Compliance programme design for Luxembourg subsidiaries in Poland

A Luxembourg holding company with a Polish operating subsidiary faces a compliance gap that is easy to miss. The parent entity runs a well-documented programme under Luxembourg law. The Polish entity, however, sits inside a separate legal order – one that has added new obligations in quick succession since 2023. The gap between what Luxembourg requires and what Polish law now demands is widening.

Luxembourg subsidiaries operating in Poland must maintain a standalone compliance programme that satisfies Polish statutory requirements, not merely the parent's group policy. Three overlapping regimes now apply: the whistleblower protection framework under the Act on the Protection of Persons Reporting Breaches of Law, the ustawa o przeciwdziałaniu praniu pieniędzy i finansowaniu terroryzmu (Anti-Money Laundering and Counter-Terrorist Financing Act, AML Act), and the corporate sustainability reporting obligations flowing from the Corporate Sustainability Reporting Directive (CSRD). Each carries its own thresholds, deadlines, and penalties for non-compliance.

This alert explains what has changed, which Polish subsidiaries are affected, and what must be done – and by when. The structure follows the three-step logic of a compliance audit: identify applicable obligations, assess current gaps, and implement remediation within the statutory window.

What has changed for Polish subsidiaries of foreign groups?

Three legislative shifts, each arriving in a different year, now combine to create a materially heavier compliance burden. Polish whistleblower law entered into force in September 2024, requiring employers with 50 or more employees to establish an internal reporting channel and a written procedure. That threshold captures most Luxembourg subsidiaries with meaningful Polish operations. Failure to implement the channel within the statutory period exposes the company to a fine of up to PLN 40,000 per breach – and, critically, precludes the subsidiary from invoking the "good faith" defence in any subsequent employment dispute linked to a reported matter.

The AML Act, as amended, extended the list of obligated institutions and tightened the requirements for beneficial ownership verification. Polish subsidiaries of Luxembourg holding structures are frequently caught by the financial services carve-in or by the real estate and corporate services thresholds. Under the National Court Register (KRS) rules, beneficial ownership data must be updated within 7 days of any change. The Central Register of Beneficial Owners (CRBR) imposes a PLN 1,000,000 penalty ceiling for non-disclosure – an irreversible reputational and financial consequence that a group-level policy filed in Luxembourg does not resolve.

CSRD Poland obligations are phasing in from financial year 2024 onward for large public-interest entities, with the first wave of non-listed large companies following in 2025. A Luxembourg parent that already reports under CSRD must verify whether its Polish subsidiary qualifies as a large undertaking under Polish accounting law. If it does, the subsidiary needs its own ESG reporting infrastructure, not a reference to the group's consolidated report. The Polish Financial Supervision Authority (KNF) and the National Labour Inspectorate (PIP) are the primary enforcement bodies for the financial and employment-related layers respectively.

Which subsidiaries are affected and what must they do now?

Scope depends on three variables: headcount, financial thresholds, and sector. A subsidiary with 50 or more employees must have a whistleblower channel in place immediately – the September 2024 deadline has already passed. A subsidiary that qualifies as a large undertaking (balance sheet above EUR 20m or net turnover above EUR 40m, with more than 250 employees) faces CSRD reporting obligations for the 2025 financial year. Any subsidiary that falls within AML-obligated categories must maintain a written internal procedure, conduct ongoing customer due diligence, and appoint an AML compliance officer.

• Implement an internal whistleblower reporting channel (written procedure + secure channel) if headcount reaches 50.
• Register and maintain beneficial ownership data in the CRBR within 7 days of any structural change.
• Appoint an AML compliance officer if the subsidiary operates in an obligated sector.
• Map CSRD applicability against the Polish accounting law thresholds for the 2025 reporting year.
• Review the group compliance policy for gaps against Polish-specific requirements.

We secured a full remediation of an AML compliance gap – including CRBR re-registration and internal procedure drafting – for a Luxembourg-owned financial services subsidiary in the Mazowieckie region (autumn 2025). The matter was resolved before the Polish Financial Supervision Authority commenced a supervisory review, preserving the subsidiary's operating licence.

The practical risk for Luxembourg structures is that group counsel assumes Polish compliance is covered by the parent's programme. It is not. Polish law requires a locally adapted document, locally appointed officers, and locally maintained registers. A gap here forfeits the procedural defences available under each statute – and those defences cannot be reconstructed retroactively.

For subsidiaries operating in the technology or IP-intensive sector, the compliance design must also address data protection and intellectual property controls. Our analysis of IP protection strategy for Luxembourg tech companies in Poland sets out the additional layer that applies to those entities. For the AML layer specifically, the obligations that apply to Polish companies more broadly are examined in our guide on AML compliance obligations for Polish companies. Subsidiaries of Swiss groups face a structurally similar challenge, addressed in our note on compliance programme design for Switzerland subsidiaries in Poland.

We assisted a Luxembourg-owned manufacturing group in Silesia (spring 2025) in designing a unified compliance programme that satisfied Polish whistleblower law, AML requirements, and the CSRD pre-assessment process within a single project timeline of 10 weeks.

Specific compliance needs require a tailored assessment. Group policies drafted for Luxembourg law will not, without adaptation, satisfy the Polish statutory requirements described above. The window to remediate without penalty exposure is narrowing.

To receive an expert assessment of your subsidiary's compliance gaps, contact info@kordeckipartners.com.

Frequently asked questions

Q: Does our Luxembourg parent's whistleblower policy satisfy Polish law?

A: No. Polish whistleblower legislation requires a locally implemented internal reporting channel with a written procedure in Polish, covering the specific reporting categories defined under Polish law. A group policy drafted under Luxembourg law does not meet this requirement. The Polish subsidiary must adopt its own document and designate a person responsible for receiving reports.

Q: How long does it take to build a compliant programme from scratch?

A: A baseline programme covering whistleblower, AML, and CSRD pre-assessment can typically be designed and implemented within 8 to 12 weeks, depending on the subsidiary's size and sector. The critical path item is usually the AML internal procedure, which requires a risk assessment before the procedure can be finalised. Starting the process immediately avoids the penalty exposure that accrues from each day of non-compliance.

Q: Is CSRD reporting mandatory for all Luxembourg subsidiaries in Poland?

A: No. CSRD Poland obligations apply only to subsidiaries that qualify as large undertakings under Polish accounting law or that are listed on a regulated market. Smaller subsidiaries may still need to contribute data to the parent's consolidated sustainability report, but they are not independently required to publish a standalone sustainability statement unless they meet the relevant thresholds.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to ESG compliance, whistleblower programme design, AML advisory, and CSRD readiness. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Anna specialises in compliance, ESG, and internal investigations.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.