A Kraków-based IT company wins a public tender worth PLN 8m. Three months later, the contracting authority launches an investigation after an anonymous tip alleges that a sales manager offered gifts to a procurement officer. The company has no written anti-corruption policy, no training records, and no whistleblower channel. The consequences reach beyond the contract itself – they extend to potential criminal liability for the company and personal liability for its board.
Polish anti-corruption law draws on several overlapping sources: the Kodeks karny (Criminal Code), the Act on Liability of Collective Entities, the Whistleblower Protection Act of 2024, and European Union directives transposed into domestic law. Together, these instruments create a framework under which companies that fail to implement adequate internal controls face fines of up to PLN 5m and a ban on public procurement participation. Building a compliant anti-corruption programme is not optional for medium and large enterprises operating in Poland.
This guide sets out the step-by-step process for constructing an anti-corruption compliance framework under Polish law. It covers the legal sources you must address, the practical steps for building internal controls, the three most common implementation mistakes, and answers to the questions clients most frequently ask. Three business scenarios – a manufacturing firm, an IT company, and a foreign investor – illustrate how the framework applies across different operating models.
What legal sources govern anti-corruption obligations in Poland?
Polish anti-corruption law is not contained in a single code. It emerges from at least four distinct layers of regulation, each imposing different obligations on different actors. Understanding which layer applies to your company is the first step in designing an effective programme. Failure to map the applicable sources correctly forfeits the "due diligence" defence available under the Act on Liability of Collective Entities.
The Criminal Code establishes the primary offences: active and passive bribery of public officials, commercial bribery between private parties, and trading in influence. These offences carry imprisonment of up to eight years for individuals. The company itself does not face Criminal Code prosecution directly – that is where the Act on Liability of Collective Entities enters.
The Act on Liability of Collective Entities (the "Collective Entities Act") allows Polish courts to impose fines on legal persons whose representatives commit corruption offences for the company's benefit. The fine ceiling is PLN 5m, and courts may additionally order a ban on public contracts for up to five years. The National Court Register (KRS) records such bans, making them publicly visible to all contracting authorities. A company can reduce its exposure by demonstrating that it had adequate internal controls in place before the offence occurred – this is the statutory due diligence defence.
The Whistleblower Protection Act, which entered into force in September 2024, requires companies with at least 50 employees to establish an internal reporting channel within three months of crossing that threshold. The Polish Labour Inspectorate (Państwowa Inspekcja Pracy, PIP) supervises compliance. Non-compliant employers face fines of up to PLN 30,000 per violation. Anti-money laundering obligations under the AML Act (implementing the EU's Sixth Anti-Money Laundering Directive) layer additional due diligence requirements onto obligated institutions, including law firms, auditors, and certain financial intermediaries.
For companies subject to ESG reporting under the CSRD as implemented in Poland – generally those with more than 250 employees or listed on a regulated market – anti-corruption metrics form part of the mandatory governance disclosures. The Polish Financial Supervision Authority (KNF) oversees listed entities, while the Office of Competition and Consumer Protection (UOKiK) monitors certain compliance-related market practices. Mapping all four layers before drafting your programme prevents gaps that prosecutors and regulators exploit.
How should a company build its anti-corruption compliance programme step by step?
Building an effective programme follows a defined sequence. Skipping steps – particularly the risk assessment – produces policies that look complete on paper but fail in practice. The typical implementation timeline for a mid-size company (100–300 employees) runs between 10 and 16 weeks from kick-off to first training cycle. Costs vary, but internal project teams typically budget PLN 40,000–80,000 for external legal support across the full build.
Step one is the corruption risk assessment. This involves mapping all business processes where employees interact with public officials, procurement counterparties, or third-party intermediaries. High-risk processes typically include sales, procurement, licensing, and government relations. The assessment should produce a risk register with likelihood and impact ratings for each identified exposure. A manufacturing firm in Silesia (autumn 2025) discovered during this phase that its logistics subcontractors were making informal payments to customs officers – a liability the company had not previously recognised.
Step two is policy drafting. The core documents are: an anti-corruption policy, a gifts and hospitality policy (with a specific monetary threshold – commonly PLN 200 per gift), a conflict-of-interest policy, and a due diligence procedure for third parties. Each policy must be written in plain language and translated into the working languages of all employees. Warsaw-based compliance lawyers recommend reviewing these documents against the Collective Entities Act's due diligence criteria before finalising.
