An Interactive Briefing U.S. Sanctions for Germany & the Baltic States

The U.S. Sanctions Landscape

Five federal authorities, dozens of programs, one operative question for every European company: does this transaction touch the United States — and would it pass through OFAC if it did?

Interactive edition · v1 Companion to The EU Sanctions Landscape Reading time · 18 min For DE / EE / LV / LT operators
0
Federal authorities · OFAC · BIS · DDTC · DOJ · FinCEN
0%
OFAC ownership rule — direct, indirect, or aggregated
0
BIS Common High Priority List items · Russia diversion
$0
BIS max administrative penalty per violation · 2025
0 yrs
Maximum custodial sentence under ECRA
0 yrs
OFAC recordkeeping window — extended from five
§ 01 — The Argument

Five authorities, one perimeter.

Click any agency below to read what it requires of a German or Baltic operator. The U.S. sanctions architecture is plural — Treasury freezes, Commerce classifies, State licenses defense items, Justice prosecutes, Treasury's FIU watches the financial flows.

A company in Germany, Estonia, Latvia, or Lithuania does not automatically owe direct compliance with every U.S. sanctions rule in every purely European transaction. U.S. law becomes mandatory the moment there is a U.S. nexus — a U.S. person, a U.S. affiliate, a U.S. bank, USD clearing, U.S.-origin goods, U.S. software, U.S. technology, U.S. cloud services, U.S. financing, or re-export of items subject to U.S. export control.

U.S. federal authorities — what each one expects from you ▸ click any agency
OFAC DepartmentTreasury Instrument31 CFR Ch. V Penalty (civil)Strict liability

Office of Foreign Assets Control

OFAC administers U.S. economic and trade sanctions. For an EU operator, the core duties are: screen counterparties, beneficial owners, vessels, banks, intermediaries and end users against the SDN list; apply the 50-percent rule, including aggregated ownership by multiple blocked persons; block or reject prohibited transactions; report blocked and rejected property; and retain records for ten years.

SDN LIST50% RULEBLOCK · REJECT10-YEAR RECORDSSTRICT LIABILITY
"U.S. persons must comply with OFAC regulations wherever located; non-U.S. persons may not cause or conspire to cause a U.S. person to violate U.S. sanctions, nor evade them." — OFAC, on the reach of U.S. economic sanctions
§ 02 — Jurisdictional Scope

U.S. sanctions reach the EU through five doors.

A German or Baltic company is not "covered" by U.S. sanctions in the abstract. It is covered when one of these triggers fires.

The first compliance question is jurisdictional. U.S. measures bind a non-U.S. company where the transaction touches U.S. jurisdiction — and a transaction can touch it through paperwork, a bank, an employee, a piece of code, or a single screw of U.S.-origin content above the de minimis threshold. The five doors below cover virtually every realistic exposure.

Secondary sanctions are the harder case. They can reach non-U.S. persons for "significant transactions" with sanctioned persons, sectors or activities — most actively today against Russia, Iran and North Korea, and against foreign financial institutions supporting Russia's military-industrial base under Executive Order 14024. There is no direct U.S. nexus required for a secondary-sanctions designation; only commercial gravity and political will.

§ 03 — Core Duties

Four duties, ordered by severity.

Tap a duty to read its scope and the operational triggers that should make it bite. OFAC enforces civil violations on a strict-liability basis — knowledge and intent are not required.

Screen everyone, every time.

Counterparties, beneficial owners, directors, vessels, ports, freight forwarders, banks, agents, insurers, end users — all of them, against OFAC's SDN List, BIS's Entity / DPL / UVL / MEU lists, and the U.S. Consolidated Screening List. Exact-name matching is not enough: transliteration, aliases, local-language variants, ownership chains and address overlap all matter.

Re-screen at every touch point — onboarding, order, shipment, payment, contract renewal — and on every list update.

Triggers — screening must run
  • New customer, supplier, agent, distributor
  • New shipping party, vessel, port, forwarder
  • List update from OFAC, BIS, EU, UN, UK
  • Ownership or address change at counterparty
  • Contract renewal or scope expansion

The 50-percent rule.

Entities owned 50 percent or more — directly or indirectly, individually or in the aggregate, by one or more blocked persons — are themselves treated as blocked, even if they are not separately listed. October 2025: OFAC designated Rosneft and Lukoil under E.O. 14024 and clarified that any entity owned 50%+ by them is blocked by operation of the rule.

