Sapin II is not a soft obligation. But it is widely misread as one.

When the French anti-corruption law known as Sapin II came into force in 2017, it introduced something that had not previously existed in French law: a positive, proactive obligation on large companies to prevent corruption — not merely to refrain from it.

The law applies to companies headquartered in France that meet two cumulative thresholds: at least 500 employees (counted at company or group level where the parent is in France) and annual turnover, or consolidated turnover, above 100 million euros. Their subsidiaries, wherever located, are brought in through the parent. A French subsidiary of a foreign group is caught when it meets the thresholds in its own right. The obligation falls not only on the company but personally on its chairmen, chief executives and managers. The reach is significant. And the obligation it creates is specific.

Article 17 of Sapin II requires companies in scope to implement eight defined measures: a code of conduct; an internal whistleblowing system; a corruption risk map; third-party due diligence procedures; accounting controls; a training programme; a disciplinary regime; and an internal control and evaluation procedure. These are not principles. They are requirements. And the Agence Française Anticorruption (the AFA) is empowered to verify their implementation through on-site audits (contrôles) that carry real consequences.

"Sapin II does not ask companies to have good intentions. It asks them to demonstrate, through documented and operational measures, that those intentions have been translated into practice. The distinction is the entire point."

Having measures is not the same as implementing them.

The most common misreading of Sapin II is treating it as a documentation exercise. Companies that have a code of conduct on a shared drive, a whistleblowing hotline with a provider contract, and a training module uploaded to a learning management system sometimes conclude that the eight measures are in place.

The AFA audits differently. Its published methodology is clear on this point: the agency assesses not whether measures exist on paper, but whether they are operational, proportionate to the company's risk profile and effectively applied in practice. An AFA audit involves document review, interviews with employees at several levels of the organisation, and a direct assessment of whether the compliance architecture functions as intended, or merely as represented.

The distinction between existence and implementation is where most companies that receive AFA findings encounter difficulty. A code of conduct that has not been updated since 2018. A risk map that was completed for the initial implementation and never reviewed. A training programme that covers managers but has not reached the commercial teams with the highest third-party exposure. These are not technical deficiencies. They are substantive compliance failures — and the AFA treats them as such.

The AFA's enforcement record makes one thing clear: the agency is not interested in whether the eight measures have been implemented in form. It is interested in whether they work. The question every in-scope company should be asking is not "do we have this?" but "does this function as it was designed to?"

A practical view of the most common gaps.

Of the eight measures, risk mapping and third-party due diligence account for the majority of AFA recommendations. The risk map is frequently produced as an initial exercise and not revisited — a significant weakness in an AFA assessment, since the agency expects the map to be reviewed when the business changes and at regular intervals regardless. Third-party due diligence is often designed in principle but applied inconsistently: robust for certain categories of counterparty and absent for others that carry comparable risk.

Accounting controls are the measure that many compliance functions leave entirely to finance. The expectation under Sapin II is that the compliance function actively verifies that accounting controls are designed to detect the patterns through which corruption is concealed in the books (fictitious invoices, unsupported payments to intermediaries, off-book accounts), not merely that general financial controls exist. The distinction matters.

Training is frequently over-reported and under-designed. Completion rates are high. Behaviour change — the actual objective — is rarely measured. The AFA looks for training that is tailored, scenario-based, and demonstrably connected to the company's actual risk environment. A global e-learning module in a language most employees do not use is unlikely to satisfy this expectation.

"The eight measures of Sapin II are not a checklist. They are an architecture. Each one reinforces the others — and a gap in any one of them weakens the structure as a whole."

The consequence of an AFA finding is not merely reputational. Where the agency's audit reveals deficiencies, its director may issue a warning or refer the case to the AFA's Sanctions Commission, which can order the company to bring its programme into compliance within a set deadline, impose financial penalties on the company (up to 1 million euros) and on its senior executives personally (up to 200,000 euros), and order the decision to be published. Separately, where a company settles corruption charges through a judicial public interest agreement (CJIP), the AFA is typically appointed to monitor the compliance programme for up to three years. For a law that is now nearly a decade old, the enforcement posture has matured, and the expectations have only become more demanding over time.
