EU Sanctions against Daesh and Al-Qaeda: what companies must verify

Key data

Any Spanish company operating with international counterparties or managing funds has an active obligation from 7 April 2026: to verify that none of its commercial or financial relationships involve persons or entities included in the updated list of sanctioned individuals linked to Daesh (EIIL) and Al-Qaeda. This obligation is not new, but is renewed with each update to the list. The Commission Implementing Regulation (EU) 2026/830 represents the 356th amendment to Council Regulation (EC) No 881/2002, which gives an idea of the frequency and continuity of this control mechanism.

What does this regulation establish?

Commission Implementing Regulation (EU) 2026/830 updates the list of persons and entities subject to specific restrictive measures due to their association with Daesh (EIIL) and Al-Qaeda. This list is part of the international framework for combating terrorism and financing of extremism.

The measures applied to subjects included in the list are as follows:

• Freezing of assets: all funds and economic resources belonging to those listed must be immobilized immediately.
• Prohibition of making funds available: no company or entity may transfer, assign or make funds or economic resources available to sanctioned subjects, either directly or indirectly.

This update modifies the current list under Council Regulation (EC) No 881/2002, incorporating new subjects or modifying existing ones. It is the 356th time this regulation has been updated since its entry into force, reflecting the dynamic nature of this control instrument.

Economic and operational impact

The direct impact of this regulation is not measured in fees or fixed regulatory costs, but in the risk of non-compliance and in the operational costs of verification processes. Companies that do not have automated screening systems must perform manual checks each time the list is updated.

The main operational impacts are:

• Review of counterparties: need to check clients, suppliers, partners and beneficial owners against the updated list.
• Blocking of operations: if a match is detected, the operation must be stopped and assets frozen, with the liquidity and operational implications this entails.
• Legal and reputational risk: non-compliance can result in serious legal and administrative consequences, in addition to reputational damage associated with links—even if unintentional—with terrorist organizations.
• Compliance cost: entities that do not have automated compliance tools must allocate human resources to periodic verification of these lists.

Who does it affect?

This update directly and immediately affects:

• Financial entities: banks, savings banks, credit cooperatives, payment entities and any institution that manages funds or carries out transfers.
• Companies with international activity: importers, exporters and companies with suppliers or clients outside Spain that may have links with those listed.
• Fund and asset managers: obliged to verify that no participant or beneficiary appears on the sanctioned list.
• Companies in any sector that maintain commercial or financial relationships with persons or entities that may be included in the updated list.
• Advisors and consultants who manage funds or assets on behalf of third parties.

Practical example

A Spanish financial entity manages accounts for several clients with activity in the Middle East and North Africa. With the entry into force of Regulation 2026/830 on 7 April 2026, the compliance department must execute a screening process of its entire client base against the updated list.

If during that verification it is detected that one of the account holders appears on the new list of sanctioned individuals linked to Daesh or Al-Qaeda, the entity is obliged to:

1. Immediately freeze all assets and funds of that account holder.
2. Not execute any pending transfer or operation on their behalf.
3. Notify the competent authorities according to the procedure established in the applicable regulation.

Failure to act within the corresponding timeframe constitutes a breach of Council Regulation (EC) 881/2002, with the serious legal and administrative consequences this entails.

What should companies do now?

1. Execute an immediate screening process of the entire client, supplier and counterparty base against the updated list published in Commission Implementing Regulation (EU) 2026/830, effective from 7 April 2026.
2. Update compliance tools to incorporate the new version of the list of sanctioned individuals linked to Daesh and Al-Qaeda, ensuring that the system reflects the 356th amendment to Council Regulation (EC) 881/2002.
3. Review ongoing operations to identify whether any pending transaction involves persons or entities included in the updated list. If so, stop it immediately.
4. Freeze assets of any listed subject with whom a relationship is maintained, and refrain from making funds available to them directly or indirectly.
5. Document the verification process to be able to demonstrate to the competent authorities that the obligations arising from the regulation have been complied with.
6. Consult with the legal department or a specialized advisor if there is any doubt about whether a counterparty may be linked to the listed subjects, as non-compliance can result in serious legal and administrative consequences.