Sham divestments, recent ownership reshuffles, nominee directors and relatives of sanctioned persons all require sceptical review. Control without majority ownership can also matter.

Triggers — apply ownership analysis
  • Counterparty linked to a designated person
  • Recent divestment by a sanctioned shareholder
  • Nominee directors or opaque shareholding
  • Aggregated stakes across multiple SDNs
  • Russia/Iran/Venezuela ownership trail

Block, reject, report.

Blocking means freezing property and interests in property of a sanctioned party. Rejection means declining to process a prohibited transaction that does not involve blockable property. Both must be reported to OFAC — generally within 10 business days, with annual blocked-property reports thereafter, via OFAC's Reporting System.

Civil enforcement is strict-liability: a violation can be penalized even without knowledge or intent. An effective sanctions compliance program is a recognized mitigating factor.

Triggers — report obligation
  • SDN match in counterparty, UBO, vessel or bank
  • Funds blocked at onboarding or in flight
  • Rejected transaction touching U.S. jurisdiction
  • License question — general or specific
  • Annual blocked-property reporting cycle

Ten years of evidence.

OFAC has extended sanctions recordkeeping from five to ten years, consistent with the extended statute of limitations under IEEPA. Maintain the per-transaction file: counterparty data, screening results, ownership analysis, classification, end-use review, U.S.-nexus analysis, contract clauses, approval and approver, and any post-shipment monitoring.

Records must survive M&A, ERP migrations, distributor turnover, and personnel changes. The audit trail is the program.

Triggers — preserve evidence
  • Every screened transaction · 10-year retention
  • Override or release decisions — named approver
  • License applications & correspondence
  • Disclosed or self-disclosed violations
  • Distributor and end-user certificates
§ 04 — Operational Risk Surfaces

Seven surfaces, one programme.

Click each row to expand. Every commercial function carries a sanctions surface — onboarding, master data, shipping, payments, M&A, distributors, and people inside the company.

01
Counterparties & ownership
SDN · 50-percent rule
+

Customers, suppliers, banks, agents, freight forwarders, insurers, beneficial owners, directors, vessels, ports, end users. Apply the 50-percent rule, including aggregated ownership by multiple blocked persons. Don't rely on exact-name matching — transliterations, aliases, local-language names, ownership chains and address matches all carry weight.

SDN ListUBO chainsAliasesAddress overlapAggregated ownershipSham divestments
02
Goods, software & technology
EAR · ITAR · CHPL
+

Identify whether products, components, spare parts, software, technology, drawings, cloud services or technical support are U.S.-origin, contain U.S.-origin controlled content, are subject to the EAR (including via de minimis or foreign direct product rules), or are ITAR-controlled. Russia and Belarus are particularly hot — BIS controls are broad and CHPL items are actively targeted for diversion.

ECCN classificationEAR99De minimisFDPRITAR · USMLCHPL — 50 lines
03
Payments & banks
USD · correspondents · SWIFT
+

USD payments, U.S. correspondent banks, U.S. clearing, U.S. payment processors, U.S. credit cards, U.S. insurers and U.S.-based platforms can each create a U.S. nexus. For Russia-related business, foreign financial institutions can face sanctions risk for significant transactions involving Russia's military-industrial base or persons blocked under E.O. 14024.

USD clearingCHIPS · FedwireU.S. correspondentsFFI riskE.O. 14024
04
Logistics & routing
17 jurisdictions
+

Watch transshipment through Türkiye, UAE, Kazakhstan, Armenia, Kyrgyzstan, Serbia, Hong Kong, mainland China, India, Thailand and other jurisdictions repeatedly named in evasion cases. Treasury has sanctioned procurement networks across 17 jurisdictions for supporting Russia's acquisition of critical technology and manufacturing components.

Türkiye · UAECentral AsiaHK · PRCVessel screeningForwarder DD
05
Distributors & sales agents
Indirect channels
+

An EU seller can still face U.S. export-control or sanctions risk if a distributor resells to a prohibited end user, conceals Russia/Iran/Syria/Cuba/Venezuela exposure, or accepts false end-user documentation. Onboarding, end-use certificates, audit rights, resale restrictions and clear escalation triggers are essential — not optional.

