On paper, the procedure looks straightforward. In practice, Polish anti-corruption compliance has become one of the fastest-moving areas of business law – and the gap between what companies think they have in place and what regulators expect is widening every quarter.

Polish anti-corruption law draws on three overlapping frameworks: the Criminal Code provisions on bribery, the Act on Counteracting Money Laundering and Terrorist Financing (ustawa o przeciwdziałaniu praniu pieniędzy i finansowaniu terroryzmu, AML Act), and the whistleblower protection regime introduced by the Act on the Protection of Whistleblowers (ustawa o ochronie sygnalistów) that entered into force in September 2024. Companies with 50 or more employees must maintain internal reporting channels. Failure to do so triggers fines of up to PLN 1.5 million per violation. The obligation is not optional – it is a compliance baseline.

This alert covers three areas: what has changed in the regulatory framework, which companies are affected and at what thresholds, and what immediate steps boards and compliance teams should take before the next supervisory cycle begins.

What has changed in Poland's anti-corruption framework?

The most significant shift is the convergence of three previously separate compliance tracks into a single supervisory expectation. The Centralne Biuro Antykorupcyjne (Central Anti-Corruption Bureau, CBA) has expanded its cooperation with the Generalny Inspektor Informacji Finansowej (General Inspector of Financial Information, GIIF) and the Komisja Nadzoru Finansowego (Polish Financial Supervision Authority, KNF). Regulators now cross-reference AML transaction monitoring, whistleblower channel data, and corporate governance disclosures in a single risk profile for each supervised entity.

The whistleblower protection law is the most operationally demanding change. Companies with 50 or more employees were required to establish internal reporting channels by 25 September 2024. Those with 250 or more employees faced an earlier deadline. Both groups must now maintain a documented procedure, designate a responsible person or unit, and confirm receipt of each report within seven days. Failure to acknowledge a report – or to take follow-up action within three months – constitutes a separate statutory violation.

CSRD Poland obligations add a further layer. Under the Corporate Sustainability Reporting Directive as transposed into Polish law, large public-interest entities must disclose anti-corruption and anti-bribery policies, targets, and outcomes in their sustainability reports. For financial years beginning 1 January 2024, this is already mandatory for the largest companies. Smaller entities follow in 2025 and 2026. ESG reporting is no longer a voluntary narrative – it is a compliance document subject to audit.

We secured a reversal of a regulatory penalty exceeding PLN 800,000 for a manufacturing client in the Mazowieckie region (autumn 2025) by demonstrating that the company had implemented a documented anti-corruption programme before the inspection date. Documentation timing matters as much as substance.

Who is affected and what are the thresholds?

Three company profiles face the highest immediate exposure. First, entities classified as obligated institutions under the AML Act – banks, payment institutions, auditors, tax advisors, and real estate agents – must maintain anti-corruption controls as part of their AML compliance programme. The GIIF can impose fines of up to PLN 5 million or 10% of annual turnover, whichever is higher. Second, companies with 50 or more employees must operate a whistleblower channel regardless of sector. Third, companies subject to CSRD Poland reporting must document anti-corruption policies with measurable indicators.

Foreign-owned subsidiaries face a compounding risk. A Dutch or German parent subject to its own anti-bribery regime – whether the UK Bribery Act, the US Foreign Corrupt Practices Act, or local equivalents – cannot simply export its group policy into Poland and assume compliance. Polish law requires a locally adapted procedure, registered with the Krajowy Rejestr Sądowy (National Court Register, KRS) governance documents where relevant, and capable of demonstrating local implementation. For guidance on structuring compliance programmes for Netherlands subsidiaries operating in Poland, see our compliance programme design guide.

The threshold question also arises in property transactions. Beneficial ownership verification requirements under the AML Act apply to real estate purchases above EUR 10,000 in cash. Any professional involved in such a transaction – including legal advisors – becomes an obligated institution. For a full analysis of AML obligations in property contexts, our property purchase guide sets out the relevant steps.

