A German parent company acquires a mid-sized Polish distributor. During integration due diligence, counsel discovers the target has no documented anti-corruption policy, no whistleblower channel, and no third-party vetting procedure. The parent's compliance officer asks a straightforward question: what does Polish law actually require, and what happens if the company does nothing?
Polish anti-corruption law draws on three interlocking sources: the Kodeks karny (Criminal Code, KK), the Ustawa o odpowiedzialności podmiotów zbiorowych (Act on Liability of Collective Entities, UOPZ), and EU-derived obligations including the whistleblower protection directive transposed in 2024. Liability can attach to the company itself – not just to individual managers – where an organisational failure enabled a corrupt act. Sanctions under the revised UOPZ reach up to PLN 30 million per offence, with additional consequences including debarment from public procurement.
This analysis covers the doctrinal architecture of the framework, the practical compliance obligations it generates, the cross-border dimension for foreign-owned Polish entities, and the strategic steps that reduce exposure. Each section is structured around the questions compliance officers and board members most frequently bring to us.
What is the legal foundation of anti-corruption liability in Poland?
Polish anti-corruption law operates on two levels. Criminal liability for individuals sits in the Criminal Code, while organisational liability – the mechanism that reaches the company's balance sheet – rests in the UOPZ. Understanding both is necessary before designing any compliance programme.
The Criminal Code distinguishes active bribery (offering or giving a material benefit) from passive bribery (soliciting or accepting one). Both carry custodial sentences. The concept of "benefit" is interpreted broadly by Polish courts: it encompasses not only cash but hospitality, employment offers, favourable contract terms, and other advantages. Liability extends to acts committed abroad by Polish nationals or by persons acting on behalf of Polish-registered entities – a point foreign investors routinely underestimate.
The UOPZ was substantially amended in 2022. Under the revised framework, a collective entity – meaning any legal person or organisational unit operating for profit – faces corporate liability when a natural person acting in its name or interest commits a prohibited act, and that act resulted from or was facilitated by a failure of organisation. The phrase "failure of organisation" is the doctrinal pivot. It means the company can be liable even if no individual within it has been convicted, provided a court finds that proper procedures would have prevented the offence. That is a material shift from the prior regime, which required a prior criminal conviction.
Two Polish institutions play central enforcement roles here. The Centralne Biuro Antykorupcyjne (Central Anti-Corruption Bureau, CBA) investigates corruption offences and may refer matters to prosecutors. The Prokuratura Krajowa (National Prosecution Service) handles the most serious cases, including those involving public officials. Both bodies have powers to request internal documentation, interview employees, and apply for asset freezes at short notice – making the absence of compliance records particularly damaging.
One concrete figure deserves emphasis: PLN 30 million is the maximum fine under the UOPZ for a single offence. That ceiling applies per prohibited act, not per investigation, so an entity facing multiple counts can face aggregate exposure that significantly exceeds this figure. Courts may also order dissolution of the entity in the most serious cases. The irreversible consequences of corporate debarment – which precludes participation in public tenders for up to five years – are felt immediately in sectors dependent on government contracts.
What compliance obligations does the whistleblower directive create?
Poland transposed the EU Whistleblower Protection Directive through the Ustawa o ochronie sygnalistów (Act on Protection of Whistleblowers, AoW), which entered into force in September 2024. For any entity employing 50 or more persons, the AoW mandates an internal reporting channel, a written procedure governing how reports are handled, and protection of the reporting person against retaliation. Non-compliance carries a fine of up to PLN 60,000 for the employer and up to PLN 30,000 for anyone who retaliates.
The reporting channel must meet specific technical and procedural standards. Reports may be made verbally, in writing, or through an electronic platform. The employer must acknowledge receipt within seven days and provide feedback to the whistleblower within three months. Anonymous reports do not have to be accepted, but if an entity chooses to accept them, it must have a procedure for handling them. Many organisations have found the anonymity question to be one of the most contested design decisions – employees distrust channels that do not offer anonymity, yet anonymous reports create investigative challenges.
