A Kyiv-based engineering group expands into Poland, establishing a subsidiary in Warsaw. Within eighteen months, the Polish entity faces a National Labour Inspectorate audit, a request from the General Inspector of Financial Information (GIIF) on AML procedures, and a whistleblower complaint routed through an improperly configured reporting channel. Each issue is manageable in isolation. Together, they signal a compliance programme that was never properly designed for the Polish regulatory environment.

Designing a compliance programme for a Ukraine subsidiary operating in Poland requires mapping at least four overlapping regulatory frameworks: Polish corporate law, AML obligations under Polish financial intelligence rules, whistleblower protection legislation enacted in 2024, and ESG reporting requirements under CSRD Poland timelines. The process typically takes three to six months and involves documented risk assessment, policy drafting, training, and a functioning internal reporting channel. Failure to complete each layer forfeits both legal protection for the entity and personal liability shields for its management board.

This guide walks through the full design process step by step. It covers the legal baseline every Ukrainian-owned Polish entity must meet, the practical sequencing of documents and training, the three most common structural mistakes, and a realistic cost and timeline estimate. Three business scenarios – manufacturing, IT services, and a foreign investor – illustrate how the framework applies in different contexts.

What is the legal baseline for a Ukraine subsidiary in Poland?

Every Polish limited liability company (spółka z ograniczoną odpowiedzialnością, sp. z o.o.) or joint-stock company (spółka akcyjna, SA) with Ukrainian beneficial ownership must satisfy a defined floor of compliance obligations before it can claim any safe-harbour protection. The baseline spans three statutes and two EU regulations. Missing any single layer exposes the entity to administrative sanctions reaching PLN 1,000,000 for AML breaches alone.

The first layer is registration. The entity must be entered in the National Court Register (KRS) and, if it processes payment transactions or extends credit, notified to the Polish Financial Supervision Authority (KNF). Beneficial ownership data – including Ukrainian natural persons holding more than 25 percent of shares – must be reported to the Central Register of Beneficial Owners (CRBR) within seven days of any change. Non-disclosure of Ukrainian UBOs is itself an AML offence under Polish financial intelligence legislation.

The second layer is AML. Polish AML law, implementing the EU's Fourth and Fifth Anti-Money Laundering Directives, requires obligated entities to conduct a written risk assessment, appoint an AML compliance officer, and maintain an internal procedure document. For subsidiaries of Ukrainian groups, the risk assessment must address cross-border payment flows, Ukrainian-resident counterparties, and any transactions routed through jurisdictions on the EU high-risk list. The assessment must be reviewed at least annually.

The third layer is whistleblower protection. Poland's Whistleblower Protection Act, which entered into force in September 2024, requires entities with 50 or more employees to operate an internal reporting channel within 14 days of crossing that threshold. The channel must guarantee anonymity, acknowledge receipt within seven days, and provide a substantive response within three months. A Ukrainian-owned subsidiary that outsources this channel to a group-level system in Kyiv – without a Polish-law compliant local procedure – forfeits the safe harbour entirely and cannot rely on good-faith defences in enforcement proceedings.

How should the programme be sequenced and documented?

Sequencing matters as much as content. A compliance programme assembled in the wrong order – policies before risk assessment, training before policies – creates documentation gaps that regulators identify quickly. The correct sequence runs from risk mapping through policy drafting, then governance assignment, then training, then channel activation, then a first internal audit. Completing this sequence typically requires between 90 and 180 days, depending on entity size and group complexity.

Step one is a written compliance risk assessment covering all material risk categories: AML, labour law, data protection under the General Data Protection Regulation (GDPR), sanctions exposure (particularly relevant for entities with any Russian or Belarusian counterparties), and ESG reporting obligations. For Ukrainian subsidiaries, sanctions screening deserves separate attention. The Office of Foreign Assets Control (OFAC) and EU consolidated sanctions lists must both be checked for any counterparty connected to currently sanctioned persons or entities. This screening should be documented and dated.

Step two is policy drafting. The core documents are: an AML internal procedure, a whistleblower reporting channel procedure, a data protection policy, a conflicts-of-interest policy, and a gifts-and-hospitality register. Each document must be in Polish. An English translation is useful for the Ukrainian parent but carries no legal weight before Polish authorities. Policies should cross-reference each other – the AML procedure should reference the whistleblower channel, and both should reference the disciplinary procedure.

