Sapin II Law: Anti-Corruption Obligations and Compliance

What is the Sapin II law?

Law No. 2016-1691 of 9 December 2016, known as the Sapin II law after Michel Sapin, then French Minister of the Economy and Finance, succeeds the 1993 Sapin I law and came into force on 1 June 2017.

It aims to strengthen transparency in economic life and the fight against corruption and influence peddling. A major contribution: the creation of the French Anti-Corruption Agency (Agence française anticorruption, or AFA), tasked with supporting, monitoring and sanctioning companies, which are now required to prevent and detect corruption themselves.

‍

What does Sapin II require?

The Sapin II law requires companies in scope to implement an anti-corruption programme structured around eight mandatory pillars, under the supervision of the AFA. One of these pillars is the internal reporting system, which lets every employee report an ethical breach.

It also introduced France's first legal framework for whistleblowers (articles 6 to 16), guaranteeing protection against retaliation for anyone who makes a report.

Who does the Sapin II law apply to?

Companies covered by Sapin II

Article 17 of the Sapin II law subjects to anti-corruption obligations any company with at least 500 employees and revenue (or consolidated revenue for groups) above €100 million (cumulative criteria). The scope includes the French and foreign subsidiaries of a parent company established in France, as well as EPICs (state-owned industrial and commercial establishments).

The scope is also extraterritorial: a company headquartered in France must extend its anti-corruption programme to its foreign subsidiaries, and the AFA can review how those overseas operations apply it. Executives remain personally liable wherever the breach occurs.

‍

Executives and employees: two distinct roles

The Sapin II law makes executives the primary parties responsible for anti-corruption compliance: in the event of a breach, they are personally exposed to financial sanctions, independently of those incurred by the company.

Employees, for their part, are full participants in risk detection, protected as whistleblowers whenever they report a breach in good faith, notably through the internal reporting channel..

The 8 pillars of the Sapin II anti-corruption programme

1. The anti-corruption code of conduct

The code of conduct defines the prohibited behaviours within the organisation: corruption, influence peddling and conflicts of interest. It must be incorporated into the internal rules and regulations and submitted for prior consultation with employee representatives.

‍

2. The internal reporting system

The internal reporting system (also called an internal alert system or internal whistleblowing mechanism) lets every employee report an ethical breach through a secure channel. It guarantees the confidentiality of the report and protection of the reporter against any form of retaliation, in line with articles 6 to 16 of the Sapin II law.

3. Corruption risk mapping

Corruption risk mapping identifies and ranks the organisation's exposure by geographic area and type of third party. A living document, it forms the basis of the anti-corruption action plan.

‍

4. Third-party due diligence

Third-party due diligence covers clients, suppliers and partners, before entering into a relationship and throughout it. It identifies parties that present a corruption risk and helps exclude or frame those that do not meet the organisation's compliance requirements.

‍

5. Accounting controls

Accounting-control procedures and audit mechanisms aim to guarantee the transparency of accounts and to detect any attempt at concealment, whether it originates inside or outside the organisation.

‍

6. Anti-corruption training

Anti-corruption training programmes target the exposed employees identified in the risk map, with content tailored to the concrete situations of each role.

‍

7. The disciplinary regime

The disciplinary regime sets out the sanctions applicable to employees who breach the code of conduct. It makes the programme enforceable internally and reinforces its credibility.

‍

8. Internal control and assessment system

The anti-corruption programme must be subject to ongoing internal control and assessment to measure its effectiveness and identify the adjustments needed. It must be re-evaluated as the business and its risks evolve.

‍

‍

How to comply with the Sapin II law

The 3 key compliance steps

• Identify and prevent: map corruption risks, conduct third-party due diligence and train exposed employees.
• Act and respond: put in place a code of conduct, an internal reporting system, accounting-control procedures and a disciplinary regime.
• Assess and update: monitor the programme's effectiveness and adjust it in line with changes in the organisation and AFA recommendations.

‍

The role of leadership and the compliance officer

The anti-corruption programme rests on an explicit commitment from senior leadership, which bears responsibility for it and allocates the necessary resources. The compliance officer drives it: deploying the pillars, monitoring and reporting.

‍

The French Anti-Corruption Agency (AFA): controls and sanctions under Sapin II

The role of the AFA

The French Anti-Corruption Agency (AFA) performs three functions:

• it supports companies in reaching compliance
• it monitors the effectiveness of anti-corruption programmes
• it sanctions identified breaches, through its sanctions committee

Its recommendations are authoritative in anti-corruption compliance and form the reference methodology for structuring a compliant programme.

‍

Sanctions under the Sapin II law

In the event of a breach of article 17, the AFA's sanctions committee may issue a compliance injunction, fines of up to €1M for the company and €200,000 for executives, and publication of its decision. These sanctions are administrative and distinct from the criminal penalties incurred for proven acts of corruption (which may include exclusion from public procurement).

‍

Sapin II and the EU Whistleblowing Directive

Article 6 of the Sapin II law introduced the first whistleblower status under French law. France later strengthened it by transposing EU Directive 2019/1937 through the 2022 Waserman law: broader protection and extended reporting channels.

To distinguish: article 17 covers the anti-corruption programme (at least 500 employees / more than €100M in revenue); articles 6 to 16 and the Waserman law govern whistleblower protection, with a reporting-channel obligation from 50 employees (article 8).

‍

Sapin II reform: where does Sapin III stand?

Sapin II has been criticised for the limits of its extraterritorial reach. Following an evaluation report in July 2021, a bill known as Sapin III was tabled in October 2021 to strengthen the framework. Its main proposals: extend the article 17 anti-corruption obligations to the French subsidiaries of foreign groups (removing the requirement that the parent company be headquartered in France), transfer oversight of public-sector bodies from the AFA to the HATVP so the agency can focus on economic actors, and reinforce the CJIP, France's negotiated-settlement mechanism for corruption cases.

‍
As of 2026, Sapin III has not been enacted. The binding framework remains the Sapin II law, as supplemented by the 2022 Waserman law on whistleblower protection. Companies should monitor the legislative agenda but build their compliance programmes on the current Sapin II requirements.

‍

Deploy a Sapin II-compliant whistleblowing system with Whispli

The Sapin II law requires an internal reporting system on two counts: as the second pillar of the anti-corruption programme (article 17) and as a whistleblower-protection channel (article 8).

Whispli meets both requirements within a single platform: guaranteed anonymity (no IP address or metadata collected), multichannel reporting available in more than 70 languages, ISO 27001 certification and SOC 2 Type II attestation, sovereign hosting of your choice, and structured case management for every report.