A Budapest-based group acquires a majority stake in a Polish distribution company. Within months, the subsidiary is processing payments, hiring staff, and handling personal data – yet no formal compliance programme exists. Polish regulators do not accept "we follow Hungarian group policy" as a defence. The subsidiary operates under Polish law, and Polish law sets its own obligations.
Designing a compliance programme for a Hungarian subsidiary in Poland requires mapping at least four distinct regulatory layers: anti-money laundering rules enforced by the General Inspector of Financial Information (GIIF), whistleblower protection obligations under the Act on the Protection of Persons Reporting Violations of the Law, ESG and sustainability reporting requirements under the Corporate Sustainability Reporting Directive (CSRD), and sector-specific rules supervised by the Polish Financial Supervision Authority (KNF). Each layer carries independent deadlines and penalties. Gaps between Hungarian group standards and Polish statutory requirements routinely trigger personal liability for board members of the Polish subsidiary.
This guide walks through the programme design process in four stages: legal mapping, structural build, implementation timeline, and ongoing monitoring. It also addresses the three most common business scenarios – a manufacturing subsidiary, an IT services entity, and a trading company – and flags the mistakes that generate the most exposure for Hungarian-owned groups.
What does Polish law require before you build anything?
Before drafting a single policy document, the subsidiary's management must understand which statutory regimes apply. Polish compliance obligations do not form a single code. They are scattered across at least six statutes, each enforced by a different authority. The National Court Register (KRS) records the entity's formal structure, but registration does not trigger automatic compliance status. Obligations attach based on activity, headcount, and revenue thresholds.
Whistleblower protection is mandatory for any private employer with 50 or more employees. The deadline to implement an internal reporting channel was June 2024. Companies that missed it face fines of up to PLN 1.5 million per violation. The channel must allow anonymous reporting, and retaliation against a reporting person is a criminal offence carrying up to three years' imprisonment for the responsible individual.
AML obligations under Polish anti-money laundering legislation apply automatically to entities classified as "obligated institutions" – including payment agents, currency exchange operators, and certain tax advisers. A Hungarian parent operating a fintech or payment-processing subsidiary in Poland almost certainly triggers GIIF supervision. The subsidiary must appoint a compliance officer, conduct customer due diligence, and file suspicious transaction reports. Failure to register with the GIIF where required exposes the entity to fines reaching PLN 5 million.
- Identify the entity's legal form and activity code (PKD) in the KRS
- Map headcount against the 50-employee whistleblower threshold
- Check whether payment or financial services activities trigger GIIF registration
- Assess annual net revenue against CSRD Poland reporting thresholds
- Review sector licences held by the parent that may extend to the Polish subsidiary
The mapping exercise typically takes two to four weeks for a single-entity subsidiary. Groups with multiple Polish entities should budget six to eight weeks. This phase is not optional – skipping it and building on assumptions is the single most common cause of programme failure in cross-border structures.
How should the programme be structured for a Hungarian-owned entity?
A compliance programme for a Hungarian subsidiary in Poland needs a dual architecture. The first layer aligns with the Hungarian parent's group framework – codes of conduct, anti-corruption policies, and group reporting lines. The second layer addresses Polish statutory requirements that cannot be satisfied by group policy alone. The two layers must interlock without contradiction, and where they conflict, Polish law prevails for the Polish entity.
The structural core consists of four components. First, a compliance function: either a dedicated compliance officer or a named responsible person within management. Polish whistleblower legislation requires the responsible person to be identified in the internal reporting procedure. Second, an internal reporting channel: technically secure, accessible to employees and contractors, and capable of receiving anonymous reports. Third, a risk register: documenting identified compliance risks, their likelihood, and the controls in place. Fourth, a training programme: documented, role-specific, and repeated at least annually.
We secured the implementation of a fully documented whistleblower and AML compliance programme for a Hungarian-owned manufacturing subsidiary in the Mazowieckie region (autumn 2025). The programme passed a KNF-adjacent regulatory review without material findings. The key was separating the group policy layer from the Polish statutory layer in a single, readable document set.
Hungarian groups frequently try to satisfy Polish requirements by translating their Budapest headquarters policy into Polish and declaring it adopted. This approach fails for two reasons. Polish whistleblower law requires the procedure to be agreed with employee representatives – a step that a translated Hungarian document cannot satisfy retrospectively. AML rules require the compliance officer to hold specific Polish-law qualifications in regulated sectors. Translation is not adoption.
For a detailed breakdown of ESG and compliance obligations under Polish law, the practice area overview sets out the current regulatory framework and upcoming changes through 2027.
What does the implementation timeline look like?
A realistic implementation timeline for a mid-size Hungarian subsidiary – between 50 and 250 employees, single activity, no GIIF registration required – runs to approximately 90 days. Larger or more complex entities, including those with financial services components, should plan for 120 to 180 days. The timeline below assumes a standing-start build rather than remediation of an existing programme.
Days 1 to 30 cover legal mapping and gap analysis. This phase produces a written report identifying which obligations apply, which are already satisfied by group policy, and which require standalone Polish measures. The gap analysis is the document that protects management if regulators ask what steps were taken and when. It also determines the budget for the remaining phases.
Days 31 to 60 cover drafting. The internal reporting procedure, the AML compliance manual (where applicable), the risk register, and the training materials are prepared. The internal reporting procedure must be submitted to employee representatives for consultation. They have up to 10 working days to respond. This consultation step delays many programmes – groups that skip it face procedural invalidity.
Days 61 to 90 cover rollout: management sign-off, employee communication, training delivery, and activation of the reporting channel. The reporting channel must be operational before the procedure is formally adopted. Testing the channel before go-live is not a formality – it is the only way to confirm that anonymous submissions are genuinely anonymised at the technical layer.
