Sanctions in e-commerce — what every online shop needs to know

Running an online shop might feel like a safe zone — consumer transactions, fast delivery, no exotic markets. That impression is misleading. EU economic sanctions regulations apply directly to every entity operating within the Union, with no exception for any sector or sales model — including online shops and e-commerce platforms.¹ If your shop serves B2B customers, ships abroad, or trades in electronics, components, or other dual-use goods, you have a genuine sanction screening obligation.

This article explains who and when you must verify, which goods are subject to embargo, what the “no re-export to Russia” clause means for a shop that ships internationally, and how to organise verification without paralysing your operations.

Legal status as of: 2026-05-20.

TL;DR — the essentials in 60 seconds

• Sanction screening in e-commerce is not optional — EU regulations apply directly, with no revenue threshold and no sector exemption.¹
• B2B customers, international recipients, and marketplace suppliers are verified against the EU Consolidated List, the Polish MSWiA list (maintained by Poland’s Ministry of Internal Affairs and Administration)² and — for transactions in USD or involving US-linked entities — the OFAC SDN list.³
• Electronics, components, spare parts, and dual-use goods are subject to the EU embargo on Russia under Council Regulation (EU) No 833/2014⁴ — check the CN code of your product in the TARIC database before shipping.⁵
• Since the 11th sanctions package (23 June 2023), EU exporters are required to obtain a written declaration from buyers in third countries confirming that goods will not be re-exported to Russia — the so-called “no re-export to Russia” clause under Art. 12g of Regulation 833/2014.⁶⁷
• Breaching sanctions carries a financial penalty of up to PLN 20,000,000 imposed by the Head of the National Revenue Administration (Szef Krajowej Administracji Skarbowej, KAS).⁸
• The EU has adopted 20 sanctions packages against Russia to date (the latest: 23 April 2026) — sanctions lists grow systematically, so a one-off check is never enough.⁹

Does an online shop have to carry out sanction screening?

The short answer is yes. The longer answer explains why the intuition that “this only applies to banks” is wrong.

EU Council Regulations are directly applicable in all Member States — they take effect without the need for separate implementation by the Polish legislature.¹ Art. 2(1) of Council Regulation (EU) No 269/2014 of 17 March 2014¹⁰ prohibits making available — directly or indirectly — any funds or economic resources to persons and entities listed on the sanctions list. That prohibition does not distinguish between making funds available via a bank transfer and doing so by shipping goods purchased from an online shop.

The sectoral embargo operates in parallel. Council Regulation (EU) No 833/2014 of 31 July 2014⁴ prohibits the sale, supply, and export of certain categories of goods and technology — regardless of whether the buyer appears on any sanctions list. If your product falls into a prohibited category, the transaction is illegal irrespective of the buyer’s identity.

Poland’s domestic sanctions obligation is reinforced by the Act of 13 April 2022 on special solutions for countering support for aggression against Ukraine and protecting national security (Journal of Laws 2022, item 835).¹¹ Its provisions apply to every entity operating in Poland — with no revenue threshold and no carve-out for e-commerce.

If you want to check in detail whether your company is subject to this obligation, read the article Does my company have to carry out sanction screening?

Who to verify — B2B customers, international recipients, counterparties

Not every online order requires the same depth of verification. In practice, risk is distributed unevenly and concentrates in a few transaction categories.

B2B customers and corporate orders

When a company places an order — providing a tax identification number, requesting a VAT invoice in the company’s name, or using a B2B account — you have a specific legal entity to verify. You check the full company name, identification number (NIP or registration number), and country of establishment against the EU Consolidated List and the Polish MSWiA sanctions list maintained by the Minister of Internal Affairs and Administration.² It is also important to check the ownership structure: an entity controlled by a sanctioned person to more than 50% is subject to sanctions in the same way as that person — even if the entity itself does not appear on the list.¹² This principle, known as the ownership rule, follows directly from the DG FISMA FAQs published by the European Commission.

