Sanctions List Updates — How to Keep Up with Changes

If you checked a counterparty against the EU sanctions list three months ago and have not looked at that list again since, you cannot be certain the transaction is still safe. EU sanctions lists are not a static document: new packages, ad-hoc listings following major geopolitical events, and personnel changes within listed entities mean the registers are updated regularly. Council Regulation (EU) No 269/2014 of 17 March 2014¹ and Council Regulation (EU) No 833/2014 of 31 July 2014² apply directly to every company operating in the EU³ — and every change to the list is binding on your company from the moment it is published in the Official Journal of the EU.

Legal status as of: 2026-05-20.

TL;DR — key points

• The EU, MSWiA⁴ (Poland’s Ministry of Internal Affairs and Administration), UN⁵, and OFAC⁶ sanctions lists are updated regularly — new entries appear both with successive sanctions packages and between them.
• A one-off check at contract signing does not protect you from risk — if a counterparty is listed during an ongoing relationship, you are liable for every subsequent transaction.
• EU sanctions are directly applicable without transposition³ — a new entry on the Consolidated List takes effect immediately.
• The administrative fine for breaching sanctions law in Poland is up to PLN 20 million (Article 6(2) of the Act of 13 April 2022⁷).
• Tracking changes manually is feasible with a handful of counterparties; with dozens or hundreds of business relationships it becomes unworkable.
• Automating updates and rescreening is the only scalable answer to this operational problem.

Why sanctions lists change constantly

Sanctions lists are not documents published once a year. They are instruments of foreign policy, and foreign policy responds to current events. Every escalation of an armed conflict, every UN Security Council decision, and every new EU Council regulation produces concrete changes to the registers — adding new individuals or entities, expanding the scope of restrictive measures, or — less frequently, but it does happen — removing an entry (known as delisting).

In practice, three mechanisms of change can be identified:

New sanctions packages. The EU Council adopts regulations and decisions introducing successive sets of restrictive measures. Each new package typically brings dozens of new entries to the Consolidated List, which is maintained and published by DG FISMA (the Directorate-General for Financial Stability, Financial Services and Capital Markets Union)⁸. From the moment of publication in the Official Journal of the EU, these entries are binding on your company immediately — with no transitional period.

Ad-hoc updates between packages. New entries can appear outside the cycle of numbered packages. This applies to the EU Consolidated List, the SDN List maintained by OFAC⁶, and the UN Security Council Consolidated List⁵. These bodies add entries in response to specific events — asset acquisitions, new ownership links, decisions within UN sanctions committees.

Delisting — removal from the list. Although far less common than additions, delisting does occur — for example when an entity has divested its shareholding or a court has ruled in its favour. For your company this has a practical dimension: if you suspended cooperation with a counterparty because of their listing, monitoring for delistings allows you to resume the business relationship once the measures are lifted.

It is also worth bearing in mind the so-called 50 per cent ownership rule: EU sanctions automatically cover entities in which a listed person or company holds at least 50 per cent of proprietary rights or exercises control over them⁹. This means a new listing of a single individual can overnight bring dozens of subsidiaries within the scope of sanctions — even if none of those subsidiaries appears on the list by name.

The risk of an outdated verification

Imagine you sign a contract with a supplier, screen them against the sanctions lists, receive a CLEAR result, and fulfil the order. Six months later that same supplier is added to the EU Consolidated List under a new sanctions package. Your company continues to process invoices, accept goods, and settle payments. Every one of those actions is now non-compliant with sanctions law — even though the counterparty was clean on the day the contract was signed.

The law does not provide an automatic grace period for lack of knowledge. EU regulations are directly applicable³ — the obligation to refrain from a transaction arises the moment an entry takes effect, regardless of when you learned of the change. The Head of the National Revenue Administration (KAS — Krajowa Administracja Skarbowa) may impose a financial penalty of up to PLN 20 million under Article 6(2) of the Act of 13 April 2022 on special measures to counter the support of aggression against Ukraine and to protect national security (Journal of Laws 2022 item 835)⁷. A full overview of the financial and criminal consequences can be found in our article on penalties for sanctions violations.

