A French parent company establishes a Polish subsidiary, assigns a local manager, and assumes the group's internal code of conduct will cover everything. Six months later, a whistleblower complaint arrives at the National Labour Inspectorate (PIP), and the subsidiary has no documented internal reporting channel, no designated compliance officer, and no evidence of employee training. The parent's French programme de conformité does not satisfy Polish statutory requirements. The gap is real, and the consequences are personal.

Designing a compliance programme for a French subsidiary operating in Poland requires mapping two overlapping legal frameworks. Polish law imposes its own obligations on whistleblower channels, anti-money laundering controls, and ESG reporting – independent of any French group policy. A subsidiary with fewer than 50 employees may avoid certain thresholds, but subsidiaries with 50 or more staff must implement an internal reporting channel within the deadlines set by the Polish Whistleblower Protection Act. Failure to do so carries fines of up to PLN 1.5 million and personal liability for the manager responsible.

This guide walks through the four stages of compliance programme design: regulatory mapping, structural build, documentation, and ongoing monitoring. It addresses the specific pressure points French parent companies face – Sapin II alignment, devoir de vigilance obligations, and the interaction with Polish corporate law under the Kodeks spółek handlowych (Commercial Companies Code, KSH). The guide also covers three business scenarios, a preparation checklist, and a FAQ section.

What regulatory framework applies to a French subsidiary in Poland?

The starting point is jurisdictional. A Polish-registered subsidiary – whether a spółka z ograniczoną odpowiedzialnością (limited liability company, Sp. z o.o.) or a spółka akcyjna (joint-stock company, S.A.) – is a separate legal entity governed by Polish law. French group policies apply contractually and structurally, but they do not replace Polish statutory requirements. This distinction matters for every compliance element: whistleblowing, AML, ESG reporting, and data protection.

Polish whistleblower law, adopted in 2024, transposes the EU Whistleblowing Directive and requires all private employers with 50 or more workers to establish an internal reporting channel. The National Labour Inspectorate (PIP) and the Office for the Protection of Personal Data (UODO) both have supervisory roles. Separately, the General Inspector of Financial Information (GIIF) oversees anti-money laundering (AML) obligations under Polish AML legislation. Each regulator operates independently of French authorities.

French law adds a second layer. The loi Sapin II requires French parent companies with over 500 employees and EUR 100 million in revenue to implement an anti-corruption programme covering subsidiaries. The loi sur le devoir de vigilance imposes supply chain due diligence obligations on large French groups. Both laws are enforced in France, but their practical effect reaches Polish operations through group governance. A compliance programme for a French subsidiary must satisfy both sets of rules simultaneously – and the requirements do not always align neatly.

For subsidiaries active in financial services, insurance, or real estate, AML obligations are particularly demanding. Obligated institutions under Polish AML law must appoint a compliance officer, implement customer due diligence procedures, and file suspicious transaction reports with the GIIF. The threshold for AML compliance status is sector-based, not purely headcount-based. This means a small but sector-active subsidiary can face the full AML compliance burden from day one.

How should the compliance programme be structured step by step?

A well-designed compliance programme follows four sequential stages. Each stage has a defined output document and a realistic timeline. Skipping a stage – or treating a French group template as a substitute for Polish-specific work – creates gaps that regulators will find. The full build, from regulatory mapping to first monitoring cycle, typically takes four to six months for a mid-size subsidiary.

Stage 1 – Regulatory mapping (weeks 1–4). Identify every Polish law that applies to the subsidiary's sector, headcount, and activities. Key instruments include the Whistleblower Protection Act, the AML Act, the Kodeks pracy (Labour Code), CSRD Poland reporting requirements for larger entities, and KSH governance rules. Map these against the French group's existing Sapin II programme. The output is a gap analysis document listing obligations not yet covered by group policy.

