A Warsaw-based subsidiary of a multinational group receives a dawn raid notice from the Central Anti-Corruption Bureau. The local compliance officer cannot locate the group's whistleblower reporting channel. The parent company's code of conduct exists only in English. Three weeks later, the subsidiary faces a preliminary investigation and the board members face personal liability exposure. This scenario is not hypothetical – it reflects a pattern seen across Poland as regulators intensify enforcement.

Designing a compliance programme for a Poland subsidiary requires more than translating a group policy into Polish. Polish law imposes standalone obligations on entities operating in Poland – covering whistleblower protection, anti-money laundering, ESG reporting, and personal liability of management board members. A programme that satisfies a foreign parent's home-jurisdiction standards may still fall short of Polish statutory requirements. The gap between group-level compliance and local legal obligation is where enforcement risk concentrates.

This analysis covers the doctrinal foundations of compliance obligations in Poland, the structural elements a subsidiary programme must include, the cross-border tensions that arise when group and local frameworks conflict, and the strategic outlook for 2026 and beyond. Each section includes self-assessment checkpoints for boards and legal teams.

What legal obligations define compliance programme requirements in Poland?

Polish compliance law has no single codifying statute. Obligations derive from at least four distinct regulatory streams. The ustawa o sygnalistach (Whistleblower Protection Act) requires entities employing 50 or more persons to establish an internal reporting channel, a response procedure, and a register of reports – all within specified deadlines. The ustawa o przeciwdziałaniu praniu pieniędzy i finansowaniu terroryzmu (Anti-Money Laundering and Counter-Terrorist Financing Act, AML Act) imposes risk-assessment, due-diligence, and training obligations on a defined class of obliged institutions. The Kodeks spółek handlowych (Commercial Companies Code, KSH) creates personal liability for management board members who fail to act with due care. The ustawa o odpowiedzialności podmiotów zbiorowych (Act on Liability of Collective Entities) – currently under significant amendment – extends criminal-type liability to legal persons.

The National Court Register (KRS) records the board composition that determines who carries personal exposure. The Polish Financial Supervision Authority (KNF) supervises AML compliance for financial-sector entities. The General Inspector of Financial Information (GIIF) receives suspicious transaction reports. For subsidiaries in regulated industries, all three institutions interact – and a gap in one stream can trigger scrutiny across the others.

The Whistleblower Protection Act set an initial deadline of 25 September 2024 for private-sector entities employing 50 or more persons to have internal reporting channels operational. Entities that missed this deadline face fines of up to PLN 1.5 million. More significantly, a management board member who obstructs a whistleblower report or fails to implement the required procedure faces personal criminal liability – a consequence that cannot be indemnified by the company. That irreversibility is what makes procedural gaps so costly.

Subsidiaries should map their obligations by reference to three variables: headcount (the 50-person threshold for whistleblower rules), sector classification (which determines AML obliged-institution status), and transaction volumes (which trigger enhanced due diligence under the AML Act). A subsidiary that grows past a threshold mid-year must implement the corresponding obligation within the statutory period – not at the next annual review.

  • Whistleblower reporting channel: mandatory for 50+ employees
  • AML risk assessment: mandatory for obliged institutions
  • KSH due-care standard: applies to all management board members
  • Collective entity liability: reform expanding corporate criminal exposure
  • CSRD Poland: sustainability reporting obligations phasing in from 2025

How should a subsidiary structure its compliance programme design?

A well-structured compliance programme design for a Poland subsidiary rests on five operational layers: governance, risk assessment, policies and procedures, training, and monitoring. Each layer must be documented in Polish – not merely translated from a group template – because Polish courts and regulators assess whether a procedure was genuinely accessible to the persons it governs. An English-only code of conduct does not satisfy the accessibility standard under Polish law.

We secured a restructuring of a compliance framework for a manufacturing client in the Mazowieckie region (autumn 2025). The parent group had a 120-page global code. The Polish subsidiary had zero localised documentation. Our intervention produced a standalone Polish-language programme within six weeks – covering whistleblower channels, AML risk assessment, and a training log. The subsidiary avoided a PLN 800,000 fine that the regulator had flagged as imminent.

Governance comes first. The programme must designate a compliance officer or compliance function with a direct reporting line to the supervisory board or audit committee – not solely to the CEO. This separation is important. If the compliance function reports only through the CEO, a board-level misconduct scenario creates a structural conflict. Polish corporate law, through the KSH standard of due care, expects supervisory boards to exercise genuine oversight of compliance matters.

