Everything French organisations need to know about Sapin II compliance in 2026. Article 17 requirements, AFA audits, risk mapping, fines, and best practices.
France's corporate anti-corruption landscape has changed permanently since 2016. For organisations operating in France today, Sapin II compliance is not an optional governance exercise or a box-ticking formality. It is a binding legal obligation backed by audits, administrative sanctions, criminal prosecution, and penalties that can reach into the millions of euros.
In 2026, enforcement is more sophisticated, regulator expectations are higher, and international cooperation between the French Parquet National Financier (PNF), the US Department of Justice, and the UK Serious Fraud Office has never been more active. Organisations that treat compliance as a paper exercise are running out of room to hide.
The Sapin II law, enacted on 9 December 2016, represents France's comprehensive effort to overhaul its anti-corruption framework, aligning it with international standards set by legislation such as the US Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act. It toughened corruption sanctions, introduced new negotiated resolution procedures, imposed stringent compliance obligations on large corporations, and created the French Anti-Corruption Agency (Agence Française Anticorruption, or AFA) to supervise efforts in both the private and public sectors.
This guide is designed for compliance officers, legal counsel, CFOs, and senior managers at companies subject to Loi Sapin II. It covers everything you need to know: who the law applies to, the eight mandatory Article 17 requirements, risk mapping, third-party due diligence, AFA audits, penalties, common pitfalls, and a practical 2026 compliance checklist.
Whether you are building a programme from scratch, preparing for an AFA audit, or reviewing your existing framework, this guide will give you the full picture.
On 9 December 2016, the French Parliament passed Law No. 2016-1691 on Transparency, Fighting Corruption, and Modernising Economic Life, known as "Sapin II" after Michel Sapin, the then Minister of Finance who drove its passage.
The law did not emerge in a vacuum. Prior to its enactment, the French legal framework for combating bribery and corruption had fallen considerably behind several of its European counterparts, prompting widespread calls for domestic reform aimed at aligning France's anti-bribery and corruption capacity with prevailing international norms. High-profile corporate scandals and international pressure from bodies including the OECD made reform inevitable.
Sapin II built on the original Sapin Act of 1993 (Sapin I), which had introduced basic rules around transparency in public contracts and political financing. Loi Sapin II went considerably further, establishing a modern, enforceable, and comprehensive anti-corruption regime for France.
Sapin II did three things that had previously been absent from French law: it created a binding obligation for large companies to actively prevent corruption; it established the French Anti-Corruption Agency (AFA) to supervise and enforce that obligation; and it introduced a general legal framework for the definition and protection of whistleblowers.
In practical terms, this means that qualifying organisations are no longer simply prohibited from committing acts of corruption. They are affirmatively required to build, implement, and continuously improve a documented compliance programme, regardless of whether any corruption has actually occurred. The obligation is proactive, not reactive.
Inspired by the US FCPA and the UK Bribery Act, Sapin II mandates strict regulations, including increased organisational transparency, stronger internal monitoring systems, robust whistleblower protections, and effective supply chain risk management due diligence.
| Feature | Sapin II (France) | FCPA (USA) | UK Bribery Act |
| Enforcement body | AFA + PNF | DOJ + SEC | SFO |
| Compliance programme required | Yes (Article 17) | Encouraged (sentencing benefit) | Adequate procedures defence |
| Thresholds | 500 employees + €100M turnover | No size threshold | No size threshold |
| Whistleblower protection | Yes (Loi Waserman 2022) | Limited | Limited |
| Extraterritorial scope | Yes | Yes | Yes |
For organisations already compliant with the FCPA or the UK Bribery Act, Sapin II's framework will feel familiar. The eight pillars broadly mirror the compliance elements those laws encourage, though the French regime introduces specific legal obligations that are stricter in several areas.
