Article

Violation of EU restrictive measures: the Italian Decree implementing EU Directive 2024/1226

Violation of EU restrictive measures: the Italian Decree implementing EU Directive 2024/1226
Published Date
Jan 14 2026
Related people
Image of Francesca Petronio
Francesca PetronioPartner, Milan
Image of Veronica Rossetti
Veronica RossettiSenior Associate, Milan
Image of Daniela Martini
Daniela MartiniAssociate, Milan
Image of Allyson Elisabeth McCrory
Allyson Elisabeth McCroryTrainee, Milan

On January 9, 2026, Legislative Decree no. 211 of 30 December 2025 (the “Decree”) was published in the Official Italian Journal, implementing Directive (EU) 2024/1226 on the definition of offenses and penalties for the violation of restrictive measures of the European Union. The Decree will enter into force on January 24, 2026.

News on the impact of Legislative Decree no. 231/2001 and compliance measures for companies

1) The innovations introduced by the Decree for natural persons

The Decree introduces into the Italian Criminal Code an organic corpus of cases aimed at guaranteeing the effectiveness of the restrictive measures of the European Union, harmonizing types of crimes, sanctions frameworks, and enforcement tools.

In summary, crimes “against the common foreign and security policy of the European Union” (Articles 275-bis et seq.) are introduced into the Italian Criminal Code, entitled in the new Chapter I-bis, Title I, Book II of the code:

Article 275-bis of the Criminal Code “Violation of EU restrictive measures”

Conduct punished:

  • Making funds or economic resources available (directly or indirectly) to natural or legal persons, entities, or bodies or groups subject to restrictive measures of the European Union (defined by the Decree as the “Designated Subject”); failing to freeze funds or economic resources belonging to a Designated Subject; entering into or continuing transactions (commercial, economic, or financial) with a third state or with its bodies or with entities/bodies directly owned or controlled by the third State or its bodies when prohibited; trading, importing, exporting, selling, purchasing, transferring, transiting, or transporting goods, as well as providing brokering services, technical assistance, or other services relating to prohibited goods (including intangible goods); and the provision of services, including financial services in violation of prohibitions, obligations, or restrictions imposed by restrictive measures of the European Union or by national provisions implementing restrictive measures of the European Union.
  • Circumventing a European Union restrictive measure through the use/transfer of frozen funds or economic resources and the use of false declarations or documents to conceal beneficial ownership/ultimate beneficiary of such funds/resources.

Penalties: imprisonment from two to six years and a pecuniary sanction from EUR25,000–250,000.

Threshold of criminal relevance: If the funds, resources, goods, services, and/or transactions have a value < EUR10,000, administrative fines will apply (from EUR15,000–90,000), except in the case of items from the EU Common Military List or dual-use items (EU Reg. 2021/821), for which criminal relevance remains.

Article 275-ter of the Criminal Code “Breach of disclosure obligations”

Conduct punished:

  • Failure to report funds/resources in the territory of the state to the competent authorities by the Designated Subject or the legal representative of the Designated Subject, in violation of an obligation imposed by an EU restrictive measure or national implementing provision.
  • Failure to provide information acquired for official or professional reasons on the funds/resources of the Designated Subject, in violation of an obligation imposed by an EU restrictive measure or national implementing provision.

Penalties: imprisonment from six months to two years and a pecuniary sanction from EUR15,000–50,000.

Threshold of criminal relevance: If the funds, resources, goods, services, and/or transactions have a value < EUR10,000, administrative fines will apply (from EUR5,000 to 45,000)

Article 275-quarter of the Criminal Code “Violation of the conditions of the authorization”

Punished conduct: Activities that do not comply with the conditions and obligations that constitute a European Union restrictive measure.

Penalties: imprisonment from two to five years and a pecuniary sanction from EUR25,000–150,000.

Threshold of criminal relevance: If the activities concern funds, resources, goods, services, and/or transactions with a value < EUR10,000, administrative fines will apply (from EUR15,000–80,000).

Article 275-quinquies of the Criminal Code “Culpable violation of EU restrictive measures”

Punishable conduct: Gross negligence in trading, importing, exporting, selling, purchasing, transferring, transiting, or transporting goods, as well as providing brokering services, technical assistance, or other services relating to goods (including intangible goods) that are “Culpable violation of EU restrictive measures” included in the EU Common Military List or dual-use items (EU Reg. 2021/821).

Penalties: imprisonment from six months to three years and a pecuniary sanction from EUR15,000–90,000.

Threshold of criminal relevance: N/A

Article 275-sexies of the Criminal Code “Aggravating circumstances”

Penalty increased from one third to one half for:

  • acts committed in the context of criminal association
  • use of false statements or documents
  • acts committed in the exercise of professional, commercial, banking, and financial activities or with abuse of powers or violation of duties inherent in a public function/public service
  • significant profit/advantage
  • evidentiary obstruction
  • commission of the crime of obstruction of justice or inducement not to make statements or to make false statements to the judicial authority to ensure impunity.

