EU Anti-Corruption Directive 2026: What Spanish Companies Must Do

Key data

If your company operates in Spain or any EU country, Directive 2026/1021 changes the rules of the game on corporate corruption. Published on 11 May 2026, this regulation establishes a harmonized criminal framework across the entire European Union that requires Member States—including Spain—to criminalize and prosecute corrupt conduct in both the public and private sectors.

Most relevant for companies: responsibility no longer rests solely with the natural person who commits the act. The directive expressly establishes that organizations may be held liable for acts of corruption committed in their name, with significant sanctions.

What does this regulation establish?

Directive 2026/1021 creates a common criminal anti-corruption framework for the entire EU, replacing two earlier norms that had become obsolete:

Additionally, it amends Directive 2017/1371 on the fight against fraud to the Union's financial interests, broadening its scope.

The conduct that Member States are obliged to criminalize and penalize are:

• Active bribery: offering, promising or giving undue advantages to officials or persons in the private sector.
• Passive bribery: soliciting or accepting undue advantages by officials or persons in the private sector.
• Embezzlement: unlawful appropriation of public or private funds or assets.
• Trading in influence: using real or supposed influence to obtain favorable decisions from authorities or officials.

The subjective scope of application is significantly broadened. It includes:

• National officials of any EU Member State.
• Officials of European institutions.
• Officials of international organizations.

Spain must review its Criminal Code and procedural regulations to ensure full compliance with these requirements.

Economic and operational impact

The most direct impact for companies is corporate liability for acts of corruption committed in their name. This means that it is not enough for the company not to have ordered the act: if an employee, director or representative acts corruptly in the name of the organization, the company may face significant criminal sanctions.

Specific operational consequences include:

• Need to review and strengthen internal compliance programs and codes of conduct.
• Update of internal reporting channels (whistleblowing) to detect conduct before it generates liability.
• Review of internal controls over payments, commissions and relationships with officials.
• Mandatory training for employees and managers on newly criminalized conduct.
• Possible need to hire or strengthen the role of Compliance Officer.

For companies that already have a corporate integrity program, this directive requires a review to ensure it explicitly covers all criminalized conduct: active and passive bribery, embezzlement and trading in influence, in both public and private sectors.

Who does it affect?

• Private companies operating in Spain or any EU Member State, especially those maintaining relationships with public administrations, contracting with the public sector or operating in regulated sectors.
• Compliance officers and general counsels who must update corporate integrity programs.
• CFOs and financial directors who oversee payments, commissions and relationships with third parties.
• National public officials and staff of European institutions and international organizations.
• Spanish public administrations, which must adapt their internal procedures.
• Legal advisors and consultants providing compliance services to companies.
• Multinational companies with operations in several Member States, which must harmonize their anti-corruption policies to the new common standard.

Practical example

Imagine a Spanish construction company participating in public tenders. One of its regional directors, without formal knowledge of management, offers an economic advantage to a municipal official to favor the award of a contract. This constitutes active bribery, one of the conduct expressly criminalized by Directive 2026/1021.

Under the new framework, the company—not just the director—can be held criminally liable for that act committed in its name, with significant sanctions. If the company had had a robust compliance program, with controls over payments to third parties and documented training for directors, that program could act as a mitigating factor or exemption from corporate liability.

This same scheme applies to companies in any sector: pharmaceuticals with relationships with public health personnel, technology companies contracting with administrations, or business groups with subsidiaries in several EU countries where trading in influence can occur in different jurisdictions.

What should companies do now?

1. Audit the current compliance program: verify that it explicitly covers active and passive bribery, embezzlement and trading in influence in public and private sectors.
2. Review controls over payments and relationships with officials: identify processes where there is risk of contact with national, European or international organization officials.
3. Update the code of conduct and internal policies to reflect the newly criminalized conduct and the expanded subjective scope of the directive.
4. Strengthen the internal reporting channel: ensure it allows detection and management of corrupt conduct before it generates corporate liability.
5. Train managers and employees with access to funds, public contracts or relationships with administrations on the new obligations.
6. Monitor Spanish transposition: watch for when Spain modifies the Criminal Code and procedural regulations to adapt compliance programs to the final national text.
7. Consult with a legal advisor specialized in compliance to assess the company's specific level of exposure and appropriate mitigation measures.