International recipients

Every shipment abroad — particularly to countries outside the Schengen Area or the EU — requires separate attention. You verify the recipient (both individuals and companies in B2B orders) against sanctions lists before fulfilling the order. For transactions in US dollars or involving entities connected to the United States, it is also worth checking the OFAC SDN list — the Specially Designated Nationals list maintained by the Office of Foreign Assets Control (OFAC), U.S. Department of the Treasury.¹³ The OFAC SDN list is published officially by the Treasury Department.³

Suppliers, platforms, and logistics partners

Verification does not end with the customer. Suppliers from whom you purchase goods for resale, and logistics partners handling international shipments, are further points at which your shop may — unknowingly — come into contact with a sanctioned entity. A detailed step-by-step verification procedure — including how to handle MATCH and POSSIBLE results — is set out in the article Verifying a counterparty for sanctions compliance.

Which goods in e-commerce carry risk

Two categories of risk overlap: counterparty risk (who is buying) and product risk (what you are selling). The second category is easy to overlook, because the trade embargo operates independently of the buyer’s identity.

Dual-use goods

Dual-use goods and technology are products with both civilian and military applications. Regulation 833/2014 prohibits their sale, supply, transfer, or export — directly or indirectly — to Russia or for Russia’s benefit.⁴ In e-commerce, this category frequently includes: electronic components (integrated circuits, processors, communication modules), precision positioning equipment, aviation accessories, software for managing critical infrastructure, and specialised industrial tools. The CN codes of goods subject to the prohibition are set out in the annexes to Regulation 833/2014 — you can consult the full list in the European Commission’s TARIC database.⁵ Detailed information on how to read CN codes and use TARIC is provided in the article The Russia embargo — a practical guide for businesses.

Consumer electronics and spare parts

Consumer electronics may appear innocuous — smartphones, laptops, routers — but the same devices can be used for military purposes or communications. In successive sanctions packages, the EU has expanded the list of prohibited categories to include an ever-wider range of electronic products. Before shipping any electronic equipment to a recipient outside the EU, check the CN code in TARIC.⁵

Luxury goods

Regulation 833/2014 prohibits the export of luxury goods to Russia above the value threshold specified in the annexes to the regulation.⁴ The category includes, amongst other things, luxury vehicles, watches, jewellery, and works of art. If you run a shop in this niche with international shipping, this topic concerns you directly.

International shipping and sanctions

Online sales with international delivery represent the area where sanctions risk is highest and hardest to control. Several issues require your particular attention.

Prohibition on deliveries to Russia and Belarus

Goods subject to embargo cannot be shipped to Russia — either directly or through intermediaries in third countries. The prohibition covers sale, supply, transfer, and export — the wording deliberately encompasses different forms of transfer, not only classical export.⁴ In practice, this means that even if you formally ship goods to country X whilst the ultimate recipient is an entity in Russia, the transaction is illegal.

The “no re-export to Russia” clause — Art. 12g

Since the EU’s 11th sanctions package (23 June 2023), EU exporters have been required to obtain from buyers in third countries a written declaration that the goods will not be re-exported to Russia.⁶ This obligation arises from Art. 12g of Regulation 833/2014⁷ and applies to certain goods listed in the annexes to the regulation, in particular dual-use goods and goods on the Common High Priority list.

In practice: if you ship goods covered by this provision to a buyer in Kazakhstan, Georgia, Turkey, or other third countries, you need a declaration from that buyer confirming no re-export to Russia — and you must retain it in your records. The European Commission classifies these countries as areas carrying an elevated risk of sanctions circumvention, using the term “third countries with continued and particularly high risk of circumvention”.¹⁴ The re-export mechanism and warning signals are discussed in more detail in the article Circumventing Russia sanctions via third countries.

Prohibition on using Russian carriers

From successive sanctions packages onward, Russian transport companies and vehicles registered in Russia may not enter EU territory.¹⁵ If your shop uses logistics firms, make sure you are not entering into contracts with carriers subject to this prohibition.

Dropshipping and marketplace — additional risks

Business models based on dropshipping and marketplace aggregation complicate the legal picture significantly. In classic dropshipping, the shop accepts the order but the goods are shipped directly by the supplier — often from another country. On a marketplace aggregating multiple sellers, each seller bears responsibility for its own transactions, but the platform operator may bear additional liability for enabling transactions that breach sanctions.

If you are a dropshipping operator, you are responsible for verifying both your suppliers (who manufactures and ships the goods) and the end customers (who is ordering). You cannot transfer that responsibility to the supplier — you are a party to the commercial transaction and it is you who completes the sale. Similar logic applies to marketplace operators: enabling an entity subject to sanctions to use your platform and making its infrastructure available as an economic resource may breach Art. 2 of Regulation 269/2014, which prohibits making economic resources available to listed entities — directly or indirectly.¹⁰

In practice, this means you must implement a seller onboarding process (marketplace) or supplier onboarding process (dropshipping) that includes verification against sanctions lists — not only once at contract signing, but on a recurring basis, because the lists are updated regularly.

