
EU, UN, OFAC and MSWiA Sanctions Lists — a Guide

EU, UN, OFAC and MSWiA sanctions lists — which ones a Polish company outside the financial sector must check, how to read them, and where to obtain updates.

Sanqto Team · 14 min read
[Infographic comparing EU, UN, OFAC and MSWiA sanctions lists: country flags, data sources and verification steps for a Polish company.]
Caption: Four sanctions lists that (directly or indirectly) apply to a Polish company outside the financial sector.

If you run an ordinary company in Poland — not a bank, not a currency exchange, not a law firm — you are still obliged to screen your clients and business partners against EU sanctions lists. This obligation follows directly from EU regulations that apply without any implementing act by the Polish Parliament. Since 2022, a Polish national list maintained by MSWiA (Ministry of Internal Affairs and Administration) has been added to the mix. Most SMEs are still unaware of any of this.

This article answers a simple question: which lists exactly apply to your company and how do they differ from one another.

TL;DR

  • EU list (Regulations 269/2014 and 833/2014 + annexes to successive packages) — applies to every entity in the EU, without exception. This is your baseline.
  • UN list (Security Council Consolidated List) — indirectly, because the EU transposes UN sanctions into its own regulations. In practice, the EU list is sufficient.
  • OFAC SDN list (USA) — formally not binding on a Polish company, but it affects you whenever you settle in USD, correspond with US banks, or operate under a contract containing a sanctions clause.
  • Polish MSWiA list — a national supplement to the EU list, maintained under the Act of 13 April 2022. You check it alongside the EU list.
  • UK list (OFSI/HMT) — relevant if you have a branch, clients, or payments in the United Kingdom.

Where this obligation comes from

EU economic sanctions operate within the Polish legal order differently from most other regulations. EU regulations (269/2014, 833/2014, 765/2006 and subsequent packages) require no implementing statute. They apply directly from the date of publication in the Official Journal of the EU, and they cover every natural and legal person in the EU — regardless of sector, size, or whether anyone has ever heard of them.

Two key articles in Regulation 269/2014:

  • Prohibition on making funds available to persons and entities listed in Annex I (you may not sell, rent, lend, transfer, or provide anything to them).
  • Obligation to freeze assets if such persons are already your clients or hold money, goods, deposits, or unpaid invoices with you.

These two obligations themselves require you to know who is on the list. And to know that, you must screen. That is the entire premise of sanctions screening.

In Poland, this was supplemented by the Act of 13 April 2022 on special measures to counter the support of aggression against Ukraine and to protect national security (Journal of Laws 2022 item 835; hereinafter: “the Sanctions Act”). This Act introduced a national sanctions list maintained by the Minister of Internal Affairs and Administration — which is why we refer to it informally as the “MSWiA list”.


The EU list — your baseline that cannot be avoided

The EU list is not a single file. It is a set of annexes to various regulations, plus one consolidated database that the European Commission makes available in CSV/XML format.

Two main regulations you need to know

Council Regulation (EU) No 269/2014 of 17 March 2014 concerns restrictive measures in respect of persons and entities responsible for actions undermining the territorial integrity of Ukraine. This is the “personal” regulation — Annex I contains a list of individuals and companies whose assets are frozen.

Council Regulation (EU) No 833/2014 of 31 July 2014 concerns sectoral sanctions against Russia — export, import, services, and financing. This is not about lists of individuals, but about sectors and products. Sectoral sanctions are often more demanding from a compliance perspective than personal lists, because they require checking what you are selling, not just to whom.

For Belarus, the equivalent regulation is 765/2006. For Iran — 267/2012. For North Korea — 2017/1509. And so on. By 2026, the list of countries subject to some EU sanctions regime numbers more than 30 entries.

The EU consolidated list — where to download it

The European Commission maintains the EU Financial Sanctions Files (FSF) — a single file combining all sanctions regimes and all annexes. This is the one source for the entire EU.

Address: https://webgate.ec.europa.eu/fsd/fsf

Format: XML (full) and CSV (simplified). Update frequency: each time a new package is published or a listing is updated in the Official Journal of the EU — in practice, several times per month.

A second useful source is the EU Sanctions Map (https://sanctionsmap.eu/) — an interactive map where you click a country and see which regimes apply to it. Good for learning; poor for automation.

What you will find in the consolidated file

Each entry contains:

  • name (plus aliases, transliterations, former names),
  • date of birth, place of birth, nationality (for individuals),
  • registration number, address (for entities),
  • passport number (where known),
  • legal basis — which annex, which package, which regime,
  • date of listing.

Having a surname is not enough to produce a hit. Sanctions screening is not Ctrl+F on a name. You must account for aliases, transliterations (Putin / Putyn / Putine), spelling variants, and dates of birth. This is why tools use fuzzy matching and a three-state result instead of a simple YES/NO — more on this in a separate article on the implementation procedure.
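The matching logic described above, sketched as an added example (this is not Sanqto's code or any official tool). The list entries are constructed and fictional, the two thresholds are assumptions, and `difflib.SequenceMatcher` stands in for whatever similarity measure a production tool uses.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed, fictional entries shaped like the fields of a consolidated-list record.
SAMPLE_LIST = [
    {"id": "SAMPLE-1", "names": ["Ivan Petrovich Sidorov", "Iwan Sidorow"], "dob": "1970-03-15"},
    {"id": "SAMPLE-2", "names": ["Example Trading LLC", "Primer Torg OOO"], "dob": None},
]

# Assumed thresholds; tune them against your own false-positive rate.
MATCH_AT, POSSIBLE_AT = 0.90, 0.80

def normalize(name):
    """Lower-case, strip diacritics and punctuation, sort tokens so word order is ignored."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalnum() else " " for c in no_marks.lower())
    return " ".join(sorted(cleaned.split()))

def name_score(query, entry):
    """Best similarity between the query and any listed name or alias."""
    q = normalize(query)
    return max(SequenceMatcher(None, q, normalize(n)).ratio() for n in entry["names"])

def screen(name, dob=None, entries=SAMPLE_LIST):
    """Return (state, entry_id, score) for the strongest candidate on the list."""
    best = ("CLEAR", None, 0.0)
    for e in entries:
        score = name_score(name, e)
        if score < POSSIBLE_AT:
            continue
        if dob and e["dob"] and dob != e["dob"]:
            state = "POSSIBLE"   # name fits but the dates of birth conflict: human review
        elif score >= MATCH_AT and (e["dob"] is None or dob == e["dob"]):
            state = "MATCH"      # strong name hit, corroborated by date of birth where one is listed
        else:
            state = "POSSIBLE"   # weaker name hit, or nothing to corroborate it with
        if score > best[2]:
            best = (state, e["id"], round(score, 2))
    return best
```

A name-only hit on an individual stays POSSIBLE here even at a perfect score, because nothing corroborates it; that is the case a yes/no search cannot express.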


The UN list — formally important, but already inside the EU list in practice

The UN Security Council Consolidated List is a list of individuals and entities subject to sanctions imposed by Security Council resolutions. Regimes covered include: ISIL/Al-Qaeda, Taliban, Iran (pre-JCPOA), North Korea, Libya, Sudan, Somalia, and several others.

Address: https://www.un.org/securitycouncil/sanctions/information

Within the EU, the rule is that every UN sanction adopted by the Security Council is transposed into EU law by a separate regulation. In other words, when the UN adds someone to the Taliban list, the EU issues an implementing regulation within a matter of weeks. From that point, that person also appears on the EU list.

Practical conclusion: if you check the EU consolidated list, the UN list is already inside it. The only situation in which you need to check the UN list separately is during the window between a UN Security Council resolution and its EU transposition — which is extremely rare and mainly affects banks and logistics companies operating in real time. For the vast majority of SMEs, the UN list can be treated as a subset of the EU list.


The OFAC SDN list — American, but watch out for extraterritoriality

OFAC is the Office of Foreign Assets Control, part of the US Department of the Treasury. It maintains the SDN (Specially Designated Nationals and Blocked Persons) list, which runs to tens of thousands of entries and is updated almost daily.

Address (this is OFAC's own site, not the EU Sanctions Map): https://ofac.treasury.gov/sanctions-list-search-tool. Raw file: https://sanctionssearch.ofac.treas.gov/.

When it applies to a Polish company

Formally? A Polish company is not required to comply with the American SDN list, because it is US law. In practice? It must comply in four situations:

  1. You settle in US dollars. Every USD transaction passes through a correspondent bank in the United States. If the counterparty is on the SDN list, the bank will block the payment regardless of your view on the matter.
  2. You have US clients or suppliers. An American partner will require you to perform a “sanctions clearance” against their own standards — that is, against OFAC.
  3. Your contract includes a sanctions clause. In international contracts, it is standard practice to include a clause requiring “compliance with applicable sanctions, including OFAC”. Breaching that clause is a breach of contract, independent of any breach of law.
  4. Your business has a “US nexus” — for example, you use American software, you have clients who are US green-card holders, or you deliver goods or services to US territory. In such cases, OFAC may consider you subject to US jurisdiction.

For a company operating exclusively in Poland, with no USD transactions, no US clients, and no American software — OFAC formally does not apply. But fewer companies fit that description than you might expect. Always analyse your supply chain and payment flows before saying “this doesn’t concern us”.

OFAC secondary sanctions

A separate category: secondary sanctions. This is the mechanism by which the United States can penalise a non-US company for doing business with an SDN-listed entity — even if that company has no foothold in the United States at all. The penalty: being cut off from the dollar system and placed on the SDN list itself. That effectively ends international business. Secondary sanctions are applied primarily in relation to Iran and selected Russian entities.


The MSWiA list — the Polish supplement you cannot ignore

The Polish national sanctions list is maintained by the Minister of Internal Affairs and Administration (MSWiA) under Article 2 of the Act of 13 April 2022. In brief: the Act allows MSWiA to add an entity to the list if it supports Russian or Belarusian aggression against Ukraine. The consequences of being listed are analogous to the EU list — asset freeze, prohibition on transactions — with the additional effect of exclusion from public procurement.

List address: https://www.gov.pl/web/mswia/lista-osob-i-podmiotow-objetych-sankcjami

The page is public; the list is available in HTML and PDF format, with decision numbers. Updates appear irregularly — sometimes weekly, sometimes monthly. Each entry corresponds to a separate ministerial decision published in the Court and Commercial Gazette (Monitor Sądowy i Gospodarczy).

Why it exists alongside the EU list

Because the EU list requires consensus among 27 member states, which can be slow. Poland — as a frontline state — received in 2022 a tool enabling it to act unilaterally and more quickly than Brussels. MSWiA therefore adds entities that are not yet on the EU list.

Some MSWiA listings are subsequently added to the EU list. Others remain exclusively national. This matters because as a Polish company you are liable for breaching both lists — including the one that exists only in Poland.

Financial versus administrative sanctions

The MSWiA list is not only about asset freezes. A listing also entails:

  • exclusion from public procurement procedures,
  • prohibition on accessing EU funds,
  • the possibility of compulsory liquidation of a listed entity’s company,
  • appointment of a statutory administrator over the entity’s assets.

These are stronger instruments than those available under EU law — the EU knows asset freezing, but not statutory administration or compulsory winding-up. Polish law goes further.


The UK list (OFSI / HMT) — when it matters

Brexit separated the British sanctions regime from the EU’s. The United Kingdom maintains its own list through OFSI (Office of Financial Sanctions Implementation) at HM Treasury. It is sizeable and frequently diverges from the EU list — the UK has listed Russian oligarchs that the EU overlooked, and vice versa.

Address: https://www.gov.uk/government/publications/the-uk-sanctions-list

For a Polish company, the UK list is relevant if:

  • you have a branch, subsidiary, or clients in the UK,
  • you settle in GBP,
  • your contracts contain a UK sanctions clause.

If you have no UK connection whatsoever — skip it. There is no point checking every sanctions list in the world if you have no point of contact with the relevant jurisdiction.


Comparison table

| List | Who it applies to | Scope | Update frequency | Data source |
|---|---|---|---|---|
| EU (269/2014, 833/2014, 765/2006 and derived) | Every company in the EU — without exception | Global, multiple regimes (Russia, Belarus, Iran, DPRK, etc.) | Several times per month, after each package | EU Financial Sanctions Files (CSV/XML) |
| UN | Indirectly — via EU transposition | Global, narrower than EU | After each Security Council resolution | un.org/securitycouncil |
| OFAC SDN (USA) | Formally only companies with a US nexus; in practice anyone settling in USD | Global, very broad | Almost daily | ofac.treasury.gov |
| MSWiA (PL) | Every company in Poland | Polish national regime, primarily Russia/Belarus | Irregular, several times per month | gov.pl/web/mswia |
| OFSI / HMT (UK) | Companies with a UK nexus, UK clients/branches | Global, own regime | Weekly | gov.uk/government/publications/the-uk-sanctions-list |

In practice, for the majority of Polish SMEs the minimum configuration is EU + MSWiA. If you settle in USD or have an American partner — add OFAC. If you have any UK connection — add OFSI. The UN is inside the EU; no need to check it separately.


What to do concretely in your company

  1. Designate a responsible person. This does not have to be a lawyer. In an SME it most commonly falls to the compliance officer, the finance director, or the owner. What matters is that it is clear who it is.
  2. Establish which lists are in scope. EU and MSWiA — always. OFAC — if USD or US nexus. OFSI — if UK nexus. Others — only after analysis.
  3. Choose a data source. Either you download from official sources manually (labour-intensive, risk of human error), or you use a tool that does it automatically. We advise against Excel as a base — we have written about this separately.
  4. Set a screening frequency. Minimum: at every new client onboarding, and at every significant new transaction. Standard: a full client-base review once a month. List updates — at least once a week.
  5. Record every check. No documentation equals no evidence that you exercised due diligence. An inspection will come and ask “when did you last check Mr Ivanov?” — you need to have the date, time, and result on file.
  6. Establish a procedure for a hit. What do you do when you receive POSSIBLE or MATCH? Who do you notify? When do you freeze? Write the procedure once and use it repeatedly.
  7. Keep up to date legally. The EU issues packages. MSWiA adds listings. UC92, the Polish bill implementing Directive (EU) 2024/1226, will enter into force and change the rules. Someone in the company needs to read the Official Journal of the EU and the Court and Commercial Gazette — or subscribe to a newsletter that does it for them.

In a separate article we cover the step-by-step sanctions screening procedure — including a template sanctions policy and a template hit register.


What you risk if you do not act

Three levels of risk, in ascending order.

First, administrative fines. The Act of 13 April 2022 provides for a financial penalty of up to PLN 20 million for breaching the obligations arising from EU regulations and from the Act itself. The penalty is imposed by administrative decision of the Head of KAS (National Revenue Administration) or the Minister of Internal Affairs, depending on the legal basis. The decision is immediately enforceable. An appeal does not suspend execution.

Second, criminal liability upon the entry into force of UC92. Directive (EU) 2024/1226 obliges member states to criminalise sanctions violations. In Poland, the implementing bill designated UC92 provides for custodial sentences (specific ranges are still being debated in the legislative process) and personal criminal liability for management board members. Once in force, a sanctions violation will cease to be an administrative matter and will become a criminal one. The transposition deadline for member states was 2025.

Third, business risk. Your bank freezes your account pending investigation, your American partner terminates the contract, a Polish institutional client excludes you from a public procurement procedure, and an insurer refuses to issue a policy. This happens faster than any administrative penalty and often hurts more.

In a separate article we cover in detail the fines and enforcement cases imposed across the EU in 2024–2026.


How Sanqto can help

Sanqto is sanctions screening software for companies outside the financial sector. It consolidates the EU, UN, OFAC SDN, MSWiA and OFSI lists into a single database, updates it automatically, runs on-premise (your clients’ data never leaves your infrastructure — which matters for GDPR compliance), and returns a result in three states: MATCH, POSSIBLE, CLEAR. Sub-30 ms per query. Plus a set of implementation documents — sanctions policy, operating procedure, hit register — so you are not starting from a blank page.

If your company operates in one of the industries we serve, check the specific guidance: travel agencies, estate agencies, insurance agencies. If you cannot find yours — get in touch; we most likely cover you already, we simply have not built the landing page yet.


  • Council Regulation (EU) No 269/2014 of 17 March 2014 — CELEX 32014R0269
  • Council Regulation (EU) No 833/2014 of 31 July 2014 — CELEX 32014R0833
  • Council Regulation (EC) No 765/2006 of 18 May 2006 (Belarus) — CELEX 32006R0765
  • Directive of the European Parliament and of the Council (EU) 2024/1226 of 24 April 2024 — CELEX 32024L1226
  • Act of 13 April 2022 on special measures to counter the support of aggression against Ukraine and to protect national security (Journal of Laws 2022 item 835) — ISAP
  • List of persons and entities subject to sanctions (MSWiA) — gov.pl
  • EU Financial Sanctions Files — webgate.ec.europa.eu/fsd/fsf
  • OFAC SDN List — ofac.treasury.gov
  • UN Security Council Consolidated List — un.org/securitycouncil
  • UK Sanctions List (OFSI / HM Treasury) — gov.uk

Information, not legal advice. This article is for informational and educational purposes only. It does not constitute legal advice. Legal status as of: 17 May 2026. The specific obligations applicable to your company depend on your business profile and require individual assessment — if in doubt, consult a lawyer or compliance adviser.