Costs vary by scope. A standalone whistleblower programme for a 50-person entity typically runs between PLN 8,000 and PLN 18,000 in external legal fees. Adding an AML layer doubles the estimate. Full ESG reporting integration for a CSRD-in-scope entity adds a further PLN 20,000 to PLN 50,000 depending on data infrastructure. These figures assume no prior programme exists and no regulatory proceedings are underway.
Which mistakes do Hungarian subsidiaries make most often?
Three patterns account for the majority of compliance failures in Hungarian-owned Polish subsidiaries. Each is preventable. Each carries consequences that cannot be undone once a regulatory inquiry begins – because the inquiry itself creates a record, and that record follows the entity.
The first mistake is treating Polish compliance as a translation exercise. Group policies drafted under Hungarian law do not satisfy Polish statutory requirements simply because they cover the same subject matter. The employee consultation requirement for whistleblower procedures, the specific GIIF registration forms, and the CSRD Poland reporting format are Polish-specific. No Hungarian equivalent substitutes for them.
The second mistake is underestimating the personal liability exposure of subsidiary directors. Under Polish corporate legislation, board members of a Polish subsidiary are personally liable for compliance failures that occur on their watch – even if the failure originated in a group decision made in Budapest. The subsidiary's management board signs the AML compliance manual. They appoint the compliance officer. They bear the personal consequences if those steps are omitted.
The third mistake is building the programme once and never updating it. Polish compliance obligations are changing rapidly. CSRD reporting requirements are expanding in scope through 2026 and 2027. Whistleblower protection rules are being interpreted by courts for the first time. The AML framework is being revised in line with EU AML Package updates. A programme that was adequate in 2024 may be deficient by the time a regulator reviews it in 2026. Annual review cycles are not optional.
Our team assisted a Hungarian IT services subsidiary in Małopolska (winter 2025) in remedying a programme that had been built from translated group documents. Three specific gaps were identified: no employee consultation record for the reporting procedure, no designated Polish-qualified AML officer, and no documented risk register. Remediation took six weeks. Had a GIIF inquiry been underway, remediation would not have been possible – the record of the gap would have remained.
For context on how cross-border insolvency intersects with compliance failures in Polish-Hungarian group structures, see our analysis of cross-border insolvency involving Poland and Hungary.
What should a compliance programme checklist include?
A working compliance programme for a Hungarian subsidiary in Poland should be documented, auditable, and role-specific. The following checklist covers the minimum viable programme for an entity with 50 or more employees and no GIIF registration requirement. Entities in regulated sectors need additional items.
- Written gap analysis signed by management, dated and version-controlled
- Internal reporting procedure adopted following employee consultation, with the consultation record attached
- Named compliance officer or responsible person identified in writing
- Reporting channel tested and operational before the procedure's effective date
- Annual training programme with attendance records for each session
For GIIF-registered entities, add: AML compliance manual, customer due diligence procedures, suspicious transaction reporting log, and documented staff AML training. For CSRD-in-scope entities, add: materiality assessment, sustainability reporting timetable aligned with the financial reporting calendar, and data collection procedures for each ESG reporting topic.
The checklist is also a self-assessment tool. If any item cannot be located or verified within 30 minutes of a regulator's request, the programme has an operational gap – regardless of what the policy documents say. Accessibility and retrievability are as important as the content of the documents themselves.
Three business scenarios illustrate how the checklist applies in practice. A manufacturing subsidiary with 150 employees and no financial services activity needs the core programme plus CSRD readiness planning if it is part of a group exceeding the CSRD thresholds. An IT services subsidiary with 60 employees processing payments for group entities likely triggers GIIF registration and needs the full AML layer. A trading company with 45 employees falls below the whistleblower threshold today but should build the programme voluntarily – the threshold may be lowered, and voluntary adoption is a mitigating factor in any future enforcement.
For a comparison with compliance programme design in another EU jurisdiction, the guide on compliance programme design for Italy subsidiaries in Poland sets out how the structural approach differs when the parent entity is subject to Italian rather than Hungarian group governance.
Frequently asked questions
Q: Can a Hungarian subsidiary rely on its parent company's ISO 37301 certification to satisfy Polish compliance requirements?
A: ISO 37301 certification is a useful governance signal but it does not satisfy Polish statutory obligations. Polish whistleblower protection law requires a specific internal procedure agreed with employee representatives – a certification does not substitute for that document. AML rules require registration with the GIIF and appointment of a qualified compliance officer. These are legal requirements, not quality standards, and they must be met independently of any certification held by the group.
Q: How long does it take to implement a whistleblower reporting channel, and what does it cost?
A: Technical implementation of a reporting channel typically takes five to ten business days once the vendor is selected. The legal preparation of the internal reporting procedure, including employee consultation, adds two to four weeks. Total elapsed time from instruction to go-live is typically six to eight weeks for a straightforward entity. External legal costs for the procedure alone range from PLN 5,000 to PLN 12,000 depending on entity complexity and whether the AML layer is included.
Q: Is it a common misconception that CSRD reporting applies only to listed companies?
A: Yes – this is one of the most frequent misunderstandings among Hungarian parent groups. CSRD Poland obligations extend to large non-listed undertakings meeting two of three criteria: more than 250 employees, net revenue exceeding EUR 40 million, or total assets exceeding EUR 20 million. A mid-size Polish subsidiary of a larger Hungarian group may cross these thresholds even if neither entity is publicly traded. The first reporting year for large non-listed entities under CSRD is 2025, with reports due in 2026.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to compliance programme design, ESG reporting, AML, and whistleblower protection. We work with Polish entrepreneurs, foreign investors – including Hungarian-owned groups – and in-house legal teams navigating multi-layer regulatory obligations. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.