In the world of financial crime compliance, the first half of 2025 was dominated by news of the pause on enforcement of the Foreign Corrupt Practices Act (FCPA) by the US Department of Justice. As a result, more attention was drawn to enforcement agencies in other jurisdictions, including the UK and the EU, which in some cases were issuing increasingly robust public statements of their intent to ensure that financial crimes were rigorously investigated and prosecuted. It seemed too much of a coincidence, for example, that the International Anti-Corruption Prosecutorial Taskforce was launched on 20 March 2025 with a strong founding statement signed by leading law enforcement agencies from Switzerland, France and the UK.
Although enforcement of the US FCPA resumed in mid-June 2025, with the Department of Justice issuing updated policies and guidance, the pause had provided a useful reminder of the global nature of financial crime enforcement. The world is a complicated network of legal systems and compliance frameworks, and there are capable and enthusiastic enforcers in many places outside of the US.
With this context in mind, it is therefore timely to turn to developments in the European Union (EU) as it enters a particularly significant period for white-collar crime regulation.
The Anti-Corruption Directive
The EU, for all its merits, often moves slowly. It inevitably takes time to engage 27 Member States in the multi-stage process required to introduce a new EU-wide law. And where there is disagreement, the process can stall considerably.
Following considerable initial background work, in 2023, the European Commission presented a package of new anti-corruption measures which included proposals for a new Directive aiming to modernise the existing EU anti-corruption legal framework. What followed was two years of debate, as Member States wrangled over legal wording and broader policy principles. By the summer of 2025, progress was deadlocked due to disagreement between some Member States over certain proposals, including whether ‘abuse of office’ should be classified as a criminal or administrative offence.1
This was a frustrating impasse given the apparent desire among the European general public for action on anti-corruption initiatives. Although many EU Member States score well in international rankings such as Transparency International’s Corruption Perception Index, a 2025 survey cited by the European Parliament revealed that more than two-thirds of Europeans believe corruption is widespread in their country.2 There was clearly a need to address the issue, and pressure grew on the EU institutions to resolve their differences.
The draft Directive was finally agreed by the Commission in December 2025,3 and formally adopted by the European Parliament on 26 March 2026.4 Before entering into force, it must also be formally adopted by the Council and published in the Official Journal of the EU. Member States will thereafter have 24 months to transpose the Directive into national law, with the exception of provisions relating to risk assessments and national strategies, for which a transposition deadline of 36 months applies.
The law covers both public- and private-sector corruption, and has modernisation and uniformity as its key goals. As the European Parliament subsequently noted in its amendments to the draft Directive, the underlying philosophy behind the Directive is that “diverse manifestations of corruption necessitate a coordinated and harmonized approach among Member States to address its root causes and consequences effectively.”5
Once in force, the Directive will standardise definitions of corruption offences. For example, Articles 7 and 8 of the draft Directive set out definitions of public and private bribery, respectively, while Article 10 deals with ‘trading in influence’.
Article 16 states a requirement for Member States to ensure that harmonised rules on corporate criminal liability are introduced. The minimum standard set out in that provision is that an underlying corruption offence is committed for the benefit of the corporate entity by someone with “a leading position” in the corporate who has any one of: a “power of representation” of the corporate; an authority to take decisions on behalf of the corporate; or “authority to exercise control” within the corporate.
It is important to note that the new Directive “aims to criminalise corruption offences when committed intentionally” and does this by providing for “minimum rules”. In some cases, Member States may therefore adopt or maintain more stringent rules for criminal corruption offences.
The Directive also aims to set minimum limitation periods and minimum criminal and non-criminal penalties across the bloc. For example, Member States must ensure that companies are liable for fines of no less than €40 million or 5% of total worldwide turnover if convicted of a bribery offence. Further, once the Directive is in force, all EU Member States will be required to establish anti-corruption bodies (Article 21c), publish a national anti-corruption strategy (Article 21b), adopt sectoral risk assessments, impose stricter rules for high-level officials, improve access to public-interest information, and implement additional non-criminal measures for convicted individuals and companies.
Non-EU companies with sufficient nexus could face liability in an EU Member State even if the conduct occurred elsewhere.
There is also a whistleblowing element: the new Directive would make the 2019 EU Whistleblowing Directive applicable to the reporting of various criminal offences, and would require relevant national authorities across the EU to ensure that whistleblowers are given “the necessary protection, support and assistance in the context of criminal proceedings”.