As of early 2026, Sapin III has not been enacted. The Loi Waserman of 2022 addressed the whistleblowing dimension that Sapin III was expected to cover. Proposed Sapin III measures focused on extending Article 17 obligations to subsidiaries of large groups and strengthening the CJIP regime. Organisations should monitor legislative developments through the AFA's official publications and the Legifrance portal, but the current operative framework remains Sapin II as updated by the 2022 whistleblowing law.
Pursuant to Article 17 of the Sapin II Law, companies with at least 500 employees, a registered office in France, and annual turnover (or consolidated turnover) exceeding EUR 100 million are required to implement a risk-based anti-corruption programme. The obligation rests personally on the company's chair, chief executive or managers, as well as on the company itself.
The 500-employee threshold is met in either of two ways: by a single French entity, or by a group whose parent is headquartered in France and whose consolidated workforce reaches 500 (the turnover test is likewise applied on a consolidated basis). This means that even a relatively small French subsidiary of a large group may be drawn into scope through the parent company's headcount.
This obligation extends to subsidiaries and companies controlled by these groups, both in France and abroad. The compliance obligation is therefore not confined to the French parent entity. It cascades down through the corporate structure.
Does Sapin II apply to foreign companies? Yes, and this is one of the most frequently misunderstood aspects of the law.
Sapin II's reach extends beyond companies headquartered in France. A French-registered subsidiary of a foreign group falls within Article 17 in its own right if it meets the headcount and turnover thresholds, and the foreign subsidiaries of an in-scope French parent are drawn in through the parent's programme. Separately, the law widened the extraterritorial reach of the corruption offences themselves: French courts can prosecute acts of corruption committed abroad by persons who habitually reside in France or carry on all or part of their economic activity there, without the dual-criminality condition that applied before 2016.
This means that a US, UK, or German multinational with a French subsidiary of sufficient size cannot simply rely on its home-country compliance programme. It must ensure that its French operations have a Sapin II-compliant programme in place.
Even if your organisation falls below the Article 17 thresholds, Sapin II still applies to you in a meaningful way. Any company with at least 50 employees must establish an internal whistleblowing channel. Following the Loi Waserman of 21 March 2022, which transposed the EU Whistleblowing Directive into French law, whistleblower protections were significantly strengthened and expanded.
Obstructing a whistleblower's report is itself a criminal offence under French law, punishable by one year of imprisonment and a €15,000 fine. Disclosing the identity of a whistleblower without their consent is punished more severely: two years of imprisonment and a €30,000 fine.
This is the operational heart of Sapin II compliance. The general obligation to prevent and detect bribery and influence peddling consists of the development and effective application of eight measures: a code of conduct; an internal reporting (whistleblowing) system; a risk map; third-party due diligence procedures; accounting controls; training for managers and staff most exposed to corruption risk; an internal monitoring and assessment system; and a disciplinary regime.
Each pillar must be documented, implemented in practice, and capable of withstanding scrutiny during an AFA audit. Having a policy on paper is not sufficient. The AFA evaluates the operational effectiveness of your programme, not merely its existence.
The code of conduct must specifically define and illustrate the different types of behaviour to be prohibited as likely to characterise corruption or influence peddling. It must go beyond generic statements. It should address gifts and hospitality policies, conflicts of interest, facilitation payments, and sector-specific risks relevant to your organisation.
The code must be integrated into the company's internal regulations, making it enforceable. It must be signed off by senior leadership and communicated to all relevant employees. The AFA guidance recognises that the code of conduct can be integrated into a broader ethics and compliance system and suggests how it might work alongside documents relating to risk mapping and internal policies and procedures.
A confidential internal alert system must allow employees to report breaches of the code of conduct safely, with their identity protected. The law requires confidentiality; organisations may additionally choose to accept anonymous reports, but anonymity is not mandatory. The system must be accessible, clearly communicated, and backed by a prohibition on retaliation.
The whistleblowing procedures established under Sapin II are designed to work in tandem with the EU Whistleblower Protection Directive, effective from December 2021, by prohibiting retaliation against whistleblowers. Importantly, while Sapin II requires organisations to have an alert system, it does not require organisations to launch an internal investigation into every alert received. However, your triage and response procedures must be documented and proportionate.
