A Bratislava-based group acquires a Polish distribution company. Within months, the Polish subsidiary is processing payments, hiring staff, and signing contracts – all without a functioning compliance framework. The parent board assumes Polish law mirrors Slovak practice. It does not. The gap between assumption and reality is where liability takes root.
Designing a compliance programme for a Slovak subsidiary operating in Poland requires mapping obligations under Polish corporate legislation, Poland's Whistleblower Protection Act, anti-money laundering rules, and – for larger entities – CSRD reporting requirements in Poland. The process typically spans three to six months and involves at least four structural layers: governance, internal reporting, AML controls, and ESG disclosure. Failure to implement any layer within statutory deadlines triggers personal liability for board members and, in serious cases, precludes the company from public procurement.
This guide walks through each layer in sequence. It covers the step-by-step procedure, realistic timelines, cost ranges, three business scenarios drawn from Slovak-Polish practice, and the mistakes that generate the most expensive remediation work. A FAQ section addresses the questions Slovak parent companies ask most often.
What legal obligations apply to a Slovak subsidiary in Poland?
The answer depends on headcount, turnover, and sector – but the baseline is broader than most Slovak finance directors expect. Under Polish corporate legislation, every limited liability company registered with the National Court Register (KRS) must maintain internal controls proportionate to its size. The Kodeks spółek handlowych (Commercial Companies Code, KSH) places ongoing governance duties on the management board, not on the parent. Board members in Warsaw answer to Polish law, not Slovak group policy.
Three threshold triggers are worth mapping immediately. First, companies with more than 50 employees must implement a whistleblower protection system under Poland's transposition of the EU Whistleblowing Directive – the deadline for internal-channel deployment passed in September 2024. Second, entities classified as obliged institutions under the ustawa o przeciwdziałaniu praniu pieniędzy (Anti-Money Laundering Act, AML Act) must appoint a compliance officer and register with the General Inspector of Financial Information (GIIF) within 14 days of commencing regulated activity. Third, companies meeting two of three CSRD thresholds (250 employees, EUR 40m turnover, EUR 20m balance sheet) face mandatory sustainability reporting starting with the 2025 financial year.
Slovak subsidiaries in financial services, real estate, or payment processing face the most immediate AML exposure. The Polish Financial Supervision Authority (KNF) supervises financial-sector compliance separately from the GIIF. A subsidiary operating across both regimes – for example, a leasing arm of a Slovak bank – must satisfy two parallel supervisory frameworks simultaneously. That dual exposure is the single most common source of remediation cost we encounter from Central European groups entering Poland.
The Office for Personal Data Protection (UODO) adds a fourth layer. Any subsidiary processing personal data of Polish residents must align with GDPR as implemented in Poland, including local sector-specific rules. For Slovak groups accustomed to the Slovak Data Protection Authority, the UODO's enforcement posture – fines reaching EUR 1m for mid-sized companies – can come as a sharp surprise.
How should the programme be structured step by step?
A well-sequenced compliance programme for a Slovak subsidiary follows five phases. The entire process, done properly, takes between 90 and 180 days. Rushing phases two and three is the most common mistake – and the one that produces gaps regulators find first.
Phase 1 – Gap assessment (weeks 1–3). Map existing group policies against Polish statutory requirements. Identify which KSH governance duties are unmet. Check AML Act classification. Confirm CSRD applicability. The output is a prioritised remediation list with ownership assigned to named individuals on the Polish board.
Phase 2 – Governance layer (weeks 4–6). Adopt or adapt the group's code of conduct for Polish law. Appoint a compliance officer (or designate a board member for that function). Draft board resolutions confirming the compliance structure. File any required notifications with the KRS.
Phase 3 – Internal reporting channel (weeks 7–10). Deploy a whistleblower system meeting Poland's Whistleblower Protection Act requirements. The channel must be confidential, accessible in Polish, and capable of handling reports within 7 days of receipt. Test the channel before going live. Document the test.
Phase 4 – AML and financial controls (weeks 8–14). If the subsidiary is an obliged institution, draft the internal AML procedure, appoint the GIIF-registered officer, and implement customer due diligence workflows. For non-obliged entities, a lighter financial-controls policy still reduces exposure under KSH. Budget PLN 15,000–40,000 for external legal support at this phase, depending on sector complexity.