Stage 2 – Structural build (weeks 5–12). Appoint a local compliance officer or designate a senior manager. Draft Polish-language internal reporting channel procedures and register the channel with the PIP if required. Establish an AML compliance function if the subsidiary is an obligated institution. Adapt the group's code of conduct into a Polish-language version reviewed by local counsel. This stage costs between PLN 20,000 and PLN 60,000 depending on complexity.

Stage 3 – Documentation and training (weeks 13–20). Finalise all policy documents, obtain employee acknowledgements, and run at least one compliance training session. Training records are critical – they are the first thing a PIP inspector or a GIIF auditor requests. Document the training date, attendees, and content covered. For subsidiaries subject to CSRD Poland reporting, prepare the ESG data collection framework at this stage.

Stage 4 – Monitoring and review (from month 6 onward). Schedule an annual compliance review. Test the internal reporting channel with a simulated report. Update policies when Polish or EU law changes. The monitoring function does not need to be large – a quarterly review meeting with documented minutes satisfies most regulatory expectations for subsidiaries under 250 employees.

We assisted a French manufacturing client in the Mazowieckie region (autumn 2025) in completing all four stages within five months. The project involved aligning a Sapin II anti-corruption module with Polish whistleblower channel requirements and drafting bilingual documentation for a 120-person workforce.

What are the most common mistakes French subsidiaries make?

The most persistent mistake is assuming that a French group compliance programme is sufficient. It is not. Polish law requires Polish-language documentation, Polish-registered reporting channels, and compliance officers who understand local regulatory expectations. A French-language code of conduct distributed to Polish employees satisfies none of these requirements and forfeits the subsidiary's ability to demonstrate compliance to a PIP inspector.

The second common mistake involves the whistleblower channel deadline. Subsidiaries with 50 or more employees were required to have an operational internal channel in place by the deadlines set in the 2024 Act. Many French subsidiaries missed this date because the group's legal team treated it as a matter for French implementation only. The PIP can impose fines of up to PLN 1.5 million per violation. The manager responsible – often the local CEO or managing director – faces personal liability. This consequence is irreversible once a complaint is filed.

A third mistake is failing to appoint a local AML compliance officer for subsidiaries in obligated sectors. Polish AML law requires a named individual, not a group function based in Paris. The GIIF can sanction both the entity and the individual for this gap. Fines under the AML Act can reach PLN 5 million or 10% of annual turnover, whichever is higher.

Finally, many subsidiaries overlook ESG reporting obligations. Under CSRD Poland implementation, large subsidiaries of EU parent companies must prepare sustainability reports aligned with European Sustainability Reporting Standards (ESRS). The first reporting period for large companies began in 2024. Subsidiaries that have not started ESG data collection are already behind. The gap widens each quarter.

What the mistakes share is a common root: treating compliance as a group-level project rather than a local-entity obligation. The solution is a subsidiary-specific programme, built on Polish law and reviewed by a compliance lawyer based in Warsaw or otherwise familiar with Polish regulatory practice.

How do the three main business scenarios affect compliance design?

Compliance programme design is not uniform. The right structure depends on the subsidiary's sector, size, and operational model. Three scenarios illustrate the most common French-subsidiary profiles in Poland.

Scenario 1 – French manufacturing group, 150 employees, Silesia. This subsidiary is not an AML obligated institution. Its primary compliance obligations are the whistleblower internal reporting channel (mandatory above 50 employees), a Polish-language code of conduct, labour law compliance under the Labour Code, and CSRD Poland sustainability reporting if the parent is subject to CSRD. The Sapin II anti-corruption module must be adapted into Polish procedures and documented separately from the French version. Timeline: four months. Estimated build cost: PLN 30,000–45,000.

Scenario 2 – French fintech subsidiary, 30 employees, Warsaw. Headcount is below the 50-employee whistleblower threshold, but the subsidiary is an obligated institution under Polish AML law. Full AML compliance is mandatory from day one: customer due diligence, beneficial ownership verification, a named AML compliance officer, and GIIF reporting procedures. The absence of a whistleblower channel obligation does not reduce overall compliance cost – AML build alone costs PLN 25,000–50,000. The parent's Sapin II programme must also be adapted for local use.