The Directive marks a significant step in EU anti-corruption law with considerable practical consequences for companies. By standardising offence definitions – covering bribery in both the public and private sectors as well as trading in influence – and introducing harmonised corporate liability and penalty rules, it closes the gaps that previously resulted in inconsistent treatment of similar conduct across Member States. Beyond definitions and liability, the Directive establishes a more structured EU-wide framework: Member States must create dedicated anti-corruption bodies, publish national strategies, and adopt sectoral risk assessments, underpinned by stronger sanctioning mechanisms and a more robust enforcement architecture at EU level. For companies, this convergence translates into greater legal certainty and an increasingly common baseline for assessing exposure.
That said, the case for optimism must be weighed carefully. All Member States have signed the UN Convention Against Corruption, and the formal requirements are therefore already broadly comparable. The differences arise rather from the practical interpretation and enforcement of those requirements, as the Directive’s legislative history demonstrates the two-year deadlock, including the dispute over whether abuse of office should constitute a criminal or administrative offence, and illustrates the depth of divergence in political and legal culture across the Member States. It must be further noted that the Directive sets only minimum rules, Member States retain discretion to go further, and some will.
For companies operating cross-border, a jurisdiction-by-jurisdiction assessment of exposure will therefore remain necessary even after the Directive enters into force.
e-Evidence Package
Another important set of European regulations is set to come into force soon and could impact anyone connected to the EU (albeit indirectly in many cases). The EU’s Electronic Evidence Legislative Package has the main aim of implementing “strong safeguards to ensure compliance with personal data protection and fundamental rights of EU citizens”.6 The package does this by introducing two new, EU-wide legal orders which will bypass the need to use the notoriously slow, and often bureaucratic, mutual legal assistance route when seeking to obtain electronic evidence in the EU.
There are two components to the package. The ‘Regulation on European Production Orders and European Preservation Orders for electronic evidence in criminal proceedings and for the execution of custodial sentences following criminal proceedings’ (the EPO Regulation) eliminate barriers to the preservation and production of e-evidence within the EU by creating the European Production Order and the European Preservation Order.
Once it comes into force on 17 August 2026, the Regulation will enable judicial authorities in one Member State to order preservation and production of electronic evidence directly from “service providers” in another Member State, regardless of where the data is stored, by way of a European Production Order.
Failure by a service provider to comply with an Order would be unlawful and could result in a significant penalty (up to 2% of total worldwide annual turnover).
Service providers in scope include “electronic communications services”, domain name and IP registration services and “information society services” enabling communication, or data storage or processing on behalf of users. This would cover social media providers, online marketplaces and cloud service providers.
The second component of the package is a Directive which is more administrative in nature. It sets out harmonised rules requiring all service providers operating in the EU to designate establishments or appoint a legal representative in at least one EU Member State for the purpose of enforcement of one of the new types of Order.
The Directive will be in force on 17 February 2026, and Member States will then need to make relevant national laws.
The new rules will have significant practical implications for companies operating in the EU or serving EU-based users. Authorities will be able to obtain electronic evidence directly and swiftly, placing considerable pressure on companies to respond promptly and in full compliance. Companies should therefore use the time until the rules come into force to assess their exposure, review and adapt their internal data governance frameworks and response workflows, and ensure that any obligations arising under the new regime are compatible with their existing GDPR compliance structures.
Environmental Crime Directive
According to the EU, environmental crime is the fourth largest organised crime activity in the bloc, accounting for losses of between €80 billion and €230 billion annually and growing at around 5% to 7% each year. The new EU Environmental Crime Directive (the ECD), which replaces the 2008 version, was designed to address shortcomings in the effectiveness of EU environmental criminal law.7 It is now in force, meaning EU Member States are required to implement relevant local laws, regulations and administrative provisions by 21 May 2026.
Member States will need to establish rules which meet the minimum requirements of the ECD with regards to the definition of criminal offences and associated penalties.
For example, the ECD sets out a list of types of conduct which Member States must ensure constitute criminal offences in their jurisdictions. Notably, these include acts which lead to, or are likely to lead to, ecocide as well as death or serious injury to people. Member States are also permitted to add further offences which aim to protect the environment. Where one of these listed offences is committed and leads to the destruction of, or widespread and substantial damage to the environment, it will be classed as a “qualified offence” and lead to more severe penalties.
