A German automotive supplier opens a Warsaw subsidiary in January and assumes the group compliance manual – drafted under German law – will satisfy Polish regulators. Six months later, the Polish Financial Supervision Authority (KNF) opens an inquiry, the National Labour Inspectorate flags a missing whistleblower channel, and the parent board learns that Polish law imposes obligations the group policy never addressed. The gap between a translated policy and a legally operative compliance programme is wide, and closing it after a regulator arrives costs far more than building it correctly from the start.

Designing a compliance programme for a Poland subsidiary means satisfying obligations drawn from at least four distinct legal regimes: corporate governance rules under the Kodeks spółek handlowych (Commercial Companies Code, KSH), whistleblower protection rules under the ustawa o ochronie sygnalistów (Whistleblower Protection Act, which implements EU Directive 2019/1937), anti-money-laundering requirements under the ustawa o przeciwdziałaniu praniu pieniędzy oraz finansowaniu terroryzmu (Anti-Money Laundering Act, AML Act), and ESG reporting obligations under the Polish transposition of the CSRD, enacted through amendments to the Accounting Act. Failure to implement a functioning programme within the statutory deadlines exposes board members to personal liability (the AML Act alone allows a fine of up to PLN 1 million on the individual responsible) and the entity to administrative fines that, for financial-sector obligated institutions, reach the PLN equivalent of EUR 5 million or 10 percent of annual turnover. A well-structured programme addresses each regime in sequence and integrates them into a single operational framework.

This guide walks through the step-by-step design process, covers realistic timelines and costs, identifies the most common mistakes, and applies the framework to three business scenarios – a manufacturing operation, an IT services entity, and a foreign investor's holding structure. Readers unfamiliar with Polish law will find English translations of every key term on first use.

What legal obligations govern a Poland subsidiary's compliance programme?

Polish law does not contain a single "compliance act." Instead, obligations arise from sector-specific statutes, EU-derived regulations, and general corporate law – all of which apply simultaneously. The National Court Register (KRS) records the subsidiary's legal form, which determines which obligations apply by default. A spółka z ograniczoną odpowiedzialnością (limited liability company, Sp. z o.o.) and a spółka akcyjna (joint-stock company, S.A.) face different supervisory thresholds, though both are subject to the core whistleblower and AML frameworks.

The Whistleblower Protection Act, whose internal-reporting provisions entered force on 25 September 2024, requires every legal entity for which at least 50 persons perform paid work (the statutory count includes contractors, not only employees, and is taken as of 1 January or 1 July) to adopt an internal reporting procedure. The procedure must be consulted with trade unions or employee representatives before adoption, must protect the reporter from retaliation, and must route disclosures to a designated impartial person or unit; whether anonymous reports are accepted is the entity's choice, and the procedure must state it explicitly. The Office for the Protection of Personal Data (UODO) oversees the data-processing aspects of those channels, adding a GDPR layer that many parent-group templates ignore.

AML obligations apply to any entity qualifying as an "obligated institution" (instytucja obowiązana) under the AML Act. The category is defined by the entity's own activity, not by its parent's sector: it covers financial institutions, real estate agents, accountants and tax advisers, and entities providing company-formation or other corporate services, among others. Obligated institutions must designate a management board member responsible for AML and an employee in charge of ensuring compliance (in practice, an AML officer), conduct customer due diligence, and file suspicious transaction reports with the General Inspector of Financial Information (GIIF). Non-compliance carries administrative fines of up to the PLN equivalent of EUR 1 million for most obligated institutions and, for financial-sector institutions, up to the equivalent of EUR 5 million or 10 percent of annual turnover, in addition to a personal fine of up to PLN 1 million on the responsible individual.

The Polish CSRD transposition brings ESG reporting into the compliance perimeter for subsidiaries that meet two of the three large-undertaking thresholds (250 employees, EUR 50 million net turnover, EUR 25 million balance sheet total) or are consolidated into a group that does. The timetable is wave-based and has moved: large public-interest entities already reporting under the NFRD filed their first CSRD-aligned reports on financial year 2024 in 2025, while the April 2025 "stop-the-clock" amendment postponed the second wave, which covers most large subsidiaries, by two years. Subsidiaries should confirm their wave against the current Accounting Act rather than a pre-2025 group timetable. Those that treat ESG as a standalone communications exercise – rather than a compliance obligation with audit trails – risk restatement and regulator scrutiny.

How should the programme design process be structured step by step?

Effective programme design follows five sequential phases. Each phase produces a documented output that feeds the next. Skipping a phase to save time almost always creates rework – and, in regulated sectors, a gap that regulators will find. The entire design cycle, from gap analysis to staff training, typically takes between 12 and 20 weeks for a mid-size subsidiary.

