On 23 April 2026, the Council of the European Union adopted its 20th package of sanctions against Russia. Official Journal of the European Union The package moves beyond traditional Russia-destination restrictions and deeper into controls aimed at third-country facilitation, payment and crypto workarounds, shadow-fleet infrastructure, and legal protection for EU operators exposed to Russian retaliation.

The package continues and further escalates the EU’s existing Russia sanctions strategy. It continues the familiar pattern of adding asset-freeze listings, expanding trade annexes, targeting banks, restricting services, designating shadow-fleet vessels, and aligning the Belarus regime more closely with Russia measures. The package also introduces and implements several newer tools, most importantly the first use of the EU’s anti-circumvention instrument against a third country, broader crypto and payment-channel restrictions, new tanker-sale due diligence requirements, and defensive legal mechanisms for EU companies facing Russian expropriation, abusive litigation or misuse of intellectual property.

The Council and Commission describe the package as targeting Russia’s energy revenues, military-industrial base, financial infrastructure and sanctions-evasion networks. The package adds 120 individual and entity listings, expands trade restrictions on both exports to Russia and imports from Russia, designates 46 additional shadow-fleet vessels, restricts additional Russian banks and third-country financial intermediaries, and introduces new measures aimed at crypto-assets, digital payment infrastructure and payment agents.

Energy and shipping

A central feature of the package is its energy and shipping component. The EU has added more vessels to its shadow-fleet list, bringing the total to 632 vessels subject to port-access and service restrictions. The measures also target port and logistics infrastructure, including Russian ports such as Murmansk and Tuapse and, significantly, the Karimun Oil Terminal in Indonesia. This is the first time the EU has brought a third-country port into this type of Russia-related transaction ban, reflecting the EU’s increasing focus on the infrastructure surrounding Russian oil exports rather than only the Russian entities directly involved.

The package also tightens controls around tanker sales. EU sellers must now approach tanker transactions with heightened due diligence and contractual protections designed to prevent vessels from being transferred into Russia’s shadow-fleet ecosystem. This is part of a wider EU trend toward “contractual sanctions compliance” – using no-Russia clauses, resale restrictions, audit rights and diligence obligations to prevent diversion after an EU operator exits the immediate transaction.

The EU has not yet imposed a full maritime services ban on Russian crude oil and petroleum products, but the 20th package creates the legal basis for such a ban. The timing remains linked to future coordination with the G7 and Price Cap Coalition. This is an important signal: the EU is preserving alignment with partners while preparing for a possible shift away from the current price-cap set up toward broader service prohibitions.

Financial restrictions

The financial measures are also substantial. The package adds 20 Russian banks to transaction bans, bringing the Commission-stated total of Russian banks excluded from the EU internal market to 70. It also targets third-country financial institutions and payment facilitators in jurisdictions such as Kyrgyzstan, Laos and Azerbaijan where the EU sees facilitation of Russia-related transactions or links to Russian financial messaging infrastructure. The package further extends into crypto by targeting Russian crypto-asset service providers, decentralized platforms, RUBx, the digital rouble and the A7A5 ecosystem. This shows the EU’s concern that Russia is increasingly using alternative payment rails, crypto infrastructure, payment agents and netting arrangements to bypass conventional bank sanctions.

Trade restrictions

The package adds new export restrictions worth more than €365 million, covering categories such as laboratory glassware, high-performance lubricants and lubricant additives, energetic materials, certain chemicals, vulcanized rubber articles, steel articles, metal-production tools and industrial tractors. It also adds import restrictions on Russian revenue-generating goods, including additional metals, chemicals, minerals, raw materials, scrap and rubber articles. This means that companies should consider re-running their product classification and sanctions screening.

The package also introduces a quota for Russian ammonia imports. This is not a complete ban, but it caps existing volumes and signals that the EU continues to narrow space for Russian-origin commodities that remain economically or supply-chain sensitive for EU Member States.

Anti-circumvention measures

Perhaps, the most legally significant innovation is the first activation of the EU’s anti-circumvention tool. The EU has applied the tool to Kyrgyzstan, prohibiting exports of certain CNC machine tools and telecommunications equipment where the EU concluded that trade patterns showed a serious risk of re-export to Russia. This is not a sanctions program against Kyrgyzstan. However, this is a major sanctions-related development. Until now, the EU’s third-country response has largely consisted of diplomacy, warning letters, listings of individual entities, and exporter due diligence expectations. The new measure shows that the EU is prepared to impose country-specific export restrictions where it believes diversion risk is systemic and unresolved.

This marks an important difference between the EU’s current posture and earlier Russia packages. Previous measures already targeted third-country entities in China, Türkiye, the UAE, India, Thailand and other jurisdictions. The 20th package goes further by restricting certain EU exports to a third country as such. While the EU still does not operate a US-style secondary sanctions regime in the broadest sense, the practical result is that third-country conduct is now increasingly relevant to EU transaction legality. EU operators must screen not only sanctioned parties and Russia destinations, but also diversion-risk jurisdictions, routing patterns, unusual payment structures and potential onward supply to Russia.

Industry-related designations

The package also expands restrictions on the Russian military-industrial complex, including additional entities subject to stricter export controls for dual-use and advanced technology items. These include entities in Russia and in third countries such as China, Hong Kong, Türkiye, Thailand and the UAE. This continues the EU’s focus on Russia’s ability to procure battlefield-relevant goods through non-Russian intermediaries, especially common high-priority items and industrial technology used in weapons production.

