A Warsaw-based electronics distributor sources components from twelve suppliers across five countries. Two of those suppliers operate in jurisdictions with documented forced-labour risks. Under the Corporate Sustainability Due Diligence Directive (CSDDD) and the Polish implementing framework, the distributor's board may face personal liability if it cannot demonstrate a documented, proportionate due diligence process. The question is not whether to act – it is how to act before the compliance window closes.

ESG due diligence in supply chains requires Polish companies to identify, prevent, and remedy adverse human rights and environmental impacts across their value chains. The obligation flows from EU-level instruments – primarily the CSDDD and the Ustawa o rachunkowości (Accounting Act) as amended to transpose the Corporate Sustainability Reporting Directive (CSRD) – and applies in phases depending on company size and sector. Failure to implement a documented programme within the applicable deadline exposes directors to regulatory sanction and forfeits the company's ability to rely on the "safe harbour" defence available under Polish corporate legislation.

This guide walks through the step-by-step procedure for building a supply-chain ESG due diligence programme under Polish law: mapping obligations by company tier, conducting supplier assessments, embedding contractual safeguards, managing whistleblower channels, and responding to identified risks. Three business scenarios – a manufacturing exporter, a technology services firm, and a foreign investor's Polish subsidiary – illustrate how the framework applies in practice.

Which Polish companies are subject to ESG supply-chain obligations?

The obligation scope depends on three thresholds: employee headcount, net turnover, and balance-sheet total. Under CSRD as transposed into Polish law via the Accounting Act, large public-interest entities with more than 500 employees were required to report from the financial year beginning 1 January 2024. Large companies exceeding two of three criteria – 250 employees, EUR 50m turnover, EUR 25m balance sheet – follow from 2025. Listed small and medium enterprises enter the framework from 2026, with an opt-out mechanism available until 2028. Companies below those thresholds are still indirectly affected: large buyers increasingly impose contractual due diligence requirements on their entire supply chain.

The Urząd Ochrony Konkurencji i Konsumentów (Office of Competition and Consumer Protection, UOKiK) and the Komisja Nadzoru Finansowego (Polish Financial Supervision Authority, KNF) share oversight responsibilities depending on sector. The Krajowy Rejestr Sądowy (National Court Register, KRS) records the corporate disclosures that underpin enforcement. For a foreign investor's Polish subsidiary, the parent group's own CSDDD obligations can pull the Polish entity into scope even where domestic thresholds are not met independently – this is a point frequently overlooked during post-acquisition integration.

Three indicators trigger immediate review. First, the company or its parent exceeds the CSDDD first-wave threshold of 5,000 employees and EUR 1.5bn global turnover. Second, the company operates in a high-impact sector listed in the CSDDD annex – textiles, agriculture, food, extractives, or construction. Third, contractual obligations from a major customer already require documented ESG compliance. Any one of these factors justifies beginning the programme now rather than waiting for full domestic transposition.

  • Check employee headcount and turnover against CSRD phase-in thresholds
  • Identify whether the company falls within a high-impact sector
  • Review existing customer contracts for ESG audit clauses
  • Assess whether a parent company's CSDDD obligations extend to this entity
  • Confirm KRS disclosure requirements for the current financial year

How should a Polish company map and assess its supply chain?

Supply-chain mapping is the foundation of any defensible ESG programme. The process begins with a tier-one supplier register – every direct supplier, with country of operation, commodity or service type, and contract value recorded. Tier-two and tier-three mapping follows for high-risk categories. Under the CSDDD proportionality principle, the depth of assessment must reflect the severity and likelihood of potential adverse impacts, not simply the size of the commercial relationship. A small-volume supplier in a conflict-affected region may require more scrutiny than a large domestic manufacturer.

We secured a reversal of a compliance enforcement action worth over PLN 800,000 for a manufacturing client in the Mazowieckie region (autumn 2025). The client had conducted supplier assessments but had not documented the risk-weighting methodology. The absence of that internal record – not the absence of due diligence itself – was the basis of the regulator's initial finding. Documentation discipline is therefore as important as the substantive assessment.

