Opinion

One door closes, another opens: U.S. FCPA pullback meets the EU Anti-Corruption Directive

U.S. enforcement priorities under the Foreign Corrupt Practices Act (FCPA) have shifted following a June 2025 directive from the DOJ instructing the FCPA unit to refocus on conduct involving cartels and transnational criminal organizations and to prioritize the Trump Administration’s “America First” approach to foreign policy.

The implementation of the EU Anti-Corruption Directive means U.S. companies operating in EU markets should remain attentive to their anti-bribery and anti-corruption (ABAC) policies and cross-jurisdictional requirements when doing business abroad. Unlike the U.S., which seems to be retreating from enforcement of foreign corruption and bribery, the Directive seeks to reduce cross-border enforcement friction, thereby increasing the likelihood of sanction for wrongdoing. U.S. multinational companies operating globally will need to maintain corporate compliance policies to police against foreign corruption and bribery touching upon EU Member States.

The EU Anti-Corruption Directive goes beyond the FCPA in several key respects: it harmonizes public and private sector bribery; introduces trading in influence as a standalone offence; imposes turnover-based corporate fines of up to 5% of worldwide turnover; and creates corporate liability for supervisory failures. U.S. multinationals with EU operations or business ties should conduct a gap analysis against existing FCPA-focused programs to adequately mitigate against this heightened enforcement risk. 

Current U.S. FCPA enforcement landscape 

After a pause in FCPA enforcement from February 2025 through June 2025, then-acting Attorney General Todd Blanche issued a memorandum (the “Blanche Memo”) providing guidelines on how the DOJ would enforce the FCPA going forward. The memo reflects the Trump Administration’s “America First” policy, focusing on conduct that has harmed American companies and individuals, and prioritizing enforcement related to certain national security risks such as cartels and transnational criminal organizations. This refocused enforcement policy, however, has yielded inconsistent results, and it is difficult to predict what the DOJ will choose to enforce. Statements made by President Trump have indicated a belief that previous ABAC enforcement had harmed the competitiveness of American companies abroad, putting them at a “serious economic disadvantage”, and that enforcement would largely reflect the vindication of American interests abroad. This may lead to a belief that a safe harbor exists for U.S. companies doing business abroad, but enforcement risk remains from other foreign jurisdictions.

U.S. companies that have connections to the EU should be wary of enforcement of the new Directive by EU Member States. Given the U.S.’s FCPA prioritization of enforcement against foreign companies that cause harm to U.S. companies and individuals or threaten U.S. national security interests, Member States may show increased interest in enforcing the Directive, and their respective anti-bribery and anti-corruption laws, against U.S. companies to fill the resulting enforcement vacuum. 

Jurisdictional elements 

While the FCPA has historically had a broad jurisdictional reach, including funds transferred through U.S. banking channels, the EU Directive carries an even broader extraterritorial reach that would cover U.S.-controlled companies. Under Article 20 of the Directive, each Member State must establish jurisdiction (1) where the offense was committed in whole or in part within its jurisdiction or (2) where an offender is a national. But under the Directive, EU Member States can choose to extend jurisdiction where an offender is a habitual resident in the territory, the offense is committed against a national, the offense is committed for the benefit of a legal person in its territory, or where the offense is committed for the benefit of a legal person in respect of business done in whole or in part in the Member State’s territory, or when a company has only a digital connection to the Member State.

The broad jurisdictional provisions of the Directive would not only mandate or potentially allow for jurisdiction over U.S. companies doing business abroad in those Member States, but also potentially where the alleged misconduct touches on the Member State by harming or benefiting a national of that State.

Just as the U.S. has anchored its jurisdiction in the use of U.S. banking channels, mail or other forms of communication to carry out prohibited activity, the EU Directive does the same and also provides that Member States must ensure jurisdiction is established when an offense “is committed by means of information system used on their territory, whether or not that technology is based in their territory.” While the Directive is unclear on the full extent of the application of this provision, given the intentionally broad scope of the Directive, the provision could be read to imply that a Member State can extend jurisdiction, based purely on a digital connection, to businesses that have no physical footprint in the EU Member State but have cloud-hosted or centralized IT infrastructure touching the Member State. Critically, this would allow enforcement against companies headquartered outside of the EU for actions taking place outside of the EU, or even U.S. companies merely using IT systems in a Member State.