Regularly updated risk maps are required to identify, analyse, and prioritise the company's exposure to corruption risks, considering factors such as business sector and geographic location.
Risk mapping is the structural backbone of your compliance programme. The AFA has confirmed the critical role of risk mapping, which should be the first step in any compliance programme and permeate the other measures, including the code of conduct, training, and accounting controls, based on the corruption risks it identifies.
One of the eight pillars of Sapin II is a requirement that covered entities adopt a third-party due diligence programme with respect to their customers, first-tier suppliers, and intermediaries. The AFA encourages companies to voluntarily expand the universe of due diligence to encompass any third party with whom a covered entity interacts.
In 2025 the AFA put forward updated practical guidance notes on third-party due diligence to help companies operationalise this requirement, reflecting the growing sophistication expected of third-party screening processes.
Internal and external accounting controls must ensure that the company's books, registers, and accounts are not used to conceal acts of corruption or influence peddling.
Controls should be risk-based and proportionate to the company's exposure profile. This means the scope and intensity of your accounting controls should be informed by your risk map. Higher-risk jurisdictions, business lines, and transaction types should attract greater scrutiny.
Regular training must be provided to executives and employees most exposed to corruption risk. Training must be practical, targeted, and documented. Broad annual e-learning modules sent to all staff do not, on their own, satisfy this requirement for high-risk populations.
Targeted training and awareness must be delivered to leadership and to personnel exposed to corruption risks, for example in sales, procurement, government interactions, and finance. Attendance must be tracked and effectiveness measured.
Compliance programmes must be evaluated on an ongoing basis. The AFA recommends annual internal audits, random tests on sensitive processes such as public procurement and relations with third parties, and perception surveys among employees. This assessment enables the detection of weaknesses and their rapid correction.
The programme must demonstrate continuous improvement, not merely initial implementation.
Clear disciplinary consequences for violations of the code of conduct must be defined in advance and communicated to employees. The existence of enforceable consequences is considered a key indicator of programme effectiveness by the AFA.
The AFA guidance recommends in particular that sanctions are proportionate to the misconduct. A regime that punishes all violations with dismissal, regardless of severity, is as problematic as one that applies no consequences at all.
Risk mapping is the single most important pillar of any Sapin II compliance programme. It is not merely one requirement among eight; it is the foundation upon which all other measures are calibrated. Without a credible, up-to-date risk map, every other element of your programme, from the code of conduct to third-party due diligence, lacks a proper evidential basis.
Risk mapping identifies areas of exposure: sensitive countries, high-risk sectors, and types of partners. This analysis enables organisations to prioritise and allocate resources appropriately.
The AFA has been consistent in its findings across audit cycles. Risk assessments are often superficial according to the AFA. Many organisations do not update risk maps to reflect changing market or geographic conditions, and without a dynamic process, the effectiveness of the other pillars is reduced.
A risk map that was built three years ago and has never been updated is not a compliant risk map. The AFA expects your risk map to reflect your current business activities, any recent acquisitions or market entries, changes in your third-party relationships, and shifts in the geopolitical or sectoral risk environment.
The AFA has consolidated its guidance into three pillars: Leadership, Risk Mapping, and Risk Management. This consolidation signals that the AFA views leadership engagement and risk management as inseparable from the technical risk mapping exercise itself. A risk map produced by the compliance team in isolation, without senior leadership involvement and without being embedded in operational decision-making, does not meet AFA expectations.
A robust Sapin II risk map should follow these steps:
Step 1: Define the scope. Identify all business activities, geographic markets, client categories, distribution channels, and types of counterparties. Map your exposure by function: procurement, sales, public affairs, finance.
Step 2: Identify risk categories. Cover geographic risks (high-corruption-index countries), sector risks (public procurement, regulated sectors), transactional risks (large one-off payments, commissions, hospitality), and relational risks (agents, intermediaries, politically exposed persons).