- Anti-corruption policy – sets out prohibited conduct, escalation paths, and disciplinary consequences
- Gifts and hospitality register – records all items above the threshold; reviewed quarterly
- Third-party due diligence procedure – applies to agents, distributors, and joint-venture partners
- Conflict-of-interest declaration – completed annually by all employees in sensitive roles
- Whistleblower channel – established under the Whistleblower Protection Act within the statutory deadline
Step three is implementation: training, communication, and the launch of the internal reporting channel. Training must be role-specific. A procurement officer needs different content from a factory-floor employee. Records of attendance and assessment scores serve as evidence of due diligence in any subsequent investigation. The whistleblower channel must allow anonymous reporting and must be operated independently of line management – a requirement the PIP enforces actively.
Step four is monitoring and review. Programmes that are built once and never revisited fail audits and regulatory inspections. Schedule an annual review of the risk register, a biennial update of all policies, and a quarterly review of the gifts register. For companies subject to CSRD Poland reporting, anti-corruption programme data feeds directly into the governance section of the sustainability statement.
We assisted a German investor establishing a Wielkopolska subsidiary (winter 2025) in completing all four steps within 12 weeks, including alignment with the parent company's global compliance framework. The key was sequencing the risk assessment before any policy drafting – a step the client had initially proposed to skip.
Your company's specific risk profile determines which elements of this framework require the most investment. An inadequate programme – one that exists on paper but lacks training records or a functioning whistleblower channel – precludes the due diligence defence and leaves the board personally exposed.
To receive an expert assessment of your company's anti-corruption programme, contact info@kordeckipartners.com.
What are the three most common implementation mistakes?
Most compliance failures do not result from deliberate wrongdoing. They result from predictable errors in programme design. Identifying these errors before implementation is far cheaper than correcting them during a regulatory investigation. The three patterns below appear consistently across industries and company sizes.
The first mistake is treating the anti-corruption policy as a standalone document rather than a system. A policy that is not supported by a gifts register, a third-party due diligence procedure, and a functioning reporting channel is not a compliance programme – it is a document. Courts applying the Collective Entities Act look at the totality of controls, not just whether a policy document exists. Companies that rely on a single-page policy forfeit the due diligence defence entirely.
The second mistake is failing to cover third parties. Under Polish law, a company can be held liable for corrupt acts committed by agents, distributors, and consultants acting on its behalf. Third-party due diligence – including background checks, contractual anti-corruption representations, and periodic recertification – must be built into the procurement and sales onboarding processes. This is particularly relevant for foreign investors entering the Polish market through local intermediaries, a scenario addressed in our guide on compliance programme design for Ukraine subsidiaries in Poland.
The third mistake is neglecting the whistleblower channel. Many companies set up a reporting inbox that routes directly to the head of HR or the CEO – the precise individuals a reporter may wish to report about. The Whistleblower Protection Act requires the channel to be operated independently of line management and to guarantee confidentiality. Channels that fail this requirement expose the company to PIP fines and, more seriously, signal to investigators that the programme is not genuine.
A related error is worth flagging: companies implement a programme for the parent entity but fail to extend it to their Polish subsidiaries. The Collective Entities Act applies to each legal entity separately. A Polish subsidiary with no local programme cannot rely on its parent's group policy as a defence. For Czech-owned groups operating in Poland, we have addressed this gap in detail in our guide on compliance programme design for Czech Republic subsidiaries in Poland.
How do three business scenarios illustrate the framework in practice?
Abstract compliance requirements become clearer when mapped onto specific operating models. Three scenarios – manufacturing, IT, and a foreign investor – demonstrate how the same legal framework produces different practical priorities depending on the business.
A manufacturing company with 400 employees in Silesia faces its highest corruption risk in procurement and logistics. Its programme must prioritise supplier due diligence, a gifts register covering procurement staff, and training on customs-related payments. The Collective Entities Act's due diligence defence is particularly valuable here because procurement fraud is difficult to detect from the top. The company should also consider whether its size triggers CSRD Poland reporting obligations, which require anti-corruption metrics to be disclosed in the sustainability statement.
An IT company competing for public contracts faces a different risk profile. Its highest-risk interactions are with public procurement officers during the tender phase and with government IT departments during contract execution. The anti-corruption policy must explicitly address what hospitality is permissible during procurement processes – the answer is: very little. Polish public procurement law imposes a 30-day exclusion period during which any contact with procurement officers outside the formal process is prohibited. Breaching this rule voids the tender submission and may trigger a criminal referral.