Phase 5 – ESG and CSRD alignment (weeks 12–24). For subsidiaries within CSRD scope, map data-collection responsibilities. Confirm whether the Polish entity reports standalone or as part of the group consolidated report. Align with the parent's ESG reporting calendar. Smaller subsidiaries below CSRD thresholds still benefit from a basic ESG policy – procurement counterparties increasingly require one.
- Assign a named Polish-law compliance owner at board level before Phase 2 begins
- Translate all core policies into Polish – English-only documents do not satisfy regulatory requirements
- Run a staff training session before the whistleblower channel goes live
- Document every phase decision in board minutes filed with the KRS
- Schedule a six-month post-implementation review to catch drift
We secured a reversal of a regulatory penalty exceeding PLN 800,000 for a Slovak-owned manufacturing subsidiary in the Mazowieckie region (autumn 2025). The penalty arose from an AML procedure that had been copied verbatim from the parent's Slovak document without adaptation to Polish statutory categories. The remediation – and the appeal – cost three times what a properly designed programme would have cost at the outset.
What are the three most common mistakes Slovak subsidiaries make?
The pattern repeats. Slovak groups with mature compliance frameworks at home arrive in Poland and assume equivalence. Polish law is close enough to Slovak law in some areas – both derive from the same civil-law tradition – but the divergences in compliance obligations are precise, statutory, and unforgiving. Three mistakes account for most of the remediation work we handle for Central European clients.
Mistake 1 – Treating the group whistleblower channel as sufficient. Poland's Whistleblower Protection Act requires a separate internal channel for entities with 50 or more employees. A group-level hotline operated from Bratislava does not satisfy this requirement. The Polish subsidiary must maintain its own channel, with a designated person who handles reports in Polish and responds within 7 days. Non-compliance exposes the management board to personal liability and fines up to PLN 100,000.
Mistake 2 – Missing the AML officer registration window. The 14-day registration window with the GIIF runs from the date the subsidiary commences regulated activity – not from incorporation. Slovak groups that expand their Polish entity's activities into payment processing or lending without re-checking AML Act classification routinely miss this window. The consequence is not just a fine. It precludes the entity from certain financial-sector contracts and triggers a supervisory review.
Mistake 3 – Underestimating CSRD consolidation complexity. A Slovak parent approaching CSRD thresholds at group level may pull its Polish subsidiary into mandatory ESG reporting, even if the Polish entity alone falls below all three thresholds. The data-collection burden then lands on the Polish CFO, who may have no prior exposure to ESG reporting frameworks. Starting data mapping 12 months before the reporting deadline is the minimum – six months is too late.
For context on how similar challenges arise in other jurisdictions, the approach we use for UAE subsidiaries is set out at compliance programme design for UAE subsidiaries in Poland. The structural logic is comparable, though the specific obligations differ.
How do costs and timelines vary across three Slovak business scenarios?
Cost and timeline depend almost entirely on the subsidiary's sector, headcount, and the maturity of the group's existing compliance infrastructure. Three scenarios illustrate the range.
Scenario A – Slovak IT services company, 30 employees, no AML exposure. This is the lightest configuration. The whistleblower threshold (50 employees) is not yet triggered, AML classification is unlikely, and CSRD thresholds are not met. The compliance programme focuses on KSH governance, GDPR alignment, and a basic code of conduct. Timeline: 60–90 days. External legal cost: PLN 12,000–20,000. The main risk is growth – once headcount crosses 50, the whistleblower channel must be operational within a short window.
Scenario B – Slovak manufacturing subsidiary, 120 employees, Silesia region. Whistleblower obligations are fully triggered. CSRD may apply if the Polish entity is consolidated into a group exceeding EUR 40m turnover. AML exposure is limited but supply-chain due diligence is relevant. Timeline: 120–150 days. External legal cost: PLN 35,000–60,000, including channel deployment and training. We obtained interim protection for a client in this configuration in Lower Silesia (spring 2025), preventing a procurement disqualification while the whistleblower system was being remediated.
