From mitigating factor to strategic asset: How the New EU Anti-Corruption Directive reframes Internal Investigations
For two decades, Romanian and continental European boards have treated internal investigations as something close to a fire drill: an emergency response triggered when a whistleblower call, a press leak, or a prosecutor’s knock at the door forced their hand. The new EU Anti-Corruption Directive, adopted in April 2026 and now ticking down toward a 2028 transposition deadline, quietly rewrites that script. Internal investigations are no longer a damage-control reflex. They are a codified mitigating factor, a defence asset that can shave millions off a corporate fine and, in some cases, keep a company out of the courtroom altogether[1].
1. A directive that finally rewards what compliance professionals have been preaching
The Anti-Corruption Directive is the EU’s first bloc-wide criminal-law instrument harmonising the definition, prosecution and sanctioning of corruption offences across all 27 Member States. It captures bribery in both public and private sectors, trading in influence, misappropriation, abuse of functions, obstruction of justice and unlawful enrichment derived from corruption[2].
For legal entities, the headline numbers are eye-watering: maximum fines of at least 5% of worldwide annual turnover or EUR 40 million for bribery, and 3% or EUR 24 million for trading in influence – with Member States free to go higher. Add exclusion from public procurement, withdrawal of permits, judicial supervision and mandatory publication of the conviction, and the reputational arithmetic becomes existential[3].
What changes the strategic calculus, however, is not the ceiling of the sanction: it’s the floor that the Directive creates beneath it. Article 16 expressly recognises a catalogue of mitigating circumstances for legal entities, including the implementation of effective compliance programmes, internal controls, internal investigations, prompt cooperation with authorities, and voluntary self-disclosure followed by remedial measures[4]. Recital 29 of the Directive sharpens the warning: programmes that amount to window dressing will not only fail to mitigate — they may aggravate the company’s position.
2. The four conditions that turn an investigation into a defence
The Directive does not reward investigations as a category. It rewards investigations that deliver results the authorities could not otherwise have obtained. To qualify as a genuine mitigating factor, an internal investigation must satisfy four cumulative conditions:
– provide the competent authorities with information they would not otherwise have been able to obtain, including assistance in identifying or prosecuting other offenders;
– assist meaningfully in the collection of evidence — not merely produce a sanitised executive summary;
– be embedded in effective internal controls, ethics awareness and compliance programmes implemented either before or after the offence;
– result in rapid, voluntary self-disclosure to the authorities and in appropriate remedial action.
Each of these conditions is a project in itself. None of them can be improvised on the day a dawn raid is announced. The Directive’s real message to general counsel and audit committees is therefore deceptively simple: the time to build investigative capacity is before the incident, not after.
3. The OECD overlay: same direction, sharper edges
The Directive does not exist in a vacuum. It dovetails with the OECD’s 2021 Anti-Bribery Recommendation, which urges member states to encourage companies to implement and publicly disclose appropriate internal anti-corruption compliance measures, and to permit the processing of personal data necessary for due diligence and internal investigation processes[5]. For practitioners, the practical takeaway is that EU and OECD expectations now point in the same direction — toward proactive detection, transparent documentation and disciplined cooperation — but each adds its own enforcement gravity. A company exposed to both regimes can no longer choose which standard to satisfy; it must engineer its compliance framework to clear the higher bar of the two.
4. Why this lands hardest in Romania
Romanian companies and their boards face a particularly sharp version of this challenge. Romania has become one of the most active jurisdictions for European Public Prosecutor’s Office (EPPO) investigations, with concentrated activity around VAT fraud and the alleged misappropriation of funds from the National Recovery and Resilience Plan (PNRR)[6]. House searches and asset seizures are deployed at cross-border speed and with multi-jurisdictional coordination. By the time prosecutors arrive, the window to demonstrate proactive compliance and credible self-detection has already closed.
The Directive’s 24-month transposition deadline, with up to 36 months for the national anti-corruption strategy and risk-assessment obligations, means that, by the summer of 2028, every Romanian company falling within the Directive’s scope will operate under a legal regime in which the absence of a serious internal investigation function is itself a form of exposure[7]. Boards that wait for transposition to begin building this capacity will arrive late. Boards that build it now will, by 2028, have a documented track record, the only kind of evidence that meaningfully persuades a prosecutor or a court that compliance is not window dressing.
5. Five practical shifts for the next 24 months
What is emerging is not merely a higher compliance burden, but a different operational model of internal investigations, one that is faster, more documented, more technologically sophisticated and, increasingly, designed around prosecutorial expectations rather than purely internal governance considerations.
From event-driven to programme-driven. Internal investigations should be governed by a written protocol approved at board level, with predefined triggers, escalation paths, privilege strategy and external-counsel engagement criteria, not improvised under pressure.
From paper compliance to evidenced compliance. Risk assessments, training logs, third-party due-diligence files and audit trails are the artefacts a prosecutor will demand. They are also the artefacts that demonstrate the programme is not, in the Directive’s words, mere window dressing.
From legal silo to cross-functional capability. Effective investigations now require fluency in data privacy, ephemeral messaging preservation, forensic IT and increasingly AI-assisted document review.
From local to multi-jurisdictional by default. Conflicting laws on disclosure, privilege and data transfer must be mapped in advance. A Romanian subsidiary of a multinational cannot afford to discover at the moment of crisis that its parent’s privilege strategy is incompatible with Romanian criminal procedure.
From self-report aversion to self-report literacy. The Directive does not mandate self-disclosure, but it conditions the largest sanction reductions on it. The question for boards is no longer whether to consider self-reporting, but when, to whom, and on what evidentiary footing.
6. A new defence architecture
For white-collar defence practitioners, the EU Anti-Corruption Directive marks the end of an era in which internal investigations were merely a tool of last resort. They are now, formally and explicitly, an instrument of legal defence, one whose value is measured not by how quickly a crisis is contained, but by how credibly a company can demonstrate, on paper and in practice, that it was already looking for the problem before anyone else found it.
That shift transforms the role of the white-collar lawyer as well. Beyond advising on liability and representing clients in proceedings, we are increasingly called upon to architect the very systems that, in two years’ time, will determine whether a company’s exposure is measured in millions or in tens of millions. The boards that understand this in 2026 will be the ones still in business in 2028.
[1] Transparency International EU, “EU finalises anti-corruption Directive,” 21 April 2026, available here.
[2] Baker McKenzie, “European Union: New EU Anti-Corruption Directive Enters into Force,” 8 May 2026, available here.
[3] Morrison & Foerster, “EU Adopts Bloc-Wide Anti-Corruption Directive,” 28 April 2026, available here.
[4] Schoenherr, “EU Anti-Corruption Directive: Harmonising Offences and Strengthening Corporate Sanctions,” May 2026, available here.
[5] OECD, 2021 Recommendation for Further Combating Bribery of Foreign Public Officials in International Business Transactions, available here.
[6] Legal 500, “Romania: White Collar Crime – Country Comparative Guide,” 2026, available here.
[7] Baker McKenzie, “European Union: New EU Anti-Corruption Directive Enters into Force,” 8 May 2026, available here.