Key takeaways:
- The Sapin 2 law is the first French law that requires companies to prevent corruption, not merely punish it after the fact.
- Enacted on December 9, 2016, its most structural provisions (Article 17) came into force on June 1, 2017.
- It requires large companies to implement an anti-corruption program consisting of eight measures.
- A dedicated authority, the AFA, is responsible for verifying their implementation and holds genuine sanctioning powers.
Sapin 2 Law: what every executive needs to know to protect their company
The Sapin 2 law does not merely punish corruption. It also sanctions, and this is its defining characteristic, the failure to have guarded against it. A company can be challenged by the French Anti-Corruption Agency (AFA) for the very absence of anti-corruption measures, even if no wrongdoing has been committed. Before this law, nothing of the kind existed in French law.
This guide offers a plain-language, straightforward reading of the text: what the law requires, who it applies to, how to comply with the help of a compliance consulting firm, and what it costs to do nothing.
What is the Sapin 2 law and why did it change the rules of the game?
When discussing the Sapin 2 law, legal professionals often speak of an obligation of means, and the expression captures the spirit of the text fairly well.
The company and its executives, in a personal capacity, must be able to demonstrate that they have put in place a serious compliance framework. Above all, they must prove, with supporting documentation, that it genuinely works.
From the Sapin 1 law to the Sapin 2 law: a turning point in the French anti-corruption effort
The track record of criminal enforcement before 2016
Before the Sapin 2 law (2016), the fight against corruption in France had in reality only one tool: criminal prosecution after the fact.
A framework whose track record, according to the OECD, was fairly dismal. Since the creation of the offence of “transnational bribery” in 2000, only four individuals had been convicted in France. Not a single legal entity.
The achievements and limitations of the Sapin 1 law (1993)
Yet the Sapin 1 law (1993) had laid some convincing groundwork. It regulated political financing and created the Central Service for the Prevention of Corruption (SCPC). However, this body played at best a consultative role, with no powers of oversight or sanction.
A handful of OECD field reports successively highlighted the major shortcomings of the framework. The most damaging was certainly the Phase 3 follow-up document (2014), whose findings were damning: out of 33 recommendations, only 4 had been implemented by France.
The extraterritoriality of US law
At the same time, French companies were being sanctioned by the US Department of Justice under the FCPA (Foreign Corrupt Practices Act), due to the absence of an equivalent French legal framework.
The $772 million fine imposed on Alstom in 2014 acted as a wake-up call. It had become evident that France was leaving its own companies exposed to the extraterritorial reach of US law.
Cahuzac, Panama Papers: the breaking point
The Cahuzac affair (a Budget Minister forced to resign over an undeclared Swiss bank account, in 2013), followed by the Panama Papers in 2016, completed the case that the French framework needed to be rebuilt from scratch.
The 3 main pillars of the Sapin 2 law: transparency, anti-corruption and modernisation
Transparency. The law creates a register of “interest representatives”, starting with lobbyists. They are required to register and declare their activities. Oversight of this register is entrusted to the High Authority for Transparency in Public Life (HATVP).
Anti-corruption. This is the core of the framework, entrusted to the French Anti-Corruption Agency (AFA). It organises the anti-corruption obligations of companies as well as the protection of whistleblowers.
Modernisation. The third component brings together provisions on executive compensation, public procurement, and the powers of the AMF and the ACPR. It is this component that gives Sapin 2 an extremely broad scope.
Who is affected by the Sapin 2 law? The precise criteria to know
Approximately 1,600 companies are directly affected in France. But on closer inspection, the scope covers more, due to the ripple effect of the law: clients, suppliers, foreign partners, and so on.
| Entity type | Subject to the law? | Condition |
|---|---|---|
| Large private companies | Yes | ≥ 500 employees and turnover > 100 million euros |
| EPICs (RATP, SNCF, CEA) | Yes | Same thresholds |
| Mixed-economy companies | Yes | Same thresholds |
| SMEs and mid-sized companies below the thresholds | No, but affected de facto | Anti-corruption clauses imposed by contracting authorities |
| Any entity with ≥ 50 employees | Yes, for the whistleblower component | Obligation to have a reporting mechanism |
The application thresholds for private companies: headcount and turnover
There are two thresholds to bear in mind for a company:
- At least 500 employees,
- Turnover exceeding 100 million euros.
