C-Level Liability May 2026 Checklist

Liability focus May 2026: Sanctions criminal law, Cyber Resilience Act and AML compliance. Are you prepared?

I. Introduction to the topic

In May 2026, the European regulatory landscape enters a phase of intensified enforcement in which theoretical compliance requirements turn into immediate operational and criminal-law risks. The delayed national implementation of the EU Sanctions Directive (2024/1226) means that companies are now under considerable time pressure to bring their systems in line with the new criminal liability for negligence (“recklessness”). At the same time, this month marks the administrative starting point for the conformity assessment bodies under the Cyber Resilience Act (Regulation EU 2024/2847), which for the C-level represents the last chance to proactively manage market access risks for 2027.

In parallel, the new Anti-Money Laundering Authority (AMLA), pursuant to Regulation (EU) 2024/1620, is specifying its technical standards, while the “Single Rulebook” (AMLR) replaces the previous national discretion under the Money Laundering Act (GwG) with directly applicable Union law. For management and those responsible for compliance, May 2026 is therefore not merely an administrative date, but the decisive time window to avoid personal liability through the harmonisation of internal processes and to ensure operational resilience in the face of the new, centralised EU supervision.

FAQ: Liability focus May 2026 – Sanctions, CRA & AML compliance

  • Why is May 2026 a critical point in time for management liability?

    In May 2026, several EU regulations enter their decisive enforcement phase.
    In particular, the stricter criminal liability for negligence (“recklessness”) in sanctions law as well as
    the administrative deadlines of the Cyber Resilience Act (CRA) and the new
    Anti-Money Laundering Regulation (AMLR) mean that compliance failures
    can immediately translate into personal liability scenarios and high fines.


  • What fundamentally changes in sanctions criminal law (§ 18 AWG new version)?

    A paradigm shift is taking place: previously, criminal prosecution generally required intent.
    With the implementation of Directive (EU) 2024/1226, gross negligence (recklessness) is now sufficient.
    An organisational deficiency in the screening process can directly lead to prison sentences of up to 3 years for those responsible.


  • Which urgent deadlines does the Cyber Resilience Act (CRA) already set in May 2026?

    Although full application only takes effect in 2027, May 2026 is the “bottleneck” for market access.
    Companies must now secure capacity at Notified Bodies (e.g. TÜV) for conformity assessments.
    Missing this date risks a sales ban from 2027 for connected products without a valid CE marking.


  • What does the “Single Rulebook” (AMLR) mean for money laundering prevention?

    The previous national Money Laundering Act (GwG) is replaced by directly applicable EU law (AMLR).
    National special approaches are eliminated in favour of harmonised EU standards.
    Companies must mandatorily switch their KYC processes and risk analyses to these new
    technical regulatory standards (RTS) of the AMLA by May 2026.


  • What risks arise from the EU Pay Transparency Directive by June 2026?

    This involves a reversal of the burden of proof: if companies cannot
    fully document their pay structures, discrimination is presumed in lawsuits.
    The employer must then prove the opposite. In addition, unlimited claims for damages
    and exclusion from public procurement may arise.


  • How high is the financial risk for compliance violations from 2026?

    The fine framework has been massively expanded:

    Sanctions: Up to €40 million or turnover-based penalties.

    Money laundering: Up to 10% of global annual turnover.

    Cyber (CRA): Up to €15 million or 2.5% of global turnover.


  • What technical requirements will apply in future for sanctions screening?

    A “best effort” approach is no longer sufficient. Since recklessness is punishable,
    real-time screening is expected. Manual uploads of sanctions lists once per week
    are considered liability-critical. Systems must process updates from the Financial Sanctions Database (FSDA)
    with virtually no delay.


  • What do C-level executives specifically need to do now?

    1. Gap analysis: Review current systems against the AMLR and CRA requirements.

    2. Resource planning: Secure budgets for certifications and IT upgrades for 2026/2027.

    3. Documentation: Build an “auditable chain of reasoning” for organisational decisions
    to rebut allegations of recklessness during audits.

Liability-relevant deadlines for the months of May/June 2026

  • May 2026 · Stricter due diligence obligations · Art. 3(3) Directive 2024/1226
    1. Sanctions compliance: new sanctions criminal law
    Criminal liability for recklessness: violations of EU sanctions are now punishable even in cases of reckless conduct.
    Corporate fine: up to €40 million or a percentage of global turnover. Review screening systems; EU lists are updated almost daily.
  • From May 2026 · Start of conformity assessment bodies · CRA
    2. Cyber Resilience Act: testing bodies commence operations
    Notified Bodies may issue official certificates from May onwards.
    C-level check: manufacturers of connected products (sales from 2027) should secure appointments now; a massive bottleneck is expected.
  • 7 June 2026 · Implementation deadline · EU Pay Transparency Directive
    3. Pay transparency: final sprint of implementation
    Right to information: employees gain the right to information on average pay for the same or equivalent work.
    Reversal of the burden of proof: the employer must demonstrate non-discrimination.
    Action: HR/compliance analyses pay structures in May.
  • May / June 2026 · AMLA Frankfurt · Minimum KYC standards
    4. Anti-money laundering (AML): preparing for the AMLA
    The new EU Anti-Money Laundering Authority (AMLA) in Frankfurt specifies its technical standards (RTS).
    Focus: adapt KYC processes to EU minimum standards in preparation for direct AMLA supervision from 2028.

