
Introduction

The Sapin 2 law imposes a strict framework on companies to prevent corruption and enhance transparency.

The article at a glance

The Sapin 2 Act requires the most at-risk companies to implement a structured anti-corruption framework (risk mapping, third-party vetting, training, whistleblowing), with severe consequences for non-compliance: financial penalties, reputational damage, and lost business opportunities. But beyond being a regulatory requirement, it becomes a genuine business lever for securing partnerships, accessing demanding markets (large corporate and public sector clients), and strengthening stakeholder trust. Even SMBs indirectly affected through their clients have a vested interest in planning ahead. To structure your compliance efforts and turn this obligation into a competitive advantage, discover outsourced DPO support from Dipeeo.com.

I. Understanding the Sapin 2 Act

1.1 What is the Sapin 2 Law?

Law No. 2016-1691 of December 9, 2016, known as the "Sapin 2 Law," came into force to limit the risks of corruption in France and strengthen transparency and integrity in business in order to align with international standards in the fight against corruption. It reinforces the measures established by the Sapin 1 Law, which were deemed insufficient.

1.2 What are the objectives of the Sapin 2 Law?

The Sapin 2 law has three main objectives:

A. Improving transparency in economic and public life

  • Regulate influence practices and lobbying activities to promote better business ethics.
  • Promote transparency regarding information provided to shareholders and the general public. For example, regarding executive compensation.

B. Combating corruption in the business world

  • Establishment of the French Anti-Corruption Agency (AFA).
  • Obligation for certain large companies to implement systems and measures for the prevention and detection of corruption.
  • Protection of whistleblowers. Whistleblowers play a vital role, which is why the Sapin 2 law prohibits any form of retaliation against individuals who report behavior that could lead to corruption.

C. Improving economic governance and competitiveness

  • Simplifying life for businesses.
  • Creation of new financial instruments.
  • Better supervision of financial investments to limit abuse.

II. Sapin 2 law: who is affected?

2.1 The companies concerned

A. Large companies concerned

The Sapin 2 law primarily targets French companies or companies based in France that have a certain economic weight and level of exposure to corruption risks. More specifically, it applies to all companies with at least 500 employees and annual revenue exceeding €100 million, whether listed or unlisted.

These criteria are cumulative. In other words, an SMB with 300 employees is not subject to the obligations of Article 17 of the law, unless it belongs to a group whose workforce and turnover exceed these thresholds.

This applies in particular to companies operating internationally in sectors with a high risk of corruption, such as energy, defense, retail, construction, transportation, and chemicals.

Beyond the private sector, certain public sector activities are also affected.

For example, public industrial and commercial establishments (EPICs), semi-public companies, or companies in which the State is a shareholder may be subject to inspection by the French Anti-Corruption Agency if they are subject to compliance issues.

The goal is to establish a uniform anti-corruption culture in all areas at risk, whether public or private.

B. SMBs

Due to their relationships with larger clients and partners, VSBs and medium-sized companies may be indirectly affected by the Sapin 2 law.

They are also affected by public procurement, where the obligation of transparency applies to all companies, regardless of their size.

Finally, even though it is not mandatory, companies with fewer than 500 employees would be well advised to adopt best practices in risk management and corruption detection in order to strengthen their credibility with clients, banks, and partners.

2.3 Natural persons concerned

The Sapin 2 law does not only target legal entities. It also directly involves a number of internal company stakeholders and individuals.

Firstly, senior executives, CEOs, and members of executive committees bear accountability and operational accountability for implementing anti-corruption compliance measures. They are responsible for ensuring that the necessary tools are put in place.

Employees, particularly those in contact with foreign partners, public procurement, or purchasing functions, are also directly affected.

It is often at these intermediate levels that corruption or attempts at embezzlement can emerge. Hence the importance of clear and consistent commitment from management.

III. Anti-corruption measures: the eight measures implemented by the AFA

3.1 Risk mapping

Risk mapping involves identifying and prioritizing the corruption risks to which the company is exposed, based on its activities, geographical areas of operation, and sensitive functions.

The AFA specifies that this risk mapping must be based on a rigorous analysis of internal and external data.

This risk mapping must be updated at least once a year and documented. The AFA requires traceability of sources, assessment methods, and decisions made.

3.2 Anti-corruption code of conduct

The code of conduct sets out the rules of conduct to be followed in order to prevent any situation of corruption. Article 17 of the Sapin 2 law requires the companies concerned to draw up a clear, accessible, and enforceable document.

The code of conduct must be incorporated into the internal regulations and distributed to all employees, including those in foreign subsidiaries.

The French anti-corruption agency recommends including practical examples, such as:

  • the management of gifts and invitations (for example, prohibition on accepting a trip offered by a supplier without hierarchical approval),
  • political contributions or donations to elected officials (e.g., an employee who finances a mayor's campaign in connection with a public contract),
  • relationships with intermediaries in high-risk areas (e.g., using a local consultant in Africa to negotiate a public contract).

The code of conduct must be linked to the company's risk mapping so that it reflects the company's areas of vulnerability, that is, those most exposed to corruption.

