Four years of sanctions: focus shifting to enforcement — Sanctions policies reached their peak and enforcement is dawning

Four years after Russia’s full-scale invasion of Ukraine, sanctions compliance has become an ingrained part of the international business landscape, especially in cross-border transactions.

Following an intense phase of policy-making that now resembles customs regulations in its scope, EU member states have built out their enforcement capacity. Authorities are accelerating investigations, including into early-stage conduct dating back to 2023.

Against this backdrop, two features stand out for compliance officers:

• better information sharing between enforcement authorities and the use of sophisticated tools has significantly improved how enforcement authorities gather and use data; and
• significant progress has been made in enforcing past sanctions breaches, as well as in preventing and monitoring circumvention.

Experience from our practice includes the following:

• Sanctions authorities are now systematically approaching companies suspected of sanctions circumvention that have traded with high-risk counterparties or through high-risk transit countries.
• Sanctions breaches present a significant risk for M&A transactions due to long limitation periods and serious potential consequences, which can materially affect exporting companies or prevent them from exporting altogether.
• Enforcement authorities now share sanctions-related data across the EU and globally with unprecedented speed and informality. By combining enforcement data with open-source intelligence and AI, regulators now access to analytical tools comparable to those used by compliance teams.
• Authorities have begun to informally notify companies of potential breaches involving specific circumventing entities or processes, effectively placing companies “aware”. If a company then fails to react, authorities may rely on that awareness to establish intent.
• Enforcement authorities now regularly require evidence of specific, concrete sanctions compliance measures, such as how third parties are screened for risk, how the company responds to indicators of breaches or no-resale requirement violations and what steps were taken once potential circumvention was identified. A particular focus is how compliance measures have evolved over time and how the company has reacted.
• Enforcement authorities are often unaware of the scale and complexity of large companies’ distribution networks and operations. Explaining bigger picture such as distributing millions daily while facing potential circumvention risks affecting a limited number of products, helps authorities better understand proportionality and operational realities.

Shift to enforcement: how did we get here?

Increased multijurisdictional cooperation between authorities

Sanctions have traditionally been a matter of domestic administrative law, characterised by slow, fragmented and unfamiliar cross-border cooperation. Sanctions investigations were historically rare. As a result, in the early days of the EU’s sanctions against Russia, member states were not accustomed to cooperating on enforcement.

Over time, many states came to recognise that sanctions are most effective when adopted and enforced in a unified manner. The EU coordinated closely with the US and many European non-EU states adopted the EU’s sanctions in full or aligned substantially with them. In addition, national enforcement authorities have entered into new international cooperation agreements with global partners to address sanctions circumvention. Customs authorities in several EU member states actively rely on informal intra-EU cooperation and partnership programmes with US Homeland Security Investigations to detect and prevent circumvention by systematically monitoring export flows and distribution chains.

Notable developments include the Common High Priority Items List (CHPL), developed through cooperation between the EU, the United States and Japan as part of broader G7 guidance aimed at preventing Russian export control and sanctions evasion. The list identifies components found in Russian weapons systems and designates them as high-priority items for enhanced monitoring and enforcement across participating jurisdictions.

Increased data gathering capacity, open source intelligence (OSINT) and AI

Historically, enforcement agencies relied primarily on corporate registries, shipping databases and procurement portals. Today, EU customs authorities share data through EC-coordinated channels, while financial intelligence units exchange a wide range of indicators. Enforcement authorities are also building their own intelligence capabilities using multiple sources, including export and import databases, national export records, paid commercial databases, and OSINT.

OSINT has added a further dimension. NGOs, investigative journalists and specialised OSINT organisations have become key sources of enforcement-relevant intelligence. These organisations have uncovered circumvention networks, tracked shadow-fleet vessels, identified beneficial ownership structures and traced components from European manufacturers to Russian military end users. Their findings are publicly available and are increasingly cited by enforcement authorities. AI and machine learning tools further enhance enforcement capabilities by improving sanctions list matching, detecting name variations across languages and scripts, identifying concealed relationships between entities and enabling continuous real-time monitoring of unstructured data.

Therefore, regulators now have access to the same analytical tools as compliance teams, but they can draw on a significantly wider pool of data, including enforcement-sensitive information that companies themselves do not see.