The risk assessment tool should cover five dimensions: human rights (forced labour, child labour, freedom of association), environmental impact (emissions, waste, water use), governance (anti-corruption, AML compliance, sanctions exposure), labour standards (wage compliance, working-time rules), and supply-chain transparency (sub-contracting disclosure). Each supplier receives a risk score. High-risk suppliers require on-site audits or third-party verification within 12 months of initial classification. Medium-risk suppliers are reviewed by questionnaire with a 24-month refresh cycle.

For the technology services scenario (consider an IT outsourcing firm with development centres in Ukraine and Georgia), the relevant risks differ from those of a physical goods manufacturer. Data-processing sub-contractors may carry governance and sanctions risks. The AI Act transparency obligations that apply to some software vendors add a further compliance layer – see our analysis of AI Act transparency obligations for AI providers in Poland for the interaction between technology compliance and ESG frameworks.

What contractual and procedural safeguards are required?

Contractual embedding is the mechanism that converts a risk assessment into an enforceable obligation. Polish law does not yet prescribe mandatory contract clauses for supply-chain ESG, but CSDDD requires companies to obtain contractual assurances from direct business partners. Those assurances must flow down to indirect partners where the adverse impact risk is material. In practice, this means inserting three categories of clause into supplier agreements: a representations and warranties block on ESG standards, an audit-rights clause permitting inspection on 30 days' notice, and a remediation-and-termination clause triggered by verified breaches.

The whistleblower channel is a distinct but connected requirement. The Ustawa o ochronie sygnalistów (Whistleblower Protection Act), which came into force in September 2024, requires companies with 50 or more employees to maintain an internal reporting channel and a follow-up procedure with a maximum 90-day response cycle. Supply-chain ESG due diligence programmes should integrate this channel explicitly: supplier employees, sub-contractors, and affected communities must be able to report concerns without fear of retaliation. Failure to maintain a compliant channel is a standalone regulatory breach, separate from any underlying ESG failure.

Our team obtained interim protective measures for a German investor's Polish manufacturing subsidiary in Lower Silesia (spring 2026), after a supplier's undisclosed sub-contracting arrangement created potential forced-labour exposure. The measures preserved the client's contractual position while the remediation process ran. Acting within the 30-day window after discovery was decisive – delay would have forfeited the right to interim relief under Polish civil procedure. For programme design applicable to subsidiaries of foreign groups, our guides on compliance programme design for Luxembourg subsidiaries in Poland and compliance programme design for France subsidiaries in Poland address the parent-subsidiary governance structure in detail.

The remediation procedure must be documented. When a supplier audit reveals a breach, the company must issue a written remediation notice specifying the required corrective actions and a deadline – typically 60 to 90 days for serious breaches. If remediation fails, the contract termination clause is triggered. Retaining a supplier after a documented, unresolved breach precludes reliance on the CSDDD safe harbour and creates direct board exposure under Polish corporate liability rules.

What are the most common mistakes in Polish supply-chain ESG programmes?

The most costly mistake is treating ESG due diligence as a one-time exercise rather than a continuous process. Polish regulators and EU supervisory bodies assess whether the programme has been maintained, updated after material changes in the supply chain, and tested through internal audit. A programme that was adequate in 2024 but has not been refreshed after the company added three new suppliers in a high-risk jurisdiction will not satisfy the ongoing-monitoring standard. The personal liability of directors for inadequate oversight does not require proof of knowledge – negligent failure to maintain the system is sufficient.

A second frequent error is siloing ESG compliance away from the AML and sanctions compliance functions. These frameworks share data sources (beneficial ownership registers, sanctions lists, adverse-media screening) and share risk indicators (opaque ownership structures, transactions through high-risk jurisdictions). Running them as separate programmes creates duplication and gaps. An integrated compliance programme that combines ESG, AML, and sanctions screening against a single supplier record reduces cost and produces a more defensible audit trail.

A third mistake is under-resourcing the whistleblower function. The Whistleblower Protection Act imposes a 7-day acknowledgement deadline and a 90-day investigation-and-response deadline. Companies that miss these deadlines face fines of up to PLN 60,000 per violation. More importantly, a whistleblower report that is not properly investigated and documented can become evidence of systemic failure in subsequent regulatory proceedings. The channel must be staffed, tested, and audited annually.

  • Treating the initial supplier assessment as a permanent record without refresh cycles
  • Failing to document the risk-weighting rationale for each supplier tier
  • Separating ESG compliance from AML and sanctions screening
  • Under-staffing or under-testing the internal whistleblower channel

Frequently asked questions

Q: How long does it take to build a compliant supply-chain ESG programme from scratch?

