5 EU Anti-Corruption Compliance Steps Before the 2027 Deadline

Every US law firm with an EU footprint now faces a compliance clock. The EU Anti-Corruption Directive 2026/1021 — formally adopted by the European Parliament and the Council on 19 March 2026 — replaces the patchwork of national anti-corruption statutes across 27 member states with a unified criminal law framework. EU member states have until early 2028 to transpose it into national law, with most expected to meet the de facto compliance benchmark by late 2027. For US law firms, the directive's broad extraterritorial logic means that any firm with an EU office, EU-based clients, or transactions touching EU public procurement must act now.

Five compliance steps cannot wait. The firms that begin today will spend three months on controlled gap analysis; the firms that wait until 2027 will spend three months in emergency mode.

Step 1: Map Your Firm's EU Exposure Before Anything Else

The EU Anti-Corruption Directive 2026/1021 applies to conduct occurring within EU territory — and to natural and legal persons who commit covered offenses on behalf of legal entities established in the EU. A US law firm with a London or Dublin office that advises on EU public procurement bids, or whose partners execute transactions in Germany or France, operates within that perimeter.

Your first task is a precise exposure map, not a general policy review. Assign a compliance partner or outside counsel to audit three dimensions:

1. Jurisdictional presence — List every EU-registered entity (offices, subsidiaries, local partnerships) and the member states where the firm is authorized to practice or holds registered addresses.
2. Client nexus — Identify active clients who are EU public officials, state-owned enterprises, or entities participating in EU-funded public procurement. These relationships carry the highest risk under Articles 7-9 of the directive, which target bribery involving public officials and trading in influence.
3. Transaction exposure — Flag matters involving EU regulatory approvals, EU public contracts, or enforcement proceedings before EU institutions. Each category creates potential nexus for the directive's active bribery and obstruction provisions (Articles 7 and 11).

Without this map, every subsequent compliance step is built on guesswork. With it, the firm can scope and prioritize the remaining four steps efficiently.

Step 2: Run a Structured Anti-Corruption Risk Assessment Tied to EU Standards

The US Foreign Corrupt Practices Act (FCPA) already requires many large US law firms to maintain anti-corruption programs. The directive does not simply duplicate FCPA logic — it expands it in ways that matter. Under Articles 8 and 9, the directive criminalizes passive bribery by private-sector employees who request or receive advantages, a category the FCPA covers only for foreign public officials. The directive also introduces illicit enrichment as a standalone offense (Article 10) and covers trading in influence even where no corruption ultimately succeeds.

Your risk assessment should be structured around three questions the directive implicitly poses to any compliance program:

1. Does your conflict-of-interest screening capture influence-peddling scenarios? Trading in influence under Article 9 covers intermediaries who sell their access to decision-makers. If the firm uses local counsel, lobbyists, or government-relations consultants in EU markets, those relationships must be assessed.
2. Does your third-party due diligence extend to sub-agents? The directive's liability framework reaches organizations whose agents commit offenses "for the benefit of the organization" (Article 17). Standard KYC (Know Your Client) screens are insufficient if they stop at the direct counterparty.
3. Are your FCPA risk ratings calibrated for EU-specific offense categories? A jurisdiction rated "medium" under FCPA criteria may be "high" under the directive because of its specific rules on trading in influence or illicit enrichment.

Document the assessment in writing. EU enforcement authorities will expect to see evidence of proportionate risk analysis before granting any cooperation credit.

Step 3: Update Policies and Codes of Conduct to Reflect EU Offense Categories

Most large US law firms maintain an anti-corruption code of conduct aligned to FCPA and the UK Bribery Act 2010. The directive introduces offense definitions that are materially broader than either US or UK baselines in specific respects, requiring targeted policy revisions rather than wholesale rewrites.

The table below shows where the directive diverges most significantly from the FCPA framework US firms know well:

Minimum policy updates required:

1. Gifts, hospitality, and facilitation payments — The directive contains no facilitation-payment carve-out. If your firm's FCPA policy permits small facilitation payments (as some US policies do for foreign routine governmental actions), that carve-out must be suspended for EU-nexus transactions.
2. Intermediary engagement policy — Add a specific section on trading in influence. Any engagement of persons claiming access to EU regulatory or procurement decision-makers should require pre-approval by the General Counsel or Ethics Committee.
3. Whistleblower reporting channels — The directive works in tandem with EU Whistleblower Protection Directive 2019/1937. Firms with EU entities must maintain confidential reporting channels meeting EU standards, which set higher procedural protections than US Sarbanes-Oxley Section 806 baselines.

