Sapin II: France's anti-corruption law explained

What is Sapin II?

Sapin II (Law No. 2016-1691 on Transparency, Fighting Corruption and Modernising Economic Life) is France's landmark anti-corruption legislation, enacted on 9 December 2016 and entering into force on 1 June 2017. Named after its champion, Michel Sapin, then French Minister of Finance, the law represents France's most comprehensive overhaul of its anti-corruption framework to date.

Sapin II did three things that had previously been absent from French law: it created a binding obligation for large companies to actively prevent corruption; it established the French Anti-Corruption Agency (Agence Française Anticorruption, or AFA) to supervise and enforce that obligation; and it introduced a general legal framework for the definition and protection of whistleblowers.

The law was shaped by international pressure, particularly a 2012 OECD Working Group report that rated France poorly on foreign bribery enforcement. It aligns France with the US Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act, and has since been updated by the 2022 Loi Waserman to incorporate the requirements of the EU Whistleblowing Directive.

Who does Sapin II apply to?

Sapin II operates at two distinct thresholds, and it is important to understand which obligations apply to which organisations.

Large companies: the full compliance programme (Article 17)

The most demanding obligations — the eight-pillar compliance programme — apply to companies and groups that meet both of the following criteria:

• 500 or more employees, either within a single entity or within a group whose parent company is headquartered in France
• Annual turnover or consolidated turnover exceeding €100 million

This scope captures large French companies and multinational groups with French-headquartered parent companies. Subsidiaries of foreign parent companies headquartered outside France but operating in France may fall within scope depending on the structure of the group. French-registered subsidiaries of large foreign multinationals are increasingly subject to AFA scrutiny even where the parent is not French.

All companies with 50+ employees: whistleblowing obligation

Separately, any organisation — public or private — with at least 50 employees in France must establish a confidential whistleblowing mechanism. This lower threshold was introduced to align with the EU Whistleblowing Directive and was confirmed by the 2022 Loi Waserman update. It applies regardless of turnover, meaning smaller organisations that do not meet the Article 17 compliance programme threshold are still required to have a functioning reporting channel.

Public institutions and municipalities with more than 10,000 residents are also in scope for the whistleblowing obligation.

The eight pillars of Sapin II compliance (Article 17)

Article 17 of Sapin II sets out the eight components that in-scope organisations must implement as part of their anti-corruption compliance programme. These are not optional or aspirational — they are legally required and subject to AFA audit.

1. Code of conduct

Organisations must adopt a code of conduct that defines and illustrates the types of behaviour prohibited under the law, including bribery and influence peddling. The code must be integrated into the company’s internal rules and regulations and communicated to all employees through regular training.

2. Internal whistleblowing mechanism

An internal reporting system must be in place for employees to disclose conduct that violates the code of conduct. This system must be accessible, confidential, and designed to protect reporters from retaliation. For the full whistleblowing requirements that apply to all 50+ employee organisations, see the section below.

3. Corruption risk mapping

Companies must conduct a documented risk assessment that identifies, analyses, and prioritises their exposure to corruption and influence peddling. The risk map must reflect the organisation’s specific geographic markets, business sectors, and types of counterparties. It must be updated regularly — the AFA recommends at least annually.

4. Third-party due diligence

Based on the risk map, organisations must implement due diligence procedures for customers, suppliers, and intermediaries. This means assessing the corruption risk presented by third parties before entering into relationships, and monitoring that risk on an ongoing basis. The AFA published updated guidance on third-party due diligence in 2025 to help companies operationalise this requirement.

5. Accounting controls

Internal and external accounting controls must ensure that the company’s books, accounts, and records are not used to conceal acts of corruption or influence peddling. Controls should be risk-based and proportionate to the company’s exposure profile.

6. Training programmes

Regular training must be provided to executives and employees most exposed to corruption risk. Training must be practical, targeted, and documented. Broad annual e-learning modules sent to all staff do not, on their own, satisfy this requirement for high-risk populations.

7. Disciplinary procedures

Clear disciplinary consequences for violations of the code of conduct must be defined in advance and communicated to employees. The existence of enforceable consequences is considered a key indicator of programme effectiveness by the AFA.

8. Internal monitoring and evaluation

Companies must have procedures to monitor and evaluate their compliance programme on an ongoing basis, including the effectiveness of each of the seven preceding measures. This includes internal audits, reporting to senior management, and adjustments in response to identified gaps or changes in risk exposure.

Whistleblowing under Sapin II: what organisations must do

Sapin II introduced France’s first general legal framework for whistleblower protection, going beyond sector-specific protections that had existed previously. This framework was substantially updated by the Loi Waserman (Law No. 2022-401 of 21 March 2022), which transposed the EU Whistleblowing Directive into French law.

Who counts as a whistleblower under French law?