Trading in influence 

Unlike the FCPA, the Directive includes a component that criminalizes the intentional brokering or purchasing of improper influence over public officials to obtain advantages, regardless of whether the influence is effective. Indeed, the official need not even be aware of the arrangement for liability to manifest. The only act needed for such liability is an improper exchange. This component of the EU Directive aims to protect the integrity of public decision-making connected to public officials with decision-making authority. There is a similar, but not identical, provision in the FCPA which criminalizes an intent to bribe.

Stricter penalties and scope 

The Directive may pose a much larger financial risk to companies than under the FCPA: the EU Directive establishes a mandatory minimum floor for penalties which are tethered to the company’s turnover. Fines have the potential to be steep—5% of worldwide turnover at a minimum. Beyond monetary liability, penalties may also include exclusion from public funding and tenders, disqualifications from business activities, withdrawal of permits, judicial supervision, and even closure of establishments within the EU. 

Failure to supervise 

The new Directive also requires Member States to impose criminal liability on persons with “leading positions” for corruption offenses. Companies may be liable not only for the conduct of those in leading positions, but also where a failure of supervision or control has enabled misconduct. Individuals convicted of corruption will be faced with minimum prison terms and potential sanctions including professional disqualifications and fines.

Self-reporting 

One of the largest divergences in U.S. enforcement policy and that of the new EU Directive is the impact of self-disclosure. On March 10, 2026, the U.S. DOJ issued its first ever Department-wide policy on corporate enforcement, which aims to create incentives for companies to self-disclose wrongdoing. Under the new policy, prosecutors may decline to prosecute companies for wrongdoing if they (1) self-disclose misconduct to the appropriate DOJ criminal component, (2) cooperate with the DOJ’s investigation, (3) remediate the misconduct and (4) there are no aggravating circumstances such as recidivism. 

While the EU Directive does recognize self-disclosure as a mitigating circumstance for reduced penalties, it does not rise to the level of a total declination of prosecution as in the U.S. Thus, companies considering self-disclosure in the U.S. should contemplate global implications: self-disclosing misconduct may lead to declination in the U.S. but not produce the same ameliorative effect in the EU.

Should a company decide to disclose, it may choose to self-report wrongdoing in multiple jurisdictions simultaneously to reap the greatest benefit from doing so. 

Conclusion: U.S. companies should maintain robust compliance programs 

The EU Directive, like the FCPA, places a strong emphasis on preventing corruption. U.S. companies, particularly those that have an extraterritorial reach that touches on EU Member States, must develop a multi-jurisdictional approach to compliance. Companies that proactively maintain a robust compliance program will be better positioned in all jurisdictions. Effective compliance programs will constitute a mitigating factor for enforcement. However, compliance programs that only exist on paper and merely constitute “window dressing” will in fact be considered an aggravating factor for sentencing purposes under the Directive. Companies must therefore be advised that the program must be functional, not one that exists in name only. FCPA-focused programs should be reviewed and adapted to account for new enforcement risks presented by the new EU Directive.

Key elements of a strong anti-corruption and anti-bribery program include:

  • regular ABAC training addressing U.S. and international standards
  • robust due diligence processes along the supply chain
  • regular program audits and reviews to update policies and codes of conduct to mirror ongoing changes in the law
  • ensuring that senior members of management receive training on the risks posed by failure to properly identify and mitigate ABAC risks
  • whistleblowing mechanisms that are confidential and protect the reporting individual from retaliation
  • a strong culture of compliance, with a particular emphasis on the tone-from-the-top. 

U.S. companies doing business in high-risk jurisdictions should pay special attention to the ever-evolving geopolitical landscape and remain agile in their ABAC compliance approach.  
