A Warsaw-based food manufacturer receives a request from its German parent: complete a full ESG due diligence review of all tier-one suppliers within 90 days. The compliance team opens a blank spreadsheet. Nobody knows where to start.

ESG due diligence in supply chains requires Polish companies to assess environmental, social, and governance risks across their supplier networks under both EU and domestic law. The ustawa o sprawozdawczości zrównoważonego rozwoju (Sustainability Reporting Act) implements the Corporate Sustainability Reporting Directive (CSRD) into Polish law, with the first wave of reporting obligations applying to large public-interest entities for financial years starting 1 January 2024. Companies in scope must identify, assess, and address material ESG risks – including those originating in their supply chains – or face regulatory scrutiny and reputational damage that can be difficult to reverse.

This guide walks through the step-by-step procedure for conducting supply chain ESG due diligence in Poland: which companies are in scope, what a compliant process looks like, where Polish businesses most often go wrong, and how three different business scenarios map onto the framework. The FAQ section addresses the questions clients ask most frequently before their first diligence exercise.

Which Polish companies are in scope – and when?

The answer depends on size, listing status, and the sector in which your company operates. Polish law follows the CSRD's phased timetable. Large public-interest entities with more than 500 employees were subject to CSRD-aligned reporting from 1 January 2024. Other large companies – those exceeding two of three thresholds (250 employees, EUR 50m turnover, EUR 25m balance sheet) – enter scope for financial years starting 1 January 2025. Listed small and medium enterprises follow from 2026, with an opt-out available until 2028.

The National Court Register (KRS) is the starting point for verifying whether a Polish entity qualifies as a "large undertaking." The Polish Financial Supervision Authority (KNF) supervises listed entities and has signalled active enforcement interest in sustainability disclosures. The Office of Competition and Consumer Protection (UOKiK) monitors supply chain practices for unfair trading patterns that often intersect with social ESG risks.

Even companies outside the direct CSRD scope face indirect pressure. A Polish supplier to a German or Dutch group will typically receive a supplier questionnaire within 12 months of the parent entering scope. Failure to respond – or to respond credibly – risks losing the contract. That consequence is often irreversible once the purchasing cycle closes.

  • Check your employee headcount, turnover, and balance sheet against the three CSRD thresholds.
  • Verify whether any group parent is already in scope and requires supplier data.
  • Confirm your sector: high-impact sectors (textiles, food, minerals) face stricter timelines under the EU Corporate Sustainability Due Diligence Directive (CS3D).
  • Review your existing contracts for ESG audit clauses – many already contain them.

What does a compliant ESG due diligence process look like?

A compliant process has five stages: scoping, risk mapping, supplier assessment, remediation planning, and disclosure. Each stage has a defined output. Skipping any stage creates gaps that auditors and regulators identify quickly. Expect the full cycle to take between 60 and 120 days for a mid-size supply chain of 50 to 200 tier-one suppliers.

Scoping begins with defining which suppliers are "in scope" for the current reporting period. Polish practice typically starts with tier-one direct suppliers, then extends to tier-two on a risk-prioritised basis. Risk mapping uses sector data, country-of-origin indicators, and commodity classifications. A Polish textile company sourcing from South Asia will assign higher inherent risk scores than a domestic IT services firm.

Supplier assessment involves sending standardised questionnaires aligned to the European Sustainability Reporting Standards (ESRS). The ESRS E1 through S4 categories cover climate, biodiversity, water, pollution, workforce conditions, and governance. Polish companies often use a 40-question baseline questionnaire, with a follow-up audit triggered where scores fall below a defined threshold. Document retention for at least 5 years is standard practice and supports whistleblower compliance obligations under the ustawa o ochronie sygnalistów (Whistleblower Protection Act).

We helped a manufacturing client in the Mazowieckie region complete a 180-supplier assessment cycle within 75 days (autumn 2025). The process identified three critical suppliers with unresolved environmental permit issues – findings that shaped the client's CSRD disclosure and supplier renegotiation strategy.

How do three business scenarios map onto the framework?

Scenario A – Polish manufacturing exporter. A Silesian steel components manufacturer supplies tier-one parts to four German automotive groups. All four parents entered CSRD scope in 2024 and have issued supplier codes of conduct requiring ESG data within 60 days of each annual reporting cycle. The Polish company is not itself in direct CSRD scope yet but faces contractual ESG obligations. The correct approach is to complete a self-assessment against the ESRS S1 (workforce) and E1 (climate) categories, document the results, and respond to each parent's questionnaire. Costs for a structured self-assessment with external legal review typically range from PLN 15,000 to PLN 40,000 depending on supply chain complexity.