In relation to corporate offending, the ECD sets out two alternative fining methods: one based on fixed amounts between €24 million and €40 million and one based on total annual worldwide turnover.
Companies should review their operations against the ECD’s list of criminal offences to identify potential exposure, with particular attention to activities that could constitute qualified offences carrying more severe penalties. Internal compliance frameworks, environmental policies, and supply chain due diligence processes should be strengthened accordingly, and the transposition of the Directive into national law monitored closely, as Member States may go beyond the ECD’s minimum standards.
Enhanced anti-money laundering enforcement
The EU’s Anti-Money Laundering Authority (AMLA) was created on 26 June 2024 and officially began its work on 1 July 2025 from its office in Frankfurt, Germany (although not all of its powers are available to it yet). When it is fully operational, AMLA will be the agency responsible for coordinating the authorities responsible for anti-money laundering (AML) supervision in each EU Member State, maintaining a central AML database and – in some cases – directly supervising certain regulated entities.8
AMLA’s most significant impact is expected to stem from its work to harmonise AML regulation and enforcement, as well as from the data-driven approach it has committed to adopting. As well as overseeing national AML regulators, AMLA will also directly supervise 40 of the biggest financial services institutions across the EU, beginning in 2028.
AMLA has recently started a data collection exercise with the aim of testing and calibrating its risk-assessment models for financial institutions.9 The results of the exercise will be used to help AMLA decide which institutions it will directly supervise. AMLA will collect data from two sample groups of institutions: those which may end up being directly supervised, and those which are likely not to (and will instead remain under national supervision). AMLA has already notified relevant national supervisors as to which of their countries’ institutions have been selected to participate in the exercise.
AMLA has also opened a consultation on developing three new Regulatory Technical Standards, a set of harmonised standards for regulated sectors in the EU. These will build on the higher-level rules found in the EU’s Anti-Money Laundering Regulation (part of a larger legislative package which also includes the Sixth Anti-Money Laundering Directive). One of the Standards deals with “a common supervisory approach” to enforcing breaches of AML obligations.10
Some have suggested that AMLA could be transformational for the AML landscape, and expectations are high. AMLA aims to transform the fight against money laundering and countering the financing of terrorism across Europe by harmonising regulations across the EU’s 27 Member States, seeking to create a cohesive and efficient framework to combat financial crime. Financial institutions will face more stringent requirements and potentially increased penalties, whilst also benefiting from a more consistent, risk-based approach from their national regulators.
Navigating the AML framework may in some respects become more difficult, as overlapping but still inconsistent rules persist across the EU. Member States are likely to interpret the Sixth Anti-Money Laundering Directive differently, meaning that multinational institutions could face a patchwork of national implementations alongside the new EU-level requirements.
Key takeaways
These developments reflect a deliberate and coordinated effort by the EU to raise the floor on white-collar crime enforcement, marking a material shift towards greater harmonisation, more robust enforcement and higher penalties across the Member States.
Divergent legal cultures and the complexity of legislating across 27 Member States mean that minimum standards will raise the floor without levelling it entirely. For companies with an EU nexus, passive monitoring is not a sufficient response; the cumulative effect of these changes demands coordinated action across legal, compliance and risk functions.
Eva Volk (White & Case, Transaction Lawyer, Frankfurt) contributed to the development of this publication.
1 https://www.politico.eu/article/eu-anti-corruption-directive-scandals-penalties/
2 https://europa.eu/eurobarometer/surveys/detail/3361
3 https://www.europarl.europa.eu/news/en/press-room/20251201IPR31697/agreement-reached-on-the-first-eu-wide-criminal-law-rules-against-corruption
4 https://www.europarl.europa.eu/news/en/press-room/20260323IPR38831/parliament-greenlights-eu-anti-corruption-rules
5 https://www.europarl.europa.eu/RegData/commissions/libe/inag/2026/01-09/LIBE_AG(2026)782345_EN.pdf
6 https://www.eurojust.europa.eu/publication/eu-electronic-evidence-legislative-package
7 https://environment.ec.europa.eu/law-and-governance/environmental-compliance-assurance/environmental-crime-directive_en
8 https://www.amla.europa.eu/index_en
9 https://www.amla.europa.eu/amla-launches-data-collection-exercise-test-risk-assessment-models_en
10 https://www.amla.europa.eu/amla-consults-key-mandates-private-sector-and-harmonized-supervision_en
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2026 White & Case LLP
