International trade has entered a period in which “conflicting legal requirements” are no longer exceptional; they are part of the operating environment for global businesses and the professionals who advise them. The change is not only the volume and complexity of sanctions regimes, but also the migration of compliance expectations from the margins of the legal function into governance, risk, financing, and commercial decision-making.
In Europe, restrictive measures adopted in response to Russia’s war against Ukraine have accelerated a broader shift: the development of an EU sanctions and compliance architecture with growing consequences for corporate governance, criminal exposure, and competitiveness. Export controls are evolving alongside sanctions, creating overlapping obligations that attach both to who a company deals with and what it exports. For cross-border operators, legal risk is no longer confined to the “sanctions clause” at the end of a contract; it sits at the center of supply-chain design, counterparty selection, and group structuring across jurisdictions.
This article considers the EU’s enforcement trajectory through a practical lens for companies navigating cross-border transactions where regulatory expectations and legal duties can diverge. It also takes a French perspective, not because France is unique, but because certain French compliance obligations and institutional reflexes can be an advantage if deployed thoughtfully under EU sanctions pressure.
Sanctions and Export Controls: From Specialized Issues to Structural Business Constraints
Sanctions are no longer background diplomatic instruments. They are structural tools of economic statecraft that reshape how companies engage in international trade and investment. In parallel, export controls continue to regulate sensitive goods and technologies through licensing systems, and the two regimes increasingly overlap in day-to-day compliance.
A useful starting point is the functional distinction: sanctions typically attach to the identity of the counterparty (designated persons, entities, sectors, or countries), while export controls attach to the nature of the goods or technology being exported. In practice, however, companies often must evaluate both at once, including end users, end use, beneficial ownership, and circumvention risk. That analysis increasingly extends beyond direct counterparties to third parties and supply chains, creating friction where business models are global and modular.
The tension sharpens when cross-border business intersects with US extraterritoriality, particularly where US primary and secondary sanctions create exposure for EU or French companies beyond the formal territorial scope of EU restrictive measures. In that setting, companies may face a risk landscape in which legal compliance is jurisdiction-dependent, while commercial and reputational expectations are not.
The Enforcement Inflection Point: Criminalization as a Significant Shift in Enforcement
The most significant recent shift in the EU sanctions environment is the move from primarily administrative enforcement toward a criminal-law framework. Directive (EU) 2024/1226 requires Member States to criminalize specified conduct, including violations of restrictive measures, inciting, aiding and abetting, and attempts.¹ It also establishes common penalties and a harmonized approach to liability for legal persons, replacing a patchwork of national penalty systems.
From a corporate perspective, this matters for at least three reasons. First, criminalization changes how boards and senior management should view sanctions risk: it is no longer only a compliance topic, but an area that can expose individuals and companies to criminal consequences. Second, it heightens the importance of defensible compliance architectures, because enforcement will often turn on what a company knew, should have known, and reasonably implemented. Third, it interacts with cross-border investigations, where suspected violations may involve multiple jurisdictions, transit countries, and evidentiary trails that do not align with corporate boundaries.
The directive’s significance is not simply that there are more penalties. It signals that the EU is treating sanctions compliance as a core integrity issue, closer in spirit to anti-corruption enforcement than to traditional administrative trade regulation.
The EU Enforcement Architecture: A Fragmented Framework
Even as the EU strengthens its enforcement posture, the model remains structurally decentralized. EU sanctions are adopted by the Council through Common Foreign and Security Policy decisions, and some measures require Council regulations directly applicable in Member States. Implementation and enforcement, however, still largely sit with Member States and their national competent authorities, including decisions on authorizations, derogations, investigations, and penalties.²
That decentralization remains a source of tension for operators. A central challenge is inconsistency across Member States in enforcement intensity and interpretation, which creates legal uncertainty and openings for evasion. Differences in how “ownership and control” are assessed can produce divergent outcomes, to the point that a company may be treated as frozen in one Member State and not in another. Limited publicity around penalties and derogations further reduces visibility into how the rules are applied in practice.
At EU level, the Commission plays a central role in overseeing uniform application of EU law and monitoring enforcement through information-sharing and operator reporting obligations embedded in Council regulations. It has also developed tools to strengthen coordination, including the EU Sanctions Whistleblower Tool, a sanctions helpdesk for SMEs, and, in the Russia context, the Freeze and Seize Task Force.³ The EU has also created the role of Sanctions Envoy to engage with third countries and reduce evasion and circumvention.
The Council also contributes through RELEX best practices and implementation guidance, which it has updated in recent years. In the Russia regime, it also introduced a designation criterion targeting persons and entities facilitating circumvention, reflecting an evolution in enforcement tools aimed at those who enable evasion.
In litigation and judicial oversight, EU courts play a limited role in enforcement as such, but they may review the legality of listing decisions, and the CJEU may shape enforcement through preliminary rulings on validity and interpretation. More broadly, sanctions compliance requires familiarity with the applicable regulations, as well as with the institutions, agencies, and courts that shape enforcement expectations over time.
Circumvention and the “Best Efforts” Turn: Practical Extraterritorial Effects Without Formal Extraterritoriality
A defining feature of EU sanctions has traditionally been their limited formal territorial scope compared with US regimes. EU restrictive measures generally apply within EU territory, to EU nationals wherever located, to persons and entities located in the EU, and to business conducted in whole or in part in the EU. That limited scope, however, can create incentives for circumvention through third countries, including rerouting prohibited goods and technologies through intermediaries and transit jurisdictions.
