A mid-sized logistics company operating out of Warsaw discovers, during a routine internal audit, that a procurement manager has been channelling contracts to a supplier in exchange for undisclosed payments. The company has no documented anti-corruption policy, no whistleblower channel, and no training records. Under Polish law, that gap is no longer merely a governance shortcoming – it now carries direct legal and financial consequences for the board.

Poland's anti-corruption compliance framework has tightened significantly following the transposition of the EU Whistleblowing Directive into the ustawa o ochronie sygnalistów (Whistleblower Protection Act), which entered into force in September 2024. Companies employing 50 or more workers must maintain an internal reporting channel and a written anti-retaliation procedure. Failure to do so exposes the organisation to criminal fines and personal liability of managing board members for each month of non-compliance.

This alert covers three areas: what the current framework requires, which entities are affected and at what thresholds, and the immediate action items that boards should complete before the next regulatory cycle. The analysis draws on the Whistleblower Protection Act, the Kodeks karny (Criminal Code), and the ustawa o odpowiedzialności podmiotów zbiorowych (Corporate Criminal Liability Act) – the last of which is currently under legislative revision that would dramatically expand enforcement reach.

What has changed in Poland's anti-corruption rules?

Three instruments now form the core of Poland's anti-corruption compliance architecture. The Whistleblower Protection Act, the revised Corporate Criminal Liability Act framework, and the ustawa o przeciwdziałaniu praniu pieniędzy i finansowaniu terroryzmu (Anti-Money Laundering and Counter-Terrorist Financing Act, AML Act) together create overlapping obligations. Each carries its own threshold, deadline, and enforcement body.

The Whistleblower Protection Act is the most immediate change. From September 2024, every employer with at least 50 employees must operate a functioning internal reporting channel. The channel must allow anonymous submissions, guarantee confidentiality of the reporter's identity, and produce a written acknowledgement within seven days of receipt. Follow-up action must be documented within three months. The National Labour Inspectorate (Państwowa Inspekcja Pracy, PIP) and the public prosecutor's office share enforcement authority.

The Corporate Criminal Liability Act revision – still moving through the Polish legislature as of early 2026 – would remove the current requirement that a natural person first be convicted before the company itself can be prosecuted. Under the proposed text, the company faces a fine of up to PLN 30 million if a management failure enabled the corrupt act. That single change converts compliance from a reputational exercise into a direct financial exposure. The General Prosecutor's Office (Prokuratura Generalna) would gain expanded investigative powers over corporate structures.

  • Whistleblower channel – mandatory for employers with 50+ employees from September 2024
  • AML obligated institutions – must appoint a compliance officer and conduct risk assessments annually
  • Corporate criminal liability – proposed fines up to PLN 30 million per offence
  • CSRD Poland reporting – anti-corruption metrics required in sustainability statements from 2025 for large listed entities
  • ESG reporting obligations – anti-bribery governance disclosures now part of ESRS S1 and G1 standards

We secured a compliance programme review and remediation plan for a manufacturing client in the Mazowieckie region (autumn 2025), identifying three structural gaps in their internal reporting chain that would have triggered PIP enforcement had they not been corrected before the inspection cycle.

Who is affected and what are the thresholds?

The Whistleblower Protection Act uses a tiered structure. Employers with 50 to 249 employees had until 17 December 2023 to implement internal channels – though enforcement has intensified since the Act's full entry into force in September 2024. Employers with 250 or more employees faced an earlier deadline. Municipalities with fewer than 10,000 inhabitants benefit from a temporary exemption, but private-sector entities do not. The threshold is calculated on a headcount basis, not revenue.

AML obligations apply to a defined list of obligated institutions under the AML Act. These include banks, payment institutions, insurance companies, auditors, tax advisers, legal professionals handling client funds, and real estate agents. For legal professionals, the trigger is involvement in transactions above EUR 10,000 in cash. Each obligated institution must maintain a written AML risk assessment, reviewed at least annually, and report suspicious transactions to the General Inspector of Financial Information (Generalny Inspektor Informacji Finansowej, GIIF).

For companies subject to CSRD Poland obligations, anti-corruption governance is now a mandatory disclosure item. Large listed entities preparing sustainability statements under the European Sustainability Reporting Standards (ESRS) must report on anti-bribery policies, training coverage, and confirmed incidents. That disclosure requirement creates a secondary compliance incentive: gaps visible in public ESG reporting attract regulatory and investor scrutiny simultaneously. A compliance lawyer, Warsaw-based or otherwise, advising on ESRS G1 should treat the anti-corruption section as a live legal risk, not a narrative exercise.

