prescribe. It doesn't mandate a specific Code of Conduct, a fixed training cadence, or a particular due diligence process. Instead, it keeps returning to one word: effective. That is a much higher bar than simply having policies.

Any organization can publish procedures, deploy mandatory e-learning, or ask suppliers to complete questionnaires. Demonstrating that those activities genuinely reduce corruption risk is considerably harder, and that's exactly where I think the Directive becomes interesting for Compliance Officers.

Governance is becoming part of anti-corruption compliance

Historically, anti-corruption legislation has focused on defining offenses and setting penalties. This Directive spends real time on the systems that prevent corruption from occurring in the first place. Member States are expected to develop national anti-corruption strategies, establish specialized anti-corruption bodies, and conduct regular corruption risk assessments.

Most of these obligations apply to governments, not private companies. Even so, I don't think Compliance Officers should dismiss them: public-sector expectations have a habit of migrating into private-sector expectations. We saw this with anti-money-laundering rules; obligations first imposed on state institutions gradually became the baseline private firms were expected to meet in their own due diligence. As Member States build out these governance frameworks, organizations that interact with public authorities - through procurement, licensing, or public-private partnerships - should expect closer scrutiny of transparency, conflicts of interest and third-party oversight.

In other words, the compliance implications may not come directly from the Directive's text. They may come from how Member States choose to implement it.

One omission surprised me

There is one aspect of the Directive I find particularly interesting, not for what it says, but for what it doesn't.

Throughout the text, lawmakers repeatedly invoke integrity, transparency, accountability, ethics awareness, prevention and effective compliance programs. They explicitly acknowledge that corruption often begins with failings in integrity, and they reward organizations that build genuine compliance programs rather than cosmetic window dressing.

Yet the Directive never explicitly mentions organizational culture. I don't see that as a flaw - legislation can require controls, reporting channels and training; culture is far harder to define, let alone regulate. But the omission is notable because other international frameworks have moved further in that direction. The U.S. Department of Justice's Evaluation of Corporate Compliance Programs (ECCP) already asks prosecutors to assess whether a program is “adequately resourced and empowered to function effectively” - language that echoes this Directive's own emphasis almost exactly. The UK Ministry of Justice's guidance on adequate procedures under the Bribery Act points in the same direction.

Neither framework explicitly requires companies to demonstrate an “ethical culture.” But both recognize that preventing misconduct depends on far more than documented controls. The EU Directive feels like another step along that same path, but it simply stops one step earlier.

So what should Compliance Officers be doing now?

There is still time before Member States transpose the Directive. That doesn't mean organizations should wait. If I were reviewing an anti-corruption program today, I wouldn't start by rewriting the gifts and hospitality policy. I'd start with more fundamental questions:

  • Could we demonstrate that our program is effective, not simply documented?

  • Do our corruption risk assessments reflect how corruption actually develops, rather than focusing only on bribery?

  • Would regulators see evidence that our controls influence behavior — or simply that they exist?

  • If misconduct occurred tomorrow, could we demonstrate that we took reasonable steps to prevent it?

Those questions are harder to answer than updating a policy document. They're also likely to matter far more.

A final thought

Most commentary on Directive (EU) 2026/1021 will focus on the expanded offences, tougher penalties and larger fines. Those changes matter. But I suspect that's not how we'll remember this Directive in a few years. Its lasting significance may be that it marks another step in the evolution of compliance: from responding to misconduct, to demonstrating effective prevention.

Regulators can require organizations to implement controls. They can mandate training. They can encourage effective compliance programs. What they cannot legislate is trust.

Yet every experienced Compliance Officer knows that trust is often what determines whether people speak up, challenge questionable decisions, disclose conflicts of interest, and do the right thing when nobody is watching.

The Directive doesn't call that an ethical culture. It probably doesn't need to. But if the last decade of compliance evolution is any guide, culture won't stay unnamed for long.

Ready to upgrade your ethics and compliance program?

We’re excited to give you a personalized demo of the LRN solution. We’ve been a trusted ethics and compliance partner for over 25 years. With over 30 million learners trained each year, we optimize ethics and compliance programs across the globe to help save your team time, increase engagement, and align with regulation.