A Vilnius-based group recently discovered that its Polish subsidiary had been operating without a whistleblower channel for over a year – a direct breach of Polish law that took effect in September 2024. The gap was found during a routine group-level audit, not by regulators. That distinction matters: had the National Labour Inspectorate (Państwowa Inspekcja Pracy, PIP) found it first, the exposure would have been immediate and personal for the subsidiary's board.

Lithuanian groups operating Polish subsidiaries must now align with three overlapping compliance frameworks: the Polish Whistleblower Protection Act (in force since September 2024), AML obligations under the Polish Anti-Money Laundering Act, and CSRD Poland reporting requirements phased in from 2025 onward. Each framework carries its own thresholds, deadlines, and enforcement bodies. Failure to implement a compliant programme before the applicable deadline triggers personal liability for board members and forfeits the subsidiary's ability to claim good-faith defence in regulatory proceedings.

This alert sets out what has changed, which Lithuanian subsidiaries are affected, and the concrete steps that must be taken now. The structure follows the three-framework logic: whistleblower compliance first, then AML, then ESG reporting obligations.

What has changed for Polish subsidiaries of Lithuanian groups?

Three regulatory events have converged in a short window. First, Poland's Whistleblower Protection Act came into force in September 2024, requiring entities with 50 or more employees to maintain an internal reporting channel. The National Court Register (Krajowy Rejestr Sądowy, KRS) is the reference point for verifying entity structure, and the PIP is the primary enforcement authority. Second, the Polish Financial Intelligence Unit (Generalny Inspektor Informacji Finansowej, GIIF) intensified AML supervision of foreign-owned entities in 2025, focusing on whether internal AML procedures reflect the actual ownership and transaction profile of the group. Third, CSRD Poland obligations now apply to large Polish entities – those exceeding two of three thresholds: 250 employees, EUR 50m turnover, or EUR 25m balance sheet total.

For Lithuanian groups, the combined effect is significant. A subsidiary that is large enough to trigger CSRD reporting is almost certainly also subject to the whistleblower channel requirement and enhanced AML scrutiny. These frameworks do not operate in silos. A compliance programme designed for one obligation will have gaps if it ignores the others. The irreversible consequence of a fragmented approach is that each regulator assesses its own framework independently – a clean AML file does not mitigate a whistleblower enforcement action.

One practical complication: Lithuanian parent entities often assume that group-level policies drafted under Lithuanian or EU law are sufficient for Polish subsidiaries. They are not. Polish law requires locally adapted procedures, in Polish, accessible to employees at the subsidiary level. A group policy hosted on a Vilnius intranet does not satisfy the PIP's requirements.

Which Lithuanian subsidiaries are affected – and by when?

The whistleblower channel obligation applies immediately to any Polish subsidiary with 50 or more employees. For subsidiaries with between 50 and 249 employees, the deadline was December 17, 2023 – meaning many are already in breach. Subsidiaries with fewer than 50 employees are exempt from the internal channel requirement but remain subject to AML and, where applicable, CSRD obligations. The personal liability of board members for non-compliance is not capped: under Polish corporate legislation, directors may be held personally responsible for regulatory fines and for damages suffered by employees who were denied a functioning reporting channel.

AML obligations apply to any entity classified as an "obligated institution" under Polish AML law – this includes financial intermediaries, real estate agents, accountants, and certain holding structures. Lithuanian groups with Polish subsidiaries in financial services or real estate should treat GIIF compliance as a priority. The GIIF can impose fines of up to PLN 1m per violation, and repeat failures can result in a public announcement of the breach – a reputational consequence that is genuinely difficult to reverse.

We secured a reversal of an AML-related administrative decision exceeding PLN 800,000 for a Baltic-owned financial services subsidiary in the Mazowieckie region (autumn 2025). The key was demonstrating that the internal AML procedure had been substantively updated before the inspection, even though the update had not yet been formally approved by the board. Timing the documentation correctly proved decisive.

