A Warsaw-based subsidiary of a German manufacturing group received a notice from the Polish Financial Supervision Authority (KNF) in late 2025. The issue: no documented whistleblower channel, no AML risk assessment, and no ESG reporting framework. The parent assumed Polish operations were covered by group-level policies. They were not.
Polish subsidiaries of foreign groups must maintain standalone compliance programmes that satisfy Polish law – not merely mirror parent-company frameworks. Three regulatory streams converged in 2025 and early 2026: the whistleblower protection regime under the Act on the Protection of Persons Reporting Violations of Law, AML obligations enforced by the General Inspector of Financial Information (GIIF), and CSRD Poland reporting requirements phased in from the financial year 2024 onward. Each stream carries its own thresholds, deadlines, and sanctions. Missing any one of them forfeits the subsidiary's ability to operate without regulatory exposure.
This alert identifies what changed, which subsidiaries are affected, and the three immediate actions your legal team should take before the next reporting cycle closes.
What has changed in the Polish compliance framework?
Three instruments reshaped the compliance baseline for subsidiaries operating in Poland. Together they create obligations that a group-level policy cannot satisfy on its own. Each requires a locally documented, locally maintained programme.
First, the whistleblower protection law – implementing EU Directive 2019/1937 – requires every employer with 50 or more employees to establish an internal reporting channel. The channel must be documented, accessible, and operational. Subsidiaries that failed to implement it by the statutory deadline face fines of up to PLN 1 million per violation. The National Labour Inspectorate (PIP) has begun auditing compliance in the manufacturing and logistics sectors.
Second, AML obligations under Polish anti-money laundering legislation apply to any entity classified as an "obligated institution." This includes financial intermediaries, real estate agents, accountants, and – critically – certain holding and management structures. The GIIF can impose administrative fines of up to PLN 5 million for inadequate AML procedures. Many subsidiaries underestimate this exposure because their parent handles AML at group level. Polish law requires a local risk assessment and a designated AML compliance officer.
Third, CSRD Poland obligations entered into force for large public-interest entities from the financial year 2024. Subsidiaries meeting the large-company thresholds – more than 250 employees, EUR 40 million turnover, or EUR 20 million balance sheet – must prepare ESG reporting aligned with European Sustainability Reporting Standards (ESRS). Subsidiaries that miss this window lose the ability to demonstrate regulatory alignment to lenders, auditors, and counterparties.
Who is affected and what must they do now?
Threshold analysis determines which obligations apply. Not every subsidiary faces all three streams simultaneously. The list below maps the key triggers. Subsidiaries should run this check before the end of Q1 2026 – waiting until an audit notice arrives precludes a voluntary remediation defence.
- 50+ employees: whistleblower channel mandatory; internal reporting procedure must be documented and communicated to staff
- Classified as obligated institution under AML law: local risk assessment, AML officer designation, and transaction monitoring procedures required within 30 days of classification
- Large company thresholds met (250 employees / EUR 40m turnover / EUR 20m balance sheet): CSRD-aligned ESG reporting required from financial year 2024
- Any subsidiary in a regulated sector (finance, real estate, professional services): KNF or sector-specific regulator may impose additional compliance requirements
We secured a full compliance gap analysis and remediation roadmap for a logistics subsidiary in the Mazowieckie region (autumn 2025), identifying three missing programme elements before a scheduled KNF sector review.
The immediate action list is short but time-sensitive. First, map which regulatory streams apply using the thresholds above. Second, audit existing group policies against Polish-law requirements – group policies rarely satisfy the local documentation standard. Third, appoint a named compliance contact within the Polish entity. Regulators treat the absence of a designated officer as an aggravating factor in enforcement proceedings.
For subsidiaries with cross-border structures, the compliance design challenge is more layered. Entities operating in multiple Central European jurisdictions should review how their Polish programme interacts with frameworks in neighbouring markets. Our guide on compliance programme design for Ukraine subsidiaries in Poland and our analysis of compliance programme design for Czech Republic subsidiaries in Poland address the cross-border dimension in detail.
We also assisted a technology subsidiary in Małopolska (winter 2025) in restructuring its AML risk assessment after a GIIF inquiry, reducing the assessed penalty exposure from PLN 2 million to a formal warning. Early intervention – before enforcement proceedings open – remains the most effective tool available to subsidiaries.
One practical note: the whistleblower channel must be genuinely independent. A shared HR inbox does not satisfy the statutory requirement. The channel must allow anonymous reporting, and the subsidiary must maintain records of reports received and actions taken. Failure to maintain those records is itself a separate violation.
Subsidiaries involved in construction or development activity face an additional layer. Contract-level compliance obligations – including anti-corruption clauses and supply chain due diligence – interact with the programme design. Our analysis of development agreements in Poland: structure and risks sets out where those intersections arise.
What to prepare before your compliance review:
- Current employee headcount and financial thresholds for the Polish entity
- Existing group compliance policies with a note on whether they reference Polish law specifically
- Name of the designated AML officer (or confirmation that none has been appointed)
- Documentation of the whistleblower channel, if any exists
- Last ESG or sustainability report prepared at entity level
Specific gaps in your subsidiary's compliance programme carry irreversible consequences once an enforcement file is opened. Voluntary remediation before that point is treated differently – and more favourably – by Polish regulators than post-investigation corrections.
To receive an expert assessment of your subsidiary's compliance exposure, contact info@kordeckipartners.com.
Frequently asked questions
Q: Does a group-level compliance programme satisfy Polish law for a local subsidiary?
A: No. Polish law requires locally documented procedures that reference Polish statutory requirements. A group policy may serve as a starting point, but it must be adapted, translated where necessary, and formally adopted by the Polish entity. Regulators assess the Polish entity's own documentation during audits.
Q: How long does it take to implement a compliant whistleblower channel?
A: A basic internal reporting channel can be operational within 30 days if the subsidiary acts promptly. The process involves drafting the reporting procedure, consulting employee representatives (where applicable), and establishing the technical channel. More complex implementations – including integration with group-level systems – typically take 60 to 90 days.
Q: What is the cost of a compliance gap analysis for a mid-size subsidiary?
A: Scope and cost depend on the number of regulatory streams applicable and the size of the entity. A focused gap analysis covering whistleblower, AML, and ESG obligations for a subsidiary with 100 to 500 employees typically takes two to four weeks of legal work. Contact info@kordeckipartners.com for a scoped estimate.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to ESG compliance, AML programme design, and whistleblower implementation. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.