Doing Business In: From Compliance to Litigation: the new frontiers of Corporate liability
Swift Litigation
View Firm Profile
Abstract
Compliance is no longer only about preventing legal risk; it is increasingly shaping the way corporate disputes are litigated. ESG, digital and collective litigation illustrate how internal compliance frameworks are becoming key evidentiary tools before the courts.
Author Julien Martinet is the founding partner of Swift Litigation. He advises and represents companies, financial institutions and their executives in complex commercial, regulatory and strategic litigation, with a particular focus on compliance, ESG, digital risks and corporate disputes.
Compliance has long been understood as a preventive function. Its purpose was to organise the company, meet regulatory expectations, document internal controls and reduce the risk of administrative sanctions. Portalis famously wrote that “the codes of nations are made over time; strictly speaking, they are not made at all.” The same observation aptly describes the way in which certain standards of corporate compliance are now being shaped.
That preventive approach remains essential. But it no longer fully captures the role compliance now plays in corporate life. Compliance frameworks are increasingly becoming litigation objects. Public commitments, risk maps, vigilance plans, sustainability reports, cyber procedures, anti-fraud policies, business continuity plans, outsourcing clauses and internal investigations are no longer reviewed only by regulators or auditors. They may now be produced, scrutinised and sometimes relied upon against the company before the courts.
The question is therefore no longer simply whether a company has a compliance framework in place. It is whether that framework is coherent, documented, effectively implemented and capable of being defended in litigation.
This does not mean that courts are taking over the strategic management of companies. Courts remain, in principle, reluctant to impose industrial, commercial or technological choices directly on businesses. They are, however, increasingly called upon to examine how a company identified a risk, assessed its seriousness, set its priorities, adopted measures and preserved evidence of its decision-making.
The boundary between compliance and litigation is therefore becoming narrower. Compliance is no longer only an upstream issue. It becomes material for defence, or for attack, once a dispute arises. This development is now visible on three main fronts: systemic risks, first and foremost climate and ESG; digital risks, including cyber, fraud, artificial intelligence and critical third-party providers; and collective or geopolitical risks, marked by the rise of group actions, sanctions, extraterritoriality and evidentiary battles.
I. Courts and systemic risks: climate, vigilance and ESG
Climate litigation is currently the most visible expression of a broader movement: the entry of systemic risks into the field of corporate litigation.
These risks are no longer merely matters of reporting, institutional communication or investor dialogue. They are becoming matters of liability. Companies are being questioned on their public commitments, the consistency of their transition pathways, the quality of their vigilance plans, the identification of their risks, the sincerity of their communications and the measures effectively adopted to prevent or mitigate identified harms.
This development extends beyond climate. It also concerns human rights in supply chains, biodiversity, sectoral policies, greenwashing allegations, the governance of non-financial risks and the consistency between public commitments and operational practices. ESG documents are no longer merely market-facing or reputational documents. They may be read as litigation exhibits.
The difficulty is that the behavioural standard expected of companies is not yet fully settled. Statutes and regulations impose duties of vigilance, reporting, transparency or governance. But they do not always say, with precision, what sufficient conduct should look like in the face of global, evolving and technically complex risks.
Climate provides the clearest example. Climate change is a global, cumulative and multifactorial phenomenon. It does not easily fit within traditional categories of liability, which are built around a wrongful act, damage and a causal link. Nor can it naturally be reduced to a specific preventive measure capable of being imposed uniformly on all companies.
This is what makes ESG litigation both powerful and delicate. It is not merely about applying an already written rule. It participates in the progressive construction of that rule. Legislators set a framework, regulators refine their expectations, courts gradually define the limits of their review and companies, through their own commitments, also contribute to charting the path.
This interaction is particularly sensitive in relation to the French duty of vigilance. A vigilance plan is not merely a regulatory document. It becomes a point of convergence between risk mapping, adopted measures, public commitments and proof of implementation. The court is not necessarily being asked to substitute its own strategic assessment for that of the company. It is, however, required to review the coherence between the risks identified and the measures adopted.
The judgment delivered on 25 June 2026 by the Paris Judicial Court in the TotalEnergies case illustrates this development, without it necessarily becoming a general rule applicable to all sectors.
The court accepted that climate risks could fall within the scope of the duty of vigilance and held that, for an oil and gas producer, scope 3 emissions had to be included in the risk mapping. But that reasoning remains closely connected to the activity at issue: an oil and gas company places on the market a product whose normal use leads to measurable emissions. Its transposition to other sectors, particularly financial services, is far from self-evident. A bank does not sell a product whose normal use consists in emitting greenhouse gases; it finances or supports clients who retain control over their industrial, commercial and operational decisions.
