Sanqto
home blog directive 2024/1226 — criminalisation of eu sanctions violations
Article

Directive 2024/1226 — criminalisation of EU sanctions violations

Directive 2024/1226 is the first EU act to harmonise criminal penalties for sanctions breaches. Find out what this means for company boards and owners in Poland.

Published: · Sanqto Team · 19 min read
dyrektywa-2024-1226 kryminalizacja-sankcji sankcje-ue compliance odpowiedzialnosc-karna projekt-uc92 kary-za-naruszenie-sankcji sanction-screening
European Parliament building — Directive 2024/1226 criminalises violations of EU sanctions

Legal status as of: 2026-05-20.

Directive (EU) 2024/1226 of the European Parliament and of the Council of 24 April 20241 is the first EU legal act to harmonise the definitions of offences and minimum criminal penalties for violations of Union restrictive measures across all Member States. Before it existed, a Polish estate agency and a Slovak leasing company could face entirely different consequences for the same violation — because each country had its own rules. This article explains what the Directive introduces, who it applies to, and what you specifically need to do within your business.

TL;DR — key points

  • Directive (EU) 2024/1226 of 24 April 2024 is the first EU act requiring all 27 EU Member States to criminalise sanctions violations with minimum penalties.1
  • The implementation deadline was 20 May 2025.2 Poland missed it; the implementing bill (provisionally designated UC92) is currently progressing through the legislative process.
  • The Directive provides for custodial sentences for natural persons — including company directors and owners — for specific categories of violations.3
  • Legal entities (companies) may be held financially liable for violations committed on their behalf or for their benefit.1
  • Poland’s failure to implement the Directive does not eliminate the risk — Council Regulations (EU) No 269/2014 and No 833/2014 apply directly, without any need for transposition into national law.45
  • The Directive applies to every business operating on the EU market — not only banks and financial institutions.

What Directive 2024/1226 is and why it was created

Before 2024, penalties for violating EU sanctions differed between Member States in ways that were difficult to justify. In one country, breaching a ban on trading in sanctioned goods was an administrative infringement punishable by a relatively modest fine. In another, it was a serious criminal offence carrying a prison sentence. A company could attempt to “optimise” across jurisdictions with more lenient law and conduct risky transactions with less concern about consequences where the rules were weaker.

Directive (EU) 2024/1226 of the European Parliament and of the Council of 24 April 2024 on the definition of criminal offences and penalties for the violation of Union restrictive measures and on the facilitation of such violations (hereinafter: Directive 2024/1226) puts an end to this inconsistency.1 Its purpose is twofold: first, to establish a common catalogue of conduct that must constitute an offence in every EU Member State; second, to set minimum penalty thresholds below which no country may fall.

The Directive forms part of the broader EU response to Russia’s aggression against Ukraine. EU sanctions against Russia — adopted under Council Regulations (EU) No 269/20144 and No 833/20145 and subsequent packages (20 packages had been adopted by the date of publication)6 — are in principle directly applicable. The problem was that enforcement of those prohibitions remained a matter of national law. Directive 2024/1226 closes that gap by harmonising criminal law provisions.

It is worth distinguishing two things: EU regulations on restrictive measures (i.e. the sanctions lists and prohibitions) apply directly, without any need for implementation.45 Directive 2024/1226 does not impose new economic sanctions — it places Member States under an obligation to treat violations of those sanctions as criminal offences. This is a subtle but important distinction, which we return to in a separate section below.

What the Directive introduces — common offence definitions and minimum penalties

Directive 2024/1226 defines an exhaustive catalogue of conduct that every EU Member State is required to criminalise.1 It covers situations in which a person intentionally and in breach of a prohibition or obligation constituting a Union restrictive measure:

  • makes funds or economic resources available to a designated person or entity,
  • fails to implement a decision to freeze funds or economic resources,
  • enables a person subject to a travel ban to enter or transit through EU territory,
  • carries out financial transactions or trade in goods and services subject to a prohibition,
  • provides financial and non-financial services to sanctioned entities,
  • circumvents sanctions or breaches reporting obligations arising from sanctions regimes.

The catalogue therefore covers not only financial transactions — but also trade in goods and the provision of advisory, logistical, or IT services. If your business is, for example, an estate agency, a translation bureau, or a training company that has provided services to a sanctioned entity, this catalogue applies to you as well.