Beyond financial risk there is also operational and reputational risk. A payment freeze imposed by a correspondent bank, a company account block, or a public investigation — these are consequences that can severely disrupt day-to-day business before the matter ever reaches a regulatory authority. The risk of an outdated verification is particularly high in long-term relationships: regular suppliers, long-term lease agreements, multi-year service contracts. For precisely such relationships, a one-off check at contract signing is an absolute minimum — but a minimum that is decidedly insufficient.

How often to check counterparties

The answer depends on two factors: the nature of the business relationship and the level of risk it poses to your company.

For one-off relationships — for example, an occasional purchase from a new supplier or a single-occasion service order — verification before the transaction is concluded is sufficient. You must document the check and retain the result in a hits register.

For ongoing relationships — regular suppliers, multi-year contracts, sub-agents, business partners, tenants — a one-off check at contract signing is not enough. The status of any of these entities can change during the course of the relationship. That is why rescreening is applied to such relationships: re-verification at defined intervals or automated notification of changes.

How often should rescreening be carried out? Polish law does not explicitly set a minimum frequency — the Act of 13 April 2022¹⁰ and the EU regulations¹² impose an obligation to comply with sanctions, not a specific verification schedule. In practice, however, compliance standards adopt the following approach:

• Monthly rescreening is applied to relationships with moderate risk and a large number of counterparties.
• Weekly or continuous monitoring — for counterparties in higher-risk sectors, high transaction values, or cooperation with entities from countries subject to a broad sanctions regime.
• Immediate notification — when a screening tool tracks lists in real time and alerts you to a new entry affecting an identified counterparty.

The key principle: the longer and more intensive the business relationship, the more frequent rescreening should be. If counterparty verification was a one-off event at contract signing — you have a gap in your compliance process.

Continuous monitoring versus one-off verification

One-off verification means checking a specific entity against the current version of the sanctions lists at a given moment. It gives you certainty about the state at that one moment — and nothing more.

Continuous monitoring is the reverse process: you do not check the list when you choose — the list “checks itself” and notifies you when a change occurs affecting entities in your counterparty database. The difference is fundamental.

Continuous monitoring does not replace one-off verification — it complements it. The correct process looks like this: you verify a counterparty before the contract is signed (initial verification), and then maintain continuous monitoring that alerts you when the status changes during the course of the relationship.

For travel companies⁴ handling bookings from dozens or hundreds of intermediary agents, continuous monitoring is not a luxury — it is an operational necessity. The same applies to insurance brokers and agents, who maintain long-term relationships with clients and partners.

Where to track changes on the lists

If you want to track changes manually, several official sources are available. The list with links is below.

EU list — Consolidated List (FSD) The European Commission, through DG FISMA⁸, publishes the consolidated list in the Financial Sanctions Database (FSD) available at webgate.ec.europa.eu/fsd/fsf. The list is available in XML and CSV formats — useful for automated processing. The Official Journal of the EU (eur-lex.europa.eu) is the place of official publication for every regulation amending the list.

EU Sanctions Map The interactive tool available at sanctionsmap.eu¹¹ allows you to browse EU sanctions packages by country and type of measure. Useful for understanding context, but it does not replace checking directly in the FSD when verifying a specific entity.

Polish MSWiA list The Minister of Internal Affairs and Administration (MSWiA — Ministerstwo Spraw Wewnętrznych i Administracji) maintains the national sanctions list, published at gov.pl/web/mswia/lista-osob-i-podmiotow-objetych-sankcjami⁴. The list is updated following each ministerial decision — there is no fixed schedule, so you cannot assume that a check from a month ago remains current.

UN list — UN SC Consolidated List The UN Security Council maintains a consolidated list managed by the individual Sanctions Committees⁵, available at un.org/securitycouncil/content/un-sc-consolidated-list. Changes are published as press releases and direct updates to the list.

OFAC list — SDN List OFAC (Office of Foreign Assets Control, U.S. Department of the Treasury) maintains the SDN (Specially Designated Nationals and Blocked Persons) List⁶ at ofac.treasury.gov. For most Polish SMEs outside the financial sector, the OFAC list is relevant primarily in the context of dollar-denominated transactions or cooperation with US-based entities.