The broader lesson is therefore not the mechanical extension of scope 3 reasoning to all companies. It is rather the attention courts may pay to the intensity of the link between the relevant activity, the risk relied upon and the levers which the company itself acknowledges that it has.
The same judgment is also interesting because of the balance it seeks to strike as to the court’s powers. On the one hand, the court accepts that it may review the completeness of the plan, the quality of the risk mapping and the existence of coherent measures. On the other hand, it recalls that the 2017 law does not, in principle, empower the court to substitute itself for the company by imposing precise and detailed measures directly.
This is probably where the core of future ESG disputes lies: not in judicial management of the company, but in a review of coherence, completeness and credibility. The court does not necessarily determine the company’s climate, social or environmental strategy. But it may assess whether identified risks are being addressed seriously, whether public commitments are consistent with internal policies, and whether announced measures are supported by sufficient data, resources and governance.
This development creates a paradox. In the absence of a clearly defined legal standard, courts may be tempted to look for the standard in the conduct of companies themselves. Where a company states that it measures a risk, has levers to mitigate it or commits to following a particular pathway, those elements may later be relied upon to argue that the company acknowledged its ability to act and should have drawn the necessary consequences.
Voluntary commitments therefore have a dual nature. They enhance the company’s credibility, structure its strategy and respond to the expectations of investors, customers and stakeholders. But they may also become litigation footholds. The more a company asserts that it can act directly on a risk, the more it may be required to justify the adequacy of the measures actually taken.
The answer is obviously not for companies to abandon ambition or hide behind empty formulations. That would be the wrong response. The point is rather that greater ambition requires greater discipline. Climate policies, transition plans, sectoral policies, sustainability reports and public commitments should be drafted as documents that may one day be read by a court.
This requires a clear distinction between legal obligations, voluntary objectives, trajectories, indicators, market assumptions and firm commitments. It also requires avoiding overly absolute language that may suggest direct control over risks which the company in fact controls only partially.
This requirement applies to large corporate groups generally. ESG litigation leads compliance, reporting and communication documents to be reread as evidentiary materials. What matters is therefore not only the ambition displayed, but its consistency with available resources, underlying data, sector-specific constraints, internal trade-offs and the company’s actual ability to act.
In the new generation of ESG disputes, the standard is therefore not written by the legislature alone. It is also built from regulatory guidance, court decisions, market standards and the commitments companies themselves make.
II. Courts and digital risks: cyber, AI, fraud and critical providers
The same transformation can be seen in the digital sphere. Cyber risks, payment fraud, artificial intelligence, IT incidents and dependence on critical third-party providers are no longer merely technical issues. They are becoming litigation risks.
A digital incident often presents itself, at first, as an operational event: a cyberattack, an IT failure, a fraud, a service outage, an algorithmic error, a data leak or the compromise of credentials. But the resulting litigation quickly moves beyond the incident itself. It leads to scrutiny of the company’s prior organisation: its procedures, controls, delegations of authority, alerts, incident response, evidence preservation and the quality of its third-party providers.
The comparison between cybersecurity and artificial intelligence is instructive.
In cybersecurity, the path is already relatively advanced. Regulated companies are subject to governance, control, alert, risk mapping and documentation obligations. Supervisors no longer merely publish general principles; they carry out concrete reviews of systems and controls. This type of supervision contributes to transforming technical requirements into operational standards: governance, incident management, risk mapping, control frameworks, outsourcing, documentation and response capability.
In this area, litigation can therefore rely on a relatively dense body of material. Legislation, supervisory reviews, recommendations and sectoral best practices make it possible to discuss, in fairly concrete terms, what a company should have put in place. The litigation question then becomes whether the framework was proportionate, known, tested, documented and effectively applied.
DORA, applicable since 17 January 2025, illustrates this development for financial entities. It establishes a digital operational resilience framework designed to enable them to withstand, respond to and recover from ICT-related disruption, including cyberattacks and system failures.
This framework is not only relevant to the relationship between financial institutions and their supervisors. It also influences the way in which liability may be argued in civil or commercial litigation. When an incident occurs, claimants will not confine themselves to the specific technical failure. They will seek to determine whether the company had identified its critical dependencies, tested its arrangements, supervised its providers, provided for business continuity, handled alerts and preserved relevant evidence.
The NIS2 Directive forms part of the same movement. It establishes a common legal framework to strengthen cybersecurity across many critical sectors within the European Union. The Cyber Resilience Act adds another dimension by imposing requirements on products with digital elements. These instruments progressively contribute to defining what diligent conduct may mean in a digitalised economy.
Even where they are not directly applicable to a given company or a particular dispute, they nourish a normative environment in which the robustness of systems, governance of digital risks and response to incidents become criteria of assessment.
