EU Sanctions DD GEO.1: Sanctioned Territory Exposure Mapping
What This Control Requires
Does the business involve any operations, customers, or shipments in or through sanctioned territories?
In Plain Language
Direct exposure to sanctioned territories is the most basic geographic red flag in EU sanctions compliance. The EU maintains restrictive measures against multiple countries and territories, each with different scope and prohibitions.
The key sanctioned territories under current EU measures include Russia, Belarus, Crimea, Donetsk, Luhansk, Iran, Syria, North Korea, and Myanmar. The full list with applicable measures is maintained on the EU Sanctions Map.
Exposure is not limited to selling goods to these territories. It includes any nexus: operations based there, customers or suppliers located there, shipments transiting through, payment routing via banks in those jurisdictions, server locations for digital services, and even employees working from sanctioned territories.
How to Implement
Create a complete map of all jurisdictions where you or your counterparties operate, ship, deliver, or process payments. Check each against the EU Sanctions Map (sanctionsmap.eu) for applicable restrictive measures.
Jurisdictional touchpoints to map: 1. Country of incorporation of all counterparties and their group companies 2. Operational bases - offices, warehouses, factories, data centres 3. Delivery destinations for goods and services 4. Transit and transshipment routes (ports, airports, overland crossings) 5. Payment routing - which banks and correspondent banks are in the chain 6. Server and data centre locations (for digital services and SaaS) 7. Employee and contractor locations 8. IP addresses and user locations for software products
Any nexus with a sanctioned territory requires immediate legal review to determine which specific prohibitions apply and whether any exemptions, derogations, or wind-down periods are available.
For M&A targets, map the target's entire geographic footprint including customer and supplier locations. Inherited sanctions exposure can be a deal-breaker or require significant remediation.
Evidence Your Auditor Will Request
- Complete geographic footprint map covering all jurisdictional touchpoints
- Cross-reference of all jurisdictions against EU Sanctions Map programmes
- Legal analysis of any identified sanctioned territory exposure
- Assessment of exemptions, derogations, or licences applicable to any ongoing exposure
- Remediation plan for any identified sanctions territory nexus
Common Mistakes
- Mapping only direct trade destinations without considering transit, routing, and service delivery points
- Ignoring digital exposure - server locations, user access from sanctioned territories for SaaS
- Not checking the full supply chain for sanctioned territory touchpoints
- Treating sanctions as applying only to goods exports while ignoring services and technology transfer
- Using an incomplete list of sanctioned territories - not checking all EU programmes
Related Controls Across Frameworks
| Framework | Control ID | Relationship |
|---|---|---|
| EU Sanctions DD | EU Sanctions DD GEO.2 (related mapping) | Related |
| EU Sanctions DD | EU Sanctions DD WHO.6 (related mapping) | Related |
| EU Sanctions DD | EU Sanctions DD WHAT.1 (related mapping) | Related |
Frequently Asked Questions
What is the difference between comprehensive and targeted sanctions?
Does providing SaaS to users in sanctioned territories violate EU sanctions?
What about transit through sanctioned territories?
Track EU Sanctions DD compliance in one place
AuditFront helps you manage every EU Sanctions DD control, collect evidence, and stay audit-ready.
Start Free Assessment