France Sapin 2 Act and anti-corruption compliance for SMEs of 100 to 499 employees in 2026: why anticipate the obligation

Updated 26 May 2026.

Article 17 of Law no. 2016-1691 of 9 December 2016 (Sapin 2 Act — the French anti-corruption law) imposes a mandatory anti-corruption compliance programme on companies with more than 500 employees and more than €100 million in turnover, registered in France. SMEs below these thresholds are not legally required to implement the programme, but the AFA (Agence Française Anticorruption — French Anti-Corruption Agency) strongly encourages mid-caps of 100 to 499 employees to voluntarily adopt best practices — for three converging reasons: anticipating organic growth towards the threshold, contractual pressure cascading down from large clients subject to the law, and growing ESG governance expectations from banks, investors and public buyers.

This practical 2026 guide covers the 8 mandatory programme measures, the precise application thresholds, the sanctions imposed by the AFA sanctions commission (up to €1M for the company, €200,000 for the director personally), and the case for voluntarily anticipating the framework at SME level — including how Sapin 2 now interacts with CSRD (Corporate Sustainability Reporting Directive), NIS 2, and DDADUE (French transposition of CSDDD — Corporate Sustainability Due Diligence Directive).

In brief. The Sapin 2 Act applies legally to companies simultaneously exceeding 500 employees and €100M turnover, with a French registered office. It requires an 8-measure compliance programme, with fines of up to €1M for the company and €200,000 for the director personally. Sub-threshold SMEs are not technically exempt: the contractual cascade from large groups, CSRD reporting obligations and the forthcoming DDADUE already affect them indirectly.

• Legal thresholds: more than 500 employees AND more than €100M turnover, French registered office (cumulative).
• 8 mandatory measures: code of conduct, risk mapping, internal alert mechanism, third-party assessment, internal accounting controls, disciplinary regime, training, control and evaluation system.
• Penalties: up to €1M for the company + €200k for the director + exclusion from public procurement for up to 5 years.
• SMEs below threshold: not legally required, but subject to growing contractual, banking and ESG pressure.
• Setup cost: €80-250k in year 1 for the full programme; €30-60k for a lightweight setup suited to sub-threshold SMEs.
• Regulatory convergence: Sapin 2 aligns with CSRD, DDADUE and NIS 2 — a shared risk mapping can substantially reduce the overall compliance cost.

Article 17 of the Sapin 2 Act#

Article 17 requires the management body of a subject company to take measures to prevent and detect, in France or abroad, acts of corruption or influence trading. Failing this, both the individual and corporate liability can be engaged before the AFA sanctions commission, independently of any criminal liability that may arise from an established offence.

Application thresholds#

Subject companies must simultaneously meet:

Thresholds are assessed at individual company level OR at group level when the French parent company is itself a subject entity. A French subsidiary belonging to a group above the thresholds may be pulled into scope even if individually below.

Outside direct scope#

• SMEs and mid-caps below the cumulative thresholds (but encouraged by the AFA to anticipate voluntarily).
• Public industrial and commercial establishments (specific regime).
• French subsidiaries of foreign groups where the governance body is not located in France (depending on configuration).

Principle#

Risk mapping is the cornerstone of the programme. It must be:

• Activity-specific (services, manufacturing, distribution, construction, etc.).
• Geographic (foreign presence, at-risk countries per the Transparency International Corruption Perceptions Index).
• Documented (methodology, sources, update frequency).
• Updated at least every two years or upon a major event (acquisition, new geography, change of management).

Four-step methodology#

1. Identification of exposed business processes (purchasing, export sales, public procurement, lobbying).
2. Assessment of probability × impact for each risk (5×5 matrix).
3. Prioritisation of risks by score (major risks = priority treatment).
4. Documented action plan with concrete prevention and detection measures, assigned to named individuals with deadlines.