Step 3: Assess likelihood and impact. Score each risk based on probability of occurrence and the severity of the potential consequence. Use both quantitative data (financial flows, transaction volumes) and qualitative inputs (interviews with business line managers).
Step 4: Prioritise and document. Rank risks and allocate compliance resources accordingly. Document your methodology, your evidence base, and your validation process.
Step 5: Validate with senior leadership. The risk map must be reviewed and formally approved by the company's governing body. Compliance team ownership alone is insufficient.
Step 6: Update regularly. The AFA recommends at least annual updates, plus ad hoc updates following significant organisational changes such as mergers, new market entries, or changes in third-party relationships.
The majority of significant corruption cases involve third parties: sales agents paid on commission, procurement intermediaries, joint venture partners, government relations consultants. The corruption risk in these relationships is real, it is well-documented by regulators globally, and it is precisely what the AFA expects your due diligence programme to address.
The express purpose of Sapin II due diligence is to ascertain whether a covered entity should enter into a new relationship with a third party, maintain such a relationship, or terminate the relationship altogether. This is not a compliance formality. It is a business decision with legal and reputational consequences.
The due diligence process involves data collection on legal, financial, reputational, and extra-financial information; integrity analysis covering legal history, beneficial owners, international sanctions, and political links; risk rating and classification according to the criticality of the third party; and ongoing monitoring with periodic data updates and monitoring of weak signals.
This due diligence process must be traceable, justifiable, and proportionate to the risk identified, in line with GDPR and compliance audit requirements. Each step must be documented.
The proportionality principle is important. Not every third party warrants the same depth of scrutiny. A low-value domestic supplier of office stationery does not require the same level of investigation as a sales agent operating in a high-risk jurisdiction on a commission basis. Your risk map should determine the intensity of your due diligence procedures.
The AFA opened a public consultation on draft practical guidance notes designed to help companies operationalise third-party due diligence set out in Article 17 of the Sapin II Law, with the consultation period running until 30 September 2025. This updated guidance reflects the AFA's expectation that third-party due diligence programmes evolve beyond basic sanctions screening to encompass genuine integrity assessments.
Mergers create a specific and severe Sapin II risk that is often underestimated. Following two Cour de cassation rulings of November 2020 and May 2024, a company that absorbs another in a merger can now be held criminally liable for offences the absorbed company committed before the merger, whatever the corporate form of the companies involved. Pre-deal due diligence must therefore include a full audit of the target's Sapin II compliance programme to avoid inheriting significant liabilities.
This means that standard financial and legal due diligence checklists are no longer sufficient for transactions involving French entities. Anti-corruption due diligence must be embedded as a mandatory workstream in every M&A process.
The AFA was created in 2016 to enhance transparency and modernise economic life in France. It operates under the joint authority of the Ministry of Justice and Ministry of Budget, with an independent director to ensure impartiality in fulfilling its missions. The AFA focuses on preventing and detecting corruption, influence peddling, misappropriation of public funds, and favouritism.
The AFA serves two functions: advisory and supervisory. On the advisory side, it publishes guidance, recommendations, and practical tools to help organisations build compliant programmes. On the supervisory side, it conducts formal audits and refers non-compliant organisations to its independent Sanctions Commission.
The management of companies subject to Sapin II are expected to play an active role in the implementation of the company's anti-corruption plan. They may not delegate their powers in this field and are expected to set the tone at the top.
In 2024, the AFA conducted 39 audits: 10 of private companies, 17 of public entities, and 12 relating to the preparation of the Olympic Games. Audits are either initiated on the AFA's own authority (or at the request of the authorities entitled to refer matters to it) or carried out to monitor a compliance programme imposed by a court or under a CJIP.
During an audit, the AFA does not simply review your documentation. It evaluates whether your programme is genuinely operational and effective. Auditors will interview staff, test whether employees know how to use the whistleblowing system, review training records, examine the methodology behind your risk map, and assess the depth and consistency of your third-party assessments.
