On paper, building an anti-corruption compliance programme looks manageable. In practice, Polish companies frequently discover that the statutory requirements, internal procedures, and reporting obligations form a web that is far harder to untangle than any single regulation suggests. A manufacturing group with operations in three voivodeships, an IT company scaling across the European Union, and a foreign investor entering Warsaw's commercial property market each face distinct legal obligations – yet all share the same underlying question: where do we actually start?
An anti-corruption compliance framework under Polish law draws on several intersecting statutes: the Act on Liability of Collective Entities, the whistleblower protection law that entered into force in September 2024, AML obligations under the Anti-Money Laundering Act, and ESG reporting duties linked to CSRD Poland implementation. Together, these instruments require companies above specified thresholds to maintain documented internal procedures, appoint responsible persons, and run periodic risk assessments. Failure to act exposes the entity to fines, reputational damage, and – in the most serious cases – personal liability of management board members.
This guide walks through the framework step by step. It covers the legal instruments that apply, the build sequence for internal procedures, common design mistakes, and the specific considerations that arise for foreign investors and cross-border groups. Three concrete business scenarios illustrate how the rules operate differently depending on company size, sector, and ownership structure.
What legal instruments form the Polish anti-corruption framework?
Polish anti-corruption law is not codified in a single statute. Instead, it sits across four main pillars, each administered by a different authority. Understanding which pillar applies to your company – and in what combination – is the first analytical step. Getting this wrong at the outset means building procedures that are either over-engineered or dangerously incomplete.
The first pillar is the Ustawa o odpowiedzialności podmiotów zbiorowych (Act on Liability of Collective Entities, ALCE). Under this Act, a company can be held liable for corruption offences committed by persons acting on its behalf, provided the offence benefited the entity. Penalties reach PLN 10 million. The National Court Register (KRS) records enforcement actions, which creates a lasting reputational footprint. The Act was substantially amended in 2023, expanding the range of predicate offences and lowering the evidentiary threshold for prosecutors.
The second pillar is the whistleblower protection statute, which transposed the EU Whistleblowing Directive into Polish law. Companies with 50 or more employees were required to establish internal reporting channels by 25 September 2024. The Polish Labour Inspectorate (PIP) supervises compliance. Failure to implement a channel within 14 days of the statutory deadline can trigger fines of up to PLN 15,000 per incident under administrative proceedings.
The third pillar covers AML obligations. Under the Ustawa o przeciwdziałaniu praniu pieniędzy oraz finansowaniu terroryzmu (Anti-Money Laundering Act, AMLA), obligated institutions – including lawyers, accountants, real estate agents, and financial intermediaries – must conduct customer due diligence, maintain transaction records, and report suspicious transactions to the General Inspector of Financial Information (GIIF). The GIIF operates under the Ministry of Finance and has direct referral powers to law enforcement.
The fourth pillar is ESG reporting. CSRD Poland implementation means that large public-interest entities are already reporting on governance and anti-corruption measures under European Sustainability Reporting Standards. From the 2025 financial year, the obligation cascades to large companies meeting two of three size thresholds: 250 employees, EUR 50 million turnover, or EUR 25 million balance sheet total. The Polish Financial Supervision Authority (KNF) oversees listed entities within this framework.
How should a company build its compliance programme step by step?
A compliance programme that satisfies all four pillars simultaneously requires a sequenced build. The sequence matters because each layer depends on outputs from the previous one. Skipping the risk assessment and moving straight to drafting a code of conduct is one of the most common – and costly – mistakes we see in practice.
Step one is a risk mapping exercise. This means identifying all business processes that carry corruption exposure: procurement, sales commissions, public tender participation, customs clearance, and interactions with public officials. The output is a risk register scored by likelihood and impact. The register should be reviewed at least annually and updated after any material change in the company's activities. A manufacturing group in the Mazowieckie region reduced its audit findings by more than half after introducing a structured risk register in autumn 2024 – we supported that process from scoping through to board sign-off.
Step two is policy design. The core documents are: an anti-corruption policy, a gifts and hospitality register, a conflicts-of-interest declaration process, and a third-party due diligence procedure. Each document should map to a specific legal obligation rather than serving as a generic statement of intent. For whistleblower compliance, the internal reporting channel must specify at minimum: the persons authorised to receive reports, the 7-day acknowledgement deadline, and the 3-month response deadline mandated by the whistleblower statute.
Step three is implementation infrastructure. This includes designating a compliance officer (or an external compliance lawyer, whom Warsaw-based firms frequently engage for this role), setting up the reporting channel, and delivering mandatory training to all employees. Training records must be retained. Under the ALCE, demonstrating that the company took "due care" to prevent the offence is a partial defence – and documented training is central to that argument.
- Conduct a documented risk assessment before drafting any policy
- Appoint a named compliance officer with a written mandate
- Establish a whistleblower channel meeting the 7-day and 3-month deadlines
- Run and record annual anti-corruption training for all staff
- Review the risk register after any acquisition, new market entry, or regulatory change
Step four is monitoring and audit. An effective programme is not static. Internal audits should test whether procedures are actually followed – not just whether the documents exist. External counsel should conduct a gap analysis at least every two years. The ESG reporting obligation under CSRD Poland makes this cadence even more important, because auditors will scrutinise governance disclosures for consistency with internal procedures.
To receive an expert assessment of your company's compliance programme design, contact info@kordeckipartners.com.
What are the three business scenarios that shape programme design?
The legal obligations are the same across sectors, but the operational design of a compliance programme varies significantly depending on company profile. Three scenarios illustrate the most common configurations we work with.