The EU’s response has increasingly relied on tools that, while not “extraterritorial” in a traditional doctrinal sense, can have practical extraterritorial effects. In the Russia context, the EU has adopted measures that may restrict exports of certain goods to designated third countries where diversion risk is high. It has also adopted “best efforts” obligations requiring persons bound by EU restrictive measures to seek to ensure that controlled non-EU entities do not participate in activities that undermine those measures.⁴
For multinational companies, “best efforts” is not a drafting nuance. It implies group-level compliance programs with governance capable of influencing non-EU subsidiaries and monitoring able to detect higher-risk trade patterns routed through third countries. If enforcement expectations extend to what the group can reasonably prevent within its sphere of control, corporate structures do not eliminate risk; they can amplify it.
This dynamic is not limited to Russia-related measures. Recent reporting and investigations in other contexts show that enforcement tests can arise outside the main geopolitical focus, including where the classification of goods (such as dual-use or potentially military-relevant platforms) creates fact-sensitive questions about whether transactions fall within prohibited categories.
A French Perspective: Compliance Infrastructure as a Competitive Advantage
France offers an instructive example of how compliance infrastructure can become a strategic asset rather than a cost center. Since the Sapin II law of 2016, large French companies have been subject to mandatory anti-corruption compliance obligations, including risk mapping, third-party due diligence, internal controls, whistleblowing systems, and training programs.⁵ Although designed for anti-corruption compliance, those tools are readily adaptable to sanctions compliance.
That matters in practice because many core sanctions-compliance mechanics (screening, third-party review, risk mapping, internal controls, escalation, and documentation) closely resemble those required by mature anti-corruption frameworks. As a result, some French companies may have a head start in embedding compliance into governance and operations, which can help when business partners, investors, or lenders demand evidence of robust controls.
In this environment, companies that can credibly demonstrate mature compliance controls may reduce enforcement risk while improving their ability to transact.
Practical Implications for Cross-Border Transactions: What Sophisticated Operators Are Doing Now
Because sanctions enforcement is becoming more consequential while remaining partly fragmented, strategic planning should focus on resilience: the ability to make decisions that remain defensible across regulators, jurisdictions, and evolving expectations. Four practical themes stand out.
- Companies should treat “ownership and control” analysis as a dynamic risk assessment, not a box-checking exercise. Given divergent Member State approaches and limited transparency around penalties and derogations, operators need internal methodologies that are consistent, well documented, and explainable to different regulators. Where the same structure could be viewed differently across Member States, the practical question is the risk appetite for proceeding and which mitigating controls, including contractual protections, are truly effective.
- Circumvention risk should be treated as a supply-chain and trade-route risk, not only a counterparty risk. The practical question is whether a company can identify atypical routing, mismatches between stated end use and product characteristics, or transaction patterns suggesting diversion.
- Group-wide governance is increasingly critical because of “best efforts” expectations for controlled entities outside the EU. Multinationals should have credible tools to influence subsidiary behavior, including policy deployment, training, audit rights, and cross-border escalation channels. The goal is not perfection, but a demonstrable record of meaningful steps to prevent controlled entities from undermining restrictive measures.
- Cross-border operators should also treat reporting obligations and privilege constraints as part of enforcement risk management. Companies and counsel therefore need a disciplined approach to internal investigations, documentation, and external communications, particularly where multiple legal regimes and investigative authorities intersect.
Conclusion: Compliance as Governance, and Governance as Strategy
The EU sanctions landscape is evolving toward a model that is more criminalized, more coordinated, and more sensitive to circumvention, even as key aspects of enforcement remain decentralized across Member States. For cross-border business, that creates a paradox: higher enforcement expectations and greater risk, paired with inconsistent application and limited visibility into how rules are implemented in practice.
In that environment, the companies best positioned to perform are not those that treat sanctions as a narrow legal constraint. They are those that integrate sanctions and export control compliance into governance, transaction planning, and operational controls, treating compliance as a strategic capability that supports market access, financing, and resilient cross-border execution.
France’s experience with mandatory compliance infrastructure illustrates how a mature compliance toolkit can become an advantage as sanctions expectations rise. As the EU refines enforcement tools through criminalization, best practices, information-sharing mechanisms, and anti-circumvention measures, the strategic question for boards and management becomes how to turn compliance into a genuine source of competitive resilience in a world of conflicting legal requirements.
Footnotes
1. Directive (EU) 2024/1226 on the definition of criminal offences and penalties for the violation of Union restrictive measures.
2. Council restrictive measures are adopted by the Council under CFSP and implemented through a mix of decisions and regulations, with enforcement primarily by Member States.
3. European Commission tools and coordination initiatives referenced in this article include the EU Sanctions Whistleblower Tool, the EU Sanctions Helpdesk, and the Freeze and Seize Task Force.
4. EU anti-circumvention and “best efforts” concepts discussed here reflect the EU’s evolving approach to circumvention risks, including obligations targeting controlled non-EU entities and measures addressing third-country diversion risk in the Russia regime.
5. Observations on French compliance infrastructure are based on mandatory compliance elements described in connection with Sapin II (risk mapping, third-party due diligence, internal controls, whistleblowing systems, and training programs) and their adaptability to sanctions compliance.