Companies are advised to conduct mock audits and ensure their French-specific risk maps are detailed, updated, and well-documented, maintaining a continuous state of audit readiness.
Based on publicly available AFA findings and guidance, the most frequent weaknesses identified during audits include:
Risk maps that are outdated or insufficiently documented
Training records that cannot evidence who was trained, when, and on what content
Whistleblowing systems that exist on paper but have never been tested or communicated
Third-party due diligence limited to a single sanctions database check
Senior management engagement limited to signing the code of conduct without deeper programme oversight
Disciplinary procedures that are undefined or inconsistently applied
The AFA notes that commitment by senior management is often limited to prefacing a firm's anti-corruption code of conduct. Deeper involvement throughout the programme is expected.
On 20 March 2025, the PNF, in partnership with the UK Serious Fraud Office and the Swiss Federal Prosecutor, announced the establishment of an International Action Group of Anti-Corruption Prosecutors, designed to enhance judicial cooperation by exchanging strategies, sharing best practices, and conducting joint operational projects.
This development signals clearly that French enforcement is no longer a purely domestic matter. Organisations with cross-border activities should assume that the PNF and its international partners are capable of identifying and prosecuting conduct that might previously have fallen below the enforcement radar.
AFA sanctions are pronounced by its independent Sanctions Commission, not by the agency's audit teams. The escalation ladder runs from a warning issued by the AFA's director to the company's representatives, to a Commission injunction to bring the programme into compliance within a set deadline, to fines of up to €200,000 for individuals (including company directors) and up to €1 million for legal entities. The Commission may also order its decision to be published.
Publication of a sanction decision is a penalty in itself. For listed companies and organisations operating in regulated sectors, a published decision of the AFA Sanctions Commission carries reputational consequences that can far exceed the financial fine.
The administrative penalty does not result in a criminal record for the legal person, but it does create a formal record of non-compliance that can be relevant in subsequent regulatory proceedings, contractual negotiations, and M&A due diligence processes.
The administrative penalties imposed by the AFA Sanctions Commission are separate from and additional to criminal liability under French law.
Executives and managers personally face the €200,000 administrative fine under Article 17 for a deficient programme. Where they are themselves involved in a corruption offence, they face criminal penalties, including imprisonment and disqualification from holding public office or managing a company.
Bribery of public officials, active and passive, is punishable by up to ten years' imprisonment and a fine of up to €1 million for individuals (which may be raised to twice the proceeds of the offence) and up to €5 million for legal entities. Private-sector bribery and influence peddling carry up to five years' imprisonment and a €500,000 fine (€2.5 million for legal entities). Facilitation payments are not a separate offence under French law: they are treated as bribery.
The PNF has shown increasing willingness to pursue international cases involving French-connected entities, including through coordinated enforcement with the US Department of Justice and UK Serious Fraud Office.
Sapin II introduced the convention judiciaire d'intérêt public (CJIP), France's deferred prosecution mechanism, enabling prosecutors (in practice most often the Parquet National Financier) to negotiate settlements in corruption cases.
The CJIP is not an amnesty. It is an alternative to criminal prosecution that requires the company to pay a financial penalty, implement or improve a compliance programme, and cooperate fully with investigators. It allows organisations to avoid a criminal conviction while acknowledging the misconduct.
For companies facing potential AFA or PNF scrutiny, voluntary self-disclosure and a demonstrably effective compliance programme are material factors in determining whether a CJIP is available and on what terms.
The scale of potential penalties is illustrated starkly by the most significant French enforcement action to date. The highest sanction imposed on a legal entity was EUR 3.6 billion on Airbus, which in January 2020 signed coordinated resolutions with the French PNF (a CJIP), the UK Serious Fraud Office, and the US Department of Justice; roughly EUR 2.1 billion of that total was paid in France.
