EU corporate liability: a model of harmonisation without corporate fault?

EU corporate liability is often presented as a coherent and increasingly harmonised model. However, this perception is misleading.

Despite more than two decades of legislative development, the EU framework still rests on a fragile foundation: it systematically attributes liability to companies without fully articulating what corporate fault actually is. This tension between formal harmonisation and substantive gaps remains one of the central weaknesses of EU criminal law. 

At first glance, the system appears stable. Across directives, a ‘standard clause’ requires Member States to ensure that legal persons can be held liable where offences are committed for their benefit, either by individuals in leading positions or by subordinates whose misconduct was enabled by a lack of supervision. Sanctions must be ‘effective, proportionate and dissuasive’ but their nature—criminal, administrative or civil—is left to national discretion.

This model has obvious advantages. It facilitates convergence across legal systems and avoids imposing a single conception of corporate criminal liability on Member States. But it does so at a cost. By anchoring liability to individual misconduct—whether through identification or failures of supervision—the EU framework remains fundamentally derivative. In complex corporate structures, where decision-making is diffuse and responsibility fragmented, this approach risks becoming both artificial and under-inclusive.

More importantly, it obscures a deeper problem: the absence of a genuine theory of corporate culpability. EU law does not require a meaningful inquiry into whether the offence reflects a failure in the organisation, culture, or risk management of the company. As a result, liability may be imposed even where the company lacks any real ‘fault’ beyond the fact that the offence occurred within its sphere of activity. The risk, in practice, is a drift towards forms of quasi-strict liability, difficult to reconcile with core principles of criminal law.

Recent legislative developments suggest that the EU legislator is aware of these limitations. New instruments—including the proposed Anti-Corruption Directive, the 2024 Environmental Crime Directive, and the Directive on the violation of EU restrictive measures—place increasing emphasis on compliance systems, internal controls, and post-offence behaviour. At the same time, sanctions are becoming more economically calibrated, with fines linked to a percentage of global turnover.

This shift is significant. It reflects a growing recognition that corporate liability should be connected not only to individual wrongdoing, but also to how companies are organised and governed. In particular, the introduction of mitigating factors linked to compliance programmes and voluntary disclosure signals an emerging role for what is often described as “organisational fault.”

Yet the evolution remains incomplete. Compliance is still treated primarily as a mitigating factor, not as a basis for excluding liability. Companies are rewarded for reacting to wrongdoing, but not necessarily for preventing it. This creates a problematic incentive structure: investing in remediation after the fact may be more legally relevant than building robust preventive systems ex ante.

At the same time, the increasing reliance on turnover-based fines raises further concerns. While such sanctions enhance deterrence, they may operate unevenly across firms, disproportionately affecting smaller companies while being absorbed as a cost of doing business by larger ones. Without a more nuanced approach, the effectiveness of sanctions risks being undermined by their lack of differentiation.

The broader issue, however, is structural. The EU model continues to prioritise harmonisation of outcomes over coherence of principles. It requires Member States to punish corporations, but does not fully define why corporations are blameworthy in the first place. As long as corporate liability remains tied to individual misconduct and loosely connected to organisational failure, the system will struggle to achieve both fairness and effectiveness.

A more convincing model would move beyond minimum harmonisation and place organisational fault at its centre, linking liability to demonstrable failures in governance, compliance, and risk management. Without such a shift, EU corporate liability risks remaining what it currently is: a formally harmonised regime, but a substantively incomplete one.

Readers interested in the full article can contact the author at federica.zazzaro@unicampania.it.

Federica Zazzaro holds a PhD in Criminal Law from the University of Campania Luigi Vanvitelli.