Sanctions & Export‑control Compliance in Germany (2026): Criminal Risks, Internal Investigations & a Practical Roadmap

Germany’s sanctions compliance landscape shifted dramatically in early 2026. On 15 January 2026 the Bundestag adopted legislation transposing EU Directive 2024/1226 into German law, substantially tightening criminal penalties for sanctions and export‑control violations under the Foreign Trade and Payments Act (Außenwirtschaftsgesetz, AWG). Barely three months later, on 1 April 2026, the Federal Office for Economic Affairs and Export Control (BAFA) rolled out updated general export authorisations that re‑draw the operational parameters for every company shipping controlled goods from Germany.

For general counsel, heads of compliance and board members, sanctions compliance Germany 2026 is no longer a matter of periodic policy review, it demands an investigator‑led approach to risk identification, evidence preservation and remediation that can withstand regulatory scrutiny and, increasingly, criminal prosecution.

This article provides that approach. It combines a legal analysis of the new criminal exposure with a step‑by‑step internal‑investigation playbook, self‑reporting strategy, and an operational export‑control compliance checklist, the practical tools that short‑form law‑firm alerts rarely deliver. Whether your organisation is a mid‑market industrial exporter, a financial intermediary processing cross‑border payments, or a multinational group coordinating compliance across EU subsidiaries, the roadmap below will help you translate the 2026 rule changes into concrete, defensible action.

Quick Reference, 2024–2026 Timeline of Rules & Enforcement

Before drilling into the substance, the timeline below maps the key legislative and administrative milestones that define sanctions compliance Germany 2026. Each entry links a regulatory event to its practical effect on companies operating in or exporting from Germany.

Criminal & Administrative Exposure Under German Law

The 2026 legislative package fundamentally re‑calibrates criminal liability sanctions Germany companies and their officers face. Understanding the statutory framework, the scope of personal exposure, and the range of penalties is the essential starting point for any corporate sanctions program.

Key Statutory Provisions

Germany’s sanctions and export‑control criminal law is anchored in the AWG (in particular §§ 17, 18 AWG) and the War Weapons Control Act (Kriegswaffenkontrollgesetz, KrWaffKontrG). The 2026 implementing act, transposing EU Directive 2024/1226, expands these provisions in several critical ways:

• Broader offence definitions. The amended AWG now explicitly criminalises intentional circumvention schemes, including the use of intermediary jurisdictions to re‑route sanctioned goods, and the deliberate failure to comply with asset‑freeze reporting obligations.
• Harsher maximum penalties. For the most serious offences, maximum custodial sentences have been increased, aligning with the minimum penalty floors mandated by EU Directive 2024/1226.
• Intentional reporting failures. For the first time, the deliberate omission or falsification of mandatory sanctions‑related reports to authorities has been codified as a standalone criminal offence, not merely an administrative infraction.
• Confiscation and forfeiture. Expanded provisions allow confiscation of economic advantages derived from sanctions violations, including proceeds that have been transferred to third parties.

Who Can Be Prosecuted, Boards, Managers, Employees

Criminal liability sanctions Germany law imposes apply to natural persons who act intentionally or, in defined circumstances, with gross negligence. While Germany has not (yet) adopted a general corporate criminal‑liability statute, supervisory‑duty provisions in the Ordnungswidrigkeitengesetz (OWiG, § 130) allow authorities to impose substantial administrative fines on corporate entities where management failed to implement adequate compliance measures. In practice, this means:

• Board members and managing directors face personal criminal prosecution for intentional sanctions violations and for organisational failures that facilitated breaches.
• Compliance officers and export‑control managers can be prosecuted where they had operational responsibility and knowledge of the breach.
• Operational employees involved in the execution of sanctioned transactions, logistics coordinators, finance staff processing payments, may also face individual liability.

Typical Penalties and Enforcement Trends

The following comparison table summarises the exposure profile for different entity types. Industry observers expect German prosecutors to pursue high‑profile enforcement actions in 2026 to signal the seriousness of the transposition, particularly against companies where compliance failures are systematic rather than isolated.

Enforcement Landscape, Who Investigates & What to Expect

Understanding the enforcement architecture is critical for effective sanctions compliance Germany 2026 planning. Three primary actors operate, often in parallel, when a suspected breach surfaces.

