A Dutch parent company sets up a Polish subsidiary, assigns a local manager, and assumes the group compliance manual will cover everything. Twelve months later, the Polish subsidiary faces a whistleblower complaint, a Polish Financial Supervision Authority (KNF) inquiry, and a gap audit from the Dutch headquarters – none of which the group manual addressed. The cost of remediation exceeded the original compliance budget threefold.
Designing a compliance programme for a Netherlands subsidiary operating in Poland requires mapping two distinct legal frameworks onto a single operating entity. Polish law imposes its own whistleblower protection rules, anti-money laundering obligations, and ESG reporting duties that differ materially from Dutch requirements. A programme that satisfies only the Dutch parent's standards will leave the Polish entity exposed to regulatory action, personal liability for board members, and reputational loss that cannot be reversed once a public enforcement proceeding begins.
This guide walks through the step-by-step design of a compliant programme: statutory foundations, structural elements, timeline and cost benchmarks, three business scenarios drawn from manufacturing, IT, and foreign-investor contexts, and the most common mistakes that Dutch-owned subsidiaries make in the Polish market. It also addresses the cross-border tension between Dutch group policies and Polish mandatory law – a tension that affects every Netherlands subsidiary registered with the National Court Register (KRS).
What statutory obligations govern a Polish subsidiary of a Dutch parent?
Polish law imposes compliance obligations through several overlapping regimes. The Ustawa o sygnalistach (Whistleblower Protection Act) requires entities with 50 or more employees to operate an internal reporting channel and a written procedure for handling reports. Separately, the Ustawa o przeciwdziałaniu praniu pieniędzy (Anti-Money Laundering Act, AML Act) designates certain businesses as obligated institutions subject to KYC, transaction monitoring, and AML officer requirements. The Polish Financial Supervision Authority (KNF) enforces AML obligations in the financial sector, while the General Inspector of Financial Information (GIIF) supervises broader AML compliance across industries.
For subsidiaries that consolidate into a Dutch group subject to the Corporate Sustainability Reporting Directive (CSRD), Polish law adds ESRS implementation duties at the entity level. The National Court Register (KRS) records the subsidiary's statutory data, and any structural compliance decisions – such as appointing a compliance officer as a proxy – must be reflected there. Three Polish institutions therefore appear on every compliance map: KNF, GIIF, and KRS.
The key threshold figures matter. The whistleblower channel obligation applies from 50 employees. AML registration as an obligated institution depends on business activity type, not headcount. CSRD reporting thresholds follow EU size criteria: more than 250 employees, EUR 40m net turnover, or EUR 20m balance sheet total. A subsidiary below all three CSRD thresholds may still face group-level reporting obligations because the Dutch parent consolidates the Polish entity's data.
- Whistleblower channel: mandatory from 50 employees, written procedure required
- AML officer: required for all obligated institutions regardless of size
- CSRD entity-level reporting: triggered by EU size thresholds
- KRS registration of compliance proxies: within 7 days of appointment
- Internal audit cycle: at least annual under Polish corporate governance norms
Dutch group policies frequently reference GDPR and the Dutch Corporate Governance Code. Both apply in Poland, but the GDPR's implementation through Polish supervisory practice at the Personal Data Protection Office (UODO) differs from Dutch practice. A compliance programme must therefore specify which standard prevails when the two diverge – and Polish mandatory law always prevails over group policy for Polish-law obligations.
How should a Netherlands subsidiary structure its compliance programme step by step?
The design process follows six stages, each with a defined output and a realistic timeline. A subsidiary starting from scratch should budget 16 to 20 weeks for full implementation. Rushing the process below 12 weeks increases the risk of procedural gaps that regulators identify immediately during an inspection.
