EU sanctions enforcement reform and corporate criminal liability

Italy is now implementing the Directive through Draft Legislative Decree no. 317/2025 (Draft Decree), introducing, for the first time, specific criminal offenses and related corporate liability for breaches of EU restrictive measures.

The Directive aims to reduce the fragmentation and discretion that have long characterized Member States’ enforcement systems, differences that not only determined whether a violation amounted to an administrative or criminal offense but also led to significant variations in the type and severity of applicable penalties, creating a concrete risk of forum shopping by individuals and businesses. By setting minimum rules on the criminalization of violations and circumvention, the Directive seeks to ensure a more uniform level of deterrence and a harmonized enforcement response across the EU.

The Draft Decree marks a structural shift in the Italian framework, replacing the long-standing hybrid model. While export-control violations were already punishable under both criminal and administrative law (notably under Law 185/1990 on military items and Legislative Decree 221/2017 on dual-use items, as amended by Decree 69/2023), violations of EU financial sanctions were subject to administrative fines, primarily under Legislative Decree 109/2007, unless the conduct simultaneously amounted to another crime (e.g., money laundering or false declarations).

Now, by introducing harmonized criminal offenses for the violation and circumvention of any EU restrictive measure and extending corporate liability under the 231 Decree, this legislative initiative aligns Italy with EU sanctions’ enforcement objectives. The timing of the reform, which preceded the adoption of the EU’s 19th sanctions package on October 23, 2025, further underscores Italy’s intention to ensure full consistency between domestic implementation and the evolving EU sanctions landscape.

To give effect to this alignment, the Draft Decree proposes the addition of a new chapter within the Italian Criminal Code (ICC) – Chapter I-bis of Title I of Book II, titled “Crimes Affecting the European Union’s Foreign Policy and Security.” The chapter sets out the core offenses underpinning the new regime, including:

• Violation of EU restrictive measures: Anyone who breaches a prohibition, obligation, or restriction imposed by an EU sanctions measure may face two to six years’ imprisonment and fines up to EUR 250,000. The provision identifies a broad set of punishable conducts, including the following:
  • Making funds or economic resources available to sanctioned individuals or entities

    This covers anyone who directly or indirectly provides funds or economic resources to a designated person, entity, body, or group or who allocates funds or economic resources for their benefit. For example, this includes releasing or transferring money, granting credit, providing guarantees or performance bonds, and providing assets, goods, or any resource (whether tangible or intangible, movable or immovable) that may be used to obtain funds, goods, or services.

  • Failing to freeze funds or economic resources

    This criminalizes the omission to freeze funds or economic resources that belong to or are owned, held, or controlled (even indirectly) by a designated person, entity, body, or group.

  • Engaging at any title in any economic, commercial, or financial transactions with certain third-country actors

    This makes it an offense to enter into any kind of economic, commercial or financial transaction with:

    • A third country
    • Its public bodies
    • Entities or bodies directly owned or controlled by that third country or its bodies

    The phrase at any title suggests that the scope of this provision is extremely broad. It includes concluding, continuing, or executing contracts, including public procurement and concession contracts.

  • Importing, exporting, trading, selling, purchasing, transferring, or transporting goods (including intangible goods) or providing related services

    This point covers all operations involving goods – tangible or intangible – whether moving them into or out of Italy, trading them, transferring ownership of them, or transporting them. It also includes providing related services, such as brokerage services and technical assistance.

    This provision captures many typical sanctions-circumvention attempts, including the use of intermediaries or providers of technical services.

  • Providing any type of services – including financial ones – or carrying out financial operations

    This clause establishes a residual and extremely broad category. It criminalizes the provision of any service whatsoever (not only financial), as well as undertaking any financial operation, when these conducts breach EU restrictive measures.

  The penalties provided for the basic offense (two to six years’ imprisonment and a fine of EUR 25,000 to EUR 250,000) also apply to anyone who circumvents the implementation of an EU restrictive measure by: i) using, transferring to third parties, or otherwise disposing of designated persons’ frozen funds or economic resources or ii) submitting or using false statements or documents intended to obscure the beneficial ownership or ultimate beneficiary of frozen funds or economic resources.

  Paragraph 5 of Article 275-bis of the ICC extends the applicability of the previous provisions to situations in which the prohibited conduct is carried out without the required authorization or on the basis of an authorization obtained through false statements or falsified documentation. In other words, the same penalties apply when:

  • An individual performs an operation that would normally require a license or exemption under EU restrictive measures but does so without obtaining such authorization
  • The individual deceitfully obtains such authorization by submitting false information or documents and then carries out the activity

  The rule therefore ensures that fraudulent licensing practices are punished as severely as direct violations or circumventions.