How to automate verification at high order volumes

An online shop processing hundreds or thousands of orders per day cannot carry out manual verification of every customer — it is neither efficient nor watertight. At the same time, the absence of verification carries real legal risk. The solution is a structured process built around a few key elements.

Risk segmentation

Not every order requires the same depth of verification. Establish risk profiles: domestic B2C orders of low value with no sensitive goods represent low risk; B2B orders, international orders, and orders involving dual-use goods represent high risk and require full screening. This division allows you to concentrate resources where the risk is greatest without slowing down your entire operation.

Automatic screening at registration and on order placement

At B2B account registration, with every international order, and with every transaction above a set value threshold, it is worth integrating automatic verification of counterparty data against sanctions lists. A screening tool fetches the current lists and compares the data — first name, surname or company name, country, identifier — returning a result of MATCH, POSSIBLE, or CLEAR. A CLEAR result is logged in the register and does not block the order. A POSSIBLE result requires manual verification. A MATCH result blocks the transaction pending resolution.

Verification of goods against TARIC

In addition to entity screening, the shop should maintain an up-to-date product map — a table of CN codes for key goods, showing whether a given code is subject to embargo. The European Commission’s TARIC database can be consulted directly at ec.europa.eu/taxation_customs/dds2/taric.⁵

Documentation and a hits register

Every verification should be documented: the date of the check, the entity checked, the list used, the result, and the person who carried out the check. For entities subject to the Anti-Money Laundering Act of 1 March 2018 on countering money laundering and the financing of terrorism, the retention period for documentation is five years from the end of the business relationship.¹⁶ Even if your shop is not formally an “obligated institution” within the meaning of that Act, documenting verifications is good practice and potentially a key piece of evidence in the event of an inspection.

Sanqto as a tool for online shops

Sanqto is sanction screening software installed within your own infrastructure — customer data never leaves your servers (on-premise model). The system matches counterparty data against consolidated sanctions lists and returns a result in three states: MATCH, POSSIBLE, or CLEAR, helping you quickly separate orders that require attention from those that can be fulfilled. Automated screening helps reduce the risk of missing sanctions hits at high daily transaction volumes — without the need to check every order manually.

More on how to determine whether the screening obligation applies to your shop is available in the article Does my company have to carry out sanction screening?

Penalties for breaching sanctions in e-commerce

Breaching sanctions is not merely a reputational risk — it carries specific legal, administrative, and criminal liability.

Financial penalty

Under Art. 6(2) of the Act of 13 April 2022¹¹, the Head of the National Revenue Administration (Szef KAS) may impose a financial penalty of up to PLN 20,000,000.⁸ The penalty is imposed by administrative decision.¹⁷

Criminal liability

Directive 2024/1226 of the European Parliament and of the Council of 24 April 2024 on the definition of criminal offences and penalties for the violation of Union restrictive measures¹⁸ requires EU Member States to criminalise intentional violations of sanctions. The implementation deadline passed on 20 May 2025.¹⁹ For the most serious violations, the Directive prescribes a maximum term of imprisonment of at least five years.²⁰

Poland has a draft implementing act (bill UC92) — its current status can be checked at legislacja.rcl.gov.pl.

No minimum threshold

It is worth emphasising: the legislation does not provide for any order value threshold or revenue threshold for a company below which the sanctions obligation would not apply. Art. 2(1) of Regulation 269/2014 applies to “any funds and economic resources” — without any monetary limit.¹⁰

FAQ — frequently asked questions from online shops

Do I have to verify all B2C customers?

The obligation applies to every transaction — in theory, even individual consumers. In practice, the risk for domestic B2C orders of standard consumer goods is low, and a risk-segmentation approach is justified. For international orders, goods potentially subject to embargo, and any B2B order, verification should be mandatory.

What should I do if a screening result comes back as POSSIBLE?

A POSSIBLE result means the algorithm found data similar to an entry on the list, but it is not a confirmed hit. You hold the order and carry out manual verification: compare the customer’s exact identification data (full name, date of birth, country, identification numbers) with the details of the entry on the list. If the data does not match — document the result and release the order. If it does match — treat it as a MATCH and contact a lawyer or the relevant authority.