EUCAudit rightsResale restrictionsDistributor screeningFlow-down DD
06
M&A and successor liability
The Unicat lesson
+

Acquiring a company can import historical sanctions violations, hidden distributor channels, legacy business with sanctioned countries, falsified invoices, and unclassified U.S.-origin technology. DOJ enforcement materials — notably the Unicat case — show how post-acquisition discovery, voluntary self-disclosure and cooperation can become decisive in resolution.

Sanctions diligenceSuccessor liabilityVoluntary disclosureDOJ NSD policy
07
U.S. persons inside the company
Recusal & access controls
+

A U.S. citizen employee, board member, director, controller or finance approver may be individually prohibited from participating in certain transactions — even while working for a German or Baltic company. Recusal procedures, system-access partitioning, and approval-routing rules may be necessary. "Causing" a U.S. person to violate is itself prohibited.

U.S. personsRecusalSystem accessApproval routing"Causing" prohibition
§ 05 — Sanctioned Regimes

Five focal points, one rolling perimeter.

Hover or tap each card to focus. Russia and Belarus dominate operational risk in 2026; the others remain critical legal-review triggers, especially where the EU and U.S. positions diverge.

RUBY· E.O. 14024 · 14071
TIER · CRITICAL

Russia & Belarus

Highest operational risk
  • E.O. 14024FFI risk
  • Rosneft · LukoilSDN · Oct 2025
  • CHPL50 lines
  • Shadow fleetProcurement nets
  • 17 jurisdictionsDiversion vectors
IR· ITSR · CISADA · CAATSA
TIER · CRITICAL

Iran

Comprehensive · secondary
  • Oil · PetrochemsSectoral
  • IRGCCounter-terrorism
  • Drones · MissilesProcurement
  • Shadow bankingExchange houses
  • EU BlockingConflict-of-laws
KP· NKSPEA · UNSCR · OTSR
TIER · CRITICAL

North Korea

Proliferation & cyber
  • UN + U.S.Comprehensive
  • IT-worker schemesHR diligence
  • Maritime evasionSTS transfers
  • Crypto theftWallet screening
  • OutsourcingRemote-worker risk
CN· Entity List · MEU · UFLPA
TIER · HIGH

PRC-linked actors

Selective · entity-based
  • Entity ListBIS controls
  • MEU ListMilitary end-use
  • UFLPAForced labour
  • Russia-evasion2024 designations
  • SurveillanceHuman-rights
SYCUVE· SySR · CACR · VSR
TIER · HIGH

Syria · Cuba · Venezuela

U.S.-nexus & secondary risk
  • SyriaComprehensive · humanitarian carve-outs · diversion
  • CubaU.S.-person and U.S.-controlled-subsidiary scope
  • VenezuelaSectoral · oil · government-of-Venezuela
SDGTSDNTKCYBER· list-based · global reach
TIER · ALWAYS-ON

Terrorism · Narcotics · Cyber

List-based, global reach
  • SDGTCounter-terrorism designations
  • SDNTKNarcotics · transnational crime
  • Cyber sanctionsRansomware · state-linked

The PRC point deserves restating. China is not subject to comprehensive U.S. sanctions. The risk is not "China business" as such — it is specific counterparties, controlled technology, military or surveillance end uses, Russia re-export, Xinjiang/forced-labour exposure, and Entity List parties. Treasury's 2024 Russia-evasion actions included PRC-based dual-use exporters.

§ 06 — EU Overlay & Conflicts

Don't apply U.S. rules mechanically.

A German or Baltic company must comply directly with EU and national sanctions. Where a U.S. rule is extraterritorial and no direct U.S. nexus exists, the EU Blocking Statute may prohibit compliance. Legal review is required before refusing, exiting, or terminating business solely because of U.S. sanctions.

EU sanctions breaches and circumvention have been harmonized under Directive (EU) 2024/1226 — routing goods through third countries to sanctioned destinations, concealing designated persons' ownership, and using false information to hide an ultimate beneficiary are now criminal offences across the Union.

National enforcement remains plural. In Germany, BAFA handles goods, technical assistance and economic resources; the Bundesbank handles funds, financial resources and financial assistance; the new Central Office for Sanctions Enforcement (ZfS) covers gaps. In Latvia, public-sector and procurement contexts must observe OFAC sanctions in PPP and procurement, refusing direct or indirect dealings with sanctioned persons. In Estonia, the International Sanctions Act renders any transaction violating international sanctions void. In Lithuania, financial-market supervision can impose special measures where sanctions touch a participant, owner or controller.