Critically for anti-corruption purposes, the AoW expressly lists corruption offences among the areas covered by protected disclosures. A whistleblower who reports a bribery concern through an internal channel therefore receives full statutory protection. This creates a direct operational link between the whistleblower infrastructure and the anti-corruption programme: the two cannot be designed in isolation.
We assisted a technology services client in Mazowieckie (spring 2025) in designing a combined whistleblower and anti-corruption reporting structure. The client had previously operated a generic "ethics hotline" that was not compliant with the AoW and lacked a defined escalation path for corruption reports. Restructuring the system to meet the statutory requirements – including appointing a dedicated case handler and drafting a procedure approved by employee representatives – took approximately six weeks from instruction to go-live.
One misconception is worth addressing directly: some boards believe that outsourcing the reporting channel to a third-party provider fully discharges the legal obligation. It does not. The entity remains responsible for the procedure, the response timeline, and the protection of the whistleblower. The provider manages the technical infrastructure; the legal accountability stays with the employer. That distinction matters when the Państwowa Inspekcja Pracy (State Labour Inspectorate, PIP) conducts an audit.
How does AML intersect with anti-corruption compliance?
Anti-money laundering obligations under the Ustawa o przeciwdziałaniu praniu pieniędzy i finansowaniu terroryzmu (Anti-Money Laundering and Counter-Terrorism Financing Act, AML Act) interact with anti-corruption compliance at several pressure points. Bribery and corruption are predicate offences for money laundering under Polish and EU law. An entity that processes payments connected to corrupt acts – even unknowingly – may face liability under the AML Act as well as under the UOPZ.
Obligated institutions under the AML Act include banks, payment service providers, accountants, tax advisers, and lawyers conducting certain transactions. For these entities, the AML framework imposes customer due diligence, enhanced due diligence for politically exposed persons (PEPs), suspicious transaction reporting to the Generalny Inspektor Informacji Finansowej (General Inspector of Financial Information, GIIF), and internal AML procedures updated at least every two years. The GIIF has powers to freeze assets for 96 hours pending further investigation.
For companies outside the obligated-institution category, the AML intersection is less direct but remains relevant. Third-party due diligence – assessing whether agents, distributors, or joint venture partners may be conduits for corrupt payments – draws on AML methodology even where the AML Act does not directly apply. The key concepts of beneficial ownership verification, PEP screening, and adverse media checks are tools that anti-corruption programmes borrow from the AML world regardless of formal obligation.
The practical implication: an anti-corruption compliance framework that ignores AML methodology is incomplete. The reverse is equally true – an AML programme that treats corruption as someone else's problem misses the most common predicate. Integrated compliance design, where both streams share the same due diligence database and escalation path, avoids duplication and closes the gap between them.
What are the cross-border risks for foreign-owned Polish entities?
For a French or Romanian parent company with a Polish subsidiary, the compliance question has two dimensions: what Polish law requires of the subsidiary, and what the parent's home jurisdiction may require of the group as a whole. These often point in the same direction – but the gaps between them create exposure.
Poland's UOPZ applies to entities registered in Poland regardless of ownership. A Polish subsidiary of a foreign group is therefore subject to Polish corporate liability rules even if the group has a group-wide compliance programme governed by French or German law. Conversely, the parent may face liability in its home jurisdiction if it knew – or should have known – that its Polish subsidiary was engaging in corrupt practices. The UK Bribery Act's "adequate procedures" defence, for example, requires demonstrable group-wide controls, not merely a head-office policy.
The compliance programme design for France subsidiaries in Poland analysis on this site addresses the specific layering problem: how a French parent can structure its sapin II obligations alongside Polish UOPZ requirements without creating conflicting documentation. Similarly, the compliance programme design for Romania subsidiaries in Poland article examines how Romanian anti-corruption frameworks interact with Polish obligations for dual-registered groups.