The most dangerous assumption in Sapin II compliance is that publishing a code of conduct and a whistleblowing procedure means you are compliant. The AFA has consistently found the opposite: organisations with extensive written policies and weak operational implementation are treated as non-compliant.
AFA guidance aims to evolve from tick-box rules to values-based programmes, aligning France with international anti-corruption best practice. This philosophical shift is reflected in the way the AFA now approaches audits. The question is no longer "do you have a policy?" The question is "does your policy change how people behave?"
A Sapin II-compliant anti-corruption policy framework goes beyond the code of conduct itself. It should encompass:
Gifts and hospitality policy. Clear monetary thresholds, prohibited categories, mandatory registration requirements, and a centralised approval process for anything above the threshold. Policies must be role-specific and reflect actual risk exposure.
Conflicts of interest policy. A formal declaration process, a review mechanism, and clear rules about how identified conflicts are managed and documented.
Facilitation payments policy. A clear prohibition, with guidance on what to do when a payment is demanded by a foreign official and how to escalate the situation safely.
Political donations and lobbying policy. Sapin II introduced specific transparency requirements for lobbying. Organisations that engage with public officials must have robust controls in this area.
Anti-corruption clause requirements. Contracts with third parties must include appropriate anti-corruption representations and warranties. These contractual protections must be operationally enforced, not merely inserted as boilerplate.
Under Article 17, responsibility for the anti-corruption plan rests personally with the company's chair, chief executive and managers. They cannot delegate it, and the AFA expects them to set the tone at the top.
Tone at the top is not a slogan. It means that the CEO and executive committee visibly champion the compliance programme, that senior leaders complete training before asking their teams to do so, that compliance resources are adequately funded, and that no exception is made to anti-corruption standards for any individual regardless of their seniority or commercial importance.
Anti-corruption efforts are now closely aligned with broader Environmental, Social, and Governance (ESG) mandates, particularly the Corporate Sustainability Due Diligence Directive (CSDDD), and third-party management increasingly requires a comprehensive assessment of supply chain integrity beyond sanctions screening.
For organisations subject to both Sapin II and the CSDDD, there is a significant opportunity to align due diligence processes, risk mapping methodologies, and governance frameworks across both regimes, reducing duplication and creating a more integrated compliance function.
The AFA has been conducting audits since 2017. Patterns in what goes wrong are well established. These are the most frequent and consequential mistakes organisations make.
Sapin II compliance is not a project with a start date and an end date. It is an ongoing operational commitment. Risk maps must be updated when your business changes. Due diligence processes must evolve as third-party relationships change. Training must be refreshed as new risks emerge. Organisations that treat their initial compliance build as a finished product and fail to maintain it are routinely found non-compliant during AFA audits.
Where senior management involvement stops at prefacing the code of conduct, the AFA treats the programme as lacking the leadership pillar of its recommendations. Senior executives must be actively involved in risk mapping validation, complete the training themselves, and take part in regular programme reviews. The compliance function cannot carry this responsibility alone.
A single database check against a sanctions list does not constitute third-party due diligence under Sapin II. The AFA expects a proportionate, risk-based process that considers legal history, beneficial ownership, political connections, and reputational indicators. For high-risk third parties, this means detailed investigation, not automated screening.
Because an absorbing company now carries the pre-merger criminal liabilities of the company it absorbed, regardless of corporate form, due diligence must include a full audit of the target's Sapin II compliance programme to avoid inheriting significant liabilities. Organisations that have completed mergers or acquisitions in recent years without a thorough anti-corruption review of their targets are carrying unquantified legacy risk.
Broad annual e-learning modules sent to all staff do not, on their own, satisfy the training requirement for high-risk populations. Neglecting mandatory training sessions for employees regarding Sapin II compliance and ethical business practices can significantly expose your organisation to legal and reputational risks. Training must be role-specific, scenario-based, and documented in a way that demonstrates who was trained, on what content, and when.