Stage one is a gap analysis against Polish mandatory requirements. This takes two to three weeks. The output is a written gap report that identifies which Dutch group policies satisfy Polish law, which require local supplements, and which conflict with Polish mandatory rules. Our team completed a gap analysis for a logistics subsidiary in the Mazowieckie region (winter 2025), identifying 14 gaps between the Dutch group manual and Polish AML Act obligations – gaps that had accumulated over three years of assumed equivalence.
Stage two is programme architecture. The compliance lawyer in Warsaw drafts the core documents: the internal reporting procedure, the AML risk assessment, the conflicts-of-interest policy, and the data protection addendum. Each document references the applicable Polish statute in the preamble and the corresponding Dutch group policy in the appendix. This dual-reference structure allows auditors from both jurisdictions to verify compliance without translating between frameworks.
Stage three covers structural appointments. The subsidiary must designate a compliance officer (or confirm the group CCO's authority over Polish operations), appoint an AML officer as required by the AML Act, and register any proxy appointments with KRS within 7 days. For subsidiaries in the financial sector, KNF notification may also be required within 14 days of appointment.
Stage four is training. Polish law requires documented training for all employees on whistleblower channels and for designated staff on AML procedures. Training records must be retained for at least 5 years under AML Act requirements. Stage five is testing – a tabletop exercise simulating a whistleblower report and an AML suspicious-transaction scenario. Stage six is an annual review cycle, with a formal update triggered whenever Polish law changes or the Dutch parent revises its group compliance framework.
For a detailed breakdown of the steps that feed into the ESG reporting component of this programme, see our analysis of ESRS implementation steps for Polish reporting entities.
What are the most common compliance mistakes Dutch subsidiaries make in Poland?
Three patterns appear repeatedly. Each forfeits a specific legal protection that a properly designed programme would preserve. Losing that protection is rarely reversible once enforcement begins.
The first mistake is treating the Dutch whistleblower procedure as sufficient. The Polish Whistleblower Protection Act requires the company to consult its trade union or employee representatives on the internal reporting procedure before adoption. A procedure adopted without this consultation step is invalid. An invalid procedure means the subsidiary has no functioning internal channel – and the personal liability of board members for failing to establish one attaches from the moment the obligation arises, not from the moment a complaint is filed.
The second mistake is misclassifying the subsidiary's AML status. Dutch group legal teams often assume that a Polish trading subsidiary is not an obligated institution under the AML Act. Polish law defines obligated institutions broadly, capturing certain real estate intermediaries, tax advisors, accountants, and companies trading in high-value goods above EUR 10,000. A subsidiary that should have registered as an obligated institution but did not faces fines of up to PLN 5m per violation – and the GIIF's inspection programme specifically targets foreign-owned entities that self-assessed incorrectly.
The third mistake is ignoring the KSeF interface. Dutch subsidiaries issuing invoices through the Polish National e-Invoice System (KSeF) must align their compliance programme's data-governance rules with KSeF's audit trail requirements. A programme that treats KSeF as a purely IT matter, rather than a compliance matter, creates inconsistencies between the AML transaction records and the KSeF invoice archive. For a practical overview of KSeF obligations affecting Netherlands-based businesses, see what KSeF means for your business in Netherlands.
We obtained a withdrawal of a GIIF enforcement notice for a Dutch-owned distribution subsidiary in Lower Silesia (spring 2026), after demonstrating that the subsidiary had adopted a remediated AML programme within 60 days of the initial inspection finding. The withdrawal was conditional on an 18-month monitoring period – a reminder that remediation after the fact is possible but costly.
How do three business scenarios shape compliance programme design?
The right programme architecture depends on the subsidiary's activity type. Three scenarios illustrate the divergence in obligations and cost.
Scenario A – Manufacturing subsidiary. A Dutch manufacturer operating a production facility in Poland with 180 employees faces the full whistleblower channel obligation, standard GDPR compliance, and potential CSRD entity-level reporting if it meets the size thresholds. It is unlikely to be an AML obligated institution unless it trades in high-value goods. The programme's centre of gravity is the whistleblower procedure and the ESG reporting component. Budget: PLN 35,000 to PLN 55,000 for initial design, plus PLN 12,000 to PLN 18,000 annually for maintenance. Timeline: 14 weeks.