One structural risk is worth naming explicitly: group-level compliance programmes often use a single code of conduct and a single reporting channel for all jurisdictions. Where that channel is operated from a non-EU country, it may not meet the technical and procedural requirements of the Polish AoW. The 50-employee threshold applies at entity level, not group level. A Polish subsidiary with 60 employees must have its own compliant channel – it cannot rely on a group channel based in, say, Singapore, unless that channel has been specifically adapted to AoW requirements.
We obtained a compliance gap assessment for a manufacturing group with subsidiaries in Lower Silesia (autumn 2024), identifying three areas where the group's global programme did not meet Polish UOPZ and AoW requirements. Remediation involved local policy amendments, appointment of a Polish-language case handler, and a revised third-party vetting procedure covering over 120 active suppliers. The group avoided a procurement disqualification that had been threatened by a public-sector client.
For decision-makers managing Polish exposure from abroad, the PIP enforcement powers in 2026 article provides relevant context on how Polish labour inspectors – who have audit rights relevant to whistleblower compliance – are expected to exercise those powers in the coming year.
How should a compliance programme be structured under Polish law?
A defensible anti-corruption compliance programme under Polish law has five core elements. Each element addresses a specific liability risk under the UOPZ or the AoW. Programmes that omit one element leave a gap that prosecutors and courts will identify.
The first element is a written anti-corruption policy. This document states the company's prohibition on bribery and facilitation payments, defines prohibited conduct with examples relevant to the sector, and identifies the persons responsible for implementation. It must be communicated to all employees and to relevant third parties. Polish courts look at whether the policy was genuinely embedded – not merely signed and filed.
The second element is a risk assessment. The UOPZ's "failure of organisation" standard implies that the company identified its corruption risks and addressed them proportionately. A risk assessment documents that process. It should cover geographic exposure, sector-specific risks (procurement, licensing, customs), and counterparty categories. For entities with public-sector clients, the risk profile is materially higher – and the assessment should reflect that.
Third is a third-party due diligence procedure. Corruption in Poland most commonly occurs through intermediaries: agents, consultants, and distributors who interact with public officials on behalf of the company. A due diligence procedure covering PEP connections, beneficial ownership, and adverse media checks – applied before onboarding and periodically thereafter – is the primary control for this risk. The procedure should set a proportionate threshold: enhanced due diligence for higher-risk counterparties, simplified for lower-risk ones.
Fourth is training. The UOPZ and case law both indicate that untrained employees cannot be expected to identify or resist corrupt solicitations. Annual training for all relevant staff, with documented completion records, is the baseline. Senior managers and procurement staff should receive enhanced training covering scenario-based exercises.
Fifth is the whistleblower channel, designed to meet AoW requirements as described above. The channel should be tested annually, and reports should be followed up within the statutory timelines.
- Written anti-corruption policy communicated to all staff and third parties
- Documented corruption risk assessment updated at least every two years
- Third-party due diligence covering agents, consultants, and distributors
- Annual training with completion records for all relevant personnel
- AoW-compliant internal reporting channel with a three-month feedback obligation
A compliance programme that includes all five elements does not eliminate liability. However, it materially reduces the probability of a finding of "failure of organisation" under the UOPZ and provides a documented basis for mitigation in sentencing. Polish prosecutors and courts do take compliance evidence into account when assessing corporate culpability – a programme that existed and was genuinely implemented is a meaningful mitigating factor, not merely a formality.
What is the strategic outlook for anti-corruption enforcement in Poland?
Polish anti-corruption enforcement is intensifying on two tracks simultaneously. Domestically, the CBA has expanded its investigative resources and is increasingly focusing on private-sector corruption rather than limiting itself to public official cases. Internationally, EU-level developments – including the proposed Anti-Corruption Directive and the CSRD Poland reporting requirements for large entities – are creating additional compliance obligations that overlap with the anti-corruption framework.