Scenario B – Polish IT services group. A Warsaw-based software company with 300 employees and EUR 60m turnover enters CSRD scope for the financial year beginning 1 January 2025. Its supply chain consists primarily of cloud infrastructure providers and freelance developers. Material ESG risks are concentrated in governance (data ethics, AI Act compliance) and social (contractor working conditions). ESG reporting here focuses on governance disclosures rather than environmental metrics. The company should design its due diligence process around ESRS G1 (business conduct) and S2 (workers in the value chain), with particular attention to AML screening of payment flows to non-EU contractors. For guidance on structuring a compliance programme, see our analysis of compliance programme design for Germany subsidiaries in Poland.

Scenario C – Foreign investor entering Poland. A Dutch logistics group acquires a Polish distribution company with 180 employees and 90 subcontracted carriers. The acquirer's existing ESG due diligence framework was built for Western European supply chains and does not map cleanly onto Polish subcontracting structures. The correct approach is a gap analysis comparing the acquirer's existing framework against Polish legal requirements, followed by a supplier onboarding protocol for the 90 carriers. This scenario frequently arises in M&A contexts; for a cross-border enforcement dimension, see our note on enforcing arbitral awards in Poland.

What are the most common mistakes Polish companies make?

The most common mistake is treating ESG due diligence as a one-time documentation exercise rather than a continuous process. Polish companies frequently complete a supplier questionnaire in year one, file the results, and take no further action. Under CSRD and the forthcoming CS3D, due diligence must be repeated annually and must demonstrate that identified risks have been addressed. A static report forfeits the compliance defence entirely.

The second mistake is underestimating the scope of "supply chain." Polish law, following EU doctrine, treats the supply chain as extending beyond direct contractual counterparties. If a tier-one supplier subcontracts labour to a tier-two provider operating in conditions that breach ESRS S1 standards, the reporting company remains exposed. Mapping must go at least one level deeper than the direct supplier relationship.

Our team secured a successful regulatory response for a retail client in Małopolska (spring 2026) after an initial ESG audit had missed a critical subcontractor tier. We redesigned the diligence framework within 30 days, avoiding a formal inquiry by the supervisory authority.

A third frequent error involves whistleblower compliance. The Whistleblower Protection Act requires companies with 50 or more employees to maintain an internal reporting channel. Many Polish businesses have installed the channel but have not connected it to their ESG risk process. A supplier employee who reports a safety violation should trigger an ESG review – not just an HR response. For Swiss-structure subsidiaries operating in Poland, the same principle applies: see our guide on compliance programme design for Switzerland subsidiaries in Poland.

What to prepare before your first ESG supply chain review:

  • A complete list of tier-one suppliers with country of origin, commodity category, and estimated annual spend.
  • Copies of existing supplier contracts, including any audit rights and ESG clauses.
  • Your company's existing whistleblower channel documentation and response log.
  • Any prior ESG or AML screening results for key suppliers.
  • Internal governance documents: code of conduct, anti-corruption policy, and environmental permits.

Companies that arrive at a first diligence meeting with these five items ready typically complete the scoping stage in under two weeks. Those that do not typically spend the first month gathering documents rather than assessing risk.

Supply chain ESG due diligence is not a compliance checkbox. It is a structured risk management process that, when done properly, protects against regulatory sanction, contract loss, and reputational harm that is difficult to undo. The complexity of the ESRS framework and the overlapping obligations under CSRD, CS3D, and the Whistleblower Protection Act make external legal support a practical necessity for most Polish companies entering scope for the first time.

Frequently asked questions

Q: Does a Polish company outside CSRD scope need to conduct ESG due diligence at all?

A: Not under Polish law directly – but in practice, yes. A Polish supplier to a CSRD-in-scope European group will typically receive a contractual ESG data request within one to two years of the parent entering scope. Failure to respond credibly risks contract termination. Companies with 50 or more employees also face mandatory whistleblower channel requirements under the Whistleblower Protection Act regardless of CSRD scope. Starting a basic diligence process now, even informally, is far less costly than building one under time pressure when a contract is at risk.

Q: How long does a supply chain ESG due diligence review take, and what does it cost?

A: A baseline review of 50 to 100 tier-one suppliers typically takes 60 to 90 days from initial scoping to final report. Legal and advisory costs for a structured process with external support range from PLN 20,000 to PLN 80,000 depending on supply chain complexity, the number of high-risk suppliers requiring follow-up audit, and whether the company already has internal ESG data. Companies with existing ISO 14001 or ISO 45001 certifications typically reduce the assessment time by 20 to 30 percent because baseline environmental and safety data is already structured.

Q: Is it a misconception that ESG due diligence only covers environmental issues?

A: Yes – and it is one of the most common misunderstandings among Polish businesses entering the process for the first time. The ESRS framework covers five environmental categories (E1–E5), four social categories (S1–S4), and one governance category (G1). Social risks – including forced labour, unsafe working conditions, and fair pay practices across the value chain – are frequently the most material issues for Polish companies operating in manufacturing and logistics sectors. Governance risks, including AML and anti-corruption controls, are equally within scope. A diligence process focused only on carbon emissions will fail to satisfy CSRD reporting requirements.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to ESG compliance, supply chain due diligence, and sustainability reporting. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.