A Swedish manufacturing group sets up a Polish subsidiary in Wrocław. Six months later, the parent board asks a simple question: does the Polish entity have a working compliance programme? The answer – a folder of untranslated Swedish policies – is not reassuring. The gap between a parent's home-country framework and a locally effective programme is where legal risk quietly accumulates.
Designing a compliance programme for a Swedish subsidiary operating in Poland requires adapting the parent's governance culture to Polish statutory obligations. Polish law imposes specific requirements on whistleblower channels, anti-money laundering controls, and ESG reporting that cannot be satisfied by simply translating Swedish documents. A properly structured programme must address the ustawa o ochronie sygnalistów (Whistleblower Protection Act), the ustawa o przeciwdziałaniu praniu pieniędzy (Anti-Money Laundering Act, AML Act), and CSRD Poland obligations – each with its own deadline and penalty regime.
This guide walks through the design process step by step. It covers the legal baseline, common mistakes Swedish groups make in Poland, three business scenarios, and a practical checklist. The guide is written for in-house counsel and CFOs who need a clear map rather than a theoretical overview.
What does Polish law require from a subsidiary compliance programme?
Polish law does not prescribe a single "compliance programme" statute. Instead, obligations flow from several parallel tracks. The Whistleblower Protection Act requires companies with 50 or more employees to maintain an internal reporting channel, appoint a designated recipient, and protect reporters from retaliation. The deadline for most entities passed in September 2024. Non-compliance carries fines reaching PLN 40,000 per violation.
The AML Act applies to entities classified as "obligated institutions" – which includes financial intermediaries, real estate agents, and certain professional service providers. For a Swedish group with a Polish subsidiary in financial services, AML compliance is not optional. The Generalny Inspektor Informacji Finansowej (General Inspector of Financial Information, GIIF) supervises compliance and can impose administrative penalties exceeding PLN 1m for systemic failures. Even non-financial subsidiaries may have AML exposure if they handle large cash transactions or trust arrangements.
CSRD Poland obligations layer on top of both. Under the Corporate Sustainability Reporting Directive, large Polish subsidiaries of EU-listed parents must produce sustainability reports aligned with European Sustainability Reporting Standards (ESRS). Swedish parents listed on Nasdaq Stockholm are already subject to CSRD at group level. The Polish subsidiary must feed accurate data upward – and that requires a local ESG reporting infrastructure, not just a group template.
- Whistleblower channel: mandatory for entities with 50+ employees (deadline: September 2024)
- AML internal controls: mandatory for obligated institutions under the AML Act
- CSRD data collection: mandatory for subsidiaries contributing to a CSRD-reporting parent
- Data protection: GDPR compliance managed through the Polish subsidiary's own records
- Competition law: local Polish competition authority (Urząd Ochrony Konkurencji i Konsumentów, Office of Competition and Consumer Protection, UOKiK) enforcement risk
The Krajowy Rejestr Sądowy (National Court Register, KRS) records the subsidiary's registered details and changes to its management board. Any compliance officer or data protection officer appointment should be reflected in internal governance documents even where KRS registration is not required. Getting the baseline right at the KRS level prevents later disputes about authority to act.
How should Swedish groups structure the design process in practice?
The design process runs in four phases. Phase one – gap analysis – typically takes two to four weeks. A compliance lawyer in Warsaw reviews the parent's existing policies against Polish statutory requirements. The output is a gap matrix showing which obligations are unmet, partially met, or met but undocumented. This phase is the most important: skipping it leads to retrofitting later at significantly higher cost.
Phase two covers drafting and localisation, usually four to six weeks. Polish-language versions of key policies are prepared: a whistleblower policy, an AML risk assessment (where required), a conflicts-of-interest policy, and a gifts-and-hospitality register. Swedish parent policies that are compatible with Polish law are adapted rather than replaced. This preserves group coherence while meeting local requirements. Translation alone is insufficient – Polish legal concepts do not map directly onto Swedish equivalents.
We secured adoption of a fully localised compliance framework for a Swedish logistics subsidiary in the Mazowieckie region (autumn 2025), covering whistleblower channels, AML risk assessment, and CSRD data feeds – completed within eight weeks of the initial gap analysis.
Phase three is implementation: training, channel activation, and record-keeping setup. Employee training on the whistleblower channel must be documented. The AML risk assessment must be approved by the management board and reviewed at least annually. Phase four is ongoing monitoring – quarterly reviews, incident logs, and annual policy updates. Budget for phases one through three: typically EUR 8,000 to EUR 18,000 depending on entity size and sector. Ongoing monitoring adds EUR 3,000 to EUR 6,000 annually.
For a tailored strategy on compliance programme design for your Swedish subsidiary in Poland, reach out to info@kordeckipartners.com.
What are the most common mistakes Swedish subsidiaries make in Poland?
The most frequent error is assuming that a group-level programme satisfies Polish local requirements. It does not. The Whistleblower Protection Act requires a Polish-language policy, a designated recipient who is accessible to Polish-speaking employees, and a 7-day acknowledgement deadline followed by a 3-month response deadline. A Swedish-language channel hosted on a parent intranet fails on all three counts.
A second common mistake involves AML risk assessments. Swedish groups often assume their Polish subsidiaries fall outside the AML Act's scope. The scope is broader than many expect. A subsidiary providing tax advisory, accounting, or legal services – even internally to group companies – may qualify as an obligated institution. Failing to conduct a risk assessment when required forfeits the entity's ability to rely on good-faith defences in a GIIF investigation.
The third mistake is treating CSRD Poland as a future concern. For Swedish parents already reporting under CSRD at group level, the data collection obligation at subsidiary level is live now. Subsidiaries that cannot produce reliable ESG data by the parent's reporting deadline create audit qualifications and reputational risk upstream. This is an irreversible consequence: a missed reporting cycle cannot be reconstructed retroactively.