Obligations for responsible persons (deadline May 2026)

1. C-level (management board & executive board)

  • Capacity management (CRA): Ensure budgets and quotas at Notified Bodies. Pursuant to Chapter IV of Regulation (EU) 2024/2847, appointments for conformity assessments (Modules B/C/H) must be secured to prevent a sales ban on connected products from 2027.
  • Liability management (sanctions): Establish a monitoring structure addressing criminal liability for recklessness (§ 18 AWG new version in conjunction with Directive 2024/1226). Management is liable for organisational fault if screening processes fail due to gross negligence.
  • Financial provisioning: Adjust provisions planning to the new fine framework (up to €40 million or a percentage of group turnover).

2. Compliance management (general compliance)

  • System validation (screening): Mandatory review of automated screening tools. They must be able to process the almost daily updates of the EU Financial Sanctions Database (FSDA) without delay.
  • Process audit: Implement controls for armaments and dual-use goods, as the threshold for “gross negligence” (recklessness) under Art. 3(3) of Directive 2024/1226 is set particularly low here.
  • Whistleblowing integration: Ensure internal channels complement the EU Sanctions Whistleblower Tool to pre-empt external reports through internal follow-up.

3. Money laundering officers (anti-money laundering)

  • KYC migration: Transition identification processes to the EU Single Rulebook (AMLR – 2024/1624). This includes removing national special approaches (formerly GwG) in favour of harmonised EU identification standards.
  • Risk analysis 2.0: Adapt the internal risk analysis to the new technical regulatory standards (RTS) of the AMLA, especially with regard to high-risk transactions and crypto interfaces.
  • Cash compliance: Technical implementation of monitoring the €10,000 cap and establishing immediate reporting channels to the FIU in cases of structuring or attempted circumvention.

4. IT security & product owners (C-level interface)

  • Documentation obligation: Prepare the technical documentation under the CRA requirements for all connected products in the lifecycle for 2027.
  • Vulnerability management: Set up a process to report exploited vulnerabilities to the BSI to prepare for the CRA reporting obligations taking effect from September 2026.

Liability risks and specific sanctions

Liability focus May 2026 – risks & duties for management

As a corporate officer and executive, from 1 May 2026 you will be at the centre of a stricter European enforcement phase. Theoretical compliance requirements now turn into immediate operational, civil and criminal liability risks.

The focus is shifting dramatically: with the new EU Sanctions Directive and the CRA, the grace period ends. Particularly critical are the new criminal liability for recklessness in sanctions law and the reversal of the burden of proof in pay transparency. Those who do not steer proactively now risk personal prison sentences and existentially threatening fines for the company.

  • Sanctions criminal law: Safeguarding against criminal liability for recklessness (§ 18 AWG new version) through real-time screening structures.
  • Cyber Resilience Act (CRA): Securing testing capacity at Notified Bodies to avoid sales bans from 2027.
  • AML compliance: Migrating KYC processes to the “Single Rulebook” (AMLR) and the new AMLA supervisory logic.
  • Pay transparency: Building a data structure to manage the reversal of the burden of proof by June 2026.
  • Financial provisioning: Adjusting provisions planning to the new fine framework (up to €40 million or turnover-based penalties).
  • Liability protection: Avoiding organisational fault through demonstrable implementation of the new EU standards.

Catalogue of measures

1. Sanctions: From “best effort” to real-time screening

Since “recklessness” is now punishable (§ 18 AWG), any failure to update the system is a potential offence.

  • System audit: Check whether your screening provider automatically ingests the EU Financial Sanctions Database (FSDA). Manual uploads once per week are now a liability risk.
  • Latency check: Eliminate delays. When a listing appears in the EU Official Journal, the system must block within hours (not days).
  • Dual-use classification: Re-check the product master data. Especially for goods that can be used for civilian and military purposes, the duty of care has been massively increased by the new Directive (EU) 2024/1226.

2. Cyber resilience (CRA): Secure capacities

May 2026 is the “bottleneck” month for long-term marketability.

  • Notified Body booking: Immediately contact bodies such as TÜV, DEKRA or specialised IT testing organisations. Secure quotas for the conformity assessment of your products for 2027.
  • SBOM creation: Implement a Software Bill of Materials (SBOM) for all connected products. Without complete supply chain documentation, certification is not possible.
  • Vulnerability reporting: Set up an internal reporting office capable of reporting vulnerabilities to the BSI within 24 hours (preparation for September 2026).

3. Pay transparency: Gain data ownership

By 7 June 2026, systems must be in place to manage the reversal of the burden of proof.

  • Salary audit: Perform a statistical analysis of pay structures by gender and job families (equal pay check).
  • Define the information process: Create standard report formats for employee requests. HR must be able to provide information ad hoc to avoid litigation indicators.
  • Job evaluation: Harmonise the criteria for “same or equivalent work”. Only objective, gender-neutral criteria (skills, responsibility, workload) protect against damages.

4. Anti-money laundering (AML): Harmonisation

Prepare for the “Single Rulebook” and AMLA supervision.

  • KYC update: Adapt customer identification to the new EU minimum standards of Regulation (EU) 2024/1624. National specifics must be replaced by the EU standard.
  • Cash block: Implement technical payment stops for amounts above €10,000 (or corresponding risk workflows for dealers in high-value goods).
  • Transaction monitoring: Upgrade software to AI-based pattern recognition to meet the upcoming AMLA technical standards (May/June 2026).
