EU funds compliance – KPO and RRF requirements

A Warsaw-based technology company wins a grant under Poland's National Recovery and Resilience Plan. The funds arrive. Then the audit notice follows – and the team discovers that three compliance conditions were never properly documented. The risk is not a warning. It is full repayment of the grant, with interest.

EU funds compliance under Poland's National Recovery and Resilience Plan (Krajowy Plan Odbudowy, KPO) requires beneficiaries to satisfy a layered set of procedural, reporting, and governance obligations drawn from both EU Regulation 2021/241 – the Recovery and Resilience Facility (RRF) Regulation – and Polish implementing rules. Failure to meet any single milestone or target can trigger a financial correction ranging from a partial deduction to full repayment of the disbursed amount. The Polish implementing authority – the Ministry of Funds and Regional Policy (Ministerstwo Funduszy i Polityki Regionalnej) – monitors compliance through the KPO IT system and periodic on-site inspections.

This guide walks through the step-by-step compliance procedure, key deadlines, cost exposure, and the most common mistakes made by Polish and foreign beneficiaries. Three business scenarios – manufacturing, IT, and a foreign investor – illustrate how the rules apply in practice. A checklist and FAQ close the guide.

What does KPO compliance actually require?

KPO compliance is not a single act. It is a continuous obligation running from the grant agreement signing date through the durability period – typically five years after the final payment. Three elements define the core requirement: milestone and target fulfilment, documentation retention, and anti-fraud and conflict-of-interest controls.

Every KPO investment component carries a set of milestones (qualitative conditions) and targets (quantitative results). The Ministry of Funds and Regional Policy verifies these against the national recovery plan submitted to the European Commission. A beneficiary that cannot demonstrate milestone completion within the agreed reporting window faces a financial correction. Corrections are calculated as a percentage of the affected expenditure – minor procedural gaps may attract a 25 percent flat rate, while systematic failures can reach 100 percent.

Documentation retention is a parallel obligation. Beneficiaries must keep all procurement records, financial statements, contracts, and proof of milestone completion for at least ten years from the date of the last payment. The National Revenue Administration (Krajowa Administracja Skarbowa, KAS) and the Supreme Audit Office (Najwyższa Izba Kontroli, NIK) both hold