Our expert view#

The classic trap: completing a "generic" mapping downloaded from an AFA guide without tailoring it to the actual business. The AFA checks the coherence between the mapping and the nature of the effective risks. A construction SME with activity in French-speaking Africa presenting a mapping without any geographic risk is immediately suspect. The mapping must reflect operational reality, including identified vulnerabilities — and the action plan must respond to them concretely.

Based on our practice with industrial exporting SMEs, risk mappings built by a single person without input from commercial, purchasing and finance teams are systematically contested by the AFA during a review. A robust mapping implies structured interviews across functions and produces a documented deliverable of 15 to 30 pages — not a ten-line spreadsheet.

Reinforced 2022 legal framework#

Law no. 2022-401 of 21 March 2022 (transposition of EU Directive 2019/1937) reinforced whistleblower protection:

• Extended legal protection against retaliation (dismissal, sanction, demotion).
• Absolute confidentiality of the whistleblower's and the accused person's identities.
• Data retention: five years minimum, with possible anonymisation.
• Information to data subjects about processing of their personal data (GDPR / RGPD).

Technical implementation#

Three options:

1. Internal channel managed by the company (dedicated mailbox, intranet platform).
2. Specialised external platform (Whispli, WhistleB, Convercent).
3. External mandator (lawyer, independent chartered accountant).

For an SME of 100-499 employees, option 2 is generally the most balanced (€3,000 to €10,000 per year) and provides the strongest confidentiality guarantees. The mechanism must be registered as a GDPR data processing activity, with a data protection impact assessment (DPIA) recommended, and the DPO — if the company has one — should be consulted on the technical configuration.

Corporate sanctions#

Individual sanctions (directors)#

120-employee SME exporting to the Maghreb#

Profile: SME with 120 employees, €18M turnover of which 35% in export to the Maghreb (Algeria, Morocco, Tunisia). Below the Sapin 2 threshold legally, but: (1) local distributors systematically request a code of conduct; (2) ministerial tenders require a compliance attestation; (3) the French bank is reinforcing controls on international flows.

For €18M of turnover, the programme costs 0.3% of revenue — a profitable ratio against access to public procurement and banking partner trust.

220-employee SaaS B2B supplier to CAC 40 groups#

A software publisher with 220 employees and €28M in recurring revenue was below the Sapin 2 threshold but worked with five listed groups representing 60% of its ARR. At the 2025 framework contract renewals, all five clients required a signed code of conduct and annual training attestations for the commercial team. Based on similar client files, a lightweight programme — code of conduct, simplified two-tier risk mapping, external alert platform, annual training — came to approximately €35,000 in year 1 with a recurring cost of €12,000. The director positioned the investment as an ESG maturity signal in the firm's Series B investor materials, where it was received positively.

The frequent trap: an SME below the threshold assumes it has "nothing to do". That assumption is inaccurate in the vast majority of cases. Large subject groups contractually cascade their obligations onto critical suppliers — mandatory codes of conduct, annual ethical audits, termination clauses for violations. An SME refusing to sign these undertakings progressively loses its contracts. An SME of 100-499 employees with a lightweight setup gains credibility and pre-empts the full setup cost when it later crosses the legal threshold organically.

The accumulation of regulatory frameworks is often experienced as an unmanageable burden. In practice, the frameworks share a common documentary infrastructure — risk mapping, governance, reporting, traceability — that can be mutualised to substantially reduce total compliance cost.

Comparative framework table#

What this means for an SME of 100-499 employees#

CSRD: listed and large companies in scope since 2025 must report on anti-corruption indicators. As a supplier, your buyer will ask about your own practices as part of supply chain due diligence. A Sapin 2 risk mapping directly feeds the data your clients need for their CSRD reporting — a strong commercial argument for building one.

DDADUE 2027: the French transposition of CSDDD extends the duty of care to companies significantly smaller than the Vigilance Law threshold — projected at around 1,000 employees and €450M turnover for the entry phase. SMEs of 100-499 employees will not be directly subject, but their clients will be, and the contractual cascade will intensify. The risk mapping built for Sapin 2 provides the supply chain documentation your buyers will require.