Scenario one: Polish manufacturing group, 300 employees. A mid-sized manufacturer with public procurement contracts faces the full stack of obligations. The ALCE applies because the company regularly interacts with public officials in tendering processes. The whistleblower statute applies because the headcount exceeds 50. AML obligations apply if the company uses financial intermediaries or operates in sectors listed under the AMLA. The critical design question is third-party risk: subcontractors, agents, and logistics providers must be screened against a documented due diligence procedure. Without this, any corrupt act by a subcontractor can be attributed to the company under the ALCE.
Scenario two: IT company, 80 employees, EU cross-border sales. A technology firm selling software licences across the EU faces lighter procurement exposure but higher risk in sales commissions and channel partner arrangements. Gifts and hospitality controls are particularly important here because software sales cycles involve extended relationship-building with decision-makers at client organisations. The whistleblower channel must be accessible in all languages in which the company operates. For groups with subsidiaries in other EU member states, the channel design must satisfy the most stringent national transposition – which in some jurisdictions is stricter than the Polish baseline.
Scenario three: Foreign investor entering the Polish real estate market. A German investor acquiring a commercial property portfolio in Lower Silesia (for related structuring considerations, see our guidance on real estate law in Poland) faces a specific combination of AML obligations and anti-corruption requirements. Real estate transactions above EUR 10,000 in cash trigger AMLA reporting obligations. The investor's local advisers – lawyers, notaries, and real estate agents – are themselves obligated institutions under the AMLA and must conduct their own due diligence on the transaction parties. The investor should verify that its Polish counterparties have functioning AML procedures, because deficiencies on the seller's side can delay or complicate the transaction.
For companies with Ukrainian or CIS subsidiaries operating in Poland, a distinct set of cross-border compliance considerations applies – covered in detail in our guide on compliance programme design for Ukraine subsidiaries in Poland.
What are the most common compliance mistakes and how do you avoid them?
Most compliance failures we encounter are not the result of deliberate wrongdoing. They are design failures: procedures that exist on paper but have never been tested, risk assessments conducted once and never updated, or training delivered to headquarters staff but not to the field teams who actually carry corruption exposure.
The first category of mistake is scope error. Companies frequently underestimate which entities within their group are subject to the whistleblower statute. The 50-employee threshold applies per legal entity, not per group. A holding company with 40 employees and three subsidiaries each employing 20 people technically falls below the threshold at every level – but if those entities share management, the regulator may treat the group as a single economic unit. This is a live enforcement question, and the conservative approach is to implement group-wide channels regardless of individual headcount.
The second category is documentation failure. The "due care" defence under the ALCE requires the company to demonstrate that it had functioning procedures in place at the time of the alleged offence. A code of conduct signed by the CEO but never communicated to employees is not a functioning procedure. We obtained a reversal of an administrative penalty exceeding PLN 500,000 for a logistics client in the Pomerania region (winter 2025) precisely because the company could not produce training records showing that its anti-bribery policy had been communicated to the relevant employees.
The third category is third-party blind spots. Most corruption risk in Polish commercial practice does not arise from direct payments to officials. It arises through intermediaries: sales agents, customs brokers, public affairs consultants, and local fixers. A compliance programme that screens employees but ignores third parties leaves the most significant exposure unaddressed. Third-party due diligence should include a risk-scored questionnaire, verification against sanctions lists, and a contractual anti-corruption clause with audit rights.
The fourth category is static programme design. Regulatory requirements in this area are moving fast. AML compliance obligations for Polish companies have been updated multiple times in recent years – see our dedicated analysis, AML compliance obligations for Polish companies. A programme designed to the 2022 standard may already be non-compliant with 2024 obligations. Build in a mandatory annual review with a documented sign-off process.
Specific situations require tailored analysis. If your company has recently undergone an acquisition, expanded into new markets, or received a regulatory inquiry, the existing compliance architecture may not cover the new exposure profile.
To discuss how the current Polish anti-corruption framework applies to your specific situation, email info@kordeckipartners.com.
Frequently asked questions
Q: How long does it take to build a compliant anti-corruption programme from scratch?
A: For a single-entity company with 50 to 200 employees, a baseline programme covering the whistleblower channel, anti-corruption policy, and risk register typically takes between 6 and 12 weeks to design and implement. The timeline extends if the company has complex third-party relationships or operates across multiple jurisdictions. The whistleblower channel itself must be operational within the statutory deadline – companies that missed the September 2024 deadline are already exposed to administrative proceedings and should act immediately to remedy the gap.
Q: Does a small company with fewer than 50 employees need an anti-corruption compliance programme?
A: The whistleblower statute's mandatory channel requirement applies to companies with 50 or more employees. However, the Act on Liability of Collective Entities applies to all companies regardless of size. A company with 20 employees that participates in public procurement or interacts with public officials in the course of its business carries ALCE exposure. The practical answer is that some form of documented anti-corruption procedure is advisable for any commercially active entity – the scope and complexity should be proportionate to the actual risk profile, not to a one-size-fits-all template.
Q: Can the compliance programme be managed entirely in-house, or is external counsel necessary?
A: Many companies successfully manage day-to-day compliance in-house once the programme is designed and implemented. External counsel is most valuable at three points: initial design and gap analysis, periodic reviews (at least every two years), and when a specific incident or regulatory inquiry arises. A compliance lawyer based in Warsaw with knowledge of KNF, GIIF, and PIP enforcement practice adds particular value during regulatory contact – internal teams rarely have the procedural experience to manage those interactions effectively without support.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to ESG compliance, anti-corruption programme design, whistleblower framework implementation, and AML advisory. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.