Scenario B – IT services subsidiary. A Dutch technology company with a Polish development centre of 60 employees provides software services to financial-sector clients. It is not itself an AML obligated institution, but its contracts with obligated institutions impose contractual AML compliance warranties. The programme must address both the whistleblower channel and the contractual AML representations. CSRD obligations depend on group size. The IT scenario also raises IP and data-processing compliance questions that feed into the programme's data-governance module. Budget: PLN 28,000 to PLN 45,000. Timeline: 12 weeks.
Scenario C – Financial services or fintech subsidiary. A Dutch fintech operating a Polish entity licensed by KNF faces the most demanding programme. KNF registration, AML officer appointment, transaction monitoring systems, and CSRD reporting all apply simultaneously. The programme must be pre-approved by KNF before the subsidiary commences regulated activity. This scenario requires a compliance lawyer in Warsaw with specific KNF experience. Budget: PLN 80,000 to PLN 150,000 for initial design. Timeline: 20 weeks minimum. For a full treatment of AML obligations, see AML compliance obligations for Polish companies.
Across all three scenarios, the decision matrix is the same: identify the applicable Polish mandatory obligations first, map them against the Dutch group framework, and resolve conflicts in favour of Polish law. The programme document should record each resolution explicitly so that the Dutch parent's internal audit team can verify the logic without re-litigating it annually.
What to prepare before engaging a compliance lawyer:
- Current employee headcount and projected growth for the next 12 months
- List of business activities and any existing AML self-assessment
- Copy of the Dutch group compliance manual and any existing local supplements
- Details of any KNF, GIIF, or UODO correspondence in the past 3 years
- Organisational chart showing reporting lines between Warsaw and Amsterdam
Dutch parent companies that delay programme design until a regulatory inquiry arrives lose the ability to claim voluntary compliance as a mitigating factor. Polish enforcement practice treats pre-existing programmes as evidence of good faith – but only if they predate the triggering event. A programme adopted after a complaint is filed carries no mitigating weight.
Frequently asked questions
Q: How long does it take to implement a compliant whistleblower procedure in a Polish subsidiary?
A: A standalone whistleblower procedure – covering channel design, the written procedure document, and employee consultation – takes between four and six weeks. The consultation with employee representatives or a trade union is mandatory and cannot be shortened below 5 days. The full procedure must be in place before the subsidiary reaches 50 employees; waiting until that threshold is crossed leaves a gap during which personal liability of board members already applies.
Q: Does our Dutch group AML policy satisfy Polish AML Act requirements?
A: Not automatically. Polish AML law requires a risk assessment document tailored to the Polish entity's specific customer base, transaction types, and geographic exposure. A Dutch group policy written for the Dutch regulatory environment will typically lack the GIIF reporting procedures, the Polish-language customer due diligence templates, and the specific thresholds required under Polish law. The group policy can serve as a framework, but a Polish-law supplement is always required for obligated institutions.
Q: What is the most common misconception Dutch clients have about CSRD compliance in Poland?
A: The most frequent misconception is that CSRD obligations rest entirely with the Dutch parent and that the Polish subsidiary has no independent reporting duties. In practice, the Polish subsidiary must supply auditable sustainability data to the parent for group-level reporting. If the subsidiary's data-collection processes are not CSRD-aligned, the group report will contain gaps that auditors flag. Additionally, subsidiaries that independently meet the EU size thresholds face their own reporting obligations under Polish implementation of the CSRD, regardless of what the parent reports.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to compliance programme design, ESG reporting, and regulatory risk management. We work with Polish entrepreneurs, foreign investors, and in-house legal teams – including Netherlands-based groups operating Polish subsidiaries. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.