The UK Bribery Act is a key standard that many businesses will have aligned their programmes to, but it is different to the standards set in the Directive. The UK Bribery Act is broader with its "failure to prevent" offence, yet the Directive adds requirements to criminal law of member states like trading in influence and the imposition of penalties based on turnover. It is also important to remember that the Directive only provides minimum standards which member states can supplement. Our analysis assumes that member states will implement the Directive’s requirements, but it will be important to look for local nuances during implementation.
For the Directive's key features and member state impact, see our earlier articles: New EU Directive on combatting corruption: key features for businesses and New EU Directive on combatting corruption: impact on bribery laws in the EU.
Some elements of the Directive are already part of the UK Bribery Act—public and private bribery offences, corporate liability and extra-territorial impact. However, there are areas where the Directive introduces different requirements. Of course, post-Brexit the UK is under no obligation to implement the Directive.
A different trigger for corporate “failure to supervise” liability
Under the Directive, corporate liability arises in two ways: where someone in a “leading position” commits a bribery offence; or where a leader's “lack of supervision or control” has made possible a bribery offence for the benefit of the entity by someone under the entity’s authority. This is structurally different to the UK Bribery Act's section 7 “failure to prevent bribery” offence, which applies strict liability to an organisation for not preventing bribery by any broadly defined “associated person,” without requiring proof of poor oversight. The UK Bribery Act’s section 7 offence also only applies to a failure to prevent the payment of a bribe, whereas the Directive’s lack of supervision or control offence applies to both offering/paying a bribe and asking for/receiving a bribe. It is perhaps harder to see how a company benefits (a requirement of the Directive) where, e.g. an employee receives a bribe—the company is more likely to be a victim.
In practical terms, the Directive's corporate liability model is narrower in scope but more personally focused: it directs attention to named individuals in leadership roles and asks whether their oversight was adequate. Businesses should ensure that their ABAC risk assessments specifically map supervisory responsibilities within their EU operations, identifying who their “leaders” are, which leaders are accountable for which teams and functions, and whether those leaders have the tools, training, and information to discharge that supervisory obligation. This is a different exercise from the broader "associated persons" mapping that most UK programmes already undertake.
Furthermore, several member states already have existing corporate (criminal) liability standards, which may have lower thresholds for applicability than the regime set out in the Directive. Businesses with an EU presence would be prudent to tailor their ABAC programmes to factor in these lower thresholds.
Compliance programme as mitigation, not defence
Here the UK Bribery Act offers stronger protection for businesses. An ABAC compliance programme that meets the “adequate procedures” test can serve as a complete defence for a commercial organisation against the section 7 “failure to prevent” offence. However, the same compliance programme, even if on paper it looks adequate, is considered only a mitigating circumstance to corporate liability under the Directive, not a defence, where a leader’s lack of supervision has made possible the bribery.
The practical consequence is significant. A company with a program that meets the UK's “adequate procedures” standard could still face liability in an EU member state. Companies should not assume that a programme sufficient for UK purposes will provide the same level of protection against enforcement in the EU.
Understanding how member state courts will assess whether a compliance programme is “effective” in order to qualify as mitigation to corporate liability under the Directive will take some time. The emphasis on “effective” aligns the EU with the increasing demands from UK and U.S. authorities for corporates to demonstrate—with measurable outcomes and data-driven evidence—that their compliance programmes are effective in preventing, detecting, and remediating misconduct.
EU prosecutors and courts may reference existing European benchmarks. France's AFA guidance and French CJIPs, which assess programme design, implementation, and outcomes, are possible models for the Directive's standard. To prove effectiveness, organisations will need to document KPIs, test results, training data, and remediation outcomes, not just the existence of compliance programmes.
Trading in influence—the EU goes beyond UK law
Trading in influence is not an offence in English law, as it is under the Directive (and in some EU member states already).
The UK Bribery Act focuses on the offer/giving of an advantage to a public official. The Directive's trading in influence offence criminalises payments to an intermediary who merely claims or confirms they have influence over a public official, even where no bribe is ever discussed with, or ever reaches the official. The offence is complete at the point of payment to the intermediary. The "influence" need not be real, or exercised, and the official need not even be aware of the arrangement.