• Breach of information obligations: Designated persons or representatives of sanctioned entities who fail to report to the competent administrative authorities any funds or economic resources owned, held, or controlled within the Italian territory may face six months to two years’ imprisonment and fines up to EUR 50,000. The same penalties apply to anyone who fails to provide the competent administrative authorities with information – acquired by reason of their office or professional capacity – concerning funds or economic resources located in Italy that belong to or are owned, held, or controlled by designated persons, entities, organizations, or groups. Therefore, professional secrecy cannot constitute a shield that prevents the identification of assets covered by restrictive measures.
• Breach of the conditions of an authorization to carry out activities: Carrying out activities in a way that does not comply with the obligations or conditions set out in an authorization issued by the competent authority when such authorization is required under an EU restrictive measure could lead to two to five years’ imprisonment and fines up to EUR 150,000.
• Negligent violation of EU restrictive measures: Gross negligence in importing, exporting, selling, purchasing, transferring, or transporting military or dual-use products (listed in Annexes I and IV of Regulation (EU) 2021/821) or providing related services (including brokering, technical assistance, or other support services) is punishable by six months to three years’ imprisonment and fines up to EUR 90,000.

The Draft Decree also introduces special aggravating circumstances, increasing the penalties by one-third to one-half. These apply in the situations where the offense is committed:

• Within a criminal association
• Through the use or submission of false statements or falsified documents
• In the course of a professional, commercial, banking, or financial activity
• Through abuse of powers or breach of duties connected with a public office or public service
• Where the offense results in a substantial profit or significant advantage
• Where the offender destroys, conceals, alters, or damages documents or objects that could serve as evidence or assist in detecting or proving the offense

Special mitigating measures are established as well. If the offender proactively cooperates with the authorities – by preventing further consequences of the offense, facilitating the gathering of evidence, identifying other participants, or enabling the seizure of funds or economic resources – the penalty may be reduced from one-third to two-thirds. The provision is clearly designed to incentivize cooperation and enhance the effectiveness of enforcement by encouraging individuals to support the authorities in uncovering violations and identifying other perpetrators.

Severe offenses trigger 1) mandatory assets confiscation, in direct form (confiscation of items used or intended to be used to commit the offense or that constitute the price, product, or profit of the offense) or by equivalent (seizure of assets available to the offender – even indirectly or through intermediaries – up to an amount equivalent to the price, product, or profit of the offense) and 2) publication of judgments (Article 275-novies ICC), thus reinforcing transparency and deterrence. Notably, these rules apply even to offenses committed abroad by Italian citizens.

From a corporate standpoint, the Draft Decree incorporates the newly defined offenses into the 231 Decree (Article 25-octies.2) as new predicate crimes, triggering:

• Pecuniary sanctions ranging from 1% to 5% of global turnover (or a fixed fine between EUR 3 million and EUR 40 million when turnover cannot be determined) for i) violation of EU restrictive measures and ii) violation of the conditions set under a granted authorization, and from 0.5% to 1% of global turnover (or a fixed fine between EUR 1 million and EUR 8 million when turnover cannot be determined) in case of violation of information obligations.

  In cases of repeated offenses, these financial penalties are further increased by one-third.

• Disqualification sanctions – such as suspension from business activities or revocation of authorizations or licenses, as well as exclusion from financial benefits and funds – for periods ranging from two to six years when senior management is involved or one to three years for employee-level offenses.

These measures represent a significant departure from the ordinary regime under the 231 Decree, which caps both pecuniary fines and disqualification periods at substantially lower levels (up to EUR 1.5 million and two years, respectively). The enhanced framework clearly reflects the legislator’s intention to assign greater punitive weight to sanctions-related offenses and strengthen corporate accountability and deterrence in the context of EU sanctions violations.

The Draft Decree is currently subject to the competent parliamentary committees for review and opinion (the committees may make observations in light of the guidance given with the delegating law), thus there may be further adjustments before the final text is approved.