NIS 2: the cybersecurity directive targets "essential" and "important" entities by sector and size. It shares with Sapin 2 a risk governance logic and periodic internal review requirement. For an SME operating in a critical sector or managing sensitive data, a partially shared risk mapping can reduce the marginal cost of NIS 2 compliance.

From our experience advising SMEs on multiple frameworks simultaneously, a well-structured Sapin 2 risk mapping covers between 40% and 60% of the documentary requirements for CSRD and NIS 2 as well. Building the infrastructure once and feeding it for each obligation is the most cost-effective approach available to a sub-threshold SME.

The contractual cascade: mechanism and stakes#

When a large group is subject to Sapin 2, it must assess its third parties — suppliers, clients and intermediaries — under measure 4 of its programme. In practice, this generates ethics due diligence questionnaires, requests to sign supplier codes of conduct, and occasionally on-site audits.

Based on our advisory work with industrial and services SMEs, compliance clauses in framework contracts have become standard practice among CAC 40 and SBF 120 companies since 2023. Refusing to sign, or being unable to produce the required documentation, typically results either in supplier disqualification or inability to renew the contract.

10-step compliance roadmap for a voluntary sub-threshold SME#

1. Map contractual exposure: list large subject-group clients and review compliance clauses already signed.
2. Audit requests already received: collect all questionnaires, codes of conduct and attestations — identify gaps.
3. Appoint an internal compliance contact: the CEO, CFO or in-house counsel, even on a part-time basis.
4. Draft a code of conduct: tailored to the activity, approved by management, signed by senior staff.
5. Build a simplified risk mapping: two risk tiers (significant / moderate) are sufficient for a sub-threshold SME.
6. Set up an alert channel: an external platform is recommended for confidentiality (€3,000-€10,000/year).
7. Train exposed functions: purchasing, commercial, management — a minimum of two documented hours per year.
8. Deploy third-party assessment for critical suppliers: a simplified questionnaire for suppliers representing more than 10% of purchases.
9. Formalise the disciplinary procedure: a single clause in the internal rules is sufficient for sub-threshold SMEs.
10. Document and archive: retain all deliverables (mapping, training records, alerts processed) for at least five years.

This lightweight programme satisfies the contractual demands of large-group buyers in the vast majority of cases, and provides the foundation on which to build a full programme if the legal thresholds are crossed.

• Exposure diagnosis: do I have large subject-group clients? Export activity to at-risk countries? Public procurement participation?
• Setup level: full compliance (subject entity) or lightweight (sub-threshold SME)?
• Calendar: alignment with an HR project (growth towards 500 employees) or a commercial one (entering ministerial tenders)?
• Budget: €80-250k in year 1 for full compliance; €30-60k for a lightweight setup.
• Compliance officer: externalised (specialist firm) or internalised (compliance officer hire)?
• Framework articulation: CSRD, DDADUE, NIS 2, Vigilance Law (2017-399) — build one shared mapping to cover multiple obligations.

• Threshold evolution: no change announced for 2026, but discussion on lowering to 250 employees is ongoing (OECD recommendations, Conseil d'État opinions).
• Enhanced AFA audits: the sanctions commission has publicly targeted companies with a formal but ineffective programme ("paper compliance").
• CSRD articulation: since 2025, companies in the CSRD scope must report on anti-corruption indicators — a direct bridge to Sapin 2 data.
• Public procurement: since 2025, a non-conviction attestation for corruption is required at tender stage.
• Sapin 3 discussions: parliamentary proposals to broaden scope and strengthen sanctions are being monitored — no enactment expected in 2026 but regulatory direction of travel is clear.

Updated 26 May 2026. This article presents the general rules applicable at the date of publication. The Sapin 2 thresholds, sanctions and obligations may evolve. It does not substitute for analysis of your specific situation by a specialist lawyer or a compliance-focused chartered accountant. Sources: legifrance.gouv.fr; agence-francaise-anticorruption.gouv.fr.