Fraud litigation also illustrates this shift. For a long time, the dispute focused primarily on the challenged transaction: the payment order, authorisation, the victim’s negligence, authentication or the chronology of events. Today, the debate frequently broadens to the quality of the anti-fraud framework: anomaly detection, management of authorisations, alert thresholds, internal procedures, staff training, blocking of suspicious transactions, post-incident response and client information.
A successful fraud thus becomes the entry point for organisational litigation. The claimant will seek to show that it was not merely the result of external deception, but the symptom of an internal control failure. The defendant company, conversely, will need to demonstrate that its framework was proportionate, that the expected steps were taken and that the incident does not necessarily evidence fault.
Payment fraud, social engineering, fraudulent transfer orders, compromised email accounts or transactions initiated in a distorted digital environment all give rise to debates that go beyond the payment act itself. They call into question the decision-making chain, the controls in place, the quality of alerts, the traceability of approvals and the response following the incident.
The rise of artificial intelligence opens another, less settled front.
The AI Act now provides a European framework. But the scale of the operational, evidentiary and organisational disruption remains difficult to assess. Companies are beginning to integrate AI tools into internal processes, client relationships, data analysis, compliance decisions, support functions and monitoring tools, without it yet being clear where the main areas of litigation will emerge.
This is precisely what makes the subject strategic. AI-related litigation will not concern only system providers. It will also concern the companies that integrate, deploy or use those systems in internal processes, client relationships or operational decisions.
The central difficulty will often be one of attribution. It will be necessary to determine who decided, who controlled, who validated the data, who was able to understand how the tool worked, detect the error or correct the bias: the provider, the integrator, the user, the business unit, the third-party provider, the committee that approved the tool, or the company that embedded it within its organisation.
These disputes will therefore be less about AI in the abstract than about the conditions of its deployment: traceability of decisions, auditability of the system, human oversight, data quality, documentation of choices, allocation of responsibilities and the ability to demonstrate, after the event, that use of the tool was controlled. AI must therefore be treated not only as a performance tool, but as an evidentiary object.
Unlike ESG, where France began collecting non-financial information in the early 2000s, and unlike cyber, where supervisors already have experience of reviewing systems and controls, AI opens a field that remains largely exploratory. The standard is being formed at the same time as use cases are spreading. It is often in this interval — between innovation, regulation and litigation — that the most significant risks crystallise.
Outsourcing further reinforces these issues. Companies increasingly depend on critical third-party providers: hosting providers, cloud providers, software vendors, payment service providers, integrators, cybersecurity operators, AI providers, maintenance companies and technical subcontractors. Outsourcing does not make the risk disappear. It shifts it and, in some cases, makes it more complex to defend.
In litigation, contracts with third-party providers then become central exhibits. Audit, security, incident notification, subcontracting, reversibility, business continuity, data localisation and limitation of liability clauses may determine the company’s ability to establish that it reasonably managed its exposure.
This is one of the major lessons of digital risks: the litigation defence is prepared before the incident. It is prepared in the drafting of internal policies, the negotiation of contracts, the retention of logs, alert procedures, resilience testing and incident governance.
When an incident occurs, evidence preservation is critical. Internal exchanges, alerts, incident reports, remediation decisions, communications with authorities, client notifications and audit reports may later be relied upon. Companies must therefore consider at a very early stage how these materials will be protected, produced, explained or challenged.
Digital risk thus illustrates a broader point: technical compliance creates a litigation language. It defines the standards by reference to which fault, diligence, causation and loss will be debated. Companies should therefore not treat cyber, AI or anti-fraud policies as mere technical appendices. They are potential defence documents.
III. Courts and collective or geopolitical risks: group actions, sanctions and evidence
The third front is procedural and geopolitical. Companies are no longer exposed only to bilateral disputes, opposing a claimant and a defendant in relation to a particular contractual relationship or harmful event. They are increasingly facing collective, cross-border, coordinated or media-sensitive disputes.
The reform of the French group action regime forms part of this movement. By harmonising and broadening the applicable framework, it contributes to making collective redress a clearer and potentially more readily available tool against companies. For corporate groups, the issue goes beyond procedural technique. Group actions change the economics of litigation.
An incident that might previously have resulted in scattered individual claims can become a structured, visible and financially significant dispute. This may potentially affect many areas: consumer law, products, personal data, financial services, environmental matters, commercial practices, healthcare, competition and digital platforms.
The massification of disputes also changes the way in which they must be defended. It is no longer enough to handle each claim in isolation. The company must consider overall consistency: consistency of documents, positions, communications, litigation strategy and any settlement discussions. Evidence must be organised consistently. Individual defences must be articulated with the response to the common allegation. Reputational risk must be integrated without ever overriding the requirements of legal defence.
