April 2026

The Anti-Corruption Directive - Twenty-four months to transpose, twenty-four months to design

The directive will enter into force twenty days after its publication in the Official Journal. From that point, Member States - including Romania - will have 24 months to transpose its criminal-law provisions into national law, and 36 months for the preventive measures, including the obligation to adopt national anti-corruption strategies and to conduct corruption risk assessments.

The transposition deadline is widely understood as a compliance milestone. It is, in substance, something more demanding. The provisions of the directive will not be tested by the act of transposition. They will be tested by the first internal investigation conducted under the framework that transposition produces. The interval between today and that first test is the window in which the relevant structures must be designed.

Three provisions of immediate structural consequence in Romania

The directive contains three provisions that warrant particular attention from boards and legal counsel responsible for corporate exposure in Romania.

The first concerns the calibration of corporate sanctions. For public-sector bribery, private-sector bribery, and misappropriation, Member States must ensure that the maximum fine reaches at least 5% of the legal person's total worldwide annual turnover, or, as an alternative, €40 million. For the remaining offences within scope, the threshold is set at 3% of worldwide turnover, or EUR 24 million. Romanian corporate criminal liability under Article 137 of the Criminal Code currently operates through a day-fine system. Transposition will require structural recalibration. Significantly, the reference point will no longer be the turnover of the Romanian subsidiary in isolation. It will be the consolidated turnover of the group.

The second concerns the basis of corporate liability. The directive requires that legal persons be held liable for offences committed for their benefit by persons in a leading position, and equally where inadequate supervision by such persons has enabled the commission of the offence. The second limb represents a material expansion. A company may be liable not because senior management directed or sanctioned the conduct, but because the supervisory framework was insufficient to prevent it. This shifts the evidentiary terrain on which corporate liability is contested.

The third concerns the role of compliance and cooperation. The directive expressly identifies a series of mitigating factors that may support reduced sanctions, including cooperation with the authorities during an investigation, the implementation of effective internal controls and compliance programmes before or after the misconduct, and voluntary disclosure and remediation upon discovery of the offence. It does not establish any of these as a defence to liability. Mitigation is recognised, but only on the basis of demonstrated operation rather than formal existence.

The corresponding implications for internal investigations

Each of these provisions modifies what an internal investigation must establish in order to be of use to the company.

The shift to turnover-based sanctioning alters the economic stakes of the investigation's findings. When the upper boundary of corporate exposure is calibrated to worldwide group turnover, the distinction between findings that support a mitigation argument and findings that do not is measured in percentage points of consolidated revenue. The investigation is no longer producing a record for the board; it is producing the evidentiary basis on which the company will negotiate, or fail to negotiate, a sanction calibrated to its global financial position.

The introduction of the failure-to-supervise standard alters the appropriate scope of the investigation. Under a liability framework anchored to direct involvement, scope can reasonably be confined to the conduct under review. Under a framework that also captures supervisory inadequacy, the investigation must extend to the supervisory architecture itself: the allocation of oversight responsibilities, the operation of relevant controls, the points at which they failed, and the degree to which any failure was systemic. This represents a meaningful expansion of scope; and one that is unlikely to be retrofitted credibly after the fact.

The mitigating role of compliance and cooperation places a specific evidentiary burden on the investigation. Effectiveness cannot be assessed in the abstract; it is assessed against the programme's performance in the matter at hand: whether it was adequate for the business; whether it detected the conduct, whether it should reasonably have done so, whether the relevant controls were operational, and whether the persons responsible acted on the information available to them. The investigation produces the record against which that assessment is made. A report that establishes the underlying facts without documenting the operation of the compliance programme leaves the mitigation argument structurally unsupported.

The Romanian framework: the gap that transposition does not, of itself, close

Romania presents a particular configuration of strengths and gaps relative to the directive.

The substantive elements are largely in place. Corporate criminal liability is established under Article 135 of the Criminal Code. The corruption offences are codified across the Criminal Code, Law no. 78/2000 on the prevention, discovery and sanctioning of corruption offences, and Law no. 319/2024 on the bribery of foreign public officials in international business transactions. Transposition will require adjustment, but not foundational reconstruction.

What is absent is the operational infrastructure that supports the directive's architecture in jurisdictions that have already developed comparable frameworks. Romania has no equivalent of the French Convention judiciaire d'interet public or the United Kingdom's Deferred Prosecution Agreement. There is no negotiated resolution mechanism through which the quality of an internal investigation can be translated into a defined sanctioning outcome. There is no published prosecutorial guidance on the conduct of corporate internal investigations comparable to the March 2023 AFA/PNF practical guide or the Serious Fraud Office's April 2025 Corporate Cooperation Guidance. Cooperation between companies and the National Anticorruption Directorate (DNA) exists, but operates within prosecutorial discretion rather than within a published framework.

Transposition of the directive does not, of itself, address this. The directive establishes minimum rules on offences and sanctions; it does not require Member States to introduce cooperation mechanisms. Romania may transpose strictly, leaving the existing gap in place, or it may use the transposition window to develop the surrounding framework. Both outcomes remain possible.

The 24-month window, properly understood

Once transposition takes effect, the architecture is in place. A red alert is received; an investigation begins; the framework applies. The choices that determine whether the investigation can support the company's position before regulators - who leads it, how scope is defined, how privilege is structured, whether the compliance programme can be demonstrated to have operated - are not choices made at the moment a matter surfaces. They should be made earlier, in the design of the relevant functions and reporting lines, in the documentation practices that allow supervisory adequacy to be reconstructed under challenge, in the sequencing by which counsel is engaged in relation to forensic and operational work.

The transposition window is not a period for awaiting the final national text, but the period in which the structures the directive will subsequently test must be designed and embedded.

This article is part of the EU Anti-Corruption Directive Romania Corporate Exposure Hub.