The conflict-of-laws issue is real. The EU Blocking Statute can prohibit EU operators from complying with certain specified extraterritorial foreign sanctions laws, nullify foreign judgments based on those laws, and allow recovery of damages. A blanket "we apply U.S. rules everywhere" policy is therefore not safe — it can itself be a violation.

PILLAR 01Management commitmentBoard-level ownership; authority to stop transactions; periodic reporting on screening, blocks, escalations.
PILLAR 02Risk assessmentInherent risk across clients, products, intermediaries, transactions and geographies — re-run on a cadence.
PILLAR 03Internal controlsERP master-data flags, hard-stop screening, payment holds, end-use review, contract clauses, override discipline.
PILLAR 04Testing & auditQuarterly review for high-risk corridors; annual independent attestation of operating effectiveness.
PILLAR 05TrainingJob-specific — sales, finance, logistics, procurement, IT, engineering, management — refreshed annually.

OFAC's framework names these five components as the floor for an effective sanctions compliance program. An effective program is treated favourably in enforcement and may mitigate civil monetary penalties.

§ 07 — Evasion Radar

Seven indicators, one perimeter.

U.S. and allied enforcement now centres on circumvention. Click each indicator to read it; the radar visualises their relative weight in current OFAC, BIS and FinCEN practice.

Red flags · click to focus

Indicators in current U.S. enforcement

    High-risk diversion geographies — apply enhanced due diligence
    Armenia
    China · HK · Macau
    Georgia
    India
    Kazakhstan
    Kyrgyzstan
    Malaysia
    Serbia
    Singapore
    Thailand
    Türkiye
    UAE
    Uzbekistan
    Vietnam
    § 08 — Risk Simulator

    A transaction, scored against U.S. nexus.

    Compose a hypothetical transaction below. The simulator returns a risk tier and the prescribed control response — the same logic a working U.S. sanctions team should apply.

    Live U.S.-nexus simulator

    Score a hypothetical cross-border deal.

    RESET ↻
    Counterparty & ownership
    Goods, software or technology
    U.S. nexus in chain
    Destination & intermediary
    0
    LOW
    Prescribed response

    Standard screening & documentation

    A direct intra-EU transaction with established counterparties, no U.S. nexus and no controlled content falls in the LOW tier. Apply baseline screening, periodic review, and document the decision in the per-transaction sanctions file.

    1. Standard counterparty screening (name + address + UBO)
    2. Goods & technology classification (ECCN / EAR99 / USML)
    3. Standard payment screening
    4. Retain in per-transaction sanctions file · 10 years
    § 09 — Decision Logic

    Seven steps, in this order.

    Click each step. The order matters: jurisdiction precedes ownership precedes goods precedes routing precedes payment. Every step that releases a transaction must be documented; every step that stops one must be reported where required.

    01
    Identify all parties
    Customer, supplier, consignee, end user, beneficial owner, bank, vessel, broker, freight forwarder, insurer, agent — every named or implied actor in the transaction.
    InputsMaster data · order · contract · payment instructions
    02
    Screen all parties
    If a confirmed sanctions match appears, stop the transaction and escalate. Do not perform, ship, pay, return funds, or notify the counterparty without legal review.
    ListsOFAC SDN · BIS Entity / DPL / UVL / MEU · EU · UN · UK · DE · Baltic
    03
    Apply ownership & control analysis
    If a blocked person owns 50% or more — directly or indirectly, individually or in aggregate with other blocked persons — treat the entity as blocked for OFAC purposes. Look for control without majority too.
    Test50-percent rule · sham divestment · nominees
    04
    Identify U.S. nexus
    U.S. person, U.S. bank, USD clearing, U.S.-origin item, U.S. software, U.S. cloud, U.S. financing, U.S. contract, U.S. affiliate. If yes — apply U.S. sanctions review on top of EU compliance.
    DoorsPerson · payment · property · cause · secondary
    05
    Classify goods & technology
    If subject to the EAR or ITAR, determine ECCN / USML category, license requirements, destination restrictions, and end-user / end-use restrictions. Classify spare parts, software, cloud and technical services in the same exercise.
    AuthoritiesBIS · DDTC · DOC · DOS
    06
    Check evasion red flags
    If present — third-party payer, irrational routing, mismatched product profile, request to drop end-user names, refusal of EUC — require enhanced due diligence, documentary proof, management approval, and legal review.
    SourcesFinCEN advisories · OFAC guidance · BIS red flags
    07
    Document the decision
    For each released high-risk transaction, document screening, ownership review, classification, U.S. nexus analysis, end-use review, contractual safeguards, and the named approver. The audit trail is the program.
    Retention10 years · OFAC recordkeeping rule
    § 10 — Implementation

    Thirty days, ninety, then forever.