A key element of the Directive is the “minimum for the maximum” mechanism: EU Member States must ensure that the maximum penalty provided in national law reaches at least a specified level. For violations involving funds or economic resources worth at least EUR 100,000, the Directive requires that the maximum custodial sentence be at least five years.3 The Directive does not prohibit higher penalties — some EU Member States have set national ceilings above the minimum required by the Directive — but it establishes the lower bound.

The Directive also criminalises incitement and aiding and abetting in sanctions violations.1 Your procurement employee who “turned a blind eye” to the fact that a business partner appears on a sanctions list may also face liability — not only the chief executive.

Liability of natural and legal persons — management in the crosshairs

Directive 2024/1226 expressly distinguishes between two categories of persons who may bear liability: natural persons and legal persons (companies, business owners).1

Natural persons — chief executives and board members face criminal liability

Criminal liability under the Directive relates primarily to natural persons — the specific individuals who took the decision about a given transaction or managed the process that led to the violation. A chief executive officer, operations director, or authorised signatory (prokura holder) — any natural person who intentionally caused a sanctions violation may stand before a criminal court and receive a custodial sentence.

This is not an abstract threat. The Directive requires that for violations involving the making available of funds to a sanctioned person or the failure to implement a freeze, where the transaction value is at least EUR 100,000, the maximum custodial sentence be at least five years.3 Poland’s Act of 13 April 2022 on special solutions for preventing support for aggression against Ukraine and for the protection of national security (hereinafter: the 2022 Act)7 already provides for custodial sentences for natural persons who violate the prohibitions arising from EU regulations — the Directive will raise and harmonise those thresholds once implemented.

One important detail: the Directive applies a mechanism of aggravating and mitigating circumstances. Among aggravating factors it lists, inter alia, acting within an organised criminal structure, using forged documents, and obtaining a significant financial advantage. Mitigating factors include, among others, voluntarily providing information to law-enforcement authorities and cooperating with the authorities.1 The complete absence of any counterparty verification procedure may be treated by authorities as an aggravating circumstance, not a mitigating one.

Legal persons — a company is financially liable for violations committed on its behalf

The Directive requires EU Member States to ensure the liability of legal entities for sanctions offences committed by persons acting on their behalf or for their benefit.1 This means that, alongside the criminal liability of a chief executive, the company as an entity may be subjected to financial penalties.

The Directive requires that financial penalties for companies be effective, proportionate, and dissuasive. The precise ranges will be set out in the Polish implementing bill (UC92). Until that legislation enters into force, a financial penalty of up to PLN 20,000,000 may be imposed by the Head of the National Revenue Administration (Szef Krajowej Administracji Skarbowej, KAS) under Article 6(2) of the 2022 Act.8

It is worth emphasising: the financial liability of the company and the criminal liability of the chief executive do not preclude each other. They may be imposed simultaneously, in separate proceedings, by different authorities.

Regulation versus directive — why a directive requires national legislation

This question arises frequently and is entirely reasonable. If EU regulations apply directly — why does a directive require additional implementation by each Member State?

European Union regulations are directly applicable: they are binding and applied in all Member States without any need for transposition into national law.4 Council Regulation (EU) No 269/2014 of 17 March 20144 and Council Regulation (EU) No 833/2014 of 31 July 20145 impose specific prohibitions — asset freezing, trade embargo — and every business in Poland, Germany, and the Netherlands has been bound by them since they entered into force, regardless of what Polish law says.

A directive is a different instrument. It places on Member States an obligation to achieve a specific result — in this case, the criminalisation of sanctions violations with minimum penalties — but leaves them free to choose the form and means. States must enact or amend national law for the directive to take effect vis-à-vis citizens and businesses. The directive itself is not a source of direct criminal liability — only the national statutory provision creates that.

This explains the apparent paradox: violations of EU sanctions against Russia are already prohibited and have been for some time (under the regulations), yet the scope of criminal liability varies depending on what each state has implemented. Poland has its own criminal provisions in the 2022 Act7, but Directive 2024/1226 requires those to be supplemented with a broader catalogue of offences and higher minimum penalty thresholds.

The implementation deadline for the Directive in all EU Member States was 20 May 2025.2 Poland missed that deadline — the implementing bill is currently progressing through the legislative process. The delay does not release anyone from obligations arising from the regulations — those remain directly applicable.