As soon as both conditions are met simultaneously, the company is subject to the law.
Another important point is that these thresholds are assessed at group level. In other words, if your French parent company ticks both boxes, all of its subsidiaries are required to deploy the anti-corruption program. Including a subsidiary with 50 employees.
The law also targets executives in a personal capacity, and this is a point many underestimate. The sanction can reach up to 200,000 euros in fines for the executive personally, independently of any fine imposed on the company.
Public sector, associations, SMEs: who else is covered by the Sapin 2 law?
Public industrial and commercial establishments (EPICs), those public entities that carry out commercial activities (such as RATP, SNCF or CEA), are subject to the law as soon as they cross the thresholds.
The same applies to mixed-economy companies (SEMs), those structures with majority public shareholding found in urban development, local transport or water management.
SMEs and mid-sized companies below the thresholds are not subject to the law as such. However, the cascade effect is real, meaning they are affected de facto. It is common for large contracting authorities, aware of the importance of due diligence, to impose anti-corruption clauses on their suppliers.
If you work with a CAC 40 group, you have probably already filled in an anti-corruption questionnaire. The Sapin 2 law is the reason behind it.
ℹ️ Good to know: The French Anti-Corruption Agency (AFA) has published a practical guide designed for SMEs and smaller mid-sized companies, acknowledging that anti-corruption compliance affects them de facto, even if they are not subject to the obligations of Article 17.
Nicolas - Sapin 2 law expert
The 8 obligations of the Sapin 2 law that your company must implement
During its audits, the AFA looks for tangible evidence of the existence (and proper functioning!) of eight mechanisms:
- A code of conduct that clearly states what is prohibited, supported by concrete examples.
- A whistleblowing channel so that employees can report a problem in full confidentiality.
- A risk mapping that identifies where the company is most exposed, country by country, business line by business line.
- A third-party verification process before entering into a relationship with a supplier, an intermediary or a partner.
- Accounting controls targeted at sensitive items (commissions, gifts, consultancy fees).
- An internal sanctions regime so that breaches of the code of conduct carry consequences.
- A monitoring mechanism that verifies the whole system is working, not just on paper.
Code of conduct and risk mapping: the foundations of the Sapin 2 framework
The code of conduct sets the rules; the risk mapping determines where they must be applied as a priority. These two measures form the foundation on which the rest of the program rests.
The code of conduct
It must define and concretely illustrate prohibited behaviours:
- The gifts and hospitality policy (with defined monetary thresholds),
- Conflicts of interest,
- Sponsorship and patronage,
- Facilitation payments.
It is incorporated into the internal rules and regulations, which requires consultation with the works council (CSE). Note that this “code” is not a document of general principles. The AFA expects concrete illustrations, adapted to the company’s lines of business. An industrial group operating in sub-Saharan Africa will not have the same code of conduct as a Parisian software publisher.
The risk mapping
It is described as the “cornerstone” of the framework by the AFA. It identifies, analyses and ranks all the corruption risks to which the company is exposed.
Everything therefore depends on its sectors of activity, its geographical locations and its operational processes.
Updates are required at least once a year, and following any significant change (acquisition, entry into a new market).
Whistleblower protection: what the Sapin 2 law concretely guarantees
Every employee of a company subject to the law must be able to report a problem without fear for their career. This is the guarantee established by the Sapin 2 law.
The Waserman law (2022) pushed the boundaries further: an employee can report directly to an authority, without being required to go through the company’s internal channel.
The protections are robust, and were designed to be so. The whistleblower’s identity remains confidential. Any form of retaliation (dismissal, sidelining, denial of promotion) is prohibited.
The law also covers “facilitators”: the colleague who helps gather evidence, the union representative who supports the process, the close associate who provides advice.
On the company side, this translates into the implementation of a secure reporting platform, typically an off-the-shelf solution such as:
- Whispli,
- WhistleB/NAVEX,
- Whistleblower Software,
- FaceUp,
- Or IntegrityLine.
A dedicated officer handles reports and assesses whether there are grounds to follow up. If there are not, the data must be destroyed within two months.
