Daesh and Al-Qaeda Sanctions 2026: What Banks and Companies Must Do

Key data

Banks, fund managers and companies with international operations have a new urgent obligation as of March 9, 2026: to verify that none of their counterparties appear on the updated list of individuals and entities sanctioned for their links to Daesh and Al-Qaeda. Implementing Regulation (EU) 2026/561, published on March 10, 2026, introduces the 354th amendment to Regulation (EC) No. 881/2002, the European framework for restrictive measures against these terrorist organizations.

This is not a new regulation: it is the continuous update of a mechanism that has been in force for decades and that obliges all affected companies to keep their control systems permanently up to date. Each amendment may incorporate new names or entities, and operating with any of them—even unknowingly—constitutes a serious breach.

What does this regulation establish?

Regulation (EC) No. 881/2002 is the European legal instrument that implements UN Security Council sanctions against individuals and entities associated with Daesh (EIIL) and Al-Qaeda. It is updated periodically to reflect changes in the lists of designated persons.

This 354th amendment updates that list with new designated subjects. The restrictive measures applied to all listed parties are:

• Freezing of financial assets: all funds and economic resources belonging to designated individuals must be immobilized.
• Prohibition of making funds available: no natural or legal person may transfer, assign or make available funds or economic resources to listed parties, either directly or indirectly.

These obligations are directly applicable in all EU Member States, including Spain, without the need for national transposition. Entry into force on March 9, 2026—one day before official publication—means that obligations are enforceable from that same date.

Economic and operational impact

The impact is not a fee or direct cost: it is a risk of serious sanctions for those who do not update their processes. The specific operational consequences are:

• Need to immediately update internal control lists (screening lists) in compliance systems.
• Review of active counterparties: customers, suppliers, payment beneficiaries and business partners must be verified against the new list.
• Possible blocking of ongoing operations if any counterparty is found to be included in the updated list.
• Operational cost of due diligence processes and system updates, which falls on the entity itself.

Non-compliance—operating with a listed subject without detecting it—may result in serious administrative and criminal sanctions. In the case of financial entities, this also includes reputational risk and supervisory consequences associated with failures in anti-money laundering and terrorist financing prevention controls.

Who does it affect?

• Banks and credit institutions: obliged to integrate the updated list into their customer and transaction screening systems.
• Investment fund managers: must verify that no participant, beneficiary or counterparty appears on the list.
• Companies with international activity: any company that makes payments, collections or transactions with foreign counterparties must maintain updated controls.
• Compliance officers and regulatory compliance departments: directly responsible for implementing and documenting the update of controls.
• Financial advisors and consultants: who manage funds or assets of third parties must verify the status of their clients.

Practical example

A Spanish fund manager has among its participants a foreign national who makes periodic contributions. Following the publication of Regulation 2026/561 on March 10, 2026, the compliance officer must execute a screening process of all participants against the updated list.

If that participant appears on the new list of designated individuals linked to Daesh or Al-Qaeda, the fund manager is obliged to immediately freeze the assets under its management and notify the competent authorities. It cannot make any refunds or transfers in favor of that person. If the fund manager does not perform the screening and continues operating normally, it incurs a breach of Regulation (EC) 881/2002, with the consequent risk of serious administrative and criminal sanctions.

This same scenario applies to a bank that has as a customer a company included on the list: it must block its accounts and operations from the moment the designation becomes effective, that is, from March 9, 2026.

What should companies do now?

1. Immediately update control lists: incorporate the new subjects included in Regulation 2026/561 into internal screening systems. The obligation is enforceable from March 9, 2026.
2. Execute a screening process of active counterparties: review customers, suppliers, payment beneficiaries and business partners against the updated list to detect possible matches.
3. Block operations if a match is detected: if any counterparty appears on the list, freeze its assets and suspend any fund transfers, notifying the competent authorities.
4. Document the update process: keep written record that the review has been carried out, the date it was executed and the result obtained. This documentation is key in the event of an inspection.
5. Review internal compliance procedures: given that this is the 354th amendment to Regulation 881/2002, companies must ensure they have an automated or periodic list update process, not just a reactive one.
6. Consult with legal counsel or compliance officer: if there is any doubt about whether a counterparty may be affected, act with caution and obtain qualified advice before proceeding with the transaction.

Official source

Implementing Regulation (EU) 2026/561 of March 10, 2026, amending Regulation (EC) No. 881/2002 on restrictive measures against certain persons and entities associated with terrorism. Published in the Official Journal of the European Union.