The ECJ’s latest decision on corporate fines under the AML Directive – same same, but different?

The European Court of Justice (ECJ) has confirmed its direction of travel. Ever since its landmark “Deutsche Wohnen” ruling, which opened the door for direct corporate GDPR fines, the key question has been whether this principle would extend to other areas of EU law.
On 29 January 2026, we got a clear answer. 

The ECJ decided that corporate fines for violations of national laws implementing the EU’s Anti-Money-Laundering Directive (AMLD) can be imposed against a legal entity without requiring a prior attribution of misconduct by a natural person. This is a significant development, as it solidifies a major shift away from the traditional approach in member states like Germany and Austria, where corporate liability often hinged on individual wrongdoing. The ECJ’s decision is a continuation of its prior landmark “Deutsche Wohnen” ruling on GDPR corporate fines, expanding it to corporate fines under national laws implementing EU Directives. This has implications for the EU regulatory landscape as a whole. The ECJ’s broad considerations are expected to, for example, impact corporate fines under the EU’s NIS2 Directive (NIS2). Businesses that have not already adapted their defence strategies since “Deutsche Wohnen” must do so now. Below we analyse the ECJ’s case law and outline key strategic considerations for businesses.

The ECJ‘s decision in a nutshell 

As stated above, in certain EU member states, particularly Germany and Austria, corporate fines require establishing a natural person’s violation of a regulatory obligation, which is attributable to the legal entity. The case before the ECJ involved the Austrian Financial Market Authority fining an Austrian bank for alleged AML due diligence breaches. The fine decision named only the legal entity, conflicting with Austrian law’s requirements on identifying an attributable natural person’s misconduct.

The ECJ, contrary to the AG’s opinion, ruled that the AML Directive precludes an application of Austrian law, which, prior to imposing a fine on a legal entity, requires the identification of a natural person’s attributable misconduct. In the ECJ’s view, such an attribution requirement would risk weakening the effectiveness of the AMLD. The possibility to impose fines directly against members of management or other natural persons under the AMLD is, according to the ECJ, ancillary to the possibility of imposing a corporate fine. 

The ECJ’s ruling in light of the landmark decision in „Deutsche Wohnen“

The ECJ’s ruling partly reiterates its landmark “Deutsche Wohnen” decision, which had established that the imposition of corporate fines under the GDPR does not depend on attributing a natural person’s misconduct. The ECJ’s latest decision now transfers the direct attribution approach from “Deutsche Wohnen” to corporate fines imposed under member states’ national laws implementing EU Directives. 

Overall, the direct attribution approach applied by the ECJ does not constitute as much of a revolution as some, particularly regulators, like to claim. The ECJ’s approach signifies a shift from the person-centric approach under the German Law on Administrative Offences (OWiG). However, under Sec. 30, 130 OWiG, regulators have already imposed corporate fines for insufficient supervisory measures by members of management, without directly identifying specific employee misconduct. German law even allows for “anonymous” corporate fines (Sec. 30 (4) OWiG), where the specific natural person committing the violation is not identified.
Crucially, the “Deutsche Wohnen” decision clarified that there is no strict liability standard under the GDPR. As the GDPR requires DPAs to consider the “intentional or negligent character” of infringements, even a direct corporate fine must establish a legal entity’s intent or negligence. The ECJ’s AMLD decision does not depart from this reasoning. The ECJ did not rule on the liability standard, as the Austrian court’s request was limited to the question of attribution. The ECJ’s ruling must, however, be viewed in light of the distinction made between attribution and culpability in “Deutsche Wohnen”. The AMLD also requires fine decisions to consider “the degree of responsibility of the natural or legal person held responsible”. Even if a regulator can impose a direct corporate fine; establishing a legal entity’s intent or negligence without identifying a natural person’s misconduct remains a significant hurdle for regulators – a key strategic defence for businesses.

Key strategic considerations for businesses

Businesses must proactively consider their defence strategy ahead of potential fine proceedings. Here are key strategic considerations for businesses: 

• Organisational measures that effectively prevent violations of regulatory requirements, be it under the AMLD, GDPR or NIS2, remain key. Regulators must establish the legal entity’s intent or negligence, which can be countered by demonstrating a lack of organisational negligence.
• Businesses can actively build barriers against an allegation of organisational culpability by implementing internal policies, compliance with which should be subject to (documented) regular audits. In doing so, businesses can certainly adopt a risk-based approach: preventive measures can be proportional to the potential impact of violations. When determining the scope of necessary organisational measures, the minimal risk of a minor violation by an employee may be assessed differently than high-risk activities associated with significant repercussions.
• If a regulator intends to impose a corporate fine, the “Deutsche Wohnen” distinction between attribution and liability will be a key element in any business’s defence strategy. The regulator bears the burden of establishing the legal entity’s culpability.