Many organisations have a whistleblowing system that exists technically but is unknown to employees, untested, and effectively non-functional. The AFA tests whether staff know how to use the system and whether reported alerts are processed with appropriate confidentiality and timeliness.
Accounting controls that exist only to satisfy financial reporting requirements will not catch the mechanisms corruption actually uses. Controls must be specifically designed to detect off-book transactions, irregular or round-number payments, fictitious invoices, and payments to intermediaries that do not match contracted services. Weak controls here expose the organisation both to the underlying misconduct and to AFA findings of non-compliance.
Use this checklist as a programme health check. Each item maps to one of the eight Article 17 pillars and to the AFA's current enforcement priorities. Work through it with your compliance team, legal counsel, and relevant business line managers.
Code of conduct reviewed and updated within the last 12 months
Code reflects your current risk profile, including relevant geographic and sectoral risks
Code integrated into internal regulations and enforceable
Code signed off by senior leadership and formally communicated to all relevant employees
Gifts and hospitality thresholds clearly defined and up to date
Internal alert system operational and accessible to all relevant employees
System updated to comply with the Loi Waserman 2022 requirements
Confidentiality and anonymity protections tested and documented
Alert triage and investigation procedures defined
System communicated through internal channels in the last 12 months
Risk map updated within the last 12 months, or following any significant organisational change
Risk map covers all relevant geographic markets, business lines, and third-party categories
Methodology documented and consistent with AFA guidance
Risk map validated by the governing body or senior leadership
Risk map outputs used to calibrate other programme elements
Due diligence procedures documented and risk-based
Process covers customers, first-tier suppliers, and intermediaries at minimum
Proportionality framework in place: higher-risk third parties receive deeper scrutiny
Ongoing monitoring in place, not just onboarding screening
AFA's updated 2025 guidance on third-party due diligence reviewed and incorporated
M&A due diligence process includes Sapin II compliance audit of targets
Specific accounting controls designed to detect off-book transactions and fictitious invoices
Controls reviewed by internal audit within the last 12 months
Controls risk-calibrated based on current risk map
Training delivered to all executives and high-risk employees within the last 12 months
Training is role-specific and scenario-based
Training attendance and completion documented
Effectiveness of training evaluated (testing, surveys, or assessments)
Annual internal audit of compliance programme conducted
Mock AFA audit conducted or scheduled
Programme weaknesses identified and remediation plans in place
Programme review findings reported to senior leadership
Disciplinary consequences for code of conduct breaches defined and documented
Disciplinary procedures communicated to all employees
Procedures applied consistently and proportionately
Legal counsel assessment of potential AFA or PNF exposure conducted
Self-disclosure considerations reviewed with legal advisors
Voluntary improvement measures documented where relevant
Sapin II is not just a corporate compliance obligation. It creates direct personal liability for the individuals at the top of organisations subject to Article 17.
Executives and managers can face fines of up to €200,000, imprisonment for up to ten years, and a potential ban from holding public office or serving as company directors. The personal consequences of non-compliance are therefore potentially career-ending and life-altering for the individuals concerned, regardless of whether they were personally aware of the specific corrupt act.
Management may not delegate their powers in the field of anti-corruption compliance and are expected to set the tone at the top. This is a critically important legal point. A director cannot avoid personal liability by pointing to the compliance department and claiming no personal responsibility. The obligation sits with the director personally.
Corruption risk does not distribute evenly across an organisation. The following functions carry elevated exposure under Sapin II:
Procurement and supply chain. Relationships with suppliers, contractors, and service providers, particularly in high-risk jurisdictions or sectors, carry significant exposure to bribery and kickback risk.
Sales and business development. Use of agents, intermediaries, and commercial partners, especially when commission-based arrangements are involved, requires careful management.
Finance and treasury. Unusual payment requests, off-balance-sheet transactions, and payments to third-party accounts are classic red flags that finance managers must be trained to recognise and escalate.
