May 2026

The failure-to-supervise basis

The introductory note in this series identified the failure-to-supervise basis of corporate liability as one of three provisions of immediate consequence singled out at the outset of this series. The note observed that, on that basis, a company may be liable not because senior management directed or sanctioned the conduct, but because the supervisory framework was insufficient to prevent it; and that this shifts the evidentiary terrain on which corporate liability is contested. This note returns to that basis in detail. Its concern is the operational consequence: how the firm's internal investigations and whistleblowing infrastructure may determine whether the threshold is met and, where it is, how the available mitigators are reached.

The provision: text and scope

The basis is codified at Article 13(2) of the directive. Read with Article 13(1), it concerns legal persons and persons in a leading position within them: persons empowered to represent the legal person, take decisions on its behalf, or exercise control within it. Member States must take the necessary measures to ensure that a legal person may be held liable where the lack of supervision or control by such a person has made possible the commission, for the benefit of that legal person, of one of the offences referred to in Articles 3 to 6 and 8 to 11 of the directive by a person under its authority.

The provision therefore attaches the supervisory or control function to the leading-position individual, and to the legal person the consequences of a failure in that function. Corporate liability under Article 13 does not preclude criminal proceedings against the natural persons involved, whether as perpetrators, inciters or accessories.

In practical terms, Article 13(2) directs attention to three elements: the predicate offence by a person under the legal person's authority; the commission of that offence for the benefit of the legal person; and the lack of supervision or control by a person in a leading position that made the commission possible. The third element will often be the contested terrain. It is the element on which the institution's documentary record - and the investigation that produces it - may shape the outcome.

The investigative consequence: liability and mitigation

Article 13(2) and Article 16 should not be collapsed into a single inquiry. The first question is one of liability: whether the conditions for the failure-to-supervise basis are met. The second is one of sanction: if liability is established, what circumstances are capable of mitigating the consequence. The same factual record may be relevant to both questions, but it does not perform the same function in each.

For present purposes, Article 16 matters in three ways. It requires Member States to ensure that the competent court or judge is able to take into account cooperation with competent authorities, including the provision of information or other assistance; it recognises the prior or subsequent implementation of effective internal controls, ethics awareness and compliance programmes, unless these constitute a ground for exclusion of liability under national law; and it recognises rapid voluntary disclosure by the legal person upon discovery of the offence, accompanied by remedial measures. The recitals make clear that programmes maintained only for cosmetic purposes - 'window dressing' - are unlikely to carry weight; what matters is demonstrable effectiveness.

This is why the investigation should not be framed only as a mitigation exercise. A record built solely around cooperation, disclosure and remediation may be adequate for Article 16, but may leave insufficiently developed the supervision-and-control record on which Article 13(2) turns. Conversely, a record built only to contest the supervision-or-control gap may neglect the discovery, escalation, voluntary disclosure and remediation narrative on which Article 16(d) depends. Both lines should be addressed from the outset, without assuming that one substitutes for the other.

Whistleblowing and the application of Directive (EU) 2019/1937

Article 25(1) of the directive requires Member States to ensure that Directive (EU) 2019/1937 applies to the reporting of the offences referred to in Articles 3 to 11 of the directive and to the protection of persons reporting such offences, under the conditions established in the 2019 directive. Article 25(2) goes further, requiring access to protection, support and assistance measures, in accordance with national law, for persons reporting offences, providing evidence or otherwise cooperating with competent authorities in the context of criminal proceedings.

The relevance to Article 13(2) is twofold.

The first concerns the supervision-and-control infrastructure itself. The existence and effective functioning of internal reporting channels is part of what 'supervision or control' denotes in the context of a modern compliance programme. A regime in which subordinate conduct can be raised, escalated, investigated and addressed through documented internal channels is capable of evidencing supervision; the absence of such a regime, or its dysfunction in practice, is a factual point that prosecutors and courts may rely on when assessing the supervision-or-control gap on which Article 13(2) turns.

The second concerns the moment of discovery. An internal report will often be the event that enables the legal person to move rapidly from discovery to voluntary disclosure and remediation, the mitigator recognised in Article 16(d). The institution that has a reporting channel - and acts on what is reported through it - has a stronger foundation for both the liability contest and the mitigation argument. The institution that lacks such a channel, or whose channel is ineffective in practice, starts from a materially weaker position on both points.

The point is not that internal reporting channels or compliance programmes automatically defeat liability under Article 13. They should not be presented in that way. The practical point is more precise: the same programme infrastructure may help contest the application of Article 13(2) by evidencing that supervision and control were in fact exercised; and, if liability is nonetheless established, it may also support mitigation under Article 16.

Closing observation - the Romanian framework

The Romanian formulation of corporate criminal liability under Article 135 of the Criminal Code is broader than the directive on certain axes - liability arises where an offence is committed in carrying out the object of activity, or in the interest or on behalf of the legal person - but, as the comparative note in this series observed, it does not articulate the failure-to-supervise limb as a distinct basis. Transposition should therefore require Romania to make the supervisory standard explicit, whether as a distinct limb of liability or through a clear adjustment of the existing Article 135 framework. The consequence for institutions operating in Romania is that the internal investigations and reporting infrastructure designed today should anticipate a liability framework that, once transposed, will test the operation of supervision in a way the current Romanian formulation does not expressly do.

For institutions in the regulated financial sector that qualify as obliged entities under the AML framework, the failure-to-supervise basis overlays the aggravator at Article 15(2)(f), addressed in the second note in this series. The aggravator does not alter the basis of liability under Article 13; it modifies the sanctioning consequence. For an AML-obliged firm, the two operate sequentially: Article 13(2) determines whether corporate liability attaches; Article 15(2)(f), where transposed in the relevant Member State, determines the upper end of the consequence.

With the directive published in the Official Journal on 11 May 2026, entering into force on 31 May 2026, and the general criminal-law transposition deadline falling on 1 June 2028, the design window for the frameworks the directive will subsequently test is now defined.

This article is part of the EU Anti-Corruption Directive Romania Corporate Exposure Hub.