How Poland is implementing Directive 2024/1226

Poland did not implement Directive 2024/1226 by the deadline of 20 May 2025.2 The implementing bill, provisionally designated UC92, is — as of 2026-05-20 — progressing through the legislative process; its current stage can be checked on the Government Legislation Centre website at legislacja.rcl.gov.pl (search: “UC92” or “dyrektywa 2024/1226 naruszenie środków ograniczających”).

What does the failure to implement mean in practice? First, the European Commission has opened infringement proceedings against Member States that did not transpose the Directive by the deadline.2 Second — and more importantly for you as a business owner — the provisions of the 2022 Act7 remain fully in force, including custodial sentences for violations of the prohibitions in the EU Regulations. Regulations 269/2014 and 833/2014 apply directly.45

The absence of implementation is not a “window of impunity”. It simply means that the higher minimum criminal penalty thresholds required by the Directive have not yet entered into force in Poland — everything else applies. When bill UC92 does enter into force, the scope of criminal liability will increase and the minimum penalty thresholds will be raised.

It is also worth knowing that the Polish sanctions list, maintained by the minister responsible for internal affairs (MSWiA — Ministry of the Interior and Administration), operates in parallel with the EU lists.9 The Head of the National Revenue Administration (KAS) is the authority empowered to impose a financial penalty for failure to implement an obligation to freeze funds or economic resources.10

For a detailed look at how individual EU countries have approached implementation — which transposed the Directive on time and which did not — see our article Transposition of Directive 2024/1226 — 9 EU countries that implemented on time.

What this means for your business

Directive 2024/1226 does not change what is prohibited — the prohibitions arise from EU regulations. What it changes is the consequences of violating them and who may be personally liable.

If you run a business outside the financial sector — a travel agency, estate agency, leasing company, e-commerce shop, or insurance firm — and have until now assumed that sanctions compliance is a matter for banks, this Directive is a direct signal that it is not.

A number of specific implications:

Company directors and owners are personally liable. The Directive requires that criminal liability extend to the natural persons making decisions. The chief executive of a sole-trader service business who sold a service to an entity on a sanctions list risks criminal proceedings — not just a fine for the company.

Incitement and aiding are criminal offences. An employee who knew that a counterparty appeared on a sanctions list and did not act may be liable. This means that employee training and a clear procedure are not merely a formality — they are a genuine protective shield for the entire organisation.

Cumulative liability. A company and its management may be held liable simultaneously — the company financially, management criminally. Both forms of liability are distinct and may be pursued in parallel.

Negligence is not a defence. The argument “I did not know the counterparty was on the list” may reduce a penalty, but will not eliminate it. The Directive requires intent — however, the complete absence of any verification procedure may be treated as evidence of gross negligence, not as a mitigating circumstance.

Companies operating in countries that have already implemented the Directive are subject to those countries’ stricter rules. If you sell to the Netherlands, have a branch in Sweden, or route freight through Lithuania — a sanctions violation in those countries already gives rise to criminal liability under the national provisions implementing Directive 2024/1226.12 Polish implementation through UC92 does not change that position for your foreign operations.

For a fuller picture of penalties — including administrative penalties under the 2022 Act, the imposing authority (Head of KAS10), and the scope of exclusion from public procurement — see our article What are the penalties for violating EU sanctions?.

What to do — 6 steps

  1. Check whether your business has an obligation to carry out sanctions screening. EU regulations apply to every business operating on the Union market — without exception and without a minimum threshold. The scope of additional obligations (e.g. reporting to GIIF — the General Inspector of Financial Information, Poland’s financial intelligence unit) depends on whether you are an obliged institution within the meaning of the AML Act. This is explained in detail in the article Does my business have to carry out sanctions screening?.

  2. Identify high-risk counterparties and transactions. Start with entities that have connections to Russia, Belarus, Iran, Syria, and North Korea. Review active contracts and the transaction history for the past two years — a counterparty may have been added to a list during an ongoing business relationship.

  3. Screen against sanctions lists. The minimum is the EU Consolidated Sanctions List (available via sanctionsmap.eu) and the Polish MSWiA list available at gov.pl/web/mswia/lista-osob-i-podmiotow-objetych-sankcjami.11 If you have counterparties in the United States, also check the OFAC SDN list. A detailed guide to the lists is available in the article Russia sanctions — what your business needs to know.

  4. Implement a written procedure and designate a responsible person. A written sanctions policy, a staff operating instruction, and a hits register are the minimum. Without documentation, screening does not exist in the eyes of a supervisory authority. Directive 2024/1226 strengthens the position of companies that have documented procedures — this is an element of defence in any potential proceedings.