Public affairs and government relations. Any interaction with public officials in France or abroad is a high-risk area under Sapin II and must be governed by clear, documented procedures.
International operations. Managers working in countries that score poorly on the Transparency International Corruption Perceptions Index carry specific responsibilities for ensuring that local practices do not expose the group to liability under French law.
Managers regularly encounter situations that carry corruption risk, from a client requesting an unusually large "facilitation" payment, to a supplier offering lavish hospitality, to a public official suggesting that a contract outcome depends on a personal favour. Training matters enormously here. Knowing what to do in the moment, how to document the situation, how to escalate through the whistleblowing system, and how to protect yourself from false accusations all depend on preparation.
Looking ahead to 2025 through 2027, enforcement is expected to become more proactive and preventive rather than purely punitive. Authorities increasingly evaluate whether companies have effective anti-corruption programmes in place before misconduct occurs. Sapin II requires organisations to implement structured compliance systems, including risk mapping, internal reporting channels, and third-party due diligence procedures. In practical terms, this means regulators will continue to focus on the quality and effectiveness of compliance programmes, not just whether companies formally adopted policies.
For a complete manager's guide to Sapin II obligations, risks, and practical responses, read Understanding Sapin II: A Manager's Guide to Anti-Corruption Compliance.
Personal liability under Sapin II is real. The Sapin II Compliance and Anti-Corruption for Managers course from the French Compliance Institute gives your managers the legal knowledge, practical frameworks, and decision-making confidence to navigate corruption risk situations correctly. Built specifically for the French regulatory environment, the course covers all eight Sapin II pillars from a management perspective.
Organisations that approach Sapin II compliance as a cost to be minimised will always struggle. They will do the minimum required, fail to embed the programme operationally, and face recurring audit findings. Organisations that treat compliance as a genuine asset, as protection for their people, their reputation, their contracts, and their licence to operate, will build programmes that hold up under scrutiny and deliver long-term value.
An effective Sapin II compliance programme enables your organisation to participate in regulated procurement processes, enter into partnerships with multinationals that impose their own due diligence standards, access financing from institutions that require anti-corruption warranties, and respond credibly to AFA or PNF inquiries when they arise.
The French government's multi-year plan for 2025 through 2029 marks a significant shift in anti-corruption efforts. The focus is expanding beyond traditional bribery to address emerging challenges including infiltration by organised crime, crypto-assets, and complex financial transactions. The PNF and AFA are increasing collaboration with TRACFIN to monitor complex financial transactions.
This means that the Sapin II compliance landscape will not remain static. Organisations must build programmes capable of adapting to new risk categories, including digital asset transactions, supply chain integrity in the context of ESG obligations, and the emerging intersection between organised crime and corporate corruption.
1. Leadership ownership. The compliance programme must have genuine, visible, and documented executive sponsorship. The board and executive committee must review programme performance regularly.
2. Risk-based proportionality. Your programme must be calibrated to your actual risk profile, not to a generic template. Resources must go where the risks are highest.
3. Operational integration. Compliance must be embedded in day-to-day business processes, not managed as a separate overhead function. Risk assessment must inform procurement decisions. Due diligence must be part of the business development process.
4. Continuous improvement. Your programme must evolve. Annual reviews, mock audits, training refreshes, and risk map updates are not optional extras. They are the mechanism by which your programme stays effective.
5. Documented evidence. Everything the AFA will want to see during an audit must be documented, retrievable, and comprehensible to someone seeing it for the first time. If it is not documented, it did not happen.
Sapin II compliance in 2026 is not a choice between cost and benefit. It is a choice between building a programme that protects your organisation, your people, and your reputation, or accepting the risk of AFA sanctions, criminal prosecution, reputational damage, and exclusion from business opportunities that require demonstrated compliance.
The law is clear. The regulator is active. The enforcement environment is increasingly international. Organisations that invest in building genuinely effective compliance programmes will be positioned to operate with confidence. Those that do not will find the consequences increasingly difficult to manage.