Foreign subsidiaries are not exempt. A Netherlands-based parent operating a Polish subsidiary falls within the Polish framework if the subsidiary meets the employee threshold. For structuring considerations relevant to that scenario, see our analysis of compliance programme design for Netherlands subsidiaries in Poland. Czech-parent structures face equivalent obligations, addressed in our note on compliance programme design for Czech Republic subsidiaries in Poland.

What immediate action is required?

Boards that have not yet implemented a compliant internal reporting channel are already in breach. The immediate priority is a three-step remediation sequence: document the channel, train the personnel responsible for handling reports, and test the system with a simulated submission. That sequence should be completed within 30 days. Delay is not a neutral choice – each month without a compliant channel is a separate infringement under the Whistleblower Protection Act, and PIP has begun issuing fines in the range of PLN 5,000 to PLN 30,000 per case.

For entities within the AML Act's scope, the annual risk assessment review is the second priority. The assessment must be updated whenever there is a material change in the business – a new product line, a new jurisdiction, or a change in ownership structure. Failure to maintain a current assessment forfeits the company's ability to invoke a compliance defence in enforcement proceedings before the GIIF.

We assisted a technology services client in Małopolska (spring 2026) in restructuring its AML compliance documentation after a GIIF preliminary inquiry identified outdated risk classifications. The remediation, completed within six weeks, avoided a formal enforcement referral.

The checklist below captures the minimum actions required before the next regulatory review cycle:

  • Implement or audit the internal whistleblower reporting channel (50+ employee threshold)
  • Appoint or confirm an AML compliance officer and update the annual risk assessment
  • Adopt a written anti-corruption policy signed by the management board
  • Conduct anti-corruption training and retain attendance records

Foreign investment screening by the Office of Competition and Consumer Protection (Urząd Ochrony Konkurencji i Konsumentów, UOKiK) adds a further compliance dimension for acquisitions in sensitive sectors. Anti-corruption due diligence is now a standard component of UOKiK pre-clearance review. For the procedural framework, see our note on foreign investment screening in Poland and UOKiK powers.

Boards that treat anti-corruption compliance as a documentation exercise rather than an operational system face the sharpest exposure. The combination of the revised Corporate Criminal Liability Act, active PIP enforcement, and CSRD Poland ESG reporting requirements means that a compliance gap is now simultaneously a criminal, administrative, and reputational risk. Personal liability of directors for enabling a compliance failure is no longer a theoretical outcome – it is an enforcement tool that prosecutors are actively using.

Your company's specific situation determines which obligations apply first and how quickly the exposure becomes irreversible. A delayed implementation of the whistleblower channel or an outdated AML risk assessment can preclude access to compliance defences in enforcement proceedings – consequences that cannot be undone after the investigation opens.

If your organisation employs 50 or more people in Poland, operates as an AML-obligated institution, or prepares CSRD-aligned ESG reporting, we will assess your current compliance architecture, identify gaps against the Whistleblower Protection Act and AML Act requirements, and deliver a prioritised remediation plan: info@kordeckipartners.com.

Frequently asked questions

Q: Does the whistleblower channel requirement apply to Polish branches of foreign companies?

A: Yes. The Whistleblower Protection Act applies to all employers operating in Poland, including branches and subsidiaries of foreign entities, provided the 50-employee threshold is met. The headcount calculation includes workers employed at the Polish establishment, regardless of where the parent entity is incorporated. Branches that share a reporting channel with the parent must ensure the channel meets Polish procedural requirements, including the seven-day acknowledgement deadline and the three-month follow-up obligation.

Q: How much time does a company have to respond to a whistleblower report?

A: Under the Whistleblower Protection Act, the company must acknowledge receipt within seven days and complete follow-up action – meaning a documented response to the substance of the report – within three months of acknowledgement. That three-month window is a hard deadline, not a target. Missing it constitutes a separate infringement, independent of whether the underlying report was substantiated. Companies should build a case-management workflow that tracks both deadlines automatically.

Q: Is an anti-corruption policy the same as an AML programme?

A: No – and conflating the two is a common misconception. An AML programme addresses the specific obligations of institutions listed in the AML Act: risk assessment, transaction monitoring, suspicious activity reporting to the GIIF, and customer due diligence. An anti-corruption policy addresses bribery prevention, gifts and hospitality rules, third-party due diligence, and internal reporting. Both are required for many regulated entities, but they operate under different statutes, have different enforcement bodies, and require separate documentation. A single "compliance policy" document rarely satisfies both sets of requirements.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to ESG compliance, anti-corruption programme design, and whistleblower framework implementation. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.