If you still think sanctions are just a list of names in a dusty Excel file, 2026 is going to be a shock. Take the case of one of Britain’s top law firms. In March 2025, Herbert Smith Freehills was slapped with a £465,000 fine by the Office of Financial Sanctions Implementation (OFSI) after its former Moscow arm made nearly £4 million in payments to sanctioned Russian banks during its wind-down.
Just ten years ago, sanctions compliance felt like a niche legal issue, with simple items of paperwork handled in a small corner of the back office. Fast-forward to now and it’s front-page news, with board-room reputations at stake. This isn’t another “know your customer and update your policy” article; it’s about the forces reshaping sanctions governance, risk and compliance across the EU and UK, and how firms will need to reinvent their approach in the months ahead.
Fewer surprises, tougher consequences
In 2026 the trend will no longer be ever-larger sanctions packages, but smarter, more aggressively enforced ones and, increasingly, strong consequences for those who fail to comply with earlier measures.
In the European Union, focus remains firmly on circumvention and on third-country intermediaries. Its most recent Russia-related sanctions rounds have homed in on vessels in Russia’s “shadow fleet,” third-country shipping channels, and entities in China and Hong Kong helping Russia bypass restrictions. For instance, tankers registered under third-country flags, once a common way to skirt sanctions, now face port bans and asset freezes. Some export contracts now embed “No Russia” clauses, obliging firms to prevent re-export of sensitive goods into Russia, even via third countries.
In the UK, the creation of the Office of Trade Sanctions Implementation (OTSI), in addition to OFSI, has reshaped enforcement. Since its 2024 inception, OTSI has gained sweeping civil-penalty powers for trade-sanctions breaches, regardless of intent. Recent OFSI enforcement actions, including the fine for Herbert Smith Freehills mentioned above, underscore this shift.
The real surprise in 2026 may not be a new sanctions package, but who gets hit. It may be not just direct targets, but also third-party intermediaries, service providers, financial institutions and shipping brokers. Compliance lapses with old sanctions are now costly.
Sanctions meet financial crime
Sanctions compliance in Europe is now converging with broader anti-money-laundering (AML) and financial-crime controls, driven above all by the new EU Anti-Money Laundering Authority (AMLA), which will directly supervise high-risk cross-border banks, payments firms and selected crypto-asset service providers later in the decade. The Commission’s launch announcement confirms AMLA’s mandate to coordinate and enforce consistent AML standards across the bloc. This shift aligns with the EU’s new AML Regulation and related directives, which together form a single AML rulebook applying from 2027 and harmonise customer-due-diligence, beneficial-ownership and reporting requirements. This uniform supervision will narrow loopholes exploited by criminals and sanctions evaders.
Although sanctions remain legally distinct, regulators increasingly expect firms to treat sanctions exposure, AML, terrorist financing and circumvention as one integrated financial-crime framework. A payments firm found facilitating crypto-based circumvention, for example, may face both sanctions penalties and AMLA-driven supervisory action.
Crypto risk sits at the centre of this convergence. AMLA and the European Banking Authority flag crypto assets as major money-laundering and terrorist-financing threats, citing anonymity and cross-border portability. By 2026, a sanctions officer in the EU will resemble a financial-crime architect, blending sanctions expertise with AML, fraud, on-chain analytics and Virtual Asset Service Provider (VASP) oversight.
Sanctions + ESG + supply chains
By 2026, sanctions are no longer just a legal compliance box, but are fast becoming a core part of environmental, social and governance (ESG) and supply-chain due diligence. Under the Corporate Sustainability Due Diligence Directive (CSDDD) and the Corporate Sustainability Reporting Directive (CSRD), large companies must identify human-rights, environmental and governance risks in their value chains. That, in practice, includes suppliers or counterparties flagged on sanctions lists or operating in high-risk jurisdictions.
Take the familiar “No Russia” clause that many EU export contracts now embed. What began as a sanctions compliance tool has morphed, in boardrooms at least, into a supply-chain governance provision, treated as a red flag in ESG or procurement policy reviews.
By 2026, forward-looking GRC teams are expected to track “sanctionability”, the risk that a counterparty might become sanctioned at short notice, much as they track environmental or labour risks. That risk may factor into procurement scores, pricing calculations, or even mergers and acquisitions (M&A) valuations. In short: in 2026, sanctions aren’t just a compliance red line; they’re another line on your ESG dashboard.
Technology, AI and the GRC skills crunch
Sanctions compliance is now being reshaped by AI systems that go far beyond static list-checking. Banks and logistics platforms increasingly use behaviour-based models to spot evasion (for example, unusual routing of dual-use goods through high-risk hubs) and network analytics that map beneficial-ownership webs across multiple jurisdictions. The European Banking Authority (EBA) has already highlighted the need for advanced analytics to detect complex financial-crime patterns.
Regulators, meanwhile, are raising the bar. Both AMLA and UK supervisors, including the Financial Conduct Authority (FCA), stress model governance, data quality and the ability to explain automated decisions. In practice, firms will need to document why an alert was cleared, not just that the system said it was low-risk.
The real crunch, however, is talent. GRC teams now need people who understand sanctions law, data engineering and AI tooling, a combination that remains rare. Several global banks have already created hybrid roles blending compliance and analytics, echoing a shift seen in tech-forward risk teams. In 2026, the biggest sanctions risk may not be the algorithm, but the fact that nobody on the team truly understands how it works.
Accountability
Sanctions enforcement in the UK is now being shaped by a wider shift towards corporate criminal liability. The Economic Crime and Corporate Transparency Act 2023 introduces a “failure to prevent fraud” offence for large organisations from 1 September 2025, carrying unlimited fines. Although fraud-focused, government guidance stresses integrated risk assessments, strong controls and an ethical culture. These are all principles that overlap directly with sanctions and AML.
This sits alongside broader reforms expanding how corporate misconduct is attributed to companies. The UK’s new “senior manager” test makes it easier to hold firms criminally liable where decision-makers were aware of, or enabled, wrongdoing, including for foreign companies with UK operations. Reuters notes prosecutors now have greater scope to pursue large multinationals for economic-crime breaches.
For GRC leaders, the message is simple: treat sanctions failures as if they were already a “failure to prevent” offence, because enforcement logic is clearly heading in that direction.
What “good” GRC will look like in 2026
A high-performing sanctions GRC function in 2026 looks far more integrated than it has in the past. Sanctions, AML, fraud and ESG teams operate from a single risk map, sharing data through a unified platform, a direction encouraged by EU supervisory reforms. Contracting teams routinely drop in no-circumvention clauses and assess suppliers against both sanctions exposure and sustainability risks.
AI-driven monitoring tools highlight unusual trade routes or ownership links, but a cross-functional panel, with legal, risk and data specialists, decides how to handle borderline cases and oversees model governance. Each quarter, the board receives a “sanctions resilience” dashboard tracking exposure to high-risk sectors, time-to-detect and time-to-exit metrics, and considers training coverage across senior managers and front-line staff.
By 2026, the organisations that treat sanctions as a strategic design problem, not a regulatory irritation, will be the ones still doing business where it matters.
And what about you…?
- What aspects of sanctions compliance (screening, monitoring, reporting, supplier due diligence, etc.) do you think will require the most attention or investment in your organisation over the next year?
- What emerging technologies or tools (AI, automation, advanced analytics) do you believe could most improve your sanctions compliance practice, and what concerns do you have about adopting them?