The CSRD Poland dimension is particularly significant for large entities already subject to sustainability reporting. The Europejskie Standardy Sprawozdawczości Zrównoważonego Rozwoju (European Sustainability Reporting Standards, ESRS) require disclosure of governance-related information including anti-bribery and anti-corruption policies, training coverage, and the number of confirmed corruption incidents. ESG reporting and anti-corruption compliance are therefore no longer separate workstreams – the reporting obligation forces companies to document and disclose the state of their compliance programme.
For companies not yet subject to CSRD mandatory reporting, the trajectory is clear. The threshold for mandatory ESG reporting will extend to smaller entities over the coming years. Building a documented compliance programme now – rather than as a crisis response to an enforcement action or a reporting deadline – is both strategically sounder and operationally cheaper. A programme built under pressure tends to be poorly designed and poorly embedded.
The enforcement outlook also points toward increased use of deferred prosecution-style mechanisms in Polish law. Amendments to the UOPZ and related procedural rules are expected to give prosecutors greater flexibility to resolve corporate liability cases through negotiated outcomes rather than full trials. That development favours companies that can demonstrate genuine compliance efforts: a documented programme, evidence of training, and records of internal investigations will all be relevant to any negotiated resolution.
For compliance lawyers advising Polish entities or foreign groups with Polish operations, the practical implication is that the question has shifted. It is no longer "does this company need a compliance programme?" – the answer to that question is almost always yes. The question is now "is this programme defensible under the UOPZ failure-of-organisation standard?" – and that requires a more granular analysis of programme design, documentation, and genuine implementation.
Frequently asked questions
Q: Does the UOPZ apply to a foreign company operating in Poland through a branch rather than a subsidiary?
A: A foreign company's branch registered in Poland is not a separate legal entity – it is an organisational unit of the foreign parent. The direct application of the UOPZ to a branch is narrower than to a subsidiary, but the foreign parent entity can face liability under the UOPZ if it conducts business activity in Poland and a prohibited act is committed in connection with that activity. Separately, the home-country anti-corruption legislation of the parent – such as the UK Bribery Act or the French Sapin II law – may apply extraterritorially to acts committed in Poland. A branch structure does not reduce group exposure; it shifts where the liability attaches.
Q: How long does a company have to implement a whistleblower channel after reaching the 50-employee threshold?
A: Under the Act on Protection of Whistleblowers, an entity that crosses the 50-employee threshold must implement a compliant internal reporting channel without undue delay. The law does not specify an exact number of days after the threshold is crossed, but regulators interpret the obligation as arising immediately upon the threshold being met. In practice, entities should treat the 50-employee point as the trigger and aim to have a compliant procedure in place within 30 days. Failure to implement a channel exposes the entity to a fine of up to PLN 60,000 per breach and creates a documented gap that would be unfavourable in any subsequent investigation involving a corruption report.
Q: Is a group-wide code of conduct sufficient to satisfy Polish anti-corruption requirements, or must there be a separate Polish document?
A: A group-wide code of conduct is a useful foundation but is not sufficient on its own. Polish law requires that the anti-corruption policy be communicated to employees in a way they can understand and act on – which in practice means a Polish-language document that addresses Polish-specific risks, references the applicable Polish legislation, and identifies the persons responsible within the Polish entity. A document published in English at group level and available on a global intranet does not meet this standard. The Polish entity must have localised documentation, even if it substantially mirrors the group policy. This is one of the most common compliance gaps we identify in cross-border integration projects.
To discuss how your company's compliance programme measures up against the UOPZ failure-of-organisation standard, contact info@kordeckipartners.com. Our team conducts compliance gap assessments and designs defensible programmes tailored to your sector and ownership structure.
If your organisation is facing an enforcement inquiry, a procurement disqualification threat, or a whistleblower report requiring investigation – situations where the absence of documented procedures becomes immediately consequential – reach out to info@kordeckipartners.com for a rapid initial assessment.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to ESG compliance, anti-corruption programme design, and internal investigations. We work with Polish entrepreneurs, foreign investors, and in-house legal teams navigating the intersection of Polish and EU compliance obligations. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.