  • Written compliance risk assessment (AML, sanctions, GDPR, ESG)
  • AML internal procedure and compliance officer appointment
  • Whistleblower reporting channel – Polish-law compliant, locally hosted
  • Data protection policy and GDPR records of processing
  • Conflicts-of-interest policy and gifts register

Step three is governance. The management board must formally adopt each policy by resolution. The compliance officer role – whether held by an internal employee or an external Warsaw-based compliance lawyer – must be defined in writing with a clear reporting line to the board.

Step four is training: all employees must receive documented training within 30 days of policy adoption, with attendance records retained for at least five years.

Step five is activating the reporting channel and testing it with a simulated submission before going live.

What are the most common design mistakes for Ukrainian-owned entities?

Three structural mistakes recur across Ukrainian-owned Polish subsidiaries. Each is avoidable. Each, left uncorrected, forfeits legal protection at the moment it matters most – during a regulatory inspection or a counterparty due diligence review.

The first mistake is treating the Ukrainian group's global compliance manual as a substitute for a Polish-law compliant programme. Group manuals are written for a different legal system. They typically omit the specific whistleblower channel requirements of Polish legislation, the CRBR notification obligations, and the AML risk-assessment format required by the General Inspector of Financial Information (GIIF). During a GIIF inspection, a 200-page English-language group manual earns no credit. The Polish entity needs its own documents, in Polish, referencing Polish law.

We secured a reversal of an AML administrative sanction exceeding PLN 400,000 for a manufacturing client in the Mazowieckie region (autumn 2025). The sanction had been imposed because the entity's AML procedure was a translated excerpt from a group manual and lacked the mandatory risk-assessment annex. A properly structured Polish-law compliant procedure, filed retrospectively with supporting documentation, led the GIIF to withdraw the penalty on appeal.

The second mistake is misclassifying the entity's AML status. Not every Ukrainian-owned Polish company is an "obligated institution" under Polish AML law. The classification depends on the entity's activity – trading companies, most service businesses, and holding vehicles are not obligated institutions unless they meet specific turnover or transaction thresholds. However, any entity that is not an obligated institution still has CRBR and sanctions-screening obligations. Misclassifying upward (treating a non-obligated entity as obligated) wastes resources. Misclassifying downward (treating an obligated entity as non-obligated) triggers sanctions of up to PLN 1,000,000 – an irreversible consequence once a GIIF inspection has opened.

The third mistake is ignoring ESG reporting timelines. CSRD Poland obligations apply to large entities – those meeting two of three criteria: more than 250 employees, net turnover above EUR 40 million, or total assets above EUR 20 million. A Ukrainian-owned Polish subsidiary that crosses these thresholds in 2025 must produce its first ESG disclosure covering the 2025 financial year. Boards that discover this obligation in late 2026, when the disclosure is already overdue, face both reputational damage and potential civil liability to investors relying on the parent group's consolidated sustainability report.

How do costs and timelines differ across three business scenarios?

Cost and timeline vary significantly by entity type. The three scenarios below illustrate the realistic range. Each scenario assumes a newly established Polish subsidiary with no pre-existing compliance infrastructure.

Scenario A – Manufacturing company. A Ukrainian industrial group establishes a production plant in Silesia with 180 employees. This entity is not an AML obligated institution but has full whistleblower channel obligations (threshold: 50 employees), CRBR reporting requirements, GDPR obligations as an employer, and – given its size – will approach CSRD Poland thresholds within two to three years. The compliance programme covers: risk assessment, whistleblower channel (locally hosted, Polish-law compliant), employment compliance policies, and GDPR records. Estimated external legal cost: PLN 35,000 to PLN 55,000. Timeline: 90 to 120 days. The primary risk is the whistleblower channel – a manufacturing plant with shift workers needs a channel accessible by phone and in Ukrainian as well as Polish.