BAFA, Customs and Public Prosecutors

• BAFA is the lead authority for export controls Germany. It grants and revokes export licences, conducts compliance audits, and refers suspected criminal violations to prosecutors. As of April 2026, BAFA also administers the updated general export authorisations, meaning any exporter relying on these licences faces direct BAFA oversight.
• Customs (Zollverwaltung / Zollkriminalamt). German customs authorities conduct physical inspections at borders and freight hubs. They have broad seizure powers and can initiate administrative‑offence proceedings independently. Complex cases are handled by the Customs Criminal Investigation Office (Zollkriminalamt).
• Public prosecutors (Staatsanwaltschaft). Criminal investigations into sanctions violations are conducted by specialised public‑prosecutor units, often in coordination with customs. Dawn raids, IT seizures and witness interviews can occur without prior warning.
• EU enforcement coordination. Under the EU’s sanctions framework, national authorities share intelligence and coordinate enforcement through the Council’s Sanctions Information Exchange Repository and Europol. The likely practical effect of the 2026 Directive transposition will be tighter cross‑border coordination and faster information‑sharing among Member State authorities.

Immediate First‑Response Actions on Contact by Authorities

If your company receives an information request, search warrant or dawn‑raid notice, the following steps should be taken within the first hours:

1. Activate the crisis‑response protocol, notify General Counsel, the compliance officer and at least one board member immediately.
2. Engage external sanctions‑specialist counsel before providing any substantive response or documents.
3. Preserve all potentially relevant data, issue a litigation hold across email, ERP, trade‑compliance and financial systems.
4. Designate a single point of contact for all authority communications to avoid inconsistent statements.
5. Document everything, keep a contemporaneous log of all interactions, requests and productions.

Investigator‑Led Internal Investigations Playbook for Sanctions Compliance Germany 2026

This section is the operational heart of the article. When a potential sanctions or export‑control breach is identified, whether by an internal whistleblower, a routine audit, or a media report, an investigator‑led internal investigation is the single most effective way to contain risk, gather facts, and position the company for a credible self‑report or defence. What follows is a structured playbook for conducting a sanctions investigation Germany companies can deploy immediately.

Step 1, Triage & Scoping

The first 48 hours determine whether the company retains control of the narrative or loses it. Triage involves answering a short set of critical questions:

• What is the suspected violation, an unlicensed export, an asset‑freeze breach, a circumvention scheme, a reporting failure?
• Is the breach isolated (single transaction, one employee) or systemic (multiple shipments, management knowledge)?
• Are any ongoing transactions at risk, can further violations be stopped immediately?
• Is there a reporting obligation that has already been triggered or will be triggered imminently?
• Is there a risk of evidence destruction, departing employees, automated data‑deletion policies, external server access?

Document the answers in a confidential triage memorandum prepared under legal‑professional privilege. This memorandum becomes the foundation of the investigation scope and terms of reference.

Step 2, Evidence Preservation

Evidence preservation is non‑negotiable. Failure to preserve relevant data can constitute obstruction and dramatically increases criminal exposure. A robust preservation protocol includes:

1. Litigation hold notice. Issue to all custodians, individuals with potentially relevant documents or data, instructing them to preserve all electronic and physical records. Suspend automated deletion and archiving routines for relevant systems.
2. Data mapping. Identify all systems where relevant data may reside: ERP systems (SAP, Oracle), trade‑compliance platforms, email and messaging (including personal devices if BYOD policies apply), financial‑transaction databases, customs‑filing records and shipping documentation.
3. Forensic imaging. For high‑risk custodians (suspected wrongdoers, key decision‑makers), engage IT forensics specialists to create forensic images of devices and mailboxes.
4. Chain‑of‑custody documentation. Maintain a detailed log of every piece of evidence collected, who collected it, when, from which system, and where it is stored. This log is essential for any subsequent self‑report or prosecution defence.

Step 3, Witness Interviews

Internal investigations sanctions cases require careful witness management. Interviews should be conducted by experienced investigators, typically external counsel, following a structured protocol:

Sample interview opening statement: “We have been instructed by [Company] to conduct an internal review of certain trade‑compliance matters. This interview is conducted on behalf of the company, not on your personal behalf. The legal privilege that attaches to this interview belongs to the company, not to you individually. You are expected to answer truthfully and completely. You are free to consult your own personal legal adviser at any time.”

• Interview order. Begin with peripheral witnesses (administrative staff, logistics coordinators) to build a factual baseline, then move to key decision‑makers.
• Documentation. Prepare a detailed interview memorandum for each session: date, time, participants, questions asked, answers given (attributed), and any documents reviewed during the interview. Avoid audio recording unless the interviewee consents and local works‑council requirements are met.
• Privilege management. All interview memoranda should be marked “Privileged and Confidential, Prepared at the Direction of Legal Counsel.” Store them in a segregated, access‑controlled repository.