    Click each item to mark it complete. The bar tracks programme maturity end-to-end.

    0%0% complete100%
    PHASE 010–30 days
    1. Create a sanctions escalation protocol — who can stop, release, block, reject, report
    2. Map all U.S. nexus points: USD payments, U.S. banks, U.S. persons, affiliates, goods, software, cloud, contracts
    3. Screen all active customers, suppliers, banks, vessels, agents, distributors, UBOs against EU, UN, OFAC, BIS, UK, DE, Baltic lists
    4. Freeze onboarding of new RU/BY, IR, SY, CU, KP, VE-related transactions pending enhanced review
    5. Identify all products that may be EAR-controlled, ITAR-controlled, dual-use or on the CHPL
    6. Insert sanctions clauses into new contracts immediately
    7. Establish ten-year sanctions recordkeeping rule, aligned with OFAC's update
    PHASE 0230–90 days
    1. Complete a formal sanctions risk assessment — clients, products, intermediaries, geographies
    2. Classify goods, software, technology, spare parts, technical services and documentation
    3. Build an escalation matrix by jurisdiction, product, counterparty, payment route and U.S. nexus
    4. Implement automated screening with fuzzy matching, ownership checks, alias handling, list-update rescreening
    5. Introduce end-use certificates and distributor certifications for high-risk goods
    6. Train sales, finance, procurement, logistics, legal, IT and management — job-specific
    7. Procedures for blocked property, rejected transactions, OFAC reports, BAFA / Bundesbank / ZfS escalation, voluntary disclosure
    PHASE 03Ongoing
    1. Quarterly sanctions-risk review for high-risk jurisdictions and sectors
    2. Annual training for all relevant staff, refreshed by function
    3. Annual independent testing or internal audit
    4. Periodic distributor and agent audits — flow-down evidence
    5. Board reporting on screening hits, blocked / rejected transactions, licenses, overdue DD, high-risk revenue exposure
    6. Continuous monitoring of OFAC, BIS, EU, BAFA, Bundesbank and Baltic updates
    7. Stress-test against realistic diversion scenarios; align with AML, customs, ESG and supplier DD
    § 11 — Board-Level Closing

    Twelve questions. One programme.

    A board or senior management team should be able to answer all twelve in the affirmative. Tap each row to mark it answered — the gaps are the programme's next month of work.

    Board-level questions0 / 12 answered
    1. Do we know where U.S. jurisdiction enters our business — by person, payment, property, "causing", or secondary risk?
    2. Do we know which products, services, software and technologies are subject to the EAR or ITAR?
    3. Do we screen customers, suppliers, owners, banks, vessels, logistics providers and end users — at every touch point?
    4. Do we apply OFAC's 50-percent rule, including aggregated ownership by multiple blocked persons?
    5. Do we have hard-stop controls in ERP and payment workflows, not soft warnings?
    6. Do we know our Russia / Belarus, Iran, North Korea, Syria, Cuba, Venezuela and PRC-linked exposure — by revenue and channel?
    7. Do we know whether any revenue depends on high-risk distributors or indirect sales?
    8. Do contracts prohibit resale, diversion, sanctions evasion and false end-use statements — with audit rights?
    9. Do finance and logistics teams recognise payment, routing and documentation red flags on the spot?
    10. Do we have a procedure for blocked property, rejected transactions, OFAC reporting, EU / national reporting, and voluntary disclosure?
    11. Do we keep sanctions records for ten years, surviving M&A and ERP migrations?
    12. Do we test the system and report results to management — with named owners and dates?
    The Operative Question
    Does this transaction, payment, service, shipment, technology, contract or relationship — directly or indirectly — touch a U.S. person, the U.S. financial system, U.S.-origin items, or a sanctioned regime in a way that would make us, or any U.S. person, cause a violation of U.S. sanctions or export-control law?

    If the answer cannot be confidently documented, the transaction should be stopped, escalated, and — where legally required — reported. That is the entire programme, in a sentence.