UK OFSI Consolidated List Following Brexit, the United Kingdom maintains its own list of financial sanctions targets through OFSI (Office of Financial Sanctions Implementation, HM Treasury)¹². It applies to transactions with UK entities or those settled in GBP.

Why manual tracking does not scale

With one or two counterparties, manual tracking is feasible: you visit the DG FISMA and MSWiA websites once a week, compare against your own list, and enter the result in a spreadsheet. Tedious, but doable.

With ten counterparties, problems begin. With a hundred — it is impossible to maintain as a reliable compliance process.

Why? First, sanctions lists do not send e-mail notifications. New entries appear without warning. You must actively check each source yourself — and there are at least four main lists (EU, MSWiA, UN, OFAC), each in a different format and on a different website. Second, manual name-matching is error-prone. Individuals on the list frequently appear under multiple aliases, with transliterations of names from Cyrillic or Arabic. Missing an alias that matches your counterparty is a realistic scenario in manual verification. Third, you have no history — a spreadsheet will not tell you whether a counterparty was clean on the day you contracted with them if you did not record that explicitly with a date and the version of the list. And regulatory authorities may ask exactly that.

Finally: time. A thorough manual check of a single counterparty across four lists, taking into account the 50 per cent ownership rule⁹, takes at least several minutes. Multiply that by the number of counterparties and the frequency of rescreening — and you have a full-time job.

Automating updates — how it works

Automating sanctions screening means replacing the manual process with a system that:

1. Fetches and updates sanctions lists directly from the sources (DG FISMA, MSWiA, UN, OFAC) continuously or on a defined schedule.
2. Compares your counterparty database against current versions of the lists — including aliases, transliterations, and the ownership rule.
3. Reports the result in three states: MATCH (definite hit), POSSIBLE (possible hit requiring review), CLEAR (no hit).
4. Alerts the relevant people in your organisation immediately when a counterparty’s status changes from CLEAR to POSSIBLE or MATCH.
5. Records every verification in a hits register — with the date, the version of the list, and the result.

The outcome is continuous protection without requiring staff time for manual checking. The compliance officer is notified only when a hit appears that requires a decision — without the need to review multiple sources every day.

It is worth noting the deployment model: a system can operate as an external service (SaaS, where counterparty data leaves your infrastructure) or as an on-premise solution installed within the client’s own network (data never leaves the company). The choice of model matters particularly for companies that process sensitive personal data of their customers or counterparties and have restrictions arising from GDPR or confidentiality agreements.

If you want to understand how counterparty verification against sanctions lists works from a technical perspective, read our article on how sanctions screening works.

How to keep up with changes — implementation steps

If you want to bring order to this area in your company, do it step by step:

1. Identify all active counterparties. Compile a list of entities with whom you have active contracts, active orders, or regular transactions. This is your database for rescreening.

2. Determine which relationships are ongoing. Separate one-off purchases from long-term contracts. For the latter, you must plan regular rescreening — verification at contract signing alone is not sufficient.

3. Check which lists apply to you. Certainly: the EU Consolidated List¹³ and the Polish MSWiA list⁴. If you conduct dollar-denominated transactions or work with US-based entities — the OFAC list⁶. If you have counterparties in the United Kingdom — the OFSI list¹². The UN list⁵ is embedded in the EU list (the EU implements UN sanctions), but it is worth tracking independently for counterparties outside the EU.

4. Establish a procedure for handling hits. Before you launch any monitoring, decide: who is notified on an alert? What happens to the transaction whilst it is being investigated? Who reviews a POSSIBLE result before a decision is made? Without this procedure, an alert from the system falls into a void.

5. Choose your tool. For a small number of counterparties, a manual process with a standardised spreadsheet and schedule may suffice. For a larger number of relationships — consider dedicated sanctions screening software that automates list retrieval and rescreening.

6. Document every verification. The date of the check, the version of the list (or date of update), the result, and the person who verified — this is the minimum a regulatory authority may require. Retain documentation for at least the duration of the business relationship plus several years.

7. Update your company’s sanctions policy. The internal document setting out the procedure should specify the frequency of rescreening, the persons responsible, and the method of recording results.

FAQ — frequently asked questions

Do I need to re-verify a counterparty with whom I have a multi-year contract?

