Whistleblowing | Workplace Compliance
EU Anti-Corruption Directive (2026/1021)
A landmark regulation that creates the EU’s first harmonized criminal law framework for corruption, setting common offense definitions and minimum penalties for individuals and companies across all member states.
Table of contents
What Is the EU Anti-Corruption Directive
Directive (EU) 2026/1021, also known as the EU Anti-Corruption Directive, replaces the EU’s previous, fragmented anti-corruption instruments. This includes the Council Framework Decision 2003/568/JHA on corruption in the private sector and the 1997 Convention on the Fight Against Corruption involving EU and member state officials. It also amends Directive (EU) 2017/1371.
The Directive criminalizes public- and private-sector corruption, protecting the integrity of public institutions and markets rather than a defined class of individuals. It explicitly encourages whistleblower protection in a manner consistent with the EU Whistleblower Directive. Covered organizations under the eventual national laws include both public and private entities.
Adopted by the European Parliament and Council on 21 April 2026, it was published in the Official Journal on 11 May 2026 and entered into force on 31 May 2026. Member states must transpose most of their obligations into national law by 1 June 2028, with a longer deadline of 1 June 2029 for national anti-corruption strategies and risk assessment requirements.
Key EU Anti-Corruption Directive Provisions | |
Harmonized Corruption Offenses | Common minimum definitions for bribery, misappropriation, trading in influence, obstruction of justice, illicit enrichment, concealment, and private-sector corruption. |
Corporate Liability | Companies are liable when an offense is committed for their benefit by a person in a position of authority, or enabled by a lack of supervision or control. |
National Anti-Corruption Strategies | Member states must adopt, publish, and regularly update a national strategy developed in consultation with civil society and stakeholders. |
Minimum Limitation Periods | At least five or eight years for prosecution, depending on the offense, to account for how long corruption typically takes to detect. |
Cross-Border Cooperation | Reinforced cooperation and data-sharing between national authorities and EU bodies, including OLAF, Europol, Eurojust, and the European Public Prosecutor's Office. |
Who Is Responsible for the EU Anti-Corruption Directive?
Enforcement sits with national authorities once each Member State transposes the Directive, following the same delegated pattern as other EU criminal law directives. Germany, France, and Italy will each need to amend their existing criminal codes and designate or reinforce a national anti-corruption body with adequate independence and staffing.
At the EU level, the European Anti-Fraud Office (OLAF), the European Public Prosecutor’s Office (EPPO), Europol, and Eurojust coordinate cross-border investigations and help resolve jurisdictional disputes between member states.
What Are the Possible Penalties Under the EU Anti-Corruption Directive?
For natural persons, member states must establish prison sentences ranging from three to five years, depending on the offense. For legal entities, the Directive requires fines of either 3% to 5% of a company’s total worldwide turnover or fixed alternative sums of €24 million to €40 million, depending on the severity of the violation.
National law may add further consequences, including exclusion from public procurement and EU funding, withdrawal of licenses or authorizations, judicial winding-up, closure of the establishment where the offense occurred, and publication of the judgment.
What Does the EU Anti-Corruption Directive Require?
The Directive will require organizations to account for a broader and more precisely defined set of corruption offenses than most member states currently criminalize, including private-sector bribery and misappropriation carried out for a company’s benefit.
Organizations should expect exposure to increase, specifically where a person in a leading position, meaning someone with the power to represent the company, make decisions, or exercise control, commits an offense on the company’s behalf, or where inadequate supervision allows a subordinate to do so.
Member states must also publish comparable, machine-readable annual data on corruption offenses, prosecutions, convictions, and fines. This gives the public greater visibility into how actively each jurisdiction enforces the rules.
Because the Directive treats detection as a governance issue, not just a criminal law issue, organizations should expect national implementing laws to place greater emphasis on internal controls, conflict-of-interest management, and whistleblower channels. These measures may help demonstrate that an effective compliance program was in place if corruption allegations arise.
If your organization is already subject to the US Foreign Corrupt Practices Act (FCPA) or the UK Bribery Act, the EU Anti-Corruption Directive introduces materially similar corporate liability logic across the EU. This means existing anti-bribery controls provide a strong starting point, but will need to be updated to reflect jurisdiction-specific offense definitions once national transposition is finalized.
Why Is the EU Anti-Corruption Directive Important?
A 2025 Eurobarometer survey found that 69% of Europeans believe corruption is widespread in their country, and 66% believe high-level cases go unpunished. The Directive is a direct political response to that gap, and its two-year transposition period gives organizations a head start in preparing, rather than reacting once national laws take effect.
The Directive raises both individual and corporate exposure while increasing cross-border investigative cooperation between member states. Companies operating in more than one EU jurisdiction can no longer assume that gaps in one country’s enforcement will shield conduct that would be caught elsewhere.
Building anti-corruption controls now, ahead of the mid-2028 deadline, is more cost-effective than retrofitting them once national laws and enforcement priorities are set.
How FaceUp Helps Comply with the EU Anti-Corruption Directive
The Directive does not directly require a specific reporting platform. However, it does emphasize the importance of internal anti-corruption controls, including whistleblowing channels that allow employees and third parties to raise concerns before issues escalate to national regulators.
FaceUp helps organizations deploy an easy-to-use whistleblowing platform in as little as two hours, complete with multi-channel intake via web forms, 24/7 hotlines, and iOS/Android mobile apps in 113 languages to help individuals report without fear of retaliation.
Centralized case management with automatic activity logging and role-based permissions allows compliance teams to document the entire resolution process, helping demonstrate the active supervision the Directive considers when evaluating cases.
Quick Facts
Full legislation
Applies to
Public and private entities across all EU member states, once transposed into national law by 1 June 2028
Penalties
Prison terms of 3 to 5 years for individuals;
corporate fines of 3 to 5 percent of worldwide turnover or 24 to 40 million euros.
The FaceUp Solution
FaceUp is an anonymous reporting and compliance platform designed to help businesses meet whistleblowing regulations worldwide, including those in the US, EU, UK, and UAE.

Fully Anonymous Reporting
Give staff multiple secure channels to report their concerns, complete with an anonymous two-way chat.
Mobile-First Accessibility
No IP storage, no device IDs, encrypted submissions
Customizable forms, categories, routing rules, and more

Customizable Case Management
Create an easily verifiable audit trail through a customizable case management system with automatic routing.
Supports multiple locations, subsidiaries, or units
Entity-specific routing and access permissions
Optional notifications via email, Teams, or Slack

Real-Time Data Analytics
Identify trends, repeated issues, and escalation risks early with customizable visual real-time dashboards.
Filter by category, region, channel, and more
Share without revealing sensitive information
ISO 27001 and SOC 2-certified local servers