A foreign investor entering Poland through a local distributor or agent faces the third-party risk described above, compounded by unfamiliarity with local norms. The investor's home-country compliance programme – whether built under the UK Bribery Act, the US Foreign Corrupt Practices Act, or a German internal controls standard – does not automatically satisfy Polish law requirements. The investor must conduct a gap analysis comparing its existing programme against the Collective Entities Act criteria and the Whistleblower Protection Act obligations. Sanctions screening obligations for intermediaries are addressed separately in our guide on sanctions screening obligations for Polish companies.
Across all three scenarios, the critical differentiator is documentation. A company that can produce a dated risk assessment, signed policy acknowledgements, training records, and whistleblower channel logs is in a fundamentally different legal position from one that cannot.
Implementing an anti-corruption programme that satisfies Polish law requirements across all three scenarios requires sequencing the right steps in the right order. Gaps at any stage – particularly in third-party controls or the whistleblower channel – are irreversible once an investigation begins.
If your company operates across multiple Polish entities or has foreign ownership and needs a programme aligned with both local and group requirements, our team will conduct the gap analysis, draft the core documents, and deliver role-specific training: info@kordeckipartners.com.
What should companies prepare before launching a compliance programme?
Preparation quality determines implementation speed. Companies that arrive at the first project meeting without basic documentation waste two to four weeks on information gathering that could have been completed beforehand. The checklist below reflects what our team requests at the outset of every compliance programme engagement.
- Organisational chart showing all entities in the Polish group and their employee headcounts
- List of all third-party intermediaries (agents, distributors, consultants) with contract summaries
- Any existing internal policies – even informal ones – relating to gifts, hospitality, or conflicts of interest
- Records of any prior regulatory inquiries, audits, or internal investigations in the past three years
- Details of any public contracts currently held or under tender, including the contracting authority
Beyond documentation, companies should identify an internal compliance owner before the project begins. This person does not need to be a lawyer. They need authority to require information from business units and to escalate issues to the board. Without a named owner, programmes stall at the implementation stage because no one has accountability for follow-through.
Timeline expectations also matter. A programme built in four weeks under deadline pressure will have gaps. The statutory 10-week implementation window under the Whistleblower Protection Act (for companies crossing the 50-employee threshold) is genuinely tight. Starting the legal analysis before the threshold is crossed is always preferable to starting after it.
Frequently asked questions
Q: Does a small company with fewer than 50 employees need an anti-corruption compliance programme?
A: The Whistleblower Protection Act's internal reporting channel requirement applies only to companies with 50 or more employees, so smaller companies are not subject to that specific obligation. However, the Collective Entities Act applies to all legal entities regardless of size – a company with 10 employees can still be fined up to PLN 5m if a representative commits a corruption offence for its benefit. Smaller companies should at minimum adopt a written anti-corruption policy and a gifts register. This creates a documented foundation for the due diligence defence without requiring the full programme infrastructure of a larger organisation.
Q: How long does it take and what does it cost to implement a compliant programme?
A: For a company with 100–300 employees and no existing compliance infrastructure, the typical timeline is 10–16 weeks from kick-off to first training cycle. External legal fees for the full build – risk assessment, policy drafting, training design, and whistleblower channel setup – generally range between PLN 40,000 and PLN 80,000, depending on complexity and the number of legal entities involved. Companies with existing group compliance frameworks that need Polish-law gap analysis only can expect a shorter engagement of four to six weeks. Annual maintenance – policy updates, training refresh, and monitoring review – typically costs PLN 10,000–20,000 per year.
Q: Is it a misconception that a group compliance policy covers Polish subsidiaries automatically?
A: Yes, and it is one of the most frequently encountered misconceptions in cross-border compliance work. The Collective Entities Act treats each Polish legal entity as a separate subject of liability. A Polish subsidiary cannot rely on its parent's group policy as a due diligence defence unless that policy has been formally adopted at the subsidiary level, translated into Polish, communicated to all employees, and supported by local training records and a locally operated whistleblower channel. Group policies that remain on a parent-company intranet – without local adoption steps – provide no statutory protection for the Polish entity.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to ESG compliance, anti-corruption programme design, and whistleblower channel implementation. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.