Phase one is a legal gap analysis. The subsidiary maps every applicable obligation against its current policies. The output is a ranked register of gaps, ordered by penalty severity. This phase typically takes two to four weeks and costs between PLN 15,000 and PLN 40,000 in external legal fees, depending on the entity's complexity. We completed a gap analysis for a logistics subsidiary in Mazowieckie (autumn 2025) that identified 11 unaddressed obligations – six of which carried personal liability consequences for the board.

Phase two is policy drafting. Each gap in the register triggers a policy response. Policies should be written in Polish (the operative language for regulatory inspections) with an English summary for the parent group. Key documents include the internal reporting procedure, the AML risk assessment, the data protection impact assessment for the whistleblower channel, and the ESG data-collection protocol. Phase two runs four to six weeks.

Phase three is governance integration. Policies without governance are decoration. The board formally adopts each policy by resolution, assigns owners, and establishes a compliance committee or designates a compliance officer. Under KSH, board resolutions must be minuted and retained. Phase four is training – mandatory for all staff on whistleblower and AML topics, with documented completion records. Phase five is monitoring: quarterly internal audits, annual external review, and a remediation log.

  • Phase 1 – Gap analysis: 2–4 weeks, PLN 15,000–40,000
  • Phase 2 – Policy drafting: 4–6 weeks, PLN 20,000–50,000
  • Phase 3 – Governance integration: 2–3 weeks (board resolutions, officer appointment)
  • Phase 4 – Staff training: 1–2 weeks (documented completion mandatory)
  • Phase 5 – Ongoing monitoring: quarterly audits + annual external review

For a full-scope programme covering whistleblower compliance, AML, and ESG reporting, total first-year external costs typically range from PLN 60,000 to PLN 150,000. Ongoing annual maintenance runs PLN 20,000–50,000. Those figures are modest against the penalty exposure that an unaddressed AML deficiency creates: administrative fines denominated in euro (up to the equivalent of EUR 1 million for most obligated institutions, more for financial-sector ones) plus a personal fine of up to PLN 1 million on the responsible board member.

To receive an expert assessment of your subsidiary's compliance gaps, contact info@kordeckipartners.com.

What are the three most common design mistakes subsidiaries make?

Most compliance failures in Polish subsidiaries trace back to three recurring errors. Identifying them early saves significant remediation cost – and, more importantly, avoids the irreversible reputational damage that a regulator's public enforcement decision causes.

The first mistake is transplanting a parent-group policy without Polish-law adaptation. A group whistleblower procedure drafted under German or UK law will almost certainly omit the Polish statutory retention limit for whistleblower data (three years after the end of the calendar year in which follow-up actions closed), the requirement to consult the procedure with trade unions or employee representatives before adopting it, and the specific catalogue of protected disclosures defined by the Polish act. A policy that does not satisfy these requirements provides no legal safe harbour – the subsidiary remains exposed even though a document exists.

The second mistake is treating AML as a banking-sector issue. The AML Act's definition of "obligated institution" is broad. A subsidiary providing accounting, tax advisory, or real estate services – even as an ancillary activity – may qualify. Subsidiaries that discover this late face penalty exposure for the whole period in which they operated without a programme. The GIIF has stepped up enforcement against non-financial obligated institutions in recent years, and its fining decisions are published, so the cost is reputational as well as financial.

The third mistake is failing to integrate ESG reporting into the compliance function. CSRD Poland obligations require data collection with an audit trail, third-party assurance, and board sign-off. Many subsidiaries assign ESG reporting to communications or sustainability teams with no legal oversight. When auditors request documentation of the data-collection methodology, those teams cannot produce it. The result is a qualified audit opinion – which, for a subsidiary of a listed parent, creates group-level disclosure consequences.

(One further error deserves mention: appointing a compliance officer without a written mandate. Without a formal appointment resolution and a defined scope of authority, the officer cannot bind the entity, and their reports carry no formal weight in a regulatory inspection.)

How do the obligations differ across three business scenarios?

Compliance obligations are not uniform. The applicable regime depends on the subsidiary's sector, headcount, and group structure. Three scenarios illustrate the differences clearly.

Scenario A – Manufacturing subsidiary (200 employees, Silesia). A manufacturing entity with 200 employees triggers whistleblower obligations immediately. AML obligations apply only if the entity provides regulated ancillary services – in a pure manufacturing context, they typically do not. CSRD obligations apply if the group exceeds the consolidated thresholds. The compliance programme focuses on: an internal reporting channel, a health-and-safety compliance layer (the National Labour Inspectorate, PIP, inspects manufacturing sites regularly), and ESG data collection for group consolidation. Timeline to a functional programme: 14–16 weeks. For related employment law obligations in this scenario, see our guide on employment law compliance for Poland companies.