This creates a typology that UK Bribery Act based compliance programmes are not specifically designed to detect. Existing third-party due diligence questionnaires and risk-rating models are typically calibrated to Bribery Act risk: they ask whether the third party will interact with government officials on the company's behalf, whether there is a corruption risk in the relevant jurisdiction, and whether the fee structure is proportionate to legitimate services. Some may, but not all of them typically ask the more fundamental question that trading in influence requires: is this intermediary being compensated for expertise and deliverables, or for relationships and access?
Businesses should take the following steps:
- Review consultancy and advisory agreements with intermediaries for fee structures that correlate payment with access or outcomes—for example, success fees tied to regulatory approvals, or retainers for “relationship management” with no defined deliverable.
- Review local lobbying requirements, as they may define permissible forms of advocacy and lobbying not covered by the trading in influence offence.
- Update due diligence questionnaires to ask about the basis of the intermediary's claimed value proposition: does it rest on subject-matter expertise, or on proximity to decision-makers?
- Examine whether existing gifts, hospitality, and sponsorship policies extend to indirect benefits conferred through intermediaries, not just direct expenditure.
Senior manager vs “leading position”
Since December 26, 2023 there has been a new test of attribution for corporate criminal liability for certain economic crimes, including bribery, under English law. If a “senior manager” commits active or passive bribery, the company may also be criminally liable for a substantive bribery offence. In broad terms, a senior manager is defined as an individual who plays a significant role in the decision-making process, or actual management or organisation, of the business (or a substantial part of it). Many businesses have invested considerable effort in mapping who falls within the definition of a “senior manager” in order to carry out proper risk assessments and calibrate training and controls.
Under the Directive, a company can be found criminally liable if an individual in a “leading position” commits a bribery offence for its benefit. This is defined as someone with power to represent, decide on behalf of, or exercise control within, the entity
There is likely to be substantial overlap between a “senior manager” and a “leading position” but the definitions are not the same. In some respects the UK “senior manager” test seems broader, e.g., it includes someone who plays a significant role in decision making, whilst the Directive requires someone in a leading position to have authority to take decisions on behalf of the entity. There is no case law yet on how the UK concept of a “senior manager” will be interpreted. But for now, businesses should not assume that they are the same.
Overlapping jurisdiction
The Directive’s requirement for member states to assert jurisdiction in specific circumstances means that bribery misconduct with an EU connection could expose a UK-headquartered business to criminal liability both in the EU and in the UK.
Whilst the Directive mandates cooperation mechanisms to determine which member state should prosecute in cases of overlapping EU jurisdiction, no such mechanism exists between the UK and EU member states post-Brexit. Although informal coordination between the UK and certain member states (e.g. France) appears to function well, the absence of a formal framework means there is no structured mechanism to resolve competing claims to jurisdiction, agree on lead authority, or prevent duplicative proceedings.
For organisations exposed to both regimes, this creates genuine uncertainty in incident response: a decision to self-report in one jurisdiction may have unintended consequences in the other and the legal and practical implications of self-reporting may differ from jurisdiction to jurisdictions. Self-reporting decisions should factor in those local differences. Organisations exposed to both regimes should ensure that their incident response protocols and external counsel mandates are designed from the outset to manage parallel proceedings across both the UK and EU, rather than treating each jurisdiction in isolation. This is especially true for bribery offences, which often are multinational in nature.
Penalties and limitation
The Directive establishes turnover-based penalty floors for corporate offenders, whilst penalties for offences under the UK Bribery Act are determined by reference to the gains from the crime adjusted by reference to harm and culpability. There is no turnover based penalty floor.
The Directive also sets minimum limitation periods of five years for private sector bribery and trading in influence, and eight years for public sector bribery. In contrast, there is no statutory limitation period for prosecuting bribery offences under the Bribery Act 2010.
These points of difference could be significant in M&A due diligence: whilst enforcement under the Directive has calculable penalty floors and clear time-bar limits, the enforcement risks are less readily calculable, and remain indefinitely, in the UK.
Our next article will consider what the Directive means for businesses with FCPA focused compliance programmes.
Ensuring compliance programmes keep up with new corporate criminal offences was identified as one of the key challenges for 2026 in the A&O Shearman Cross-border white collar crime and investigations review 2026. Read the review for the other challenges.
Please contact your normal A&O Shearman contact or one of the authors of this article if you would like to discuss how the Directive may impact your organisation.