Scenario 3 – French real estate investor, Sp. z o.o. holding structure, Małopolska. Real estate activity triggers AML obligated institution status under Polish law. The holding structure must have AML procedures even if it has no employees. Polish property acquisition rules also interact with compliance obligations – for background on property acquisition by French nationals, see our guide on buying property in Poland as a France national. The compliance programme here focuses on AML, beneficial ownership registers, and KSH governance documentation. Timeline: six to eight weeks for an AML-focused programme.

We helped a French real estate holding in Małopolska (winter 2025) establish an AML compliance function from scratch, including beneficial ownership registration with the Central Register of Beneficial Owners (CRBR) and a full set of internal AML procedures reviewed by local counsel.

What should a French subsidiary prepare before engaging a compliance lawyer?

Preparation reduces legal fees and shortens the build timeline. Before engaging a compliance lawyer in Warsaw or elsewhere in Poland, the subsidiary should gather the following materials. Having these documents ready at the first meeting typically saves two to three weeks of initial work.

  • The French parent's current Sapin II compliance programme (or summary) and any group code of conduct in force
  • The subsidiary's current headcount, sector classification, and a list of any regulated activities (financial services, real estate, insurance, payments)
  • Copies of any existing Polish-language internal policies, employment contracts, and management board resolutions
  • The subsidiary's most recent annual financial statements and, if available, any ESG reporting already prepared at group level
  • Contact details of the person who will serve as local compliance officer or the senior manager designated to hold that function

For subsidiaries that are part of a broader Central European structure, it is also worth reviewing compliance programmes already in place in comparable jurisdictions. Our guides on compliance programme design for Slovakia subsidiaries in Poland and compliance programme design for Luxembourg subsidiaries in Poland set out parallel frameworks that often share structural elements with a French-subsidiary programme.

A specific compliance situation carries consequences that group-level advice cannot prevent. The consequences of delayed action – a PIP fine, a GIIF sanction, or personal liability for the local manager – are irreversible: implementing a programme after a complaint is filed does not undo them.

To receive an expert assessment of your French subsidiary's compliance status in Poland, contact info@kordeckipartners.com.

Frequently asked questions

Q: Does our French parent company's Sapin II programme satisfy Polish whistleblower law?

A: No. French Sapin II requirements and Polish whistleblower obligations are separate legal frameworks enforced by different regulators. Polish law requires a subsidiary with 50 or more employees to establish its own internal reporting channel, registered and operated in Poland, with Polish-language procedures. A French group programme does not substitute for this requirement. The Polish National Labour Inspectorate assesses compliance at the subsidiary level, not the group level.

Q: How long does it take and what does it cost to build a compliance programme for a mid-size French subsidiary?

A: For a subsidiary of 50–200 employees in a non-AML-regulated sector, the build typically takes four to six months from initial gap analysis to operational programme. Legal and advisory costs range from PLN 25,000 to PLN 60,000 depending on the complexity of the French group structure, the number of policy documents requiring adaptation, and whether ESG reporting obligations apply. AML-regulated subsidiaries face additional cost for the AML compliance function build.

Q: Is it a misconception that small subsidiaries have no compliance obligations in Poland?

A: Yes, this is a common and costly misconception. Subsidiaries with fewer than 50 employees are exempt from the mandatory whistleblower channel requirement, but they are not exempt from AML obligations if they operate in a regulated sector, from KSH governance requirements, or from CSRD Poland reporting if the group meets the relevant thresholds. A 20-person fintech subsidiary can face the full AML compliance burden, including a mandatory named compliance officer and GIIF reporting, from the first day of operation.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to compliance programme design, ESG reporting, and AML advisory. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.