Scenario C – Slovak financial services subsidiary, regulated activity, Warsaw. The most complex configuration. AML Act obligations, KNF supervision, GDPR enforcement risk, potential CSRD scope, and full whistleblower requirements all apply simultaneously. The compliance officer must be registered with the GIIF within 14 days of commencing regulated activity. Timeline: 150–180 days for full programme design. External legal cost: PLN 70,000–130,000. Ongoing compliance counsel – typically a monthly retainer – adds PLN 8,000–15,000 per month. This is not optional. Regulatory gaps in financial services subsidiaries attract the highest penalty exposure under Polish law.
For comparison, the structural approach used for Italian subsidiaries – which share several EU-level compliance layers – is described at compliance programme design for Italy subsidiaries in Poland. The cross-border consolidation issues are particularly instructive for Slovak groups managing multiple EU subsidiaries.
Frequently asked questions
Q: Does a Slovak parent company bear personal liability for compliance failures in its Polish subsidiary?
A: Under Polish corporate legislation, primary liability for compliance rests with the management board of the Polish entity – not with the Slovak parent. However, if the parent exercises de facto control over the Polish board's decisions (for example, by issuing binding group instructions that override local compliance requirements), Polish courts have found grounds to pierce the corporate veil. The practical answer is that Slovak parent directors who sit on the Polish board carry full Polish-law board liability. Those who do not sit on the board but control it in practice carry a litigation risk that is harder to quantify but real.
Q: How long does it take to become fully compliant, and what does it cost?
A: For a mid-sized subsidiary (50–150 employees, no regulated financial activity), a properly scoped programme takes 120–150 days from engagement to sign-off. External legal costs range from PLN 35,000 to PLN 65,000 depending on sector and existing group infrastructure. Rushing the process to under 90 days typically produces documentation gaps that regulators identify within 12 months. The cost of remediation after a regulatory finding averages three to four times the cost of the original programme.
Q: Is it a misconception that a group-level CSRD report covers the Polish subsidiary automatically?
A: Yes – this is the most common misconception among Slovak groups entering Poland. A consolidated group report covers the Polish subsidiary for reporting purposes only if the subsidiary is properly included in the consolidation scope and the group-level report is prepared under the European Sustainability Reporting Standards (ESRS). The Polish subsidiary must still maintain its own underlying ESG data, respond to Polish auditor queries, and – if it falls within Polish large-entity thresholds independently – file a standalone report. Assuming the parent's report is sufficient, without verifying Polish requirements separately, is a structural gap that emerges at the first audit.
What should a Slovak parent prepare before engaging counsel?
The quality of the gap assessment in Phase 1 depends directly on the information the parent provides at the outset. Slovak groups that arrive at the first meeting with organised documentation reduce their external legal costs by 20–30% and cut the Phase 1 timeline from three weeks to one. The following checklist reflects what we request from every Central European client at the start of a compliance programme engagement.
- Current headcount of the Polish subsidiary and projected 12-month growth
- Sector classification and description of regulated activities (if any)
- Existing group compliance policies (in any language) with effective dates
- KRS extract for the Polish entity, including current board composition
- Most recent consolidated financial statements showing turnover and balance-sheet figures
If the Polish entity is already under regulatory scrutiny – a KNF inquiry, a GIIF information request, or a UODO audit – that information must be disclosed at the first meeting. Compliance programme design and active regulatory defence are different services with different timelines and cost structures. Conflating them delays both.
For Slovak groups that have already navigated enforcement proceedings in Poland, the procedural context is relevant: the guide on enforcing a Slovakia judgment in Poland step by step covers the enforcement landscape that shapes the stakes of non-compliance.
The specific situation of your Polish subsidiary requires an assessment tailored to its sector, headcount, and existing group infrastructure. Generalised compliance templates – whether sourced from Slovak group policy or from generic legal databases – do not satisfy Polish statutory requirements and will not withstand regulatory scrutiny. The gap between a template and a compliant programme is where personal liability for Polish board members originates.
If your Slovak subsidiary is approaching the 50-employee threshold, commencing regulated activity, or consolidating into a CSRD-scope group, the window to act without penalty exposure is narrowing. To receive a structured gap assessment and programme design proposal, contact info@kordeckipartners.com.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to compliance programme design, ESG reporting, whistleblower system implementation, and AML compliance. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.