ℹ️ Good to know: The legislator intended these protections to have real teeth. Disclosing the identity of a whistleblower carries a penalty of 2 years imprisonment and a 30,000 euro fine. Obstructing a report carries one year imprisonment and a 15,000 euro fine.
Third-party assessment, training and accounting controls: the most commonly overlooked obligations
These are the three least well-deployed measures according to the AFA’s 2024 national diagnostic, and they are where audits focus as a priority.
In other words: when a company subject to the law presents a clean code of conduct and risk mapping, but neglects its third-party due diligence or accounting controls, the signal it sends is that of a window-dressing program.
Third-party assessment
Before signing with a supplier or intermediary, the company must ensure it knows who it is dealing with. This is the principle of anti-corruption due diligence: scrutinising the third parties you work with, in proportion to the risk they represent.
An intermediary in a country with a high corruption index will therefore not be assessed with the same level of diligence as a business introducer in France.
In practice, this involves several checks:
- Verifying the identity and actual ownership structure of the third party (and/or beneficial owners),
- Searching for any convictions or adverse information,
- Detecting the presence of politically exposed persons (PEPs),
- Ensuring that the remuneration paid is proportionate to the actual service provided.
The training framework
Training is conducted at two levels. The first targets employees most exposed to risk: sales staff negotiating with foreign partners, buyers selecting suppliers, managers in regular contact with public officials.
For them, the AFA expects concrete sessions, with scenarios drawn from the reality of their role:
- What to do when an intermediary offers to “facilitate” obtaining a permit?
- How to respond to a request for an unusually high commission?
The second level is broader awareness-raising, aimed at all staff, so that everyone knows the code of conduct and knows how to use the reporting channel.
Anti-corruption accounting controls
These are in place to prevent the accounts from concealing any suspicious transactions. In practice, this involves:
- regularly reviewing the most exposed items, such as entertainment expenses, consultancy fees, intermediary commissions, donations and sponsorship,
- maintaining a clear separation between bookkeeping and account control functions,
- establishing a hierarchical approval process for high-risk expenditure.
Two measures complete the framework. The disciplinary regime, incorporated into the internal rules and regulations, provides for graduated sanctions in the event of a breach of the code of conduct.
The internal monitoring and evaluation mechanism verifies, for its part, that the program as a whole is running properly and feeding into management reporting.
ℹ️ Good to know: A robust compliance framework also serves as a lever against internal fraud. The whistleblowing and control mechanisms deliver benefits well beyond the anti-corruption perimeter.
Sapin 2 law sanctions: what risks does non-compliance carry?
On the administrative side, the AFA’s sanctions committee has a graduated scale of sanctions, ranging from a warning to a fine. But it is the criminal side that poses the greatest risk in the event of non-compliance.
AFA administrative sanctions: warning, injunction and fines
The AFA’s sanctions committee has three levers, and it is not the most obvious one that hurts the most:
The compliance injunction
With a deadline of up to three years to get back on track. This is the most commonly used tool at this stage.
But in practice, it is a fourth mechanism that concentrates the most concern: publication of the decision. A published sanction remains visible online to anyone who types your company’s name into Google.
A prospect, a partner, an investor who comes across a committee decision before a meeting will not forget it quickly.
ℹ️ Good to know: The sanctions committee has not yet imposed any actual financial penalty. It currently favours a pedagogical approach, making primary use of injunctions. But this leniency will not last indefinitely. More than half of the companies subject to the law have deployed all eight measures (2024 national diagnostic). The higher the general level rises, the less latecomers will be able to plead ignorance.
Criminal risks and reputation: what executives do not always anticipate
AFA administrative sanctions are one thing. Criminal prosecution is quite another, of an entirely different magnitude. An executive convicted of corruption faces up to 10 years imprisonment and a 1 million euro fine.
For the legal entity, the bill can reach 5 million euros, or even ten times the profit derived from the offence. Without counting additional penalties, such as exclusion from public procurement.
One of the key mechanisms is the public interest judicial agreement (CJIP). This is a form of negotiated resolution, which allows an agreement to be reached without admitting guilt.
The advantage is real, but so is the price: the fine can reach 30% of the average turnover of the last three financial years.