Does the embargo apply to my goods if I am shipping within the EU?

In principle, the embargo prohibits the export of prohibited goods to Russia, not to other EU countries. However, if the goods are subsequently re-exported to Russia, the transaction may breach sanctions — which is why the “no re-export to Russia” clause under Art. 12g of Regulation 833/2014 exists.⁶⁷ Within the EU the risk is lower, but not zero.

How do I check whether my goods have a CN code subject to embargo?

Go to the European Commission’s TARIC website at ec.europa.eu/taxation_customs/dds2/taric⁵ and enter the CN code or description of your product. The system displays active trade measures, including export prohibitions. If you do not know the CN code, you can identify it using the Combined Nomenclature (CN) available within the same tool.

As a marketplace operator, am I responsible for sellers on my platform?

Yes. Enabling an entity subject to sanctions to use your platform and making its infrastructure available as an economic resource may breach Art. 2 of Regulation 269/2014.¹⁰ You should have a process for verifying sellers at onboarding and a procedure for periodic review.

How often do I need to repeat verification?

A one-off check — at registration or at the first order — is not sufficient. Sanctions lists are updated regularly: the EU has adopted 20 packages of sanctions against Russia, the latest in April 2026.⁹ For active commercial relationships, you should repeat verification periodically or integrate automatic screening that uses the current versions of the lists.

What to do in practice — a step-by-step checklist

1. Identify risk products. Review your product range and flag goods that may be subject to embargo (electronics, components, precision tools). Check their CN codes in the TARIC database.⁵

2. Establish an order segmentation procedure. Determine which orders require full screening (B2B, international orders, dual-use goods) and which may be treated as low risk.

3. Choose a screening tool. Manual verification at high order volumes is impractical and error-prone. Integrate a screening tool with your order management system or carry out batch verification when onboarding new B2B customers.

4. Implement the “no re-export to Russia” clause. If you ship goods covered by Art. 12g of Regulation 833/2014 to countries outside the EU, prepare a template declaration for buyers and collect signed documents before fulfilling the order.⁶⁷

5. Set up a hits register. Document every verification — the date, the entity, the list, the result, and the person who carried out the check. Retain documentation for at least five years.¹⁶

6. Designate a person responsible for compliance. Even a small shop should have someone who knows the procedures and understands what to do when a MATCH or POSSIBLE result appears.

7. Establish an onboarding procedure for marketplace sellers and dropshipping suppliers. If you work with suppliers or sellers, verify them against sanctions lists before signing a contract and periodically throughout the relationship.

8. Conduct periodic reviews. Sanctions lists change. Set a regular review schedule or implement automatic monitoring of list updates.

Legal basis

• Council Regulation (EU) No 269/2014 of 17 March 2014 concerning restrictive measures in respect of actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine — CELEX 32014R0269
• Council Regulation (EU) No 833/2014 of 31 July 2014 concerning restrictive measures in view of Russia’s actions destabilising the situation in Ukraine — CELEX 32014R0833
• Act of 13 April 2022 on special solutions for countering support for aggression against Ukraine and protecting national security (Journal of Laws 2022, item 835) — ELI
• Directive 2024/1226 of the European Parliament and of the Council of 24 April 2024 on the definition of criminal offences and penalties for the violation of Union restrictive measures — CELEX 32024L1226
• TARIC — European Commission database of CN codes and trade measures — ec.europa.eu/taxation_customs/dds2/taric
• EU Consolidated List (Financial Sanctions Files) — webgate.ec.europa.eu/fsd/fsf
• Polish MSWiA sanctions list — gov.pl/web/mswia
• OFAC SDN List — Office of Foreign Assets Control, U.S. Department of the Treasury — ofac.treasury.gov
• DG FISMA FAQ — Sanctions adopted following Russia’s military aggression against Ukraine — finance.ec.europa.eu
• DG FISMA FAQ — “No re-export to Russia” clause, Art. 12g — finance.ec.europa.eu/publications/no-re-export-russia-clause_en

Footnotes

Information, not legal advice. This article is for informational and educational purposes only. It does not constitute legal advice. Legal status as of: 20 May 2026. Your company’s specific obligations depend on your business profile and require individual assessment — if in doubt, consult a lawyer or compliance adviser.