On paper, building an anti-corruption programme looks manageable. In practice, Polish law now imposes overlapping obligations drawn from criminal legislation, the whistleblower protection act, and incoming ESG reporting rules – and the gaps between them are where liability accumulates silently.

Poland's anti-corruption compliance framework combines criminal-law prohibitions on bribery with mandatory internal reporting channels required under the Whistleblower Protection Act (ustawa o ochronie sygnalistów) and emerging ESG disclosure obligations under CSRD Poland. Companies employing 50 or more people must maintain a functioning internal reporting channel or face fines reaching PLN 60,000 per violation. Failure to act before the applicable deadlines forfeits the most effective defence against corporate liability.

This alert covers three areas: what has changed in the legal framework, which organisations are affected and at what thresholds, and the immediate action items your compliance team should prioritise now.

What has changed in Poland's anti-corruption legal framework?

The foundation remains the Kodeks karny (Penal Code, KK), which criminalises both active and passive bribery in public and commercial settings. Penalties reach 12 years' imprisonment for aggravated cases. What is new is the layer of procedural obligations sitting on top of those prohibitions.

The Whistleblower Protection Act, which entered into force in September 2024, requires employers with at least 50 employees to establish a verified internal reporting channel. The National Labour Inspectorate (Państwowa Inspekcja Pracy, PIP) supervises compliance and may impose fines on organisations that fail to implement the channel or that retaliate against reporters. The PIP conducted its first round of inspections in early 2025.

Separately, the General Inspector of Financial Information (Generalny Inspektor Informacji Finansowej, GIIF) oversees AML obligations that intersect directly with anti-corruption work. Institutions subject to AML rules must identify beneficial owners, conduct enhanced due diligence on politically exposed persons (PEPs), and file suspicious activity reports. Failure to file triggers fines of up to EUR 1 million for regulated entities.

ESG reporting under CSRD Poland adds a third dimension. Large public-interest entities already report under the existing non-financial reporting rules. From financial year 2025 onwards, large companies meeting two of three size criteria – balance sheet above EUR 20m, turnover above EUR 40m, or more than 250 employees – must disclose anti-corruption and anti-bribery policies as part of their sustainability statement. That disclosure requirement creates a paper trail that regulators and counterparties will scrutinise.

Who is affected and what must they do immediately?

Three thresholds determine your obligations. First, 50 employees triggers the whistleblower channel requirement under the Whistleblower Protection Act. Second, 250 employees (or the financial thresholds above) triggers CSRD Poland sustainability disclosure. Third, operating in a regulated sector – banking, insurance, payment services, real estate brokerage – triggers AML compliance obligations regardless of headcount.

We secured a reversal of a regulatory penalty exceeding PLN 500,000 for a financial services client in the Mazowieckie region (spring 2025) by demonstrating that their internal reporting channel met the statutory requirements. The regulator's initial position was that the channel lacked the required confidentiality protections – a gap that a pre-inspection audit would have caught.

For organisations designing or reviewing their programmes, the immediate action list is short but non-negotiable:

  • Verify that your internal reporting channel covers corruption-related misconduct and meets the confidentiality requirements of the Whistleblower Protection Act.
  • Map your PEP exposure and confirm that enhanced due diligence procedures are documented and applied.
  • Review your CSRD Poland disclosure obligations for financial year 2025 – the reporting window opens in early 2026.
  • Conduct a gap analysis against the anti-corruption chapter of your ESG reporting framework before the disclosure deadline.

Our team obtained interim protection for a whistleblower at a manufacturing subsidiary in Lower Silesia (autumn 2025), preventing dismissal while a corruption investigation proceeded. The employer had failed to designate a confidential reporting channel, which the court treated as evidence of bad faith. That outcome – personal liability for the HR director and reputational damage to the parent – was entirely avoidable.

Foreign investors and subsidiaries face an additional layer. Parent-company anti-corruption programmes designed for French or German law do not automatically satisfy Polish requirements. The compliance programme design for France subsidiaries in Poland analysis sets out where the gaps typically arise. Separately, companies in financial difficulty should note that unresolved compliance failures can complicate restructuring proceedings in Poland – regulators treat an absent compliance programme as an aggravating factor in penalty assessments. For supply-chain exposure, the ESG due diligence in supply chains: Polish perspective guide addresses how anti-corruption requirements flow down to suppliers.

The compliance lawyer Warsaw market has seen a sharp increase in demand for gap analyses since the Whistleblower Protection Act inspections began. Waiting for an inspection notice before acting forfeits the ability to remediate voluntarily – and voluntary remediation is the single most effective mitigant in penalty negotiations.

A specific situation at your company requires an individual assessment before the next inspection cycle. Failing to act now precludes the voluntary remediation defence and may expose directors to personal liability under criminal law.

To receive an expert assessment of your anti-corruption compliance framework, contact info@kordeckipartners.com.

Frequently asked questions

Q: Does the whistleblower channel requirement apply to companies with fewer than 50 employees?

A: The Whistleblower Protection Act sets the threshold at 50 employees for mandatory internal channels. Companies below that threshold are not required to maintain a channel, but they remain subject to the Penal Code's bribery prohibitions and, if regulated, to AML obligations. Voluntary implementation of a channel is still advisable for smaller entities with significant public-sector exposure.

Q: How long does it take to implement a compliant internal reporting channel?

A: A basic channel covering the statutory minimum requirements can be operational within four to six weeks if the organisation has existing HR and legal capacity. A full programme – covering policies, training, investigation procedures, and CSRD Poland disclosure – typically takes three to four months. Starting after an inspection notice is issued is almost always too late to avoid a fine.

Q: Is an anti-corruption policy alone sufficient for CSRD Poland compliance?

A: No. CSRD Poland requires disclosure of both the policy and evidence of its implementation – including targets, monitoring mechanisms, and outcomes. A policy document without documented application will not satisfy the sustainability statement requirements. Auditors and the Financial Supervision Authority (Komisja Nadzoru Finansowego, KNF) will look for operational evidence, not just written commitments.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to ESG compliance, whistleblower protection, AML, and anti-corruption programme design. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.