ℹ️ Good to know: The CJIP has already resolved more than 25 corruption cases since 2017, for a cumulative total of approximately 4 billion euros in fines. Major companies have signed CJIPs, including Airbus (over 2 billion euros), HSBC, Société Générale, and Bolloré.
How to achieve compliance with the Sapin 2 law: the step-by-step method
Key figure
12 to 18 months: this is the average time required for Sapin 2 compliance. As a general rule, the project is carried out in three phases.
Initial diagnostic, mapping and deployment: the 3 phases of a successful compliance process
Phase 1. Diagnostic (≅ 2 to 3 months)
Before building anything, you need to know where you are starting from. This first phase involves making a clear-eyed assessment: what do you already have in place, and what is missing? In practice, this comes down to:
- Verifying whether the company is subject to the law (cumulative thresholds),
- Mapping existing mechanisms (ethics charter, procurement procedures, internal rules and regulations),
- Benchmarking them against AFA recommendations,
- Identifying priority gaps,
- Appointing a compliance officer with direct access to senior management and dedicated resources.
Phase 2. Structuring (≅ 6 to 10 months)
This is the most intensive phase, and the most decisive. The risk mapping built during the diagnostic serves as the backbone. It dictates the content of the code of conduct, the scope of third-party due diligence, the audiences to be trained as a priority, and the accounting controls to be strengthened. Each measure is then deployed:
- Drafting a code of conduct and incorporating it into the internal rules and regulations (with consultation of the works council),
- Mapping existing mechanisms (ethics charter, procurement procedures, internal rules and regulations),
- Benchmarking them against AFA recommendations,
- Identifying priority gaps,
- Appointing a compliance officer with direct access to senior management and dedicated resources.
Phase 3. Monitoring (ongoing)
A compliance program is never finished. It lives, or it fails. Oversight is organised across three levels:
- Managers verify day-to-day application,
- The compliance officer supervises the whole,
- A periodic independent audit assesses what the framework is actually worth in practice.
The risk mapping is reviewed every year, and the indicators feed into management reporting. It is this monitoring discipline that the AFA will scrutinise first when it initiates an audit.
Why engaging a specialist compliance firm accelerates (and secures) the process
Sapin 2 compliance is a cross-functional undertaking. It draws on expertise in criminal business law, risk management, and more.
It also requires a certain familiarity with AFA audit practices and international standards. All of this is rarely found under one roof.
For a mid-sized company approaching the subject for the first time, external support makes sense. It saves valuable time and avoids false starts, which prove costly in subsequent corrections.
A compliance consulting firm brings three concrete advantages:
- A sector benchmark: having supported several companies in the same sector, it knows which corruption scenarios are most relevant for your risk mapping and which controls are effective.
- A proven methodology, which reduces deployment timelines while legally securing each step.
- An external perspective, to assess what your framework is genuinely worth in practice, as this is precisely what the AFA seeks to measure during its audits.
Eterra Partners supports companies in structuring their compliance program, from the diagnostic phase through to ongoing monitoring. A single conversation is enough to establish a clear picture of your situation and identify the first actions to take.
YOUR QUESTIONS
FAQ - Frequently asked questions about the Sapin 2 law
Before contacting us, you may have these questions. Here are direct answers from our senior consultants.
Does the Sapin 2 law apply to foreign subsidiaries of a French group?
Yes. As soon as the French parent company meets the thresholds (500 employees, 100 million euros in consolidated turnover), the obligations apply to the entire perimeter, including foreign subsidiaries. This logically requires translating the code of conduct and adapting the risk mapping to local contexts.
What documents must be retained to demonstrate Sapin 2 compliance?
The AFA does not impose a fixed list, but its audit questionnaire gives an indication of the minimum to have in place: a code of conduct (with proof of distribution), a dated and signed risk mapping, third-party due diligence files, training certificates, and internal control reports.
Is a Sapin 2 compliance audit mandatory or optional?
The law does not require an “audit” in the formal sense. However, the eighth measure of Article 17 requires a documented internal monitoring and evaluation mechanism, with a report submitted to management. A periodic external audit therefore constitutes a best practice in preparation for a potential AFA audit.