Step 4: Strengthen Client Due Diligence and Third-Party Oversight for EU Matters

Directive 2026/1021, Article 17 establishes organizational liability: a legal entity may be held responsible when a person in a leadership position commits a covered offense "for the benefit of" that entity. This is the EU equivalent of the FCPA's "knowing" standard — and enforcement risk is highest at client intake.

For US law firms, the practical implication runs through the client relationship. If a firm accepts instructions from a client on an EU public procurement matter, and that client or its agent pays a bribe to an EU official during the matter, the firm's exposure depends on what due diligence it conducted. Three immediate upgrades are required:

1. Ultimate beneficial owner (UBO) verification — Align client intake with the EU's 4th and 5th Anti-Money Laundering Directives (4AMLD, 5AMLD), which require disclosure of beneficial owners holding 25% or more of entities. The anti-corruption directive does not set its own UBO threshold, but EU courts will expect AMLD-level diligence as the baseline.
2. Politically exposed person (PEP) screening — Expand PEP screens to cover the directive's definition of "public officials," which includes persons exercising public functions within EU institutions and international organizations, not only national government positions.
3. Ongoing monitoring for EU public procurement clients — Implement matter-level monitoring triggers: if a client's EU public contract is suspended or if the client is listed on the European Union's Early Detection and Exclusion System (EDES), the matter partner must be notified within 48 hours.

Step 5: Deploy Targeted Training and Build a Sustainable Reporting Infrastructure

Training is the compliance step most commonly executed as a box-ticking exercise — and the one most likely to determine enforcement outcomes. Under Article 16 of the directive, member states must ensure that "effective, proportionate, and dissuasive" measures are applied to organizations that fail to prevent covered offenses. Prosecutors in multiple EU jurisdictions have cited inadequate training as an aggravating factor in organizational liability determinations.

A training program adequate for EU anti-corruption compliance in 2027 has three characteristics that distinguish it from legacy FCPA training:

1. Directive-specific offense coverage — Training content must address the offense categories introduced or expanded by 2026/1021: trading in influence, passive private-sector bribery, and illicit enrichment. Most off-the-shelf FCPA e-learning modules do not cover these.
2. Role-differentiated delivery — Partners and associates who handle EU public procurement matters need deeper scenario-based training than general administrative staff. Document completion rates by role; aggregate completion rates are insufficient evidence of proportionate training.
3. Confidential reporting channel accessible from EU jurisdictions — Whistleblower Protection Directive 2019/1937 requires that organizations employing 50 or more workers in the EU maintain an internal reporting channel meeting specific procedural standards: confidentiality, acknowledgment within seven days, substantive feedback within three months. US law firms whose EU offices meet that threshold must audit their existing hotlines against these requirements before the directive's transposition date.

À retenir: A training record that shows role-differentiated completion with documented scenario outcomes is the single most credible evidence a law firm can produce in the event of a directive-related investigation.

What the 2027 Timeline Actually Means for Action Today

The 2027 transposition deadline is a legislative target for EU member states — not a compliance deadline for individual firms. By the time Germany, France, Italy, or the Netherlands publish their implementing statutes, enforcement mechanisms will be operational. Any firm that waits for final national legislation before beginning compliance work will be starting its program at the moment of maximum enforcement risk.

The five steps above are sequential by design. Exposure mapping (Step 1) scopes the risk assessment (Step 2); the risk assessment determines which policy updates are highest priority (Step 3); policy updates inform due diligence standards (Step 4); and due diligence findings shape training scenarios (Step 5). Attempting any step without its predecessor produces compliance theater rather than compliance.

The directive text is publicly available at eur-lex.europa.eu, where the official Journal of the European Union publishes all binding EU legislation. Assign a designated attorney in each EU-jurisdiction office to monitor member-state transposition bills as they advance through national legislatures, and set a firm-wide review calendar for Q3 2026 and Q1 2027.

Disclaimer: The information in this article is provided for general informational purposes only and does not constitute legal advice. US law firms should consult qualified legal counsel in each relevant EU jurisdiction to assess their specific compliance obligations under Directive 2026/1021 and applicable national implementing legislation.