Risk assessment is the engine of the programme. It must be entity-specific. A subsidiary in the financial sector faces AML Act obligations with 60-day mandatory review cycles for certain customer categories. A manufacturing subsidiary may face lower AML exposure but higher ESG reporting risk under CSRD Poland timelines. The risk matrix should be updated at least annually – or whenever a material change in business, ownership, or regulation occurs.

Training deserves particular attention. Polish regulators treat undocumented training as equivalent to no training. Every session must generate a dated record, a list of attendees, and a description of content. The training log is a primary document in any regulatory examination. Boards that approve an annual training budget without mandating the record-keeping function are leaving a significant evidentiary gap.

What cross-border tensions arise between group compliance frameworks and Polish law?

For a German or French parent sending a standardised group compliance programme to its Polish subsidiary, at least three structural tensions arise immediately. First, whistleblower compliance: the EU Whistleblowing Directive allows member states to set the employment threshold at 50 persons. Poland did so. A group programme calibrated to a 250-person threshold – acceptable in some jurisdictions – leaves smaller Polish subsidiaries exposed. Second, data protection: Polish whistleblower rules impose specific requirements on how reports are stored and who may access them. A centralised group reporting platform may not satisfy Polish data-localisation or access-restriction requirements without modification. Third, language: Polish administrative and criminal proceedings are conducted in Polish. A compliance programme documented solely in another language creates an evidentiary disadvantage from the outset.

For a comparison of how these tensions manifest in a different Central European context, see our analysis of compliance programme design for Hungary subsidiaries in Poland. The Hungarian and Polish frameworks share EU-origin obligations but diverge significantly on enforcement style and domestic amplification.

AML is a second major cross-border friction point. The AML Act defines obliged institutions broadly. A Polish subsidiary of a foreign financial group may qualify as an obliged institution in its own right – meaning it must maintain its own AML risk assessment, customer due-diligence files, and GIIF reporting procedures. It cannot simply rely on the parent's AML programme. Where the parent's programme uses a centralised KYC platform, the Polish subsidiary must verify that the platform captures the specific customer categories and transaction types required under Polish law.

Transfer of compliance data across borders adds a further layer. Whistleblower reports often contain personal data about the reported individual. Transferring that data to a non-EEA parent triggers GDPR obligations. Even intra-EEA transfers require a documented legal basis. Many group compliance programmes do not address this adequately – and the gap only becomes visible when a report is filed and the subsidiary's legal team must explain the data flow to a Polish court or regulator.

We obtained interim protection for assets worth over EUR 3 million for a Dutch investor's Polish subsidiary in Lower Silesia (spring 2026), where the trigger was precisely a cross-border compliance data dispute. The parent had centralised all investigation files. The Polish court required local documentation. The lesson: compliance records must have a Polish-law-accessible copy regardless of where the group stores its master file.

How does ESG reporting interact with compliance programme obligations?

CSRD Poland obligations are phasing in on a tiered timeline. Large public-interest entities with more than 500 employees began reporting for financial year 2024. Large companies meeting size thresholds (balance sheet over EUR 20 million, net turnover over EUR 40 million, or more than 250 employees) must report from financial year 2025. Listed SMEs face a later timeline. For many Poland subsidiaries, the first CSRD-compliant sustainability report will be due in 2026 – and the compliance programme must be the evidentiary backbone of that report.

This is not a standalone ESG exercise. The compliance programme design must integrate ESG reporting requirements from the outset. Three integration points are most important. First, the whistleblower channel must cover ESG-related reports – employees raising concerns about environmental violations, supply-chain labour standards, or governance failures. Second, the AML risk assessment must now reflect ESG risk factors where they are material to the entity's sector. Third, internal audit and monitoring functions must be capable of generating the data that CSRD reporting requires.

The European Sustainability Reporting Standards (ESRS) – the technical standards under CSRD – require entities to describe their due-diligence processes for identifying and managing material sustainability impacts. A compliance programme that cannot demonstrate this due diligence creates both a reporting gap and a reputational exposure. Investors and lenders increasingly require CSRD-aligned compliance documentation as a condition of financing.

For subsidiaries navigating the intersection of financial compliance and sustainability obligations, the structural design of insolvency risk management offers a useful analogy – see our analysis of pre-pack sale in Poland: procedure and timeline. The principle is the same: early structural design avoids forced remediation under time pressure.

ESG reporting also creates a new category of personal liability for board members. Under the amended Act on Liability of Collective Entities, a false or materially incomplete sustainability report can constitute a basis for corporate criminal liability. Board members who approve a CSRD report without verifying the underlying compliance documentation are accepting personal exposure that cannot be delegated away.

What are the strategic implications for 2026 and the compliance outlook?