Step 4, Legal Privilege & Cross‑Border Data

German law provides more limited in‑house‑counsel privilege than common‑law jurisdictions. Communications between in‑house lawyers and internal business clients are generally not protected from seizure by German prosecutors. To maximise protection:

• Engage external Rechtsanwälte (admitted German lawyers) to lead the investigation; their communications with the client enjoy stronger privilege protection.
• Clearly label all investigation documents as prepared under the direction of external counsel.
• For cross‑border groups, coordinate with local counsel in each relevant jurisdiction, privilege rules differ materially between Germany, the UK, the US and Asia.

Step 5, Reporting & Escalation Matrix

Establish a clear internal escalation path before the investigation begins:

1. Investigation team → General Counsel / Chief Compliance Officer: daily updates during active investigation phase.
2. General Counsel → Board / Audit Committee: immediate escalation if findings indicate systemic violations, board‑level knowledge, or mandatory reporting triggers.
3. Board → External authorities (BAFA / Customs / Prosecutors): decision on self‑reporting based on legal advice (see below).

Self‑Reporting Strategy and Remediation, Sanctions Self‑Reporting Germany

Self‑reporting is one of the most consequential decisions a company will make after discovering a sanctions violation. There is no blanket obligation to self‑report every inadvertent breach, but specific mandatory reporting duties exist under the AWG, anti‑money‑laundering legislation, and EU sanctions regulations. The 2026 implementing act has widened these duties by criminalising intentional failures to submit required reports.

Decision Framework, When and How to Self‑Report

• Mandatory reporting triggers: asset‑freeze notifications to the Deutsche Bundesbank; suspicious‑transaction reports under the Geldwäschegesetz (GwG); and newly codified AWG reporting obligations for certain export‑control breaches.
• Discretionary self‑reporting: where no mandatory duty applies, companies should consider voluntary disclosure where the violation is material, where there is a risk the breach will be discovered independently (e.g., through a business partner’s audit), or where timely disclosure is likely to attract significant enforcement mitigation.
• To whom: BAFA for export‑control matters; the Bundesbank for asset‑freeze reporting; customs (Zoll) for goods‑related violations; public prosecutors via counsel where criminal exposure is identified.

What a Self‑Report Should Contain

1. Concise description of the violation(s), what happened, when, which sanctions or export‑control regulations were breached.
2. Root‑cause analysis, how the breach occurred (system failure, human error, intentional conduct).
3. Remedial measures already taken, transaction reversals, disciplinary actions, process changes.
4. Forward‑looking remediation plan, compliance‑program enhancements, monitoring commitments, training initiatives.
5. Offer to cooperate fully with any subsequent investigation.

Early indications suggest that German authorities are prepared to offer meaningful mitigation, including reduced fines and the avoidance of prosecution in borderline cases, where companies self‑report promptly, cooperate fully, and demonstrate credible remediation. However, self‑reporting is not an immunity mechanism and does not guarantee any particular outcome.

Practical Export‑Control & Sanctions Compliance Checklist for 2026

Operationalising sanctions compliance Germany 2026 requirements demands more than updated policies on paper. The following export‑control compliance checklist translates the regulatory changes into concrete, auditable controls. Companies should treat this as a minimum standard, not a ceiling.

1. Sanctions‑list screening. Screen all counterparties, beneficial owners and end‑users against consolidated EU sanctions lists, BAFA denial lists, UN lists, and, where relevant, OFAC SDN and sectoral lists. Automate screening and re‑screen existing business relationships on every list update.
2. Export classification review. Re‑classify all products against the EU Dual‑Use Regulation Annex I, the German Export List (Ausfuhrliste), and Germany’s transaction‑matrix requirements. Pay particular attention to items affected by the 1 April 2026 BAFA general‑authorisation updates.
3. Licence verification. Confirm that every shipment of controlled goods is covered by a valid individual or general export licence. Review and, where necessary, re‑apply for authorisations under the revised BAFA framework.
4. Transactional controls. Implement payment‑screening procedures to block or flag transactions involving sanctioned jurisdictions, entities or vessels. Coordinate with your bank’s compliance function.
5. Supplier and intermediary due diligence. Conduct enhanced due diligence on agents, distributors and freight forwarders, particularly those in or routing through high‑risk jurisdictions.
6. Training and escalation. Deliver mandatory, role‑specific sanctions and export‑control training to all relevant staff (sales, logistics, finance, legal). Establish a clear escalation path for red‑flag situations.
7. Record‑keeping. Maintain complete records of all export transactions, licence applications, screening results and compliance decisions for a minimum of five years, longer where litigation or investigation is anticipated.
8. Periodic audits. Schedule at least annual independent compliance audits, with interim spot‑checks triggered by risk events (new sanctions packages, new business partners, acquisitions).