Yes. Verification at contract signing protects you only on the day you carried it out. If the counterparty is placed on a sanctions list after the contract is signed, you are obliged to suspend all transactions from the moment the entry takes effect — regardless of the contract terms.

How long do the prohibitions arising from an EU list entry remain in force?

An entry on the Consolidated List applies from the moment of publication in the Official Journal of the EU. EU regulations are directly applicable³ — there is no vacatio legis specific to any individual company. The entry remains in force until delisting or the revocation of the regulation.

What about counterparties that are subsidiaries of a listed company?

The 50 per cent ownership rule means that sanctions automatically cover entities controlled by listed persons or companies⁹. If your counterparty’s parent company is placed on the list, its subsidiaries are subject to sanctions regardless of whether they appear on the list by name. This requires verification of the ownership structure (UBO — ultimate beneficial owner), not just the company name.

How quickly must I respond after a new entry appears?

Immediately — from the moment an entry takes effect you are obliged to cease prohibited transactions. There is no statutory deadline for “becoming aware” of a change to the list. This is precisely what makes continuous monitoring more effective than one-off verification when list updates are irregular.

Is a one-off verification at contract signing sufficient for a cash transaction?

For a one-off and immediate transaction — yes, initial verification is sufficient. But bear in mind that the obligation applies not only to the signing of the contract, but to every transaction in its performance: wire transfers, delivery of goods, provision of services. If several weeks have elapsed between contract signing and payment, it is advisable to repeat the verification immediately before the transaction itself.

Do I need to check counterparties against all four lists simultaneously?

The legal obligation arising directly from Polish law and EU law covers the EU Consolidated List¹³ and the Polish MSWiA list⁴. The OFAC and UK OFSI lists are binding primarily in the context of transactions with US or UK entities and settlements in USD/GBP. In practice, however, most sanctions screening tools check all major lists simultaneously — which is a sensible approach, particularly for relationships with foreign entities.

How Sanqto can help

Sanqto is sanctions screening software installed within the client’s own infrastructure (on-premise) — your counterparty data never leaves your company’s network. The system automatically retrieves sanctions list updates, rescreens your entire counterparty database, and reports results in a three-state model: MATCH, POSSIBLE, or CLEAR. Your compliance team is therefore notified only when a hit appears that requires a decision — without the need to manually check multiple sources every day. If you operate a travel agency or another business in a sector where you regularly enter into relationships with new counterparties and partners, we can help reduce operational risk and streamline the documentation required by sanctions regulations.

Legal basis

• Council Regulation (EU) No 269/2014 of 17 March 2014 concerning restrictive measures in respect of actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine — CELEX 32014R0269
• Council Regulation (EU) No 833/2014 of 31 July 2014 concerning restrictive measures in view of Russia’s actions destabilising the situation in Ukraine — CELEX 32014R0833
• Council Regulation (EC) No 765/2006 of 18 May 2006 concerning restrictive measures in view of the situation in Belarus — CELEX 32006R0765
• Directive of the European Parliament and of the Council (EU) 2024/1226 of 24 April 2024 on the definition of criminal offences and penalties for the violation of Union restrictive measures — CELEX 32024L1226
• Act of 13 April 2022 on special measures to counter the support of aggression against Ukraine and to protect national security (Journal of Laws 2022 item 835) — ISAP
• Act of 1 March 2018 on countering money laundering and terrorist financing (Journal of Laws 2018 item 723) — ISAP
• DG FISMA — EU sanctions hub — finance.ec.europa.eu/eu-and-world/sanctions-restrictive-measures_en
• EU Sanctions Map — sanctionsmap.eu
• UN — UN Security Council Consolidated List — un.org/securitycouncil/content/un-sc-consolidated-list
• OFAC SDN List — ofac.treasury.gov
• UK OFSI Consolidated List — gov.uk/government/publications/financial-sanctions-consolidated-list-of-targets
• Polish MSWiA sanctions list — gov.pl/web/mswia/lista-osob-i-podmiotow-objetych-sankcjami

Information, not legal advice. This article is for informational and educational purposes only. It does not constitute legal advice. Legal status as of: 20 May 2026. Your company’s specific obligations depend on its business profile and require individual assessment — if in doubt, consult a lawyer or compliance adviser.