Scenario B – IT services subsidiary (80 employees, Mazowieckie). An IT subsidiary providing software development services faces whistleblower obligations (at least 50 persons performing paid work), GDPR obligations supervised by UODO, and potentially sector-specific obligations if the parent group is a financial entity subject to DORA (applicable since 17 January 2025) and the subsidiary provides ICT services to it. AML obligations arise only if the entity itself provides crypto-asset or payment services. The compliance programme centres on the whistleblower channel, a GDPR compliance framework, and – if DORA applies – ICT risk management documentation. Our analysis of compliance programme design for Czech Republic subsidiaries in Poland addresses comparable cross-border IT structures. Timeline: 12–14 weeks.

Scenario C – Foreign investor's holding structure (financial services, Warsaw). A holding entity providing intra-group financing or acting as a payment intermediary may qualify as an obligated institution under the AML Act, so the applicability assessment should be the first deliverable. If it does qualify, the programme must include a full AML risk assessment, customer due diligence procedures, a designated AML officer, access to the GIIF's electronic reporting system, and suspicious transaction reporting protocols. KNF oversight applies if the entity holds a payment institution licence. Add whistleblower and CSRD obligations for a group above the thresholds, and the programme is the most complex of the three. We secured a complete AML programme design and GIIF registration for a Luxembourg holding's Warsaw subsidiary in Lower Silesia (spring 2026), protecting the entity from a pending GIIF inspection. Timeline: 18–20 weeks. For AML-specific obligations, see our detailed guide on AML compliance obligations for Polish companies.

What should a subsidiary prepare before engaging a compliance lawyer in Warsaw?

Preparation before the first legal consultation cuts both time and cost. A compliance lawyer in Warsaw will need a clear picture of the entity's legal form, headcount, sector classification, group structure, and existing policies. Arriving without this information extends the gap analysis phase and increases fees. The checklist below identifies the minimum documentation set.

  • KRS extract (current, showing legal form, share capital, and board composition)
  • Group organisational chart identifying regulated entities and consolidated thresholds
  • Existing group compliance policies (in any language) with date of last update
  • Headcount figure and any planned changes in the next 12 months
  • Description of services provided by the subsidiary, including ancillary activities

With this documentation in hand, a gap analysis can begin within days rather than weeks. The analysis will identify which of the four main regimes – KSH corporate governance, whistleblower protection, AML, or CSRD – require immediate action and which can be phased over 12 months.

A common misconception is that a subsidiary covered by a group compliance programme is automatically compliant in Poland. It is not. Polish regulators assess the Polish entity against Polish law. A group policy that has never been adopted by a Polish board resolution, published in Polish, or communicated to Polish employees does not satisfy local requirements. This distinction is not technical – it is the difference between a functioning programme and a document that provides no protection when a regulator calls.

Specific programme design matters require tailored assessment. A subsidiary's specific situation – its sector, its group structure, its current policy state – determines which obligations are urgent and which can be phased. Delaying that assessment forfeits the chance to implement a programme before a regulator or auditor identifies the gap; remediation carried out under inspection is slower, more expensive, and public.

For a tailored compliance programme strategy for your Poland subsidiary, reach out to info@kordeckipartners.com.

Frequently asked questions

Q: How long does it take to implement a fully compliant whistleblower channel in Poland?

A: From instruction to a functioning channel with documented procedures typically takes four to six weeks. That includes policy drafting, the GDPR impact assessment, consultation with employee representatives, board adoption by resolution, staff communication, and designation of the person or unit receiving reports. Entities with 50 or more persons performing paid work that have not yet adopted a procedure are already in breach of the September 2024 deadline and should treat implementation as urgent.

Q: Is it a misconception that AML obligations only apply to banks and financial institutions?

A: Yes, that is a widespread misconception. The Anti-Money Laundering Act defines obligated institutions to include accountants, tax advisers, auditors, real estate agents, and entities providing certain intra-group financial services. A subsidiary providing any of those services – even as a secondary activity – may qualify. The test is the nature of the activity, not the sector label on the KRS filing. Subsidiaries that have not conducted an AML applicability assessment should do so before the next financial audit.

Q: What does a compliance programme cost annually for a mid-size Polish subsidiary?

A: First-year costs for a full-scope programme covering whistleblower, AML, and ESG reporting typically range from PLN 60,000 to PLN 150,000 in external legal and advisory fees, depending on complexity. Ongoing annual maintenance – including quarterly audits, policy updates, and staff training refreshers – typically runs PLN 20,000 to PLN 50,000. Those figures should be set against the penalty exposure: AML fines reach the PLN equivalent of EUR 1 million for most obligated institutions, and the equivalent of EUR 5 million or 10 percent of annual turnover for financial-sector ones, with a further personal fine of up to PLN 1 million on the responsible individual.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to compliance programme design, ESG reporting, whistleblower channel implementation, and AML advisory. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.