Collective actions also create the risk of a parallel forum. The dispute does not unfold only in the courtroom. It also plays out in public communications, social media, campaigns by associations, NGO reports, press releases and sometimes shareholder meetings. For large groups, litigation strategy must therefore be coordinated with communications, governance and institutional relations, without compromising evidence and confidentiality requirements.
Geopolitical litigation follows a different logic, but produces the same effect: it makes compliance decisions justiciable.
International sanctions, embargoes, freezing measures, export restrictions and anti-circumvention rules place companies in difficult decision-making situations. A decision to suspend a commercial relationship, refuse a transaction, freeze a payment or terminate a contract may be necessary in light of sanctions risk. But it may also be challenged by a commercial partner, client, counterparty or beneficial owner.
The EU Blocking Statute illustrates this tension. It seeks to protect EU operators against the extraterritorial application of certain third-country laws. It may place European companies in difficult situations when they must reconcile foreign requirements, EU rules, their contractual obligations and their commercial or financial exposure.
These rules generate complex litigation scenarios. A company may be caught between several competing imperatives: complying with foreign sanctions to avoid market or enforcement risk, respecting European rules that prohibit certain forms of compliance, preserving contractual relationships, protecting management and avoiding the characterisation of its decision as a breach.
The litigation then concerns less the abstract existence of a sanctions regime than the way in which the company made its decision. Did it carry out a documented legal analysis? Did it identify the persons, entities, flows, currencies, banks or assets concerned? Did it consider alternative measures? Did it inform the competent authorities? Did it comply with its contractual obligations? Did it preserve evidence of its decision-making?
In these disputes, evidence often becomes the true battlefield. Internal documents, legal advice, investigation reports, exchanges with authorities, committee minutes, compliance memoranda, audits, crisis emails or contracts with third-party providers may become decisive.
The difficulty is that these documents are both necessary to the company’s defence and potentially sensitive. They may contain strategic information, trade secrets, personal data, legal analysis, privileged material or information that may be sought by a foreign authority. Evidence management therefore requires anticipating, from the moment documents are created, their possible future use.
Internal investigations lie at the heart of this issue. They are often launched from a compliance perspective: to understand an incident, verify an alert, identify a failure, prepare a notification to an authority or decide on disciplinary measures. But they also generate documents that may be sought in later litigation.
A poorly structured internal investigation may weaken the company. An unclear scope, poorly documented interviews, insufficient preservation of evidence, confusion between legal analysis and factual findings, or excessive circulation of conclusions may create new risks. Conversely, a properly structured investigation may become a powerful defence tool. It enables the company to demonstrate responsiveness, rigour of analysis, proportionality of measures and the reality of remediation.
This connection between compliance, investigation and litigation is one of the most important issues for legal departments. The litigation reflex should not arise only once proceedings have been served. It should exist from the alert, the incident, the request from an authority or the first public communication.
The point is not artificially to turn every aspect of corporate life into litigation. It is to recognise that certain events — cyberattack, fraud, industrial accident, ESG alert, sanctions issue, termination of a commercial relationship, suspicion of corruption, product incident or failure by a provider — may very quickly become complex disputes. The way in which they are documented in the first hours or days may determine the company’s ability to defend itself several years later.
The same logic applies to collective actions. An isolated incident must be analysed in light of its possible reproducibility. Are there other persons in a comparable situation? Can the alleged breach be formulated in general terms? Are the documents provided to clients, consumers or partners uniform? Can the position taken in one case be used against the company in a hundred others?
This change of scale requires companies to think of litigation strategy as a strategy of consistency. Consistency of documents. Consistency of decisions. Consistency of communications. Consistency of evidence. Consistency between regulatory requirements and litigation positions.
Conclusion
The next generation of corporate litigation will not be confined to the traditional categories of contractual, tortious or regulatory liability. It will increasingly concern the way in which companies identify, govern and document the complex risks to which they are exposed.
Climate, cyber, fraud, artificial intelligence, sanctions, collective actions and outsourcing do not belong to the same legal fields. They are governed by different texts, authorities and logics. But they have one thing in common: they transform internal compliance frameworks into objects of evidence and judicial debate.
In this environment, companies are not assessed only on the formal existence of policies or procedures. They are assessed on their coherence, implementation, traceability and ability to withstand judicial scrutiny.
Compliance must therefore be conceived as a defensible architecture. It must enable the company not only to prevent risks, but also to explain its choices, justify its priorities and demonstrate the reality of its efforts when litigation arises.
This is the main lesson of the new frontiers of corporate liability: litigation strategy begins before litigation. It begins when risks are mapped, policies are drafted, commitments are announced, providers are selected, incidents are handled and evidence is preserved.
The boundary between compliance and litigation has not disappeared. But it has become narrower, more fluid and more strategic. For companies, the issue is therefore no longer merely to comply. It is to build frameworks capable of being defended.
Julien Martinet