Data Considerations, DADG and Data Act Implications for Investigations

Germany’s implementation of the EU Data Act and the Datennutzungsgesetz (DADG) introduces additional constraints on how companies collect, transfer and process data during internal investigations. For sanctions investigation Germany proceedings, three practical issues stand out:

• Cross‑border data transfers. Transferring employee communications or transaction data from German subsidiaries to a group‑level investigation team based outside the EU requires a valid transfer mechanism under the GDPR (adequacy decision, standard contractual clauses, or binding corporate rules). The DADG adds further conditions for the re‑use of certain non‑personal data held by public‑sector bodies.
• Works‑council participation. In companies with a Betriebsrat (works council), any systematic monitoring or review of employee data during an investigation may trigger co‑determination rights. Failure to involve the works council can render evidence inadmissible and expose the company to injunction proceedings.
• Court orders for data access. Where voluntary data access is restricted, for example, by a departing employee invoking GDPR data‑subject rights, companies should seek court orders promptly rather than risk allegations of unlawful data processing.

The practical guidance is clear: involve data‑privacy counsel from the outset of any sanctions investigation and build data‑handling protocols into the investigation plan before evidence collection begins.

Remediation & Monitoring Post‑Investigation

Completing the investigation is not the end of the process. A credible corporate sanctions program requires demonstrable remediation and ongoing monitoring. Post‑investigation steps should include:

• Policy and procedure updates. Revise internal trade‑compliance manuals, approval workflows and escalation procedures to address the root causes identified in the investigation.
• Disciplinary measures. Where individual wrongdoing is established, take proportionate disciplinary action, up to and including termination, and document the rationale.
• Enhanced monitoring. Implement a defined monitoring period (typically 12–24 months) with specific KPIs: screening‑hit resolution times, exception rates, training‑completion rates, audit findings.
• Certification of remedial completion. At the conclusion of the monitoring period, have the compliance function (or an independent external auditor) formally certify that remedial measures have been fully implemented and are operating effectively.
• Board reporting. Integrate sanctions‑compliance metrics into regular board and audit‑committee reporting to ensure sustained executive oversight.

Key Templates & Checklists

To support practical implementation, the following templates should be prepared and adapted to your organisation’s specific circumstances. Engage qualified export‑control and investigations counsel, available through the Global Law Experts lawyer directory, to customise these tools to your regulatory environment:

• Evidence preservation checklist, litigation‑hold notice template, data‑mapping worksheet, chain‑of‑custody log
• Interview memorandum template, structured format covering participant details, privilege warnings, question log and answer summaries
• Self‑report checklist and sample disclosure letter, decision‑tree for mandatory vs. discretionary reporting, letter framework with required content elements
• Export‑control decision matrix, classification flowchart, licence‑type selection guide, BAFA general‑authorisation eligibility check (updated for 1 April 2026 changes)
• Remediation plan template, root‑cause tracker, corrective‑action register, monitoring KPI dashboard, certification sign‑off form

Conclusion, Practical Next Steps for Sanctions Compliance Germany 2026

The 2026 reforms leave no room for complacency. The convergence of expanded criminal offences, harsher penalties and heightened enforcement activity means that boards and general counsel must act now, not when the first dawn‑raid notice arrives. Three immediate priorities stand out:

1. Audit your current compliance program against the 2026 legislative changes and the BAFA general‑authorisation updates. Identify gaps, re‑classify controlled items and update screening processes.
2. Build investigation‑readiness infrastructure, crisis‑response protocols, evidence‑preservation procedures, pre‑selected external counsel and a tested escalation matrix, before a breach occurs.
3. Engage specialist counsel to conduct a privileged compliance health‑check and to advise on self‑reporting strategy where potential violations have already been identified.

Sanctions compliance Germany 2026 is not a box‑ticking exercise. It is an ongoing operational discipline that requires legal expertise, investigative rigour and executive commitment. The companies that invest in that discipline now will be the ones best positioned to manage risk, protect their officers and maintain their licence to trade.

Sources

1. ADVANT Beiten, Sanctions compliance: Bundestag tightens sanctions criminal law
2. Gleiss Lutz, Stricter criminal sanctions law: Germany’s transposition of EU Sanctions Directive
3. EU Sanctions Compliance Helpdesk, EU sanctions and German businesses: challenges, risks and practical support
4. Global Sanctions, Germany updates general export authorisations (April 2026)
5. Noerr, EU Directive implemented: Bundestag tightens German criminal law on sanctions
6. Norton Rose Fulbright, Harsher penalties for violations of EU sanctions in Germany: key changes
7. PwC Germany, Germany: Foreign trade and criminal law tightened
8. CMS Expert Guide, Financial sanctions enforcement in Germany
9. BAFA, Export Control (official)