A fourth error – less discussed but equally damaging – is failing to integrate the compliance programme with the subsidiary's actual business processes. A policy manual that employees have never read and a whistleblower channel that nobody knows exists provide no protection when a regulator investigates. Personal liability of management board members can arise where a programme exists on paper but was never operationalised.
Three business scenarios: manufacturing, IT, and financial services
Scenario one: a Swedish manufacturing group with a Polish production plant employing 300 people. The primary obligations are the whistleblower channel (mandatory, overdue if not yet implemented), CSRD data collection (active if the parent reports at group level), and basic competition-law training for procurement staff. AML obligations are unlikely unless the plant handles unusual payment structures. Timeline to full compliance: ten to twelve weeks. Estimated cost: EUR 10,000 to EUR 14,000.
Scenario two: a Swedish IT company with a Polish development centre of 80 engineers. The whistleblower channel is mandatory. GDPR documentation must be maintained locally, including records of processing activities and data transfer mechanisms for data flowing to Sweden. If the subsidiary provides software-as-a-service to financial-sector clients, it may face DORA (Digital Operational Resilience Act) obligations indirectly. Compliance programme design here must integrate IT security governance with legal compliance. Timeline: eight to ten weeks. Cost: EUR 9,000 to EUR 13,000.
We assisted a Swedish IT subsidiary in the Małopolska region (spring 2025) in restructuring its GDPR records and activating a bilingual whistleblower channel – avoiding a PLN 100,000 exposure identified during a pre-audit review.
Scenario three: a Swedish financial services group with a Polish brokerage subsidiary supervised by the Komisja Nadzoru Finansowego (Polish Financial Supervision Authority, KNF). Here, AML compliance is non-negotiable and heavily scrutinised. The AML risk assessment must be granular, updated annually, and approved by senior management. The whistleblower channel must also meet KNF supervisory expectations, which go beyond the minimum statutory requirements. Compliance programme design for a KNF-supervised entity typically costs EUR 15,000 to EUR 22,000 and takes twelve to sixteen weeks. Failure to maintain adequate AML controls carries personal liability for board members and fines that can reach PLN 5m or more for serious breaches.
For a comparison of compliance programme requirements across EU jurisdictions, the guide on compliance programme design for Italy subsidiaries in Poland provides a useful reference point. Swedish groups with multi-country footprints may also find the compliance programme design for Ukraine subsidiaries in Poland guide relevant for CIS-adjacent operations.
What should you prepare before engaging a compliance lawyer in Warsaw?
Preparation reduces cost and accelerates the process. A compliance lawyer in Warsaw will need specific inputs to conduct a meaningful gap analysis. Arriving without these materials adds billable hours and delays the programme's activation date – time during which the subsidiary remains exposed.
- Current headcount and entity classification (obligated institution status under the AML Act)
- Existing group policies in any language, including Swedish originals
- Organisational chart showing the Polish management board and reporting lines to the Swedish parent
- List of services or products provided by the Polish entity that may trigger sector-specific obligations
- Any prior regulatory correspondence with KNF, GIIF, UOKiK, or data protection authority (Urząd Ochrony Danych Osobowych, Personal Data Protection Office, UODO)
Swedish groups that have already implemented a compliance programme at group level under Swedish law will find that the gap analysis is shorter. However, the localisation phase remains necessary regardless of how mature the parent programme is. The gap between Swedish and Polish legal requirements is structural, not cosmetic. For context on how Polish tax obligations interact with the compliance calendar, the KSeF deadline timeline for companies in Sweden provides relevant background on the 2026–2027 e-invoicing transition that affects Polish subsidiaries of Swedish groups.
Specific circumstances of your Polish subsidiary require individual assessment. Waiting until a regulator makes contact precludes the good-faith compliance defence and forfeits the ability to set the terms of remediation.
To receive an expert assessment of your compliance programme gaps, contact info@kordeckipartners.com.
Frequently asked questions
Q: Does our Swedish parent's whistleblower channel satisfy Polish law if Polish employees can access it?
A: Not automatically. The Whistleblower Protection Act requires the reporting channel to be accessible in Polish, with a designated recipient who acknowledges receipt within 7 days and provides a substantive response within 3 months. A parent-level channel that is not administered under Polish procedural rules – including confidentiality protections and non-retaliation commitments that meet Polish statutory standards – does not satisfy the local obligation. A separate or mirrored channel with Polish-language administration is typically required.
Q: How long does it take to build a compliance programme from scratch, and what does it cost?
A: For a mid-size subsidiary (50–200 employees, non-financial sector), the process from gap analysis to live programme typically takes eight to twelve weeks. Costs range from EUR 8,000 to EUR 15,000 for initial design and implementation. Ongoing maintenance – annual policy reviews, training refreshers, incident management – adds EUR 3,000 to EUR 6,000 per year. Financial-sector entities subject to KNF supervision face higher costs due to the depth of AML documentation required.
Q: Is ESG reporting the same thing as a compliance programme?
A: No – this is a common misconception. ESG reporting (including CSRD Poland obligations) is one component of a broader compliance framework. A compliance programme also covers conduct risk, whistleblower mechanisms, AML controls, data protection, and competition law. ESG reporting produces disclosures for external stakeholders. A compliance programme governs internal behaviour and reduces regulatory and legal risk. Swedish subsidiaries sometimes invest heavily in ESG reporting infrastructure while neglecting the conduct-risk and whistleblower elements that Polish regulators examine first.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to compliance programme design, ESG reporting, and whistleblower compliance. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.