Article 275-septies of the Criminal Code “Mitigating circumstances”

Penalty reduced from one third up to two thirds in the case of collaborative conduct to ensure evidence of crimes and for the identification of other offenders.

In addition to the above-mentioned, the following are added:

  • The mandatory confiscation—in direct form or by equivalent—of the things that were used or intended to commit the crime and of the price/product/profit of the crime in the event of a conviction or plea bargain sentence (Article 275-octies of the Criminal Code)
  • The publication of the sentence of conviction in cases of imprisonment of not less than three years (Art. 275-novies of the Criminal Code)
  • The extraterritorial extension of Italian jurisdiction where such crimes are committed by citizens abroad (Article 275-decies of the Criminal Code).
  • Amendments to the Code of Criminal Procedure, with the inclusion of new offenses among those falling within the competence of the specialized district prosecutor and among the offenses for which longer terms of investigation apply
  • Amendments to the consolidated text of the provisions concerning the regulation of immigration and rules on the condition of foreigners (Legislative Decree no. 286/1998, “Consolidated Immigration Act”) with the introduction of paragraph 1-bis, which extends the punishability of activities aimed at facilitating the entry of foreigners into the territory of the state carried out in violation of prohibitions, obligations, or restrictions imposed by an EU restrictive measure by allowing or facilitating entry in the territory of the state of Designated Subject
  • Extension of the scope of Legislative Decree no. 24/2023 (implementing EU Directive 2019/1937 regarding whistleblowing provisions) to the reporting of violations of the restrictive measures of the European Union
  • Protection of professional secrecy for legal professionals for information concerning a client acquired in defense, representation, or consultancy activities related to proceedings.

2) The innovations introduced by the Decree for legal persons

The Decree introduces art. 25-octies.2 of Legislative Decree no. 231/2001 (“Decree 231”, which introduced into the Italian legal system the corporate quasi-criminal liability of entities for certain offenses), making the crimes relating to restrictive measures of the European Union predicate crimes of the quasi-criminal liability of the entities.

An entity may therefore be held liable if any of the new offenses against the European Union’s common foreign and security policy is committed, in the interest or to the advantage of the entity, by persons who hold representation, administrative, or managerial functions, as well as by persons subject to their direction or supervision.

The Decree introduces for the first time in the system of Decree 231 a measure of “turnover-based” sanctions: for these crimes, the financial penalty is not determined by quotas (i.e., by multiplying a number of quotas determined by the judge on the basis of the seriousness of the fact and the degree of responsibility of the entity by the unit value of the quota whose value is commensurate with the economic and financial conditions of the entity), but according to a certain percentage of the total global turnover of the entity relating either to (i) the financial year prior to the commission of the offense, or (ii) the financial year prior to the imposition of the financial penalty (whichever is lower). In the absence of a determinable turnover, fixed amounts from EUR3–40million (for the most serious cases) and from EUR1–8m (for violations of information obligations) are applied.

A one-third increase in financial penalties is envisaged in the event of repeated offenses.

The Decree also introduces very high disqualification sanctions for the entity held responsible for the new crimes: from two to six years if the crime was committed by top management, and from one to three years for subordinate subjects.

Article 25-octies.2 of Decree 231 provides for the following sanctions:

In relation to art. 275-bis (paragraphs 1, 2 and 5), 275-quarter (paragraph 1) and art. 12, paragraph 1-bis of the Consolidated Immigration Act

Financial penalty:

  • From 1% to 5% of the entity’s global turnover
  • In the absence of determinable turnover, a fixed amount from EUR3–40m

In relation to art. 275-ter of the Criminal Code (paragraphs 1 and 2)

Financial penalty:

  • From 0.5% to 1% of the entity’s global turnover
  • In the absence of determinable turnover, a fixed amount from EUR1–8m

In addition to the financial penalty, for each offense the imposition of disqualifying sanctions is further provided; from two to six years where the offense is committed by top management, and from one to three years where it is committed by subordinate personnel.

3) Impacts on companies and takeaways

The expansion of entities’ liability risk for offenses introduced by the new Decree requires a comprehensive reassessment and strengthening of the internal control system, by integrating in a cohesive manner the “sanctions and export controls” area into the control framework and into the organization, management, and control model provided for under Decree 231 (“Model 231”). Particular attention should be paid by parent companies established in the European Union to their foreign branches or subsidiaries with respect to sanctions risk.

Under the exemption mechanism, based on an adequate and effective Model 231, the role of the Supervisory Body on training and monitoring remains unchanged. However, the bar of eligibility is significantly raised: the sanctioning perimeter extends along the export, finance, logistics, procurement, and professional services supply chains, with risk profiles that are also extraterritorial and potential hypotheses of complicity in the crime.

