Spain: A Corporate Compliance Overview

Compliance as a Preventive Mechanism for the European Union’s Economic Security and Foreign Policy

EU sanctions reform and the expansion of criminal liability

Recent developments in the European Union’s regulatory framework on restrictive measures have significantly strengthened the role of compliance as an essential risk-management tool for companies engaged in international business. The transposition of Directive (EU) 2024/1226, currently underway in Spain through Organic Law 121/000072, represents a significant shift in the way liability for breaches or circumvention of international sanctions is addressed, reinforcing a broader trend towards greater private-sector involvement in the effective enforcement of the European Union’s sanctions policy.

In Spain, Organic Law 121/000072 was introduced before the Spanish Parliament on 31 October 2025. The bill, which is currently progressing through the legislative process for its approval, amends the Spanish Criminal Code in order to transpose the Directive, introducing a new Title: “Offences Relating to the European Union’s Common Foreign and Security Policy”.

The proposed reform introduces new criminal offences arising from breaches of EU restrictive measures. First, it criminalises the direct violation of sanctions, including making funds or economic resources available to sanctioned individuals or entities, carrying out prohibited trade-related transactions, or failing to comply with asset-freezing obligations. Second, it penalises the facilitation of entry into, or transit through, EU territory of designated individuals. Finally, it criminalises conduct aimed at circumventing or obstructing the sanctions regime, including breaches of reporting obligations and the concealment or manipulation of information relating to assets, ownership structures, or control arrangements.

One of the most significant aspects of the reform is the extension of criminal liability to legal entities when offences are committed for their benefit or as a result of inadequate supervision and control. Companies would therefore face criminal penalties, including fines ranging from 1% to 5% of their worldwide annual turnover, as well as ancillary measures such as the publication of the conviction, significantly increasing both reputational and financial exposure. It should also be noted that these offences are equally applicable to members of the executive management team, who may face prison sentences in addition to substantial financial penalties.

Compliance measures for sanctions-related risk

This new regulatory framework is expected to have a direct impact on sectors particularly exposed to international operations and sanctions regimes, including financial institutions, international trade businesses, technology and dual-use industries, the energy sector, and industrial companies operating through global supply chains. Likewise, consulting firms, professional services providers and digital asset businesses are becoming increasingly affected by these compliance obligations.

Against this backdrop, compliance assumes a central role as a mechanism for preventing sanctions-related risk. Companies with international exposure will need to review and update their compliance programmes in order to adequately address these new criminal risks associated with international sanctions.

As a first step, corporate criminal risk maps should be updated to incorporate the newly introduced offences and to reassess both the company’s inherent and its residual risk exposure. Similarly, existing internal control mechanisms should be reviewed and, where necessary, supplemented with measures specifically designed to address sanctions-related risks:

  • Reviewing ongoing contracts and transactions that may be affected and suspending them where appropriate.
  • Implementing customer and counterparty screening procedures to ensure that business partners are neither individuals/entities designated by the EU, nor parties linked to economic sectors affected by international sanctions. To this end, companies should rely on up-to-date public information regarding EU sanctions lists, as well as automated screening and due diligence tools capable of identifying not only direct matches against sanctions lists, but also indirect ownership structures, relevant connections and adverse media reports.
  • Providing specific internal training for employees.

The increasing technical and legal complexity of the EU sanctions regime, combined with its constant evolution and interaction with domestic criminal law, makes specialised legal advice particularly important. This is especially true given that many of the new offences operate under blanket criminal provisions, whose scope depends on continually evolving EU legislation. In addition, the frequent modification of sanctions lists, and the practical difficulties associated with identifying complex ownership and control structures, require companies to continuously reassess and update their compliance systems.

Integrated compliance and governance as a value-creating function

When discussing compliance and corporate governance today, the focus can no longer be limited to traditional governance structures and compliance programmes aimed solely at managing risks associated with corporate criminal liability. While this traditional approach remains essential and should be maintained and strengthened, the key issue is that compliance and governance must now be approached through the lens of vision and purpose.

Indeed, compliance should be understood as part of a broader, integrated compliance ecosystem encompassing not only traditional criminal and anti-corruption compliance, but also tax compliance, employment compliance, competition law compliance, regulatory compliance, anti-money laundering and sanctions compliance, data protection and cybersecurity, environmental compliance, third-party risk management, financial compliance, and other relevant areas depending on the size and nature of the business.

Such a compliance ecosystem should enable different compliance functions to interact effectively with one another, not only to reduce corporate risk exposure but also to improve the overall efficiency of the compliance framework.

This is where governance becomes critical. Governance structures must be efficient and adapted to this cross-functional approach, ensuring not only effective reporting by compliance functions to the supervisory body, but also the optimal use of the information generated. This facilitates an integrated approach to risk management, reduces the company’s overall risk exposure, and supports the development of coherent policies, processes and controls, which are often mandatory, such as anti-harassment protocols, competition law risk management systems, and anti-money laundering controls.

Meeting this challenge requires full alignment among the three core functions of the organisation: business, compliance and internal audit. These functions must evolve from operating as separate silos to adopting a collaborative and integrated approach that enhances efficiency and strengthens risk management capabilities. Ultimately, compliance should be viewed not merely as a control function, but as a value-creating element within the organisation. Achieving this requires strong leadership, continuous adaptation to business needs, and the ability to respond effectively to evolving legal and regulatory requirements.