A Warsaw-based technology company wins a KPO grant in spring 2026. The contract is signed. The funds arrive. Then, six months later, an audit finds that the company's internal compliance programme failed to meet the cross-cutting requirements embedded in the grant agreement. The entire disbursement is subject to recovery. This is not a hypothetical scenario – it is the pattern that Polish beneficiaries are encountering as the National Recovery and Resilience Plan (KPO) and the broader Recovery and Resilience Facility (RRF) move from disbursement into intensive verification.

EU funds compliance under KPO and RRF in Poland requires beneficiaries to satisfy a layered set of obligations that go well beyond project delivery. These include anti-fraud and anti-corruption controls, ESG reporting commitments, whistleblower protection mechanisms, and AML-aligned due diligence on subcontractors. Polish implementing institutions – principally the Ministry of Funds and Regional Policy and the National Fund for Environmental Protection and Water Management (NFOŚiGW) – have intensified audit activity since late 2025. Beneficiaries that fail to document compliance face clawback demands, exclusion from future calls, and personal liability for management boards.

This alert covers three areas: what the requirements now demand in practice, which organisations are most exposed, and what immediate steps reduce risk before the next audit cycle.

What has changed in the KPO compliance requirements?

The shift is not legislative in the narrow sense. The underlying RRF Regulation has been in force since 2021. What changed is enforcement intensity. The European Commission's audit missions to Poland in 2025 identified weaknesses in beneficiary-level controls. In response, Polish implementing bodies tightened grant agreement templates and introduced new compliance annexes effective from the fourth quarter of 2025. Beneficiaries who signed earlier agreements have received amendment notices requiring retroactive alignment within 90 days.

Three requirements now receive the most scrutiny. First, anti-fraud controls: beneficiaries must maintain a documented conflict-of-interest policy and run procurement checks against the Early Detection and Exclusion System (EDES). Second, whistleblower channels: Poland's transposition of the EU Whistleblowing Directive – through the Act on the Protection of Whistleblowers – requires any entity receiving public funds above PLN 100,000 to operate a compliant internal reporting channel. Third, ESG reporting: grant agreements in the green and digital components of KPO now require beneficiaries to demonstrate alignment with the Do No Significant Harm (DNSH) principle, with documentary evidence updated annually.

The whistleblower compliance requirement catches many mid-size companies off guard. A manufacturing client in Wielkopolska (winter 2025) discovered during a pre-audit review that its reporting channel lacked the required response timeline documentation – a deficiency that would have triggered a 25% financial correction under its grant agreement. Early remediation avoided the penalty.

  • Conflict-of-interest policy: documented, signed, and version-controlled
  • EDES procurement screening: logged for every subcontractor above EUR 10,000
  • Whistleblower channel: operational, with a maximum 3-month response deadline
  • DNSH evidence file: updated within 12 months of each reporting period
  • AML due diligence: beneficial ownership verification for all key contractors

For organisations already subject to CSRD Poland obligations or NIS2 implementation requirements, these KPO controls can be integrated into existing compliance frameworks. That integration is far more efficient than running parallel systems. Entities that have already mapped their ESRS implementation steps for Polish reporting entities will find significant overlap with the DNSH documentation requirements.

Who is affected, and what must they do immediately?

The exposure is broader than many beneficiaries assume. The compliance requirements apply to direct grant recipients, but also – through contractual flow-down clauses – to subcontractors and consortium partners. Any entity receiving KPO or RRF-linked funds above PLN 100,000 falls within scope. For consortium arrangements, the lead entity bears primary liability, but audit findings against a subcontractor can trigger recovery against the entire consortium.

Three categories of organisations face the highest immediate risk. First, companies that signed grant agreements before October 2025 and have not yet received or responded to amendment notices. Second, foreign-owned subsidiaries operating in Poland that applied group-level compliance policies without verifying Polish-law specifics – particularly the whistleblower channel requirements under Polish legislation. Third, entities in the health, energy, and digital infrastructure components of KPO, where audit frequency is highest.

We secured a full reversal of a proposed financial correction exceeding PLN 1.8m for an IT services client in the Mazowieckie region (autumn 2025). The correction had been triggered by gaps in subcontractor AML documentation. Structured remediation – including retroactive beneficial ownership verification and updated procurement logs – resolved the finding before the formal recovery decision was issued.

For organisations advising foreign investors or managing compliance programme design for Luxembourg subsidiaries in Poland, the KPO requirements add a specific Polish-law layer that standard group policies do not cover. The 90-day retroactive alignment window is the critical deadline. Missing it converts a correctable deficiency into a formal financial correction, which is significantly harder to reverse.

What to prepare before the next audit cycle:

  • Retrieve the current grant agreement and all annexes – check for amendment notices
  • Verify that the whistleblower channel meets Polish statutory requirements
  • Run EDES checks on all active subcontractors and document the results
  • Compile the DNSH evidence file with current-year data

Organisations that have already addressed NIS2 implementation in Poland will recognise the same logic: the cost of pre-audit remediation is a fraction of the cost of a formal correction proceeding. A compliance lawyer, Warsaw-based or otherwise, should be engaged before the audit notice arrives, not after.

Specific situations require tailored assessment. If your organisation has received a KPO amendment notice, is preparing for an audit, or is structuring a consortium arrangement, the 90-day window may already be running.

To receive an expert assessment of your KPO compliance position, contact info@kordeckipartners.com.

Frequently asked questions

Q: Does the whistleblower channel requirement apply to small companies receiving KPO grants?

A: Yes. Under Polish legislation transposing the EU Whistleblowing Directive, any entity receiving public funds above PLN 100,000 must operate an internal reporting channel. The channel must allow anonymous reporting, and the organisation must respond within three months. Size does not exempt a beneficiary from this obligation.

Q: How long does a financial correction proceeding take, and can it be reversed?

A: A formal financial correction proceeding typically runs three to six months from the initial finding to a recovery decision. Reversal is possible but requires documented evidence that the deficiency either did not exist or was remediated within the applicable window. Acting before the formal proceeding begins – ideally within the 90-day amendment alignment period – produces substantially better outcomes than challenging a recovery decision after the fact.

Q: What is the relationship between KPO compliance and CSRD obligations?

A: The DNSH documentation required under KPO grant agreements overlaps significantly with ESG reporting obligations under CSRD Poland. Entities already building CSRD-aligned data systems can reuse environmental and social performance data for DNSH purposes. However, the specific format and timing requirements differ, and a compliance review is needed to confirm that existing ESG reporting satisfies the grant agreement's particular demands.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to EU funds compliance, ESG, and regulatory matters. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.