Overall, companies are thus exposed to a double risk front: criminal for individuals, and criminal liability for entities pursuant to Decree 231, with financial penalties anchored to turnover and serious disqualification measures.

3.1) The update of Model 231: operational priorities for risk mapping and management

Companies operating in sectors potentially at risk (such as, among others, finance and insurance, energy, international trade and manufacturing, transport, and logistics and shipping) should map the potential risk areas for committing these type of crimes as soon as possible, and consequently update their Model 231 to reflect these risks and formalize the control safeguards. In particular, companies should undertake the following:

  • Specific risk assessment: carry out a specific assessment of the risk profile covering countries, product/service portfolios, sales channels, and counterparties, clearly distinguishing the different critical issues: Designated Subjects, high-risk countries and sectors, dual-use and military goods, financial and non-financial prohibitions, etc.
  • Mapping and classification of products/services: establish customs and dual-use classification processes, determine the export control classification numbers/ items relevant to the EU lists and applicable regulations, and keep evidence of the technical-legal assessment carried out.
  • Governance and accountability: define the roles of the corporate bodies and corporate business functions involved in the processes and controls with formalized escalation procedures for the management of critical issues and the involvement of the Supervisory Body.
  • Licenses, waivers, and authorizations: develop structured procedures for the application, management, and monitoring of authorizations, including segregation of duties and the application of the four eyes principle in the process. 
  • Documentability, traceability, and adequate archiving: keep the documentation relating to screening, risk assessment, classifications, licenses, authorizations, decisions, and periodic audits in an orderly and complete manner.
  • Sanctions screening/due diligence: carry out: (i) checks, during onboarding and contractual execution, on customers (including distributors and agents), suppliers, partners, and their respective beneficial owners, verifying their presence on the sanction list; (ii) screenings of individual operations and transactions to identify red flags (e.g., those related to the use of distributors or agents, nature of end customers, banking institutions involved, payment methods, possible circumvention through third countries or interposed parties); and (iii) define the cases that require Enhanced Due Diligence (such as opaque ownership structures or the inclusion of additional third parties in the operational chain).
  • Beneficial ownership and avoidance: strengthen checks on beneficial ownership and de facto control of counterparties and assets, with policies that prohibit structures or schemes aimed at concealing the availability of funds or assets of Designated Subjects and ensure the traceability of decisions.
  • Transaction monitoring and blocking of transactions: define thresholds, rules and alerts to block payments, shipments, and services in the presence of suspicious or prohibited transactions.
  • Audit program: schedule periodic audits, with a frequency proportionate to the level of risk, on the sensitive processes and controls implemented.
  • Management of third parties and contractual remedies: structure or strengthen the due diligence process on relevant third parties, as well as providing contractual clauses on “sanctions and export controls” with audit rights and termination rights to prevent the risk of secondary liability or concurrence.
  • Information flows: provide ad hoc information flows on export control to the Supervisory Body.
  • Targeted training: activate differentiated training programs for the most exposed functions (export, sales, compliance and legal, supply chain, and finance), with practical cases, continuous updating, and testing of learning.
  • Whistleblowing provisions: make confidential internal channels available for reports relating to the violation of restrictive measures of the European Union and, consequently, update the relevant documentation (Model 231, whistleblowing policies, and corporate websites) to reflect this novelty.

3.2) Compliance in the context of groups and the obligation of best effort

In light of the new offenses introduced by the Decree and the related reflections on the provisions of quasi-criminal liability of entities pursuant to Decree 231, European Union companies with subsidiaries in third countries must implement ad hoc measures to prevent the risk of sanctions and the risk of “rising” liability for acts committed by their subsidiaries.

In this context, it should be noted that in the event that a European Union company is aware that the activity of a subsidiary in a third country affects the restrictive measures of the European Union, the European parent entity may be held liable for a violation of Article 8-bis of Regulation (EU) No. 833/2014 (the “best effort rule”), for not having taken all the necessary and possible actions in order to prevent the violation by the subsidiary.

At the same time, failure by the European operator to carry out all necessary and possible actions may also constitute a violation of Article 12 of the same Regulation. This is because the exemption from liability occurs only if the European operator was not aware, nor had any reasonable reason to suspect, that the actions of the subsidiary would have violated the restrictive measures set out in Regulation (EU) No. 833/2014.

Conclusion

In conclusion, the Decree transposing EU Directive 2024/1226 significantly raises the expected level of internal control of entities operating in Italy on sanctions, export controls, and restrictive measures. The sanctioning lever pursuant to Decree 231, anchored to global turnover and significant prohibitions, makes it essential to promptly and substantially update Model 231 and the control measures, requiring a truly integrated approach between the various corporate functions involved (including legal, compliance, risk management, finance, and procurement).

Related capabilities