EU Sanctions DD RPT.3: Non-EU Subsidiary Compliance Oversight

What This Control Requires

For EU parent companies with non-EU subsidiaries: is there a mechanism to ensure subsidiaries do not undermine EU sanctions?

In Plain Language

EU parent companies have a 'best efforts' obligation to ensure their non-EU subsidiaries do not undermine EU sanctions. This requirement comes from the EU Best Practices for Restrictive Measures (July 2024) and is directly relevant when a group has operations in or through non-EU jurisdictions.

This is particularly important for companies with subsidiaries in circumvention-hub jurisdictions like the UAE, Turkey, or Central Asian countries. A non-EU subsidiary that continues trading with sanctioned parties effectively makes the EU parent company complicit in sanctions circumvention.

The 'best efforts' standard means you must take all reasonable steps within your power. It does not require guaranteeing subsidiary compliance (which may be impossible in some jurisdictions), but it does require demonstrating that you tried.

How to Implement

If you are an EU entity with subsidiaries or controlled entities outside the EU, implement the following measures:

1. Extend your sanctions compliance programme to all subsidiaries with binding internal policies that require compliance with EU sanctions regardless of local law.

2. Require subsidiaries to screen against the EU Consolidated List (sanctionsmap.eu) in addition to any local sanctions lists.

3. Include sanctions compliance obligations in intercompany agreements, with the right to audit and terminate for non-compliance.

4. Conduct periodic compliance audits of subsidiaries, especially those in circumvention-hub jurisdictions (UAE, Turkey, Central Asia, China/HK).

5. Maintain oversight over subsidiary customer relationships, with a requirement to report new high-risk customers or transactions to the parent compliance function.

6. Provide training to subsidiary staff on EU sanctions requirements and the parent company's compliance expectations.

7. Require subsidiaries to report any sanctions screening matches or red flags to the parent company within 24 hours.

Document all 'best efforts' measures comprehensively. If a subsidiary cannot be brought into compliance (e.g., due to local blocking statutes), assess whether continued ownership creates unacceptable legal exposure for the EU parent and seek legal advice.

In M&A due diligence, assess the target's non-EU subsidiary compliance structures. Weak or non-existent subsidiary oversight is a material risk finding.

Evidence Your Auditor Will Request

  • Group sanctions compliance policy extending to all non-EU subsidiaries
  • Intercompany agreements including sanctions compliance obligations and audit rights
  • Periodic audit records of subsidiary sanctions compliance
  • Subsidiary screening records showing use of EU Consolidated List
  • Training records for subsidiary staff on EU sanctions requirements

Common Mistakes

  • No group-level sanctions policy extending to non-EU subsidiaries
  • Subsidiaries operating independently without parent company sanctions oversight
  • No periodic compliance audits of non-EU subsidiary operations
  • Subsidiaries in circumvention-hub jurisdictions not subject to enhanced monitoring
  • Intercompany agreements silent on sanctions compliance obligations

Related Controls Across Frameworks

Framework       | Control ID                              | Relationship
EU Sanctions DD | EU Sanctions DD RPT.1 (related mapping) | Related
EU Sanctions DD | EU Sanctions DD PROG.1 (related mapping) | Related
EU Sanctions DD | EU Sanctions DD GEO.2 (related mapping) | Related

Frequently Asked Questions

What does 'best efforts' mean in practice?
Best efforts means taking all steps that are reasonably within your power as a parent company to ensure subsidiary compliance. This includes: issuing binding group policies, providing training, conducting audits, including sanctions clauses in intercompany agreements, and maintaining oversight over subsidiary commercial activities. It does not require achieving guaranteed compliance (which may be impossible where local law conflicts), but it does require demonstrating a systematic, documented effort.

What if local law in the subsidiary's jurisdiction conflicts with EU sanctions?
Some non-EU jurisdictions have 'blocking statutes' that prohibit compliance with foreign sanctions. In these cases, the EU parent faces a genuine legal conflict. Seek specialised legal advice on structuring operations to minimise conflict. Options may include: ring-fencing the subsidiary's operations, restructuring ownership, or in extreme cases, divesting. Document the conflict and your analysis - demonstrating that you identified the issue and took legal advice is part of 'best efforts.'

How does this apply to minority-owned subsidiaries?
The obligation scales with control. For majority-owned subsidiaries, you should be able to impose compliance requirements through corporate governance. For minority-owned entities, your influence is more limited but you should still exercise whatever rights you have: board representation, shareholder agreements, and contractual provisions. Document the steps taken and the limitations encountered. If a minority-owned entity is engaged in sanctions circumvention and you cannot influence its behaviour, consider whether continued investment is appropriate.