Scenario B – IT services company. A Ukrainian software house establishes a Warsaw entity with 60 developers providing services to EU clients. The entity processes personal data at scale and likely qualifies as an obligated institution if it provides payment-adjacent services. The compliance programme must include a full AML procedure, a Data Protection Officer (DPO) appointment if data processing meets GDPR Article 37 thresholds, a whistleblower channel, and an IP and confidentiality framework. Estimated cost: PLN 45,000 to PLN 70,000. Timeline: 120 to 150 days. The primary risk is data transfer – processing EU client data on servers outside the EU triggers supplementary transfer mechanism documentation.

Our team obtained a clean regulatory opinion for a Ukrainian IT services entity in Pomerania (spring 2025), after restructuring its data transfer agreements and AML classification within a 90-day window ahead of a KNF-adjacent review.

Scenario C – Foreign investor holding structure. A Ukrainian family business establishes a Polish holding company to manage EU-facing investments. The holding entity itself may have minimal employees, but its AML obligations as a shareholder of regulated subsidiaries are significant. CRBR notifications must reflect the full beneficial ownership chain, including Ukrainian natural persons. The compliance programme focuses on CRBR accuracy, sanctions screening of counterparties, and a lightweight internal procedure. Estimated cost: PLN 20,000 to PLN 35,000. Timeline: 60 to 90 days. For context on how treaty provisions affect the holding structure's tax exposure, see our analysis of the double tax treaty between Poland and Ukraine.

For entities with supply chains extending beyond Poland, ESG due diligence obligations add a further layer. Our guide on ESG due diligence in supply chains covers the Polish perspective on Corporate Sustainability Due Diligence Directive (CSDDD) implementation.

What to prepare before engaging a compliance lawyer:

  • Corporate structure chart showing all Ukrainian UBOs with ownership percentages
  • Current employee headcount and projected 12-month growth
  • List of all regulated activities (payment services, lending, data processing at scale)
  • Any existing group compliance documents (even if not Polish-law compliant)
  • Details of any ongoing or past regulatory correspondence with GIIF, KNF, or labour inspectorate

Entities with subsidiaries in other EU jurisdictions will find structural parallels in our comparison guide for Netherlands subsidiaries operating in Poland. The sequencing methodology is consistent; the AML risk-assessment content differs by jurisdiction.

The specific compliance requirements of your Polish subsidiary depend on its activity classification, employee count, and group structure. An incorrect classification – in either direction – produces either unnecessary cost or uninsured regulatory exposure. Both outcomes are avoidable with a proper legal mapping conducted before the programme is drafted.

To receive an expert assessment of your subsidiary's compliance baseline, contact info@kordeckipartners.com.

Frequently asked questions

Q: Does a Ukrainian-owned Polish company need a separate compliance programme if the parent group already has one?

A: Yes. Polish regulators – including the General Inspector of Financial Information and the National Labour Inspectorate – assess the Polish entity's own documentation, in Polish, referencing Polish law. A group-level manual in English or Ukrainian does not satisfy the requirements of the Whistleblower Protection Act or Polish AML legislation. The Polish entity must maintain its own policies, its own reporting channel, and its own training records, even if these mirror group standards in substance.

Q: How long does it take to implement a compliant whistleblower reporting channel?

A: The channel itself – a dedicated email address or a third-party platform – can be activated within two to four weeks. The compliant procedure document, required under the Whistleblower Protection Act, takes an additional two to three weeks to draft and adopt by board resolution. The full cycle, including employee training and a test submission, runs approximately 30 to 45 days from engagement. Entities that crossed the 50-employee threshold before September 2024 and have not yet implemented a channel are already in breach and face fines of up to PLN 5,000 per violation.

Q: Is CSRD Poland reporting mandatory for a Ukrainian-owned Polish subsidiary?

A: It depends on size. ESG reporting under CSRD Poland applies to large entities meeting two of three criteria: more than 250 employees, net turnover above EUR 40 million, or total assets above EUR 20 million. A subsidiary that meets these thresholds must produce a standalone sustainability statement or ensure its data is captured in the parent group's consolidated report. A common misconception is that CSRD obligations apply only to listed companies. They apply to large undertakings regardless of listing status, which means a privately held Ukrainian-owned manufacturing subsidiary in Poland may be caught from the 2025 reporting year onward.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to compliance programme design, AML advisory, ESG reporting, and cross-border regulatory matters. We operate a dedicated Ukrainian Desk and CIS Desk, supporting Ukrainian entrepreneurs and investors at every stage of their Polish operations. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.