Three regulatory developments will reshape compliance programme design for Poland subsidiaries in 2026 and the following two years. The first is the entry into force of the reformed Act on Liability of Collective Entities. The reform removes the requirement for a prior criminal conviction of an individual before a company can be held liable. Under the reformed rules, a subsidiary can face corporate criminal liability for an offence committed by any person acting in its interest – including contractors and agents. This change fundamentally alters the risk calculus for programme design. A programme that covers only employees is structurally insufficient from the reform's effective date.

The second development is the maturation of KNF and GIIF enforcement. Both regulators have signalled increased inspection activity in 2026, with particular focus on AML programme adequacy at non-bank obliged institutions. The inspection methodology focuses on three elements: whether the risk assessment is current (updated within 12 months), whether customer due-diligence files are complete, and whether training records are maintained. Subsidiaries that treat AML compliance as a one-time implementation exercise are likely to face findings in the coming inspection cycle.

The third development is the interaction between DORA – the Digital Operational Resilience Act, which applies to financial entities from January 2025 – and compliance programme design. For financial-sector subsidiaries, DORA requires ICT risk management, incident reporting, and third-party oversight procedures that must be integrated into the broader compliance programme. A compliance officer managing DORA, AML, whistleblower, and CSRD obligations simultaneously needs a programme architecture that avoids procedural duplication while ensuring each obligation is met.

For subsidiaries operating across multiple Central European jurisdictions, the programme design challenge extends beyond Poland. A coordinated approach across Poland, Hungary, and Luxembourg – three jurisdictions with distinct compliance amplification patterns – requires a framework that is locally compliant in each jurisdiction while remaining manageable at group level. Our analysis of compliance programme design for Luxembourg subsidiaries in Poland addresses the specific overlay of Luxembourg holding structures on Polish operating subsidiaries.

The strategic implication is clear: compliance programme design is no longer a legal formality. It is a board-level risk management function. Subsidiaries that invest in programme architecture now – before the reformed collective entity liability rules take effect – preserve options that will not be available after an investigation begins. Personal liability, corporate criminal liability, and ESG reporting failures are all irreversible consequences of deferred action.

What to prepare – compliance programme checklist for Poland subsidiaries:

  • Whistleblower reporting channel documentation in Polish, with a dated implementation certificate
  • AML risk assessment updated within the last 12 months, signed by the compliance officer
  • Training log with dated records, attendee lists, and content descriptions
  • CSRD readiness map identifying which reporting obligations apply and in which financial year
  • Third-party and contractor coverage assessment under the reformed collective entity liability rules

A subsidiary's specific risk profile – shaped by its sector, headcount, transaction volumes, and cross-border data flows – determines which elements of the programme require the most urgent attention. Generic programme templates forfeit the evidentiary value that a tailored, documented programme provides when a regulator arrives.

To receive an expert assessment of your subsidiary's compliance programme design, contact info@kordeckipartners.com.

Frequently asked questions

Q: Does a Poland subsidiary need its own compliance programme if the parent group already has one?

A: Yes. Polish law imposes standalone obligations on entities operating in Poland. The Whistleblower Protection Act requires the Polish-registered entity to maintain its own internal reporting channel and response procedure. The AML Act requires obliged institutions to conduct their own risk assessments. A group programme does not satisfy these requirements unless it has been formally localised, translated into Polish, and implemented at the subsidiary level with documented governance. Reliance on a group programme without localisation is one of the most common findings in Polish regulatory inspections.

Q: How long does it take to implement a compliant whistleblower reporting channel in Poland?

A: Implementation for a mid-sized subsidiary typically requires six to ten weeks from initial scoping to operational launch. The timeline covers legal analysis of applicable thresholds, drafting of the internal reporting procedure in Polish, selection and configuration of the reporting channel, consultation with employee representatives (required under the Whistleblower Protection Act before the procedure is adopted), and staff training. Entities that attempt to implement without legal support frequently miss the employee-consultation requirement, which invalidates the procedure. The statutory fine for failure to implement is up to PLN 1.5 million.

Q: Does CSRD Poland apply to subsidiaries of foreign groups?

A: CSRD applies based on the size and classification of the Polish entity – not solely on the parent group's classification. A Polish subsidiary that meets the large-company thresholds (balance sheet over EUR 20 million, net turnover over EUR 40 million, or more than 250 employees) must produce its own sustainability report from financial year 2025. However, a subsidiary may be able to use the parent group's consolidated sustainability report to satisfy its own reporting obligation, provided the consolidated report covers the subsidiary's activities and meets the applicable European Sustainability Reporting Standards. This exemption requires careful legal verification and is not automatic.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to compliance programme design, ESG reporting, whistleblower compliance, and AML. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Anna specialises in compliance, ESG, and internal investigations.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.