  5. Document every screening check with its result and date. The date of verification, the list used, the outcome (hit or clear), and who carried out the check — this information creates a defensive shield in proceedings. A record made before a transaction is evidence of due diligence.

  6. Monitor changes to the lists and the progress of bill UC92. EU sanctions lists against Russia are updated regularly — 20 packages of sanctions had been adopted by the date of publication.6 The entry into force of the provisions implementing Directive 2024/1226 may require updates to your procedures. Track the progress of UC92 at legislacja.rcl.gov.pl.

FAQ — frequently asked questions about Directive 2024/1226

How does Directive 2024/1226 differ from EU sanctions regulations? The regulations (e.g. 269/2014 and 833/2014) impose the actual prohibitions — asset freezing, trade embargo. They apply directly, without implementation.45 Directive 2024/1226 does not impose new prohibitions — it requires EU Member States to make violations of those prohibitions a criminal offence with minimum criminal penalties. The Directive requires transposition through national legislation; in Poland this is under way through bill UC92.

Does the Directive apply only to financial firms? No. The Directive covers every natural person and every business that violates Union restrictive measures — regardless of sector. A travel agency, estate agency, IT firm, freight forwarder — every entity operating on the EU market falls within its scope.1 The financial sector has additional obligations imposed on it (AML, KYC — Know Your Customer), but the obligation to comply with sanctions is universal.

Poland has not implemented the Directive — does that mean I face no risk? No. EU regulations apply directly to you right now.45 Poland’s 2022 Act contains its own criminal provisions for sanctions violations.7 A financial penalty of up to PLN 20,000,000 may be imposed by the Head of KAS under Article 6(2) of the 2022 Act.8 The absence of implementation means only that the higher minimum criminal penalty thresholds required by the Directive have not yet entered into force in Poland — everything else applies.

Who is personally liable — the company or its management? Both, independently of each other. The company is financially liable for violations committed on its behalf or for its benefit. Natural persons — the chief executive, operations director, authorised signatory — face criminal liability if they intentionally caused a violation. The Directive requires that both mechanisms exist in national law.1

What will happen when UC92 enters into force? The catalogue of sanctions offences will be extended and the minimum criminal penalty thresholds for natural persons will be raised. The scope of liability of legal entities (companies) will be clarified in the new provisions. Companies that have not yet implemented sanctions compliance procedures will face greater pressure from supervisory authorities. The precise ranges and catalogue of offences will be known once the text of the Act is published.

How long do I have to adjust my procedures after UC92 enters into force? The Directive does not provide for a transitional period for private entities — the prohibitions in EU regulations apply from the date they enter into force, and the provisions implementing the Directive take effect from the date specified in the national legislation. In practice, it is advisable to implement procedures before, not after.

How Sanqto can help

Sanqto is sanctions screening software installed on the client’s own network — counterparty data never leaves your infrastructure (on-premise model). The system screens counterparties against current sanctions lists and returns a result in one of three states: MATCH (a hit requiring immediate action), POSSIBLE (requires manual review by a compliance officer), or CLEAR (no hit, the transaction may proceed). Every check is automatically recorded with the date, the list used, and the result — building the documentation required in the event of an inspection by the authorities.

The implementation document pack includes a ready-made sanctions policy tailored to Polish and EU requirements, a staff operating instruction, and template hits registers. The compliance officer training and certification give the designated person the knowledge needed to understand the rules, including the requirements of Directive 2024/1226 after its implementation in Poland. For businesses operating in sectors with additional obligations, we have prepared dedicated materials — see the pages for estate agencies and insurance brokers.

Below is a list of legal acts with verified sources that form the basis of this article:

  • Directive (EU) 2024/1226 of the European Parliament and of the Council of 24 April 2024 on the definition of criminal offences and penalties for the violation of Union restrictive measures and on the facilitation of such violations, and amending Directive (EU) 2018/1673 — CELEX 32024L1226
  • Council Regulation (EU) No 269/2014 of 17 March 2014 concerning restrictive measures in respect of actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine — CELEX 32014R0269
  • Council Regulation (EU) No 833/2014 of 31 July 2014 concerning restrictive measures in view of Russia’s actions destabilising the situation in Ukraine — CELEX 32014R0833
  • Act of 13 April 2022 on special solutions for preventing support for aggression against Ukraine and for the protection of national security — Journal of Laws 2022, item 835 — eli.gov.pl
  • Bill implementing Directive 2024/1226 (provisionally designated UC92) — current stage available at legislacja.rcl.gov.pl (status unconfirmed from primary source — check current status)
  • Act of 1 March 2018 on counteracting money laundering and terrorism financing — Journal of Laws 2023, item 1124 (consolidated text) — eli.gov.pl
  • List of persons and entities subject to sanctions (Polish MSWiA list) — gov.pl/web/mswia

Information, not legal advice. This article is for informational and educational purposes only. It does not constitute legal advice. Legal status as of: 20 May 2026. Your company’s specific obligations depend on its business profile and require individual assessment — if in doubt, consult a lawyer or compliance adviser.