3.3 Internal alert system and protection of whistleblowers

The law requires the establishment of an internal reporting channel, allowing whistleblowers to report incidents of corruption confidentially and securely.

The AFA recommends appointing a designated contact person, often within the ethics or compliance department, and documenting each alert. The alert must be accessible to everyone, including service providers and processors.

3.4 Third-party assessment and due diligence

The assessment of third parties (clients, suppliers, intermediaries, partners) aims to ensure that they do not present high risks in terms of corruption. This due diligence is an integral part of the control procedures required by Article 17.

This third-party assessment contributes to third-party compliance and the prevention of corruption linked to the influence of dubious partners.

3.5 Accounting and internal control procedures

Accounting control procedures are used to detect anomalies that may indicate embezzlement or other proven acts of corruption.

The AFA requires that these control procedures be integrated into the internal control system and that they enable the traceability of financial flows, in particular payments abroad, sales commissions, and entertainment expenses.

These controls contribute to transparency and governance, and strengthen companies' compliance with their legal obligations.

3.6 Employee training program on anti-corruption

Training is a cornerstone of prevention. The AFA requires a training program focused on functions exposed to corruption risks: sales management, purchasing, international operations, and senior management.

The materials must include practical examples drawn from the company's risk mapping, and proof of participation (sign-in sheets, certificates) must be kept for inspection purposes.

Creating a culture of transparency and compliance requires this training.

3.7 Internal evaluation of measures

Internal evaluation of measures aims to verify the effectiveness of the system. The AFA recommends annual internal audits, random tests on sensitive processes (e.g., public procurement, relations with third parties), and perception surveys among employees.

This assessment enables the detection of weaknesses and their rapid remediation. Failure to monitor or document is grounds for sanctions by the sanctions committee, especially in cases of proven corruption.

3.8 Disciplinary measures in the event of non-compliance

The disciplinary policy sets out the penalties applicable in the event of non-compliance with the code of conduct. These can range from a warning to termination of the employment contract, depending on the seriousness of the offense and the applicable legislation.

Proof of effective implementation of the disciplinary regime is required in the event of an audit. This system reinforces compliance, protects the company, and prevents the risk of corruption.

IV. Risks in case of non-compliance

4.1 Control mechanism: Who monitors compliance with the Sapin 2 Law?

Compliance with the law is verified by the French anti-corruption agency, a high authority that has supervisory powers over the companies and entities concerned.

It assesses the implementation of measures, checks documentation, and interviews teams to ensure consistency between procedures and identified risks.

The AFA acts on referral from the judicial authorities or on its own initiative. It analyzes the place of measures within the organization and the quality of evidence of implementation. In the event of a breach, it may refer the matter to the sanctions committee.

4.2 Conduct of an investigation by the French anti-corruption agency

The audit begins with a notification specifying its scope. The company must submit all documentation relating to the implementation of its anti-corruption measures: risk mapping, code of conduct, proof of training, third-party assessment procedures, compliance programs, and the results of the internal assessment of the measures.

The inspectors examine the consistency of the measures and their implementation, and interview key players. The final report details compliance and non-compliance issues, with deadlines for corrections.

4.3 Possible penalties

In cases of proven corruption, the sanctions committee may impose fines of up to €1 million for legal entities and €200,000 for individuals. Compliance orders may accompany the sanction, with follow-up by the AFA.

Sanctions are made public and may affect the company's reputation. Some cases have shown that loss of trust has a direct impact on business opportunities.

Furthermore, breaches can be used in legal proceedings for corruption or failure to comply with corporate obligations in terms of prevention and transparency.

4.5 Remedies and rights of companies

A company sanctioned on suspicion of corruption may appeal to an administrative judge, invoking the proportionality of the fine or the interpretation of the legislation.

The possibility of presenting a rapid remedy is provided for: the AFA considers good faith and responsiveness. Tangible evidence of corrections may influence the outcome of the case.

V. FAQ

Who is affected by the Sapin 2 Act?

Companies with 500 or more employees and €100 million in revenue, as well as those dealing with demanding partners.

What are the main requirements of the Sapin 2 Act?

Implement a comprehensive anti-corruption program (risks, code of conduct, controls, whistleblowing).

What are the penalties for non-compliance?

Fines of up to €1 million, with a direct impact on reputation and business.

What is the French Anti-Corruption Agency (AFA)?

The authority that oversees companies and verifies the effectiveness of their systems.

Why comply with the Sapin 2 Act?

To mitigate risks, build trust with clients and partners, and unlock more business opportunities.

Conclusion

Ultimately, the Sapin 2 law is an essential framework for strengthening compliance and effectively combating corruption. It requires the companies concerned to put in place robust prevention measures. Beyond the legal obligations, it represents a real lever for competitiveness and trust for both large companies and smaller players.

The emphasis placed on transparency and business ethics clearly illustrates the strategic importance of this law. Its significance is not limited to regulatory compliance: it also serves to protect the reputation, performance, and resilience of organizations in the face of risks of undue influence.

François Lemarié

Co-founder & COO - GDPR Expert