EU Sanctions Against Russia 2026: What Companies and Exporters Must Do

Key data

Spanish companies with exposure to Russia have a new urgent obligation as of 16 March 2026: to verify that none of their business partners, suppliers or clients are listed on the sanctions lists updated by Council Decision (CFSP) 2026/646. This regulation amends Decision (CFSP) 2024/2643 and may have added or removed natural and legal persons from the sanctions lists, as well as adjusted the applicable measures.

This is not a forward-looking regulation: it entered into force on the same day it was published. Any transaction carried out from that date with an entity or person included in the updated lists constitutes a breach of the European sanctions regime.

What does this regulation establish?

Decision (CFSP) 2026/646 amends the sanctions framework established in Decision (CFSP) 2024/2643, which regulates the EU's restrictive measures against persons and entities linked to Russia's destabilizing activities. The changes that this amendment may introduce are as follows:

• Addition of new natural or legal persons to the sanctions lists.
• Removal of persons or entities that are no longer subject to restrictions.
• Adjustments to the measures applicable to those already included on the lists.

The two main restrictive measures applied to those listed are:

The regulation is part of the EU's Common Foreign and Security Policy (CFSP) and is directly applicable in Spain without the need for national transposition.

Economic and operational impact

The impact for companies is not only legal: it is operational and economic. Working with a sanctioned entity or person can result in immediate suspension of operations, freezing of payments in transit and the opening of sanctioning procedures in both administrative and criminal proceedings.

The main operational risk areas are:

• Payments and international transfers to Russian counterparties or those linked to Russia that may have been added to the lists.
• Existing contracts with suppliers or distributors that are now listed as sanctioned.
• Export operations to Russia or to third countries acting as intermediaries.
• Compliance systems that have not been updated with the lists of 16 March 2026.

For financial entities, the risk is particularly high: they are obliged to block any transaction with listed persons or entities and to report to the competent authorities. A failure in screening systems can result in serious regulatory penalties.

Who does it affect?

• Companies with operations in Russia: any Spanish company that imports, exports, has subsidiaries, joint ventures or active contracts with Russian counterparties.
• Financial entities: banks, savings banks, payment entities and asset managers that process transactions with Russia or with persons/entities linked to it.
• Spanish exporters: especially those operating in dual-use, technology, energy, defence or industrial goods sectors.
• Logistics and transport companies: that manage goods with origin or destination in Russia or transit through third countries as intermediaries.
• Advisors and consultants: that provide services to clients with exposure to Russia have an obligation to verify the sanctions status of their own clients.
• Compliance and legal departments: responsible for keeping screening systems and internal compliance policies up to date.

Practical example

A Spanish industrial machinery company has an active supply contract with a Russian company it has been working with since 2022. On 16 March 2026, Decision (CFSP) 2026/646 enters into force. If that Russian company has been added to the sanctions lists in this update, any payment, shipment of goods or provision of services made from that date constitutes a breach of the European sanctions regime.

The compliance officer of the Spanish company should have reviewed the updated lists on 16 March itself. If they did not and processed a payment that day or in subsequent days, the company is exposed to serious administrative and criminal penalties, regardless of whether the contract was legitimate before that date.

This same risk applies to a Spanish bank that processes a transfer to that Russian company without having updated its screening system with the new lists.

What should companies do now?

1. Immediately review the updated lists: Access Decision (CFSP) 2026/646 published on EUR-Lex and identify which persons or entities have been added or removed compared to Decision (CFSP) 2024/2643.
2. Cross-reference the lists with your business partner database: Verify that no supplier, client, partner or intermediary is listed on the updated lists. This process must be carried out urgently given that the regulation is already in force.
3. Update compliance and screening systems: Compliance departments must incorporate the new lists into their counterparty screening tools, especially in financial entities.
4. Review active contracts and operations: Identify any active contract, pending payment or shipment in transit that may be linked to an entity or person now sanctioned and suspend the operation until the status is clarified.
5. Document the verification process: Keep written records of the checks carried out and their results. This documentation is key in case of inspection or sanctioning proceedings.
6. Consult with specialized legal advice: If there is actual exposure to Russian counterparties, it is advisable to obtain specific legal advice on the implications of this update before continuing to operate.