  • 50+ employees: mandatory internal whistleblower reporting channel
  • 250+ employees: earlier implementation deadline (already passed)
  • AML obligated institutions: fines up to PLN 5 million or 10% of turnover
  • CSRD-in-scope companies: mandatory anti-corruption disclosure from 2024 onward
  • Real estate transactions above EUR 10,000 in cash: beneficial ownership check required

Our team obtained interim protection for a compliance programme audit for an IT services company in Lower Silesia (spring 2026), preventing a supervisory finding from escalating into a formal enforcement action. Early engagement with the regulator – before the inspection closes – is almost always more effective than a post-decision appeal.

What should your company do now?

Three immediate actions should be completed before the next supervisory cycle. First, audit your whistleblower channel. Confirm that the procedure is documented, that a responsible person is designated, and that the seven-day acknowledgement and three-month follow-up timelines are built into your workflow. A channel that exists on paper but is not operationally tested will not satisfy a CBA or labour inspectorate review.

Second, map your AML exposure. If your company falls within the definition of an obligated institution under the AML Act, your anti-corruption controls must be integrated into your AML risk assessment – not maintained as a separate document. The GIIF expects a unified compliance framework. For a full breakdown of AML compliance obligations for Polish companies, see our AML compliance guide.

Third, review your CSRD Poland disclosure obligations. If your company is in scope for financial year 2024 or 2025, your anti-corruption policy must contain specific targets and outcome indicators – not general statements of intent. A compliance lawyer Warsaw-based or otherwise advising on ESG reporting should confirm whether your current disclosure meets the audit standard.

What to prepare before your next compliance review:

  • Written internal reporting procedure with named responsible person
  • Log of reports received, acknowledgement dates, and follow-up actions
  • AML risk assessment updated to reflect anti-corruption controls
  • CSRD anti-corruption policy with measurable indicators and prior-year comparison
  • Training records for employees with access to the reporting channel

Personal liability for board members is a real exposure here. Under Polish corporate legislation, directors who fail to implement legally required compliance measures can face personal liability for resulting damages. That risk is not theoretical – the CBA has opened enforcement files against individual managers, not just companies. The window to remediate before an inspection is finite. Once a supervisory visit begins, the company's ability to demonstrate good faith is significantly reduced.

Specific compliance gaps in your company's anti-corruption framework may have irreversible consequences if left unaddressed before a regulatory inspection. A documented programme implemented after an enforcement action has been opened carries far less weight than one already in place.

If your company has 50 or more employees, operates as an AML-obligated institution, or falls within CSRD Poland scope – we will review your existing framework, identify gaps against current regulatory expectations, and deliver a prioritised remediation plan: info@kordeckipartners.com.

Frequently asked questions

Q: Does a small company with fewer than 50 employees need an anti-corruption compliance programme?

A: The whistleblower channel obligation applies only from 50 employees. However, the Criminal Code provisions on bribery apply to all companies regardless of size. Any company operating in a regulated sector – financial services, real estate, auditing – will also fall within AML Act obligations. A basic anti-corruption policy is advisable even below the 50-employee threshold, particularly if the company works with public procurement contracts.

Q: How long does it take to implement a compliant whistleblower channel?

A: A documented internal reporting procedure can be implemented in four to six weeks if management is engaged and a responsible person is designated from the outset. The procedure must be consulted with employee representatives or trade unions before adoption, which adds time. Companies that have not yet implemented their channel are already in breach and should treat this as an urgent remediation item.

Q: Is a group-level anti-corruption policy sufficient for a Polish subsidiary?

A: A group policy is a starting point, not a substitute for local compliance. Polish law requires a locally adapted procedure that reflects Polish legal obligations – including the whistleblower Act, the AML Act, and CSRD Poland requirements where applicable. The procedure must be accessible to employees in Polish and must designate a local responsible person. Regulators will not accept a reference to a parent company document as evidence of local compliance.

About KORDECKI & Partners

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to ESG compliance, anti-corruption frameworks, whistleblower programme design, and AML advisory. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.