France Sapin 2 anti-corruption compliance for SMEs 100-499 employees in 2026: why anticipate the obligation

Updated on 13 May 2026.

Article 17 of Law no. 2016-1691 of 9 December 2016 (Sapin 2) imposes an anti-corruption compliance program on companies with more than 500 employees and €100 million turnover. SMEs below these thresholds are not legally required, but the French Anti-Corruption Agency (AFA) strongly encourages mid-caps with 100-499 employees to voluntarily adopt best practices — for 3 reasons: growth anticipation, contractual demand from large clients subject to the law, and emerging ESG governance expectations.

This practical 2026 guide presents the 8 mandatory measures, the precise thresholds, the AFA sanctions commission penalties (up to €1M for company + €200,000 for director), and arguments to voluntarily anticipate the framework at SME level.

• Legal thresholds: > 500 employees AND > €100M turnover, French HQ (cumulative).
• 8 mandatory measures: code of conduct, risk mapping, alert, third-party assessment, controls, sanctions, training, evaluation.
• Penalties: up to €1M company + €200k director + public procurement exclusion.
• SMEs below threshold: not legally required but subject to contractual pressure from large clients.
• Setup cost: €80-250k year 1 for SMEs; €30-60k for lightweight setup.

Article 17 of the Sapin 2 Law#

Article 17 requires the management body of a subject company to take measures to prevent and detect corruption or influence trading, in France or abroad. Failing this, its responsibility can be engaged before the AFA sanctions commission.

Application thresholds#

Subject companies have simultaneously:

Thresholds assessed at individual company level OR group level if the parent is a subject parent.

Out of scope#

• SMEs and mid-caps below thresholds (but encouraged by AFA).
• Public establishments (specific regime).
• French subsidiaries of foreign groups (depending on governance).

Principle#

Risk mapping is the cornerstone. It must be:

• Activity-specific (services, industry, distribution, BTP).
• Geographic (foreign presence, at-risk countries per Transparency International CPI).
• Documented (methodology, sources, update frequency).
• Updated at least every 2 years or upon major events.

4-step methodology#

1. Identification of exposed business processes (purchasing, export sales, public contracts, lobbying).
2. Assessment of probability × impact for each risk (5x5 matrix).
3. Prioritisation by score (major risks = priority treatment).
4. Documented action plan with prevention and detection measures.

Our expert view#

Classic trap: filling out a "generic" mapping downloaded from an AFA guide without adapting to actual activity. The AFA controls coherence between mapping and effective risk nature. A BTP SME with French-speaking African activity presenting mapping without any geographic risk is immediately suspect. The mapping must reflect operational reality.

Reinforced 2022 legal framework#

Law no. 2022-401 of 21 March 2022 (transposition of EU Directive 2019/1937) reinforced whistleblower protection with:

• Extended legal protection against retaliation.
• Absolute confidentiality of whistleblower and accused identities.
• Data retention: 5 years minimum, with possible anonymization.
• Information to persons on their data processing (GDPR).

Technical implementation#

Three options:

1. Internal channel managed by company.
2. Specialised external platform (Whispli, WhistleB, Convercent).
3. External mandator (lawyer, independent accountant).

For an SME of 100-499 employees, option 2 is usually the most balanced (€3,000-€10,000/year).

Corporate sanctions#

Individual sanctions (directors)#

Profile: SME 120 employees, €18M turnover including 35% Maghreb export (Algeria, Morocco, Tunisia). Below Sapin 2 threshold legally but: systematic demand for code of conduct by local distributors; ministerial tenders requiring compliance attestation; French bank reinforcing controls on international flows.

12-month implementation plan#

For €18M turnover, program costs 0.3% of revenue — profitable ratio vs public procurement access and bank trust.

Frequent trap: an SME below threshold considers it has "nothing to do". Wrong in 80% of cases. Large subject groups contractually cascade their obligations to critical suppliers — mandatory codes of conduct, annual ethical audits, termination clauses in case of violation. An SME refusing to sign loses contracts progressively. Conversely, an SME 100-499 employees with a lightweight setup gains credibility and pre-empts the setup cost when crossing the future threshold.

• Exposure diagnosis: do I have large subject-group clients? Export to at-risk countries?
• Setup level: full compliance (subject) or lightweight (below threshold)?
• Calendar: alignment with HR project (500-employee recruitment) or commercial (tenders)?
• Budget: €80-250k year 1 full / €30-60k lightweight.
• Compliance officer: externalised or internalised?
• Other framework articulation: NIS 2, CSRD, DDADUE, law 2017-399.

• Threshold evolution: not announced for 2026 but discussion on lowering to 250 employees (Conseil d'État, OECD recommendations).
• Enhanced AFA audit: sanctions commission publicly announced targeted controls.
• CSRD articulation: since 2025, CSRD companies must report on anti-corruption indicators.
• Public procurement: new obligation since 2025 of non-conviction attestation for corruption.

Sapin 2 law today far exceeds its original legal scope. Through contractual cascade, bank requirements and CSRD obligations, every B2B SME 100-499 employees with international activity or public procurement is indirectly concerned. Anticipating the setup is a modest investment (€30-60k) with quick return in client trust and growth preparation.

Our firm advises SMEs and mid-caps on Sapin 2 compliance program setup, from initial diagnosis to annual audit. Contact our experts.