Download PDF

EU Sanctions Enforcement: Turning Criminal

July 2026
Paul Henty

A recent Belgian conviction and Ireland’s delayed implementation of new EU legislation point to the same conclusion: across the EU, sanctions breaches are increasingly being treated as criminal offences, and the scope for relying on softer enforcement jurisdictions is diminishing.

In June 2026, a Belgian national court convicted three people for funnelling restricted goods to Russia’s defence sector. A Brussels-based businessman had, between 2023 and 2025, run a network which ‌channelled ⁠goods via entities in Hong Kong, Kazakhstan and elsewhere, concealing that the goods were ultimately bound for Russian entities, many of which were linked to the sanctions-hit military sector. Aside from front companies, the group also misrepresented the nature of shipments and falsified documents to circumvent customs checks and export controls. The Brussels criminal court found the defendants guilty of participating in a criminal organisation, making illegal exports of sanctioned goods, forgery and ​customs fraud.

The significance of this case extends far beyond Belgium. It reflects a broader shift. The European Union is moving sanctions enforcement from the administrative margins to the centre of the criminal law, and the variation between Member States that businesses have quietly relied on is narrowing.

At the centre of this change is Directive (EU) 2024/1226, which requires every Member State to criminalise both the breach and the circumvention of EU sanctions to a common minimum standard. The aim is to end the patchwork under which the same conduct might draw a serious prosecution in one country and little more than a regulatory letter in another. The practical effect has been arbitrage, with some Member States operating as de facto softer jurisdictions.

The Directive goes further than simply requiring criminalisation. For the more serious categories of breach, Member States must provide for maximum custodial penalties of at least five years. That marks a clear move away from the historically lower ceilings in some jurisdictions, including Ireland.

This brings into focus an uncomfortable reality for Ireland. Ireland is due to hold the presidency of the EU Council from 1 July 2026, even as the legislation transposing that directive remains unfinished. A jurisdiction can lead the Union’s agenda and still be behind on the Union’s own enforcement rules. That tension will not last: the political and legal pressure runs one way, and the gap will close.

As at late June 2026, the Bill remains at pre‑legislative stage and has not yet been introduced in the Oireachtas, notwithstanding the expiry of the May 2025 transposition deadline.  Within Ireland the pressure is on to make progress, not least due to the EU Commission taking infringement proceedings against Ireland for failing to transpose the Directive on time. In December 2025, Ireland’s Central Bank signalled a tougher stance, requiring firms to ensure their governance and risk systems are ‘sound and sufficient’ to address sanctions risk. That raises not only the prospect of regulatory action for non‑compliance, but also the likelihood that evasion is detected through the financial system, as banks and payment service providers are expected to interrogate and, where appropriate, escalate suspicious transactions. The Brussels case reported above reminds us that such risks are more real than imagined.

For businesses, the lesson is not really about any single country. It is that the jurisdictional arbitrage is ending. The assumption that exposure depends heavily on where a transaction happens to touch down is becoming unsafe. Increasingly, the same breach carries criminal risk wherever in the EU it occurs.

The Belgian case also highlights where that risk actually lives. This was not a careless direct sale to a listed buyer. It was a deliberate structure built to conceal the real end-user, and that is the pattern enforcement now targets. Circumvention through intermediaries and front companies is the centre of gravity, not the obvious, sanctioned counterparty.

That has a direct consequence for how businesses manage risk. Screening a counterparty against the lists at onboarding is necessary, but no longer sufficient. The harder question is who sits behind that counterparty, and where the goods or funds ultimately come to rest. A clean name on the contract tells you little if it is a conduit.

None of this requires intent for things to go badly wrong. The reputational damage of being the inadvertent supply line to a sanctioned military programme is real today. The criminal exposure is arriving, and in some cases, a standard well short of intent will be enough to trigger it.

In practice, that means moving beyond one‑off screening towards continuous monitoring, genuine interrogation of beneficial ownership and end‑use, scrutiny of routing through intermediary jurisdictions, and records that show why a decision was taken at the time.  Those are the things that separate a business that took the risk seriously from one that looked the other way.

Europe spent the years after 2022 building an unprecedented sanctions regime against Russia. It is now building the enforcement to match. The Belgian conviction is one of the first clear signals of what that looks like in practice, and it will not be the last. The businesses that adjust to a world of converging, criminal enforcement now will be better placed than those waiting to see how serious their own jurisdiction proves to be.

If you have any questions regarding the information discussed in this article, please contact Paul Henty.

Download PDF