French law defines a whistleblower as any individual who reveals or reports, acting selflessly and in good faith, a crime or offence, a serious and clear violation of an international commitment ratified by France, a violation of a law or regulation, or a serious threat to the public interest, of which the individual has personal knowledge.

The 2022 update substantially broadened the definition compared to the original 2016 text. The requirement to act “selflessly” means without seeking personal benefit, but this does not preclude the reporter from personally suffering harm as a result of the conduct they are reporting. Good faith is the operative standard: a reporter who genuinely believes the information to be accurate at the time of reporting is protected, even if the concern is later found to be unfounded.

Who is protected?

Protection under the 2022 framework is broad. It covers current employees, former employees, job applicants, self-employed individuals, contractors and subcontractors, shareholders, volunteers, and trainees. It also extends to facilitators and to colleagues or relatives of the reporter who face retaliation by association. This scope mirrors the protections established by the EU Whistleblowing Directive. For a broader view of when whistleblower protection applies, read our guide to the 5 conditions of whistleblowing.

Reporting channel requirements

Every organisation with 50 or more employees must establish a confidential internal reporting channel accessible to employees and external stakeholders. The channel may be operated at group level provided specific conditions are met. It may also be handled externally by a third-party provider, provided that provider offers the required levels of confidentiality and independence.

The channel must support written and/or verbal reporting. For verbal reports, a contemporaneous record must be made with the reporter’s consent or documented accurately and confirmed by the reporter. Reporter identity and all identifying information must be kept strictly confidential.

Organisations must acknowledge reports promptly and provide feedback to reporters on the outcome of their reports within a reasonable timeframe. The 2022 law aligns these timelines with the EU directive: acknowledgment within 7 days and feedback within 3 months.

Prohibition of retaliation

Sapin II explicitly prohibits any retaliatory action against a whistleblower, including dismissal, demotion, harassment, or any adverse change in working conditions. The 2022 update extended this prohibition to a broader range of persons and introduced a reversed burden of proof: where a reporter suffers adverse treatment following a disclosure, the employer bears the burden of demonstrating that the treatment was not connected to the report.

Preventing a whistleblower from making a report is itself a criminal offence under French law, punishable by two years of imprisonment and a €30,000 fine. Disclosing the identity of a whistleblower without their consent carries the same penalties.

The French Anti-Corruption Agency (AFA)

Sapin II created the AFA as the supervisory and enforcement body for anti-corruption compliance in France. The AFA sits under the joint authority of the Minister of Justice and the Minister of the Budget and has powers to conduct both proactive audits — initiated on its own authority — and compliance audits following referral from judicial authorities.

In 2024, the AFA conducted 39 audits across private companies, public entities, and Olympic Games-related organisations. The AFA regularly updates its guidance, including its core Recommendations for anti-corruption compliance programmes, and published updated third-party due diligence guidance in consultation with industry in 2025.

AFA sanctions are applied by an independent sanctions committee, not the AFA itself. Penalties for non-compliance include:

• A public reprimand (the decision may be published)
• Fines of up to €200,000 for individuals (including company directors)
• Fines of up to €1 million for legal entities
• A mandatory compliance improvement programme under AFA supervision for up to three years, at the company’s expense

Sapin II and the EU Whistleblowing Directive: how they interact

France was among the first EU member states to have a dedicated whistleblowing framework predating the EU directive. When the directive came into force, France used its transposition as an opportunity to strengthen its domestic regime, resulting in the Loi Waserman of March 2022.

The updated French framework is largely consistent with the directive’s requirements. The key differences that remain:

• Scope of reportable conduct: Sapin II’s whistleblowing provisions cover a broader range of conduct than the EU directive, including serious threats to the public interest and violations of international commitments, not just breaches of EU law.
• The ‘selfless’ requirement: French law requires the reporter to have acted without personal gain. The EU directive does not impose this condition, meaning French law is slightly more restrictive in this respect.
• No financial incentives: Unlike the US SEC whistleblower programme, neither Sapin II nor the EU directive provides for financial rewards to whistleblowers.
• CNIL oversight: The French data protection authority (CNIL) has issued guidance on whistleblowing data processing. Organisations operating a whistleblowing channel in France must ensure their data handling complies with both GDPR and CNIL requirements.

For multinational organisations operating across France and other EU member states, a single whistleblowing platform configured to meet both Sapin II and the EU directive requirements can satisfy both frameworks, provided it supports confidential anonymous reporting, compliant data handling, documented case management, and the required timelines for acknowledgment and feedback.

Sapin II and the CJIP: deferred prosecution for companies

One of Sapin II’s major innovations was introducing the Convention Judiciaire d’Intérêt Public (CJIP), France’s equivalent of a deferred prosecution agreement. The CJIP allows prosecutors to resolve corporate corruption cases without a criminal conviction, in exchange for a financial penalty, publication of the agreement, and a compliance improvement programme under AFA oversight.

