A new era of criminal liability for environmental harm
The transposition deadline for Directive (EU) 2024/1203 on the protection of the environment through criminal law expired on 21 May 2026. From that moment, Member States were legally bound to have national legislation in force that criminalises a much broader range of environmental conduct, raises sanctions to unprecedented levels, and exposes company directors to personal criminal liability. Spain and most other Member States missed the deadline, which means the European Commission can already open infringement procedures and, in some cases, the directive’s provisions may produce direct effect against the state.
For sustainability and compliance teams, this is not a routine update. The directive transforms environmental risk from a fine line in the operational risk register into a board-level matter, with potential prison sentences for executives and fines that can wipe out a year of operating margin.
What changes with Directive 2024/1203
The directive replaces the 2008 framework and substantially expands what qualifies as an environmental crime under EU law. The catalogue of offences grows from 9 to 20 categories, including conduct that until now sat in administrative grey zones.
Among the newly criminalised behaviours are:
- Serious breaches of EU chemicals legislation, including illegal handling of mercury, fluorinated gases and ozone-depleting substances
- Illegal ship recycling and discharges from ships
- Illegal water abstraction causing substantial damage
- Serious breaches of the EU Timber Regulation and the new Deforestation Regulation
- Trade in invasive alien species
- Pollution caused by ships in breach of MARPOL standards
- Conduct causing destruction or widespread, substantial and irreversible damage to an ecosystem, comparable to ecocide
Crucially, the directive introduces a “qualified offence” category for conduct that causes destruction or widespread and substantial damage that is either irreversible or long-lasting to an ecosystem of considerable size or environmental value, or to a habitat within a protected site, or to the quality of air, soil or water. This is the closest the EU has come to recognising ecocide in binding law.
Penalties that change the risk calculus
The headline figures are designed to deter, and they do.
For natural persons, including executives and managers, the directive sets maximum imprisonment sentences of:
- At least 10 years for qualified offences and for offences that cause death
- At least 8 years for offences that cause serious injury or substantial damage
- At least 5 years for most intentional offences
- At least 3 years for the remaining offences
For legal persons, fines must reach at least:
- 5% of total worldwide turnover, or 40 million euros, for the most serious offences
- 3% of total worldwide turnover, or 24 million euros, for the remaining offences
Member States can choose between turnover-based or fixed amounts, but they must adopt one of the two, and they are free to go higher. To put 3% in perspective: a company with one billion euros in global revenue could face a single fine of 30 million euros, before reputational damage, civil claims and remediation costs are added.
Beyond fines, the directive lists additional sanctions that national law must make available: exclusion from public funding and tenders, withdrawal of permits, judicial winding-up, obligation to restore the environment, and publication of the judicial decision. These accessory measures are often more damaging than the fine itself.
Personal liability for directors and senior managers
The directive expects Member States to ensure that legal persons can be held liable when offences are committed for their benefit by anyone exercising a leading position, and also when a lack of supervision or control by such a person made the offence possible.
In practice, this means that a director who fails to put in place adequate environmental due diligence, monitoring of emissions, or supply chain controls can be prosecuted personally, even if the harmful act was carried out by an employee or a supplier. The directive also requires Member States to recognise aggravating circumstances when offences are committed in the framework of a criminal organisation, when public officials abuse their position, or when the offence generates substantial financial benefits.
For boards, the message is clear: environmental compliance is no longer something that can be delegated to a single ESG manager and forgotten. It is a fiduciary duty.
The transposition gap: Spain and the rest
By 21 May 2026, Member States were required to bring into force the laws, regulations and administrative provisions necessary to comply with the directive. Spain has not yet adopted the required reform of the Penal Code’s environmental chapter, and most Member States are in a similar position. The Commission has signalled that it will not be patient with delays on this file.
Until national transposition is complete, companies operating across the EU face a fragmented landscape. Some Member States will apply the new framework before others, and groups with cross-border operations should expect divergent enforcement intensity during the transition.
This uncertainty is itself a risk. Prosecutors in countries that have transposed quickly may use the new tools aggressively to set precedents, and the directive expressly allows Member States to apply the rules to conduct that continues after the transposition date, even if it started earlier.
What companies should do now
Three priorities deserve immediate attention from sustainability, legal and operations teams.
First, map the offences against your operations. Review where the company handles substances, waste, water, biodiversity-sensitive sites or supply chains that touch deforestation-risk commodities. The new offence list is broader than most internal risk maps reflect.
Second, strengthen evidence trails. Criminal proceedings turn on what can be documented. Automated, auditable environmental data, including emissions, discharges, waste flows and supplier declarations, is now a legal defence asset, not just a reporting input. Dcycle’s automated data collection helps companies build the kind of traceable, time-stamped evidence base that prosecutors, regulators and courts now expect.
Third, escalate environmental risk to the board. Update the risk register, review D&O insurance coverage in light of personal criminal liability, and integrate environmental crime exposure into the double materiality assessment and the carbon footprint roadmap.
The directive does not change what good environmental management looks like. It changes what happens when management is absent. Companies that have already invested in robust data, controls and supplier oversight have little to fear. Those that have not now have a clear, criminally enforceable deadline to catch up.
Ready to turn environmental compliance into a defensible, auditable system? Request a demo and see how Dcycle helps companies stay ahead of EU environmental law.