CSRD Poland obligations phase in as follows: large public-interest entities (over 500 employees) report from financial year 2024; other large entities from 2025; listed SMEs from 2026. A Lithuanian group whose Polish subsidiary crosses the large-entity thresholds must begin ESG reporting for FY2025 – meaning the data collection infrastructure must be in place now, not at year-end.

What must Lithuanian subsidiaries do immediately?

The immediate action list is short but non-negotiable. First, verify the employee headcount and financial thresholds for each Polish entity in the group. This determines which frameworks apply and at what urgency level. Second, audit existing internal policies against Polish-law requirements – not group-level requirements. A policy gap analysis typically takes two to three weeks for a mid-size subsidiary. Third, implement or remediate the whistleblower channel. This means a written internal procedure, a designated recipient, a 7-day acknowledgement obligation, and a 3-month feedback obligation to the reporting person. Fourth, update the AML internal procedure to reflect the current ownership structure and transaction profile. Fifth, begin ESG data collection if the CSRD thresholds are met.

  • Confirm employee headcount and financial thresholds for each Polish entity
  • Conduct a Polish-law gap analysis of existing group compliance policies
  • Implement a locally adapted whistleblower channel with a designated recipient
  • Update the AML internal procedure to reflect current group structure
  • Begin ESG data collection infrastructure if CSRD thresholds are crossed

For comparison, Lithuanian groups with German subsidiaries face a structurally similar challenge – the interaction of local whistleblower law, AML, and supply-chain due diligence creates overlapping obligations that require coordinated programme design. Our analysis of that framework is available at compliance programme design for Germany subsidiaries in Poland. Groups operating across multiple CEE jurisdictions should also review compliance programme design for Czech Republic subsidiaries in Poland, where similar convergence issues arise. Lithuanian groups with Polish VAT and invoicing obligations should additionally consult our note on what KSeF means for your business in Lithuania, as digital reporting infrastructure intersects with compliance programme design.

The Warsaw compliance-law market has seen a sharp increase in gap-analysis mandates from Baltic groups since Q4 2024. The pattern is consistent: group legal teams underestimate the localisation requirement and overestimate the portability of EU-harmonised policies. Polish law is EU-harmonised in framework but highly specific in procedural detail.

We obtained interim protective measures for a Lithuanian manufacturing group's Polish subsidiary in Lower Silesia (winter 2025), preventing enforcement of an administrative penalty while a whistleblower procedure remediation was completed. The window for such interim relief is narrow – typically 14 days from the enforcement notice.

A specific situation facing your subsidiary requires an assessment before the next regulatory inspection cycle. Gaps identified internally can be remediated; gaps found by the PIP or GIIF create a record that follows the entity and its directors.

If your Lithuanian group's Polish subsidiary has 50 or more employees, operates in a regulated sector, or crosses CSRD thresholds – we will conduct a gap analysis, draft or remediate your internal procedures, and coordinate across all three frameworks: info@kordeckipartners.com.

Frequently asked questions

Q: Does a Lithuanian parent company's group whistleblower policy satisfy Polish law for its Polish subsidiary?

A: No. Polish law requires a locally adapted procedure, in Polish, accessible to employees at the Polish entity. A group policy hosted on a foreign intranet does not meet the requirements of the Polish Whistleblower Protection Act. The procedure must name a designated recipient within the Polish entity and set out the 7-day acknowledgement and 3-month feedback timelines explicitly.

Q: How long does it take to implement a compliant programme for a mid-size Polish subsidiary?

A: A gap analysis typically takes two to three weeks. Drafting and implementing a full programme – covering whistleblower, AML, and ESG data collection – takes four to eight weeks depending on the complexity of the group structure and the state of existing documentation. Entities already in breach should treat this as an urgent matter, not a scheduled project.

Q: Is it a common misconception that AML obligations only apply to financial institutions?

A: Yes, this is one of the most frequent misunderstandings. Polish AML law covers a broad range of "obligated institutions," including real estate intermediaries, accountants, tax advisors, and certain holding entities. Lithuanian groups with Polish subsidiaries in professional services or real estate should conduct an AML classification review before assuming the obligation does not apply.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to compliance programme design, ESG reporting, and AML advisory. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.