The CJIP has become a significant enforcement tool. France’s National Financial Prosecutor’s Office (PNF) has used it to resolve major international corruption cases, including in coordination with the US DOJ and UK SFO. The PNF has secured €12.3 billion through enforcement proceedings since its creation, with 111 convictions in 2023 alone.

For companies facing potential AFA or PNF scrutiny, voluntary self-disclosure and a demonstrably effective compliance programme are material factors in determining whether a CJIP is available and on what terms.

What Sapin II means for non-French organisations

Sapin II’s reach extends beyond companies headquartered in France. Any organisation with a work-related connection to France — including foreign subsidiaries operating in France, or multinationals whose French operations meet the relevant thresholds — may fall within scope. The law also establishes extraterritorial reach for corruption offences: French courts can now prosecute acts of corruption committed abroad where the company or individuals have economic activity in France.

For organisations already complying with the FCPA or UK Bribery Act, Sapin II’s compliance programme requirements will be familiar. The eight pillars broadly mirror the compliance framework elements those laws encourage. However, Sapin II’s requirements are more prescriptive — the AFA’s Recommendations specify in detail what each pillar should contain and how its effectiveness should be demonstrated. Compliance with FCPA or Bribery Act standards does not automatically mean Sapin II compliance.

How SpeakUp supports Sapin II compliance

SpeakUp’s whistleblowing platform is designed to help organisations meet the internal reporting channel requirements of Sapin II and the EU Whistleblowing Directive in a single deployment. The platform provides:

• Fully anonymous reporting across web, app, and phone channels in 75+ languages — critical for multinational organisations managing French and other EU obligations simultaneously
• End-to-end encryption and strict access controls to protect reporter identity and comply with CNIL data handling requirements
• Automated acknowledgment workflows to meet the 7-day acknowledgment requirement reliably at scale
• A documented case management system that creates an auditable record of every report, action, and outcome — supporting AFA audit readiness
• Configurable routing to ensure reports reach the appropriate compliance function or oversight body

SpeakUp is audited quarterly to ISAE 3000 Type II standards and complies with GDPR, ISO 27001, and SOC 2, providing the independent assurance that AFA auditors expect to see documented in a compliance programme.

To understand how a whistleblowing programme fits into a broader compliance framework, read our guide to building a whistleblowing policy or explore our complete guide to what whistleblowing is.

Frequently asked questions

Does Sapin II apply to non-French companies?

Yes, in certain circumstances. Foreign subsidiaries operating in France with 50 or more employees must comply with the whistleblowing channel requirement. French-registered subsidiaries of large foreign multinationals may also fall within the Article 17 compliance programme obligations depending on group structure and employee numbers. French courts can also prosecute corruption offences committed abroad where there is a sufficient French connection.

What is the difference between Sapin II and the EU Whistleblowing Directive?

Sapin II is French national law covering anti-corruption compliance more broadly, including risk mapping, third-party due diligence, and accounting controls. The EU directive is an EU-wide instrument focused specifically on whistleblower protection. The two overlap on the whistleblowing channel requirement. France transposed the directive into national law via the Loi Waserman (2022), updating and aligning its domestic whistleblowing regime with the directive’s minimum standards.

What is the AFA and what powers does it have?

The Agence Française Anticorruption is the supervisory body created by Sapin II to oversee anti-corruption compliance in both the public and private sectors. It conducts proactive audits of companies subject to Sapin II and compliance audits following judicial referral. It can recommend sanctions including fines of up to €1 million for companies and €200,000 for individuals, as well as mandatory compliance improvement programmes.

Can a group of companies share a single whistleblowing channel?

Yes. Groups of companies may set up a single group-wide whistleblowing system, provided specific conditions set by decree are met, including ensuring that the channel is genuinely accessible to all in-scope employees and maintains appropriate confidentiality across entities.

What happens if an organisation does not comply with Sapin II?

The AFA can refer non-compliant organisations to its independent sanctions committee, which may impose public reprimands, financial penalties, and mandatory compliance improvement programmes. Criminal liability may also arise for corruption offences. The PNF has shown increasing willingness to pursue international cases involving French-connected entities, including through coordinated enforcement with the US DOJ and UK SFO.

Is Sapin III in force?

As of early 2026, Sapin III has not been enacted. The Loi Waserman of 2022 addressed the whistleblowing dimension that Sapin III was expected to cover. Proposed Sapin III measures focused on extending Article 17 obligations to subsidiaries of large groups and strengthening the CJIP regime. Organisations should monitor legislative developments, but the current compliance framework remains Sapin II as updated by the 2022 whistleblowing law.