Increase in both retrospective and prospective enforcement

Over the past four years, authorities across the EU have been gathering substantial amounts of data. Many of the cases now reaching the enforcement stage concern conduct from the early years of the sanctions regime, including activity dating back to 2023. Sanctions authorities are systematically approaching companies suspected of sanctions circumvention that have traded with high-risk counterparties or through high-risk transit countries.

A further development in this direction is the EU’s “best efforts” obligation. This requires EU entities to use their best efforts to ensure that any subsidiaries outside the EU do not undermine EU sanctions, whether in Central Asia, the Caucasus, the Middle East or elsewhere. In practice, this extends the reach of EU sanctions to non-EU entities that would not ordinarily be required to comply with EU regulations.

How can businesses manage this increased compliance risk effectively?

This increased cooperation and information-gathering, combined with a heightened focus on enforcement, has direct consequences for companies. Limitation periods for sanctions breaches may range from three to ten years, depending on the offence, meaning that conduct from 2022 onwards can remain well within the enforcement window.

In recent practice, customs authorities in several EU member states have adopted an informal, “carrot-and-and-stick” approach. Authorities provide companies with lists of business partners suspected of sanctions circumvention and expect companies to carry out internal screening and diligence measures. This informality should not be mistaken for leniency. Companies should maintain clear internal records of the steps taken in response to such outreach. Those records may prove decisive if enforcement authorities later revisit the issue and seek to argue that the company was aware of the circumventing business partners, thereby establishing intent.

In this context, the following points are particularly relevant for compliance officers operating in the EU:

• Sanctions negligence can lead to fines, trade restrictions and imprisonment

Sanctions non-compliance can result not only in administrative liability, but also in criminal liability and corporate criminal liability. Under EU Directive 2024/1226, fines can reach 1–5% of worldwide turnover or EUR 8–40 million. Companies may also face exclusion from public funding and tenders, while individuals may face imprisonment.

Companies may be particularly affected by the recently lowered threshold for prosecution. A single shipment, payment or failure to obtain a licence may now constitute sufficient grounds for a criminal charge relating to dual-use goods or military material. The required standard of due care is measured against publicly available professional guidance, such as European Commission FAQs, EBA guidelines, the CHPLs and industry standards. A manager who has implemented no screening procedures, exercised no oversight and failed to consult applicable guidance may meet the threshold for gross negligence on the basis of a single transaction.

In addition to fines, companies may face restrictions or prohibitions on their business activities. In this respect, the consequences of sanctions violations for businesses may closely resemble the effects of the sanctions themselves.

• Sanctions compliance should be incorporated into the M&A process to limit buyer liability

We frequently encounter M&A transactions in which the target company has significant sanctions exposure but limited or no sanctions compliance management system. In many cases  the due diligence process is not structured to identify or assess sanctions compliance risks at all.

Buyers should ask themselves whether the target has exposure to sanctions and, if so, whether it has sanctions compliance in place. At a minimum this should include a localised, well-documented compliance process, a dedicated compliance employee, regular screening against up-to-date sanctions, export-control and high-priority item lists, as well as a demonstrable record showing how the system has evolved in response to regulatory changes and identified risks.

• Companies must demonstrate that they have an adequate compliance system in place

Where breaches are identified or suspected, customs or prosecuting authorities increasingly require companies to provide a detailed explanation of their compliance processes. More and more, this does not mean merely submitting compliance management system documentation, but rather being able to explain what was checked  in the specific context of the situation, when it was checked, by whom and how the system has evolved over time.

Companies that are unable to demonstrate a documented and evolving compliance management system face significantly higher enforcement risk and more severe sanctions.

• Companies should have a clear protocol for responding to high-risk counterparty identifications

When enforcement authorities flag a high-risk counterparty, whether through designation, inclusion in enforcement intelligence or via direct informal communication to the company,  the company should, at minimum,  check the entity against both direct customer records and distributor point-of-sale data.

How we can help

We provide comprehensive legal guidance on sanctions compliance, enforcement and related regulatory matters. Our team helps businesses navigate complex sanctions landscapes, ensuring compliance with both current and future regulatory requirements.