Restrictions on services

Services restrictions also continue to expand. The 20th package introduces new restrictions on managed security and cybersecurity services to Russia. This is particularly important for multinational companies that have residual Russian operations, IT infrastructure, shared services or outsourced security arrangements. Legal teams will need to map not only customer-facing services but also back-office cybersecurity support, monitoring, incident response, managed firewall services, endpoint detection and other security functions that may touch Russia or Belarus.

Anti-takeover measures

One of the more distinctive parts of the package is its new legal-protection architecture for EU operators. The EU is increasingly responding not only to Russian economic activity, but also to Russian countermeasures against European companies. The new measures strengthen protections for EU businesses facing Russian expropriation, Russian court proceedings, abusive litigation, third-country enforcement of Russian judgments, and unauthorized use of intellectual property or trade secrets. The package creates frameworks for transaction bans and damages claims related to these retaliatory or coercive actions. This is a notable evolution: EU sanctions law is becoming more defensive, designed to protect EU companies and legal rights from Russian counter-sanctions pressure.

Traceability and funding

The package also tightens media, research and diamond-related measures. It extends restrictions to mirror sites reproducing or proxying content from already banned Russian propaganda outlets. The measures prohibit acceptance of Russian government funding, grants or donations in research and innovation contexts. It also reinforces diamond traceability requirements, including due-diligence statements confirming that polished diamonds were not mined, processed or produced in Russia.

Restrictions on Belarus

Belarus is again treated as part of the same sanctions landscape. The EU has adopted parallel Belarus measures, extending and aligning the Belarus regime in areas such as trade controls, crypto, cybersecurity services, legal protections and tourism-related services.

Overall conclusion

More generally and if compared with previous sanctions packages, the 20th package does not necessarily introduce anything revolutionary new in terms of the restrictive measures, but, instead, tightens the connective tissue of the overall sanctions regime. The package deepens the pressure on Russia’s energy revenues, but also targets vessels, ports, tanker sales, LNG services and maritime infrastructure. It expands trade controls, but also introduces a country-specific anti-circumvention measure. It adds banks, but also targets payment agents, crypto platforms, digital assets and settlement structures. It lists new entities, but also creates legal tools to counter Russian retaliation against EU companies. So you can say that the overall package’s theme is not merely “more sanctions”. It is a more networked, enforcement-oriented sanctions system.

PRACTICAL COMPLIANCE RECOMMENDATIONS

The first practical step is to treat the 20th package as a systems update. Product classification tables, customer and supplier screening, bank screening, vessel screening, port and logistics screening, crypto/payment screening and contract templates all need review. A company that simply updates its restricted-party list may miss the most important changes.

Contracts should be re-screened by effective date and wind-down period. Some measures apply immediately, while others have later operative dates or transition windows. Trade contracts, tanker-sale arrangements, LNG-related agreements, cybersecurity service contracts, payment arrangements, crypto-related relationships and contracts involving newly listed goods should be prioritized.

Companies should also expand diversion-risk diligence beyond Russia and Belarus. Transactions involving Central Asia, the South Caucasus, Türkiye, the UAE, China, Hong Kong and other known diversion hubs should be assessed for routing, end-use, resale rights, consignee profile, freight forwarders, unusual payment terms and sudden volume changes. The Kyrgyzstan measure shows that third-country risk is no longer merely a policy concern; it can become a direct EU legal restriction.

“No Russia” clauses should be reviewed with care. They should not be treated as generic sanctions boilerplate. Where legally required or commercially prudent, they should address resale, transfer, deployment, ownership changes, end-use, documentation obligations, audit rights, termination rights and indemnities. The tanker-sale provisions are a reminder that contractual controls are increasingly part of the EU’s expected compliance toolkit.

Financial due diligence should become more granular. It is no longer enough to screen the customer’s bank. Companies should review correspondent banks, payment agents, netting structures, set-off arrangements, crypto wallets, crypto-asset service providers, decentralized platforms, digital rouble exposure, RUBx exposure and links to Russian financial messaging systems. Payment facilitation is now a sanctions target in its own right.

Legal teams should also map services and internal support functions. The managed-security-services restrictions make it necessary to understand who provides cybersecurity, IT, monitoring, incident response and related services to any Russia or Belarus-linked operation. Similar mapping should be done for finance, treasury, legal, technical support, engineering, software, IP, licensing and shared-service functions.

Finally, companies with legacy Russian assets, subsidiaries, receivables, trademarks, technology, arbitration clauses or Russian litigation should evaluate the new legal-protection measures. These provisions may offer defensive tools against Russian expropriation, abusive claims or unauthorized IP use, but they will require coordinated sanctions, litigation, arbitration and asset-recovery strategy.

The likely next steps are already visible. The EU may activate the maritime services ban once G7 coordination is achieved. More shadow-fleet vessels, ports, ship managers, insurers and tanker owners are likely to be targeted. The anti-circumvention tool may be used against additional jurisdictions if trade data shows persistent diversion. Crypto and payment restrictions will likely continue to expand. Additional legal-protection annexes may be populated with Russian or third-country actors involved in expropriation, abusive enforcement or IP misuse.