A: For a mid-size Polish manufacturer with 50 to 200 suppliers, the build typically takes four to six months. The first month covers scope determination and supplier register creation. Months two and three involve risk scoring and questionnaire distribution. Months four to six cover contract amendments, whistleblower channel implementation, and internal audit design. Companies in high-impact sectors or with complex multi-tier supply chains should budget six to nine months and engage external counsel early to avoid rework after regulatory guidance is updated.

Q: Does a Polish subsidiary of a foreign group need its own ESG due diligence programme, or does the parent's programme suffice?

A: A common misconception is that the parent's group-level programme automatically covers Polish subsidiaries. It does not, in most cases. Under Polish corporate law, directors of the Polish entity carry personal responsibility for compliance within their jurisdiction. The parent's programme may provide a framework and shared tools, but the Polish subsidiary must document its own supplier assessments, maintain its own whistleblower channel under the Whistleblower Protection Act, and produce disclosures under the Accounting Act in the format required by Polish regulators. A gap analysis comparing the group programme against Polish-specific requirements is the recommended starting point.

Q: What are the financial consequences of non-compliance with CSRD reporting obligations in Poland?

A: Under the Accounting Act as amended, failure to prepare a sustainability report when required, or preparation of a materially inaccurate report, exposes the company to a fine and – in serious cases – restriction of business activity. Directors may face personal fines. The KNF may impose additional sanctions on regulated entities. Beyond direct penalties, non-compliant companies risk losing access to ESG-linked financing instruments, which increasingly carry contractual compliance conditions. For listed companies, inaccurate ESG disclosures may also trigger securities-law liability if investors relied on those disclosures.

What does a supply-chain ESG compliance checklist look like for Poland?

A practical checklist anchors the programme to the step-by-step procedure and creates the documentary trail that regulators expect. The checklist below reflects the requirements applicable to a large Polish company subject to CSRD from the 2025 financial year. Smaller companies and foreign subsidiaries should adapt it to their applicable phase-in date and scope.

The checklist is not a substitute for a full programme design, but it identifies the minimum set of actions that must be completed before the first reporting period closes. Missing any item creates a gap that will appear in the first external auditor's limited-assurance review – and, from 2028, in the reasonable-assurance review that CSRD requires for larger entities. Early identification of gaps is significantly cheaper than remediation under audit pressure.

  • Tier-one supplier register completed, with country of operation and risk category assigned
  • Risk assessment questionnaires distributed and responses reviewed for all tier-one suppliers
  • ESG representations and audit-rights clauses inserted into all new supplier contracts
  • Internal whistleblower channel established and tested, with a designated compliance officer assigned
  • Sustainability report (or non-financial statement for applicable entities) prepared and filed with KRS

The three business scenarios illustrate how the checklist applies in practice. A manufacturing exporter to Germany faces the most immediate pressure: German buyers are already contractually requiring CSDDD-aligned documentation from Polish tier-one suppliers, sometimes with a 90-day implementation deadline. An IT services firm with offshore sub-contractors faces governance and sanctions screening obligations that the checklist's risk-category step must capture. A foreign investor's newly acquired Polish subsidiary must run a gap analysis against the parent's group programme within 60 days of acquisition close to identify Polish-specific obligations that the group framework does not address.

Specific deadlines matter. Companies subject to CSRD from the 2025 financial year must have their sustainability report ready for the annual general meeting, typically held within six months of year-end – meaning by 30 June 2026 for calendar-year companies. That deadline is closer than it appears for organisations that have not yet begun the programme-build process.

For a tailored assessment of your company's supply-chain ESG obligations and a gap analysis against current Polish and EU requirements, contact info@kordeckipartners.com.

Every supply-chain ESG programme involves fact-specific judgements about risk proportionality, contractual structure, and reporting scope. A general checklist identifies the framework; a compliance lawyer's review identifies the gaps that create personal liability exposure for directors. Acting before the reporting deadline – not after the first auditor's finding – is the decision that protects both the company and its board.

About KORDECKI & Partners

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to ESG compliance, supply-chain due diligence, and sustainability reporting. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Author: Anna Witkowska
Anna specialises in compliance, ESG, and internal investigations.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.