Geopolitical tensions have had significant implications for multinational businesses, and 2025 will be no different. Regime change can lead to shifts in regulatory and enforcement practices, requiring monitoring and adaptation. Existing regimes can use existing law and enforcement priorities in new ways to drive foreign policy goals. Political instability or transition can increase the risk of corruption and other violations of law.
The second Trump administration in the U.S. may bring a significant shift in U.S. enforcement priorities. National security interests will remain central to the U.S. enforcement regime, with the targets of those interests potentially shifting away from Russia and towards China and other jurisdictions.
China’s broad view of national security continues to impact business operations of foreign companies operating in China:
- We are seeing more encounters with the Communist Party of China’s (CPC) disciplinary arm in anti-corruption matters involving foreign entities or foreign investors in the PRC.
- Revisions to the Chinese Counter-Espionage Law and the introduction of the Safeguarding National Security Ordinance in Hong Kong highlight the growing emphasis on national security in the region. These laws impose stringent requirements on data transmission, information collection, and corporate compliance, requiring delicate navigation by multinational businesses during an internal or external investigation. Areas under enhanced scrutiny have included agriculture, supply chain due diligence in sensitive regions, artificial intelligence, and electronic vehicles.
- New locality-specific counter-espionage rules have also been issued, so there may be local as well as national rules to consider.
- China has also started to publicly challenge the trading decisions of foreign-owned companies under its anti-sanctions laws, including its ‘unreliable entity’ mechanism. This can lead to a company being listed on the ‘unreliable entity list’ which, while not criminal enforcement per se, can disrupt dealings in China.
In Poland, regime change in 2023 has directly resulted in large state-owned enterprises facing increased corruption enforcement. There are over 500 state-owned enterprises in Poland, many of which are the largest business in their sector. The new investigations are often implicating private businesses in alleged fraud and corruption.
Changes to the rules in many jurisdictions on supply chain due diligence, and approaches to enforcement, can also be viewed through a geopolitical lens. See our article on ESG enforcement risk.
Misleading cybersecurity statements enforcement
State-sponsored cyberattacks are another hallmark of the current geopolitical environment. In addition to the obvious data privacy breaches that may result, we have seen regulatory bodies scrutinizing the adequacy of companies' cybersecurity reporting. In 2024, the U.S. SEC charged and fined four public companies with making materially misleading disclosures regarding cybersecurity risks and intrusions in the aftermath of the compromise of SolarWinds’ Orion software. The four companies were using Orion at the time of the SolarWinds cyberattacks.
The A&O Shearman White-Collar Crime & Investigations Review 2025 reveals several jurisdictions tightening rules on cybersecurity, e.g., Australia's Cyber Security Act 2024 introduces mandatory ransomware and cyber extortion reporting obligations and the UAE's regulatory bodies have a new emphasis on cyber resilience through comprehensive reviews and enforcement actions. This is an area where law and practice are evolving fast.
Sanctions - a foreign policy tool and white-collar crime risk
In 2025, sanctions enforcement is expected to focus on several key themes. Aside from Russia, we expect to see enhanced scrutiny of digital currencies and blockchain technology, as enforcement authorities aim to prevent their misuse for evading sanctions. There will be continued emphasis on thematic sanctions regimes targeting human rights abuses, corruption, and cybersecurity.
The EU has been actively updating and expanding its sanctions regime in relation to Russia and is encouraging increased sanctions enforcement amongst Member States, including a new ‘best efforts’ requirement introduced to require EU businesses to keep their foreign subsidiaries compliant with EU sanctions. Although there remains a lack of harmonization in the EU on criminal enforcement resources and approach, a new Sanctions Directive adopted in 2024,[1] with implementation in national laws due by May 2025, should remedy this. The Directive defines sanctions offences, how corporate liability is triggered, and penalties for breach. Companies in scope will need to enhance their compliance programs to address these changes, particularly in high-risk sectors such as finance and technology. Many businesses, particularly those with existing exposure to U.S. or UK sanctions regimes, may already have sufficient compliance measures in place.
For enforcement authorities, advanced technologies and data analytics tools are expected to play a pivotal role in detecting and preventing sanctions violations. We expect coordination and intelligence sharing to continue, including with respect to sanctions targets and licensing decisions.
There remains a high degree of cooperation between many enforcement authorities around the world. Mutual legal assistance treaties are being increasingly upgraded to direct access agreements for electronic data – allowing the criminal authorities in one country to obtain data directly from service providers in another country, e.g., the EU E-Evidence regulation (in force 2026) and the UK/U.S. Direct Access agreement (in force now).
Key take-aways
- Businesses will need to consider the commercial, legal and enforcement context to adopt a sensible path through these national security driven and often conflicting requirements.
- Engaging with external experts, particularly with deep local knowledge, is invaluable in managing risk and navigating a sensitive and sensible course should an issue arise.
- Adopt a proactive approach to managing geopolitical risks. This includes conducting regular risk assessments and staying abreast of regulatory and political developments across jurisdictions that are key to the organization.
- Those in compliance need to have good communication with business operations, to properly assess risk. Does compliance know, for example, where the business is planning to expand operations or invest?
- Businesses should ensure they have strong whistleblower policies in place to encourage internal reporting of sanctions issues.
- Ensure that the business is well-prepared for potential investigations. This includes maintaining accurate and comprehensive records and data maps. Being prepared to respond promptly and effectively to inquiries can help mitigate the impact of potential enforcement actions.
The white-collar crime and investigations lawyers at A&O Shearman can help navigate complex geopolitical considerations. Please contact the author(s) of this article or your normal contact.
This article is part of the A&O Shearman Cross-border White-Collar Crime and Investigations Review 2025.
Footnotes
1. Directive (EU) 2024/1226