  1. Directive (EU) 2024/1226 of the European Parliament and of the Council of 24 April 2024 on the definition of criminal offences and penalties for the violation of Union restrictive measures and on the facilitation of such violations, and amending Directive (EU) 2018/1673 — Art. 3(1) (catalogue of criminal conduct and intent requirement), Art. 4(1) (incitement and aiding), Art. 5 (penalties), Art. 6 (liability of legal persons), Arts. 8–9 (aggravating and mitigating circumstances): “Member States shall ensure that the following conduct constitutes a criminal offence when committed intentionally and in violation of a prohibition or an obligation constituting a Union restrictive measure” — CELEX 32024L1226, eur-lex.europa.eu, as of 2026-05-20 ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎

  2. Directive (EU) 2024/1226, Art. 20(1): “Member States shall bring into force the laws, regulations and administrative provisions necessary to comply with this Directive by 20 May 2025.” — CELEX 32024L1226, eur-lex.europa.eu, as of 2026-05-20 ↩︎ ↩︎ ↩︎ ↩︎ ↩︎

  3. Directive (EU) 2024/1226, Art. 5(3)(b): violations under Art. 3(1)(a), (b) and (h)(i)–(ii) involving funds or economic resources worth at least EUR 100,000 “shall be punishable by a maximum term of imprisonment of at least five years” — CELEX 32024L1226, eur-lex.europa.eu, as of 2026-05-20 ↩︎ ↩︎ ↩︎

  4. Council Regulation (EU) No 269/2014 of 17 March 2014 concerning restrictive measures in respect of actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine — Art. 2(1)–(2): “All funds and economic resources belonging to […] the natural persons […] listed in Annex I shall be frozen […]” — CELEX 32014R0269, eur-lex.europa.eu, as of 2026-05-20 ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎

  5. Council Regulation (EU) No 833/2014 of 31 July 2014 concerning restrictive measures in view of Russia’s actions destabilising the situation in Ukraine — Art. 2(1): “It shall be prohibited to sell, supply, transfer or export […] dual-use goods and technology […]” — CELEX 32014R0833, eur-lex.europa.eu, as of 2026-05-20 ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎

  6. DG FISMA, European Commission — Sanctions adopted following Russia’s military aggression against Ukraine, last updated 23 April 2026 (20th package of sanctions): finance.ec.europa.eu, as of 2026-05-20 ↩︎ ↩︎

  7. Act of 13 April 2022 on special solutions for preventing support for aggression against Ukraine and for the protection of national security — Journal of Laws 2022, item 835, consolidated text available — eli.gov.pl, as of 2026-05-20 ↩︎ ↩︎ ↩︎ ↩︎

  8. Act of 13 April 2022 (Journal of Laws 2022, item 835), Art. 6(2): “The financial penalty shall be imposed by the Head of the National Revenue Administration, by way of a decision, in an amount of up to PLN 20,000,000” — eli.gov.pl, as of 2026-05-20 ↩︎ ↩︎

  9. Act of 13 April 2022 (Journal of Laws 2022, item 835), Art. 2(1) and Art. 3(1): “The list of persons and entities […] shall be maintained by the minister responsible for internal affairs. The minister responsible for internal affairs shall issue decisions on entry on the list and removal from it” — eli.gov.pl, as of 2026-05-20 ↩︎

  10. Act of 13 April 2022 (Journal of Laws 2022, item 835), Art. 6(2): “The financial penalty shall be imposed by way of a decision of the Head of the National Revenue Administration” — api.sejm.gov.pl, as of 2026-05-20 ↩︎ ↩︎

  11. List of persons and entities subject to sanctions — Ministry of the Interior and Administration (MSWiA): gov.pl/web/mswia/lista-osob-i-podmiotow-objetych-sankcjami, as of 2026-05-20 ↩︎

All articles See demo