Proposed reform of the 231 Decree: Key developments in corporate criminal liability

Back in 2001, the 231 Decree introduced corporate liability, formally qualified as “administrative liability,” for a wide range of criminal offenses (regularly updated) committed by managers or employees in the interest or for the benefit of the company. A company may be held liable when it fails to implement an adequate compliance program or internal control system suitable to prevent the commission of such offenses. In particular, if the predicate offense is committed by an employee, the company can avoid liability by demonstrating that it had put in place a compliance program designed to effectively prevent that category of offenses. However, where the offense is committed by senior executives, the burden on the company is higher. Liability can be excluded only if the company provides sufficient evidence of the following:

• It implemented an adequate and effective organizational model (MOG)
• The Supervisory Body (Organismo di Vigilanza, or OdV) had autonomous powers of initiative and control and exercised adequate and effective oversight over the functioning, enforcement, and updating of the MOG
• The senior manager committed the offense by fraudulently circumventing the company’s internal controls

On September 29, 2025, Italian Parliament started discussing an extensive proposal for the reform of the 231 Decree (the Proposal). If approved, the Proposal will revise the foundations of corporate liability, further aligning Italy with EU and international standards, enhancing the preventive function of MOGs.

Below are the key features of the Proposal:

• Corporate “administrative liability” would be expressly redefined as “liability from crime”, more accurately reflecting the criminal nature of 231 offenses and reinforcing the autonomy of the entity’s liability.
• The revised 231 Decree would apply only to collective entities, excluding sole proprietorships and small entities. Small entities would be excluded based on two cumulative criteria:
  • The absence of organizational and managerial autonomy of the administrative body from individuals who, even de facto, exercise control
  • Simultaneous concurrence of three restrictive thresholds: annual assets not exceeding EUR 220,000, annual revenues not exceeding EUR 440,000, and an average workforce of no more than 10 employees

  The exclusion would not apply where the entity exercises direction and coordination over a group of companies.

• Jurisdiction is extended to entities operating in Italy through permanent establishments or structures without legal personality, regardless of their registered office (EU or non-EU).
• The Proposal introduces a transnational ne bis in idem mechanism, which prevents dual proceedings for the same conduct where an entity has been definitively acquitted or convicted in the country where it is headquartered. A distinction is made between entities based in the EU, for which recognition of the foreign decision is automatic, and those based outside the EU, for which a standard recognition procedure is required.
• The revised Article 5 of the 231 Decree refines how interest or advantage need to be assessed, particularly for negligent predicate offenses. Liability must derive from a breach of precautionary rules aimed at achieving cost savings, productivity gains, or other economic benefits. Moreover, parent companies may face liability for offenses committed at subsidiaries’ level, where the conduct serves a specific interest or advantage of the controlling company.
• The Proposal removes the distinction between top management and employees. An entity would be liable if:
  • It fails to implement an effective MOG
  • It fails to assign the OdV adequate oversight duties on the functioning, enforcement, and updating of the MOG
  • The OdV does not properly perform its monitoring duties. The Proposal confirms the applicability of confiscation – even in the absence of liability – if the entity has nonetheless benefited from the offense

  In line with the proposed changes reflecting the criminal nature of corporate liability, the presumption of liability for acts committed by senior management would be abolished, thereby aligning 231 Decree’s system with the fundamental principles of criminal law.

• The revised Article 7 of the 231 Decree establishes a new structure for MOGs, with three core components:
  • A general section (governance structure, ethics code, disciplinary system, whistleblowing channels)
  • A special section (risk mapping and predicate offenses)
  • Operational protocols (monitoring segregation of duties, reporting flows)

  MOGs must also be periodically updated and supported by mandatory, continuous training.

• The Proposal strengthens the OdV by giving it greater autonomy and continuous oversight duties, along with full access to corporate information and adequate resources, proportionate to the size of the company. It also requires a collegial body of at least three qualified members, except for entities with fewer than 30 employees, which may appoint a single nonmanagerial internal member who meets the necessary independence and expertise requirements.
• The Proposal reinforces the autonomy of the entity’s liability from that of the individual perpetrator when the latter remains unidentified or is not guilty. Under the new Article 8, the entity would be liable only if the offense results from a failure to adopt or implement an effective MOG. In such cases, the entity must prove under the general principles of causation in criminal law that it could have prevented the offense with the proper adoption and implementation of the MOG.
• A new provision excludes liability for minor offenses, punishable solely with a limited pecuniary sanction, provided that a MOG was adopted prior to the commission of the offense. However, this exemption does not apply to more serious offenses (e.g., corruption, terrorism, organized crime) or in cases of repeated violations.
• The Proposal significantly reforms the sanctions regime to enhance proportionality and deterrence:
  • When determining penalties, courts must consider the entity’s overall financial situation, in addition to its economic and asset conditions
  • Disqualification sanctions must be applied in a targeted manner, limited to the business area in which the predicate offense originated
  • Entities that voluntarily hand over illicit profits may obtain a penalties reduction
• The Proposal also aims to strengthen the reward-based dimension of the 231 Decree. Currently, incentives for cooperation are incomplete and widely considered as insufficient; self-disclosure of violations to authorities may even imply higher risks of harsher consequences, providing companies with little motivation to disclose breaches. The Proposal introduces several innovations to this:
  • Codified nonpunishability clauses, complementing existing reductions of pecuniary sanctions and exclusions of disqualification measures, conditional upon prior adoption of a MOG
  • Introduction, for the first time, of a cause of nonpunishability based on active cooperation and timely remediation of organizational deficiencies. Specifically, nonpunishability would require:
    • That the entity, before having formal knowledge of criminal proceedings, provides the judicial authority with decisive evidence enabling the discovery of facts (e.g., with an internal investigation) or the identification of perpetrators and takes steps to prevent further consequences, provided that the entity had previously adopted a MOG (even if inadequate). Thus, procedural cooperation becomes truly effective only if preceded by a genuine commitment by the entity, prior to the offense, to foster disclosure – including through targeted internal investigations – without the risk of sanctions
    • The elimination, before trial, of the organizational gaps that facilitated the offense through the adoption of effective corrective measures suitable to mitigate the risk of similar offenses in the future
    • The alignment of the exclusion of liability for entities with that for individuals, ensuring nonpunishability when the predicate offense is extinguished for reasons not strictly personal or when the perpetrator is not punishable due to objective circumstances. This benefit applies on the condition that the entity had previously adopted a MOG and has remedied its organizational deficiencies before trial
• A new probation mechanism for legal entities (applicable only to offenses punishable by a pecuniary sanction not exceeding, at its maximum, 500 units), combined with a dedicated procedural framework, to encourage cooperation and organizational remediation. Access to this mechanism is possible on the entity’s initiative or upon the public prosecutor’s proposal, within defined time limits. If granted, the judge would set an implementation period and actively coordinate with the OdV to ensure transparency and continuity of internal controls. Successful completion of the probation mechanism would result in the extinction of the entity’s liability; otherwise, the proceedings resume, and any actions already undertaken are considered for the determination of sanctions.

  The probation program must include a “reorganization and accountability program” that satisfies four specific conditions:

  • Adoption of a MOG
  • Assignment to the OdV of responsibility for monitoring the functioning, compliance, and updating of the MOG
  • Elimination of harmful or dangerous consequences of the offense, offering full compensation where possible and making available any additional profit obtained, including by equivalent
  • Performance of a social utility activity agreed with a territorial public entity or a noneconomic public body where the competent judicial authority is located. Social utility activity refers to a business activity of general interest, carried out without profit and for civic and solidarity purposes, carried out in the exclusive interest of a local public body or noneconomic public body

  This system reflects a paradigm shift: cooperation and remediation are no longer merely mitigating factors but, under strict conditions, can lead to full exemption from liability, thereby promoting a culture of compliance and proactive risk management.

The Proposal will be preliminarily reviewed by the competent parliamentary committee and then discussed and approved (with possible changes) by each one of the chambers of the Italian Parliament. Considering the average duration of the legislative process, final approval is expected by mid-2026, but the timing could be significantly impacted by a number of factors.

A converging framework: What businesses need to know

Although driven by different policy objectives, both the proposed reform of the 231 Decree and the introduction of sanctions-related offenses under the Draft Decree will have a significant impact on corporate risk management. Together, they entail:

• Higher compliance expectations for the corporate sector
• Broader criminal exposure for entities
• Enhanced oversight duties for parent companies
• Higher standards for MOGs and OdVs
• Harsher pecuniary and disqualification sanctions, balanced by stronger incentives for cooperation, remediation, and self-disclosure
• The inclusion of sanctions compliance as a mandatory component of 231 Decree risk analysis

This dual reform will need careful monitoring, since it would ultimately reshape Italy’s compliance landscape, requiring companies to revisit their governance structures and internal controls and recalibrate their approach to risk. Strengthening compliance systems ahead of these changes will enable businesses to operate with greater certainty and better mitigate both legal and reputational exposure.

*Trainee Valeria Kiseleva also contributed to this article.