The 13th EU sanctions package: How should businesses adapt?

How can companies keep pace with updates to complex sanctions regimes, without overstretching limited resources? As the implications of the EU’s 13th sanctions package against Russia grow clearer, Christian Kellner, Senior Product Director for Risk and Finance at Dun & Bradstreet, explores how the solutions start, and end, with data.

As sanctions are regularly adjusted in response to geopolitical events, having responsive systems in place makes all the difference in minimising pressure on compliance teams. While every version of a sanctions package may contain the same basic ingredients – blacklists of entities or specific goods – even small changes can make it challenging to maintain accurate records or embed the requisite operational adjustments.

Regulatory change presents organisations with a conundrum. Striking a balance between adhering to stringent compliance standards and managing resources efficiently is crucial in this context.

The European Union's (EU) recently unveiled 13th sanctions package against Russia, a response to the invasion of Ukraine, is a case in point, and also illustrates how data is key to getting this delicate balance right.

When change is constant

Data and automation are especially pertinent in the case of sanctions against Russia, which have been subject to continuous updates since the conflict in Ukraine erupted in 2022. The 13th sanctions package aims to further limit Russia’s access to a range of high-tech military equipment and components, especially drones, as well as the ability of third countries to circumvent restrictions and redirect sanctioned goods to Russia.

Key points of EU’s 13th Sanctions Package

  • Focuses on preventing Russia from acquiring drone technologies
  • Adds 194 designations, including companies and individuals, bringing the total to over 2,000
  • Lists new entities from Russia, China, India, Serbia and Turkey, including firms involved in parallel imports of prohibited goods
  • Extends list of sensitive goods that should not be re-exported to Russia to components such as electric transformers, static converters and aluminium capacitors
  • Adds UK to list of partner countries restricting iron and steel imports from Russia, or originating in Russia and processed via third countries

Compliance upgraded

As targeted as the package attempts to be, it will add to the burden on already strained compliance teams, and highlights the crucial role data needs to play in making their approaches more tactical and future-proof.

Businesses are starting to recognise the value of data-driven strategies in navigating evolving regulatory demands. In Dun & Bradstreet’s latest Business Resilience survey report, three-quarters of the global business leaders polled said they were using data to help keep their businesses compliant. In the sanctions context, data can be applied in three key ways:

1. Assessing interconnectedness

First, as the 13th sanctions package targets additional businesses and individuals, companies will have to be more proactive and forward-thinking in evaluating all layers of their business relationships. Quality data can build an understanding of how business partners and intermediaries are related by ownership, the roles of key executives or other factors, making it harder for any entity to disguise its identity or associations. This enables companies to anticipate problematic developments and prepare accordingly.

2. Leveraging automation through standardisation and Perpetual KYC

Automation harnesses data to facilitate faster decision-making and minimises the likelihood of sanctions violations. This is made possible by incorporating more comprehensive data sets from trusted third-party sources, and adopting advanced processes such as Perpetual KYC (P-KYC), based on standardised policies. P-KYC trades periodic reviews for more consistent automated monitoring that ensures that problematic entities and individuals are flagged on an ongoing basis, as crucial details change.

P-KYC is not only less time-consuming and resource-intensive than yearly reviews; Dun & Bradstreet research shows that incorporating richer and more comprehensive data sets can also substantially reduce instances of resource-draining false positive remediation.

3. Expanding the scope of scrutiny

Third, employing data to broaden the scope of analysis and identify and scrutinise larger networks gives businesses a more holistic view of the customers and suppliers they transact with. Sophisticated systems can, for example, alert businesses to potential circumvention activities if a company in their network suddenly begins engaging heavily in trade with Russia, either directly or via markets or entities known to play an intermediary role with elevated risk. Such capabilities enable businesses to rapidly fine-tune risk management strategies, and reassess relationships and patterns of activity when these run up against red lines.

By leveraging data, enhancing vigilance through automation, and scrutinising larger networks, businesses can effectively navigate regulatory challenges and make smart decisions that maintain compliance integrity and resilience.

Developments like the 13th sanctions package demonstrate that as the regulatory landscape shifts, compliance teams will need to be even more proactive and innovative. The good news is data-driven strategies and solutions are evolving in tandem, ensuring continued resilience for businesses in the process.

An example is D&B Risk Analytics Compliance Intelligence, an automated, always-on risk engine for third-party compliance. The platform is configured according to a company’s specific risk policy and regulatory obligations. It then scans all third parties against relevant watch lists and sanction lists – as well as other criteria a company may wish to assess such as ESG performance, adverse media coverage, or legal events. This assessment is then applied against the company’s risk policy to determine whether they can be onboarded directly or whether further investigation is required. It also monitors for any ongoing changes to third-party compliance status or regulatory requirements. If a change is detected that puts a third party outside the parameters of the company’s risk policy, an automated alert is triggered to carry out further investigation.

By tackling complex processes at scale, innovations like these are paving the way for more proactive risk mitigation, and strengthening the link between data and strategic decision-making.



Accelerate your third-party compliance and evolve to Perpetual KYC with D&B Risk Analytics Compliance Intelligence. By defining your policy in our highly configurable risk engine, you can automate your onboarding, accelerate your due diligence workflows, and focus on what really matters. This enables you to increase your compliance effectiveness while reducing your costs and workload. It’s also the foundation for always-on compliance monitoring and Perpetual KYC. By combining our unrivalled ability to identify hidden ownership structures – with over 100 watch lists and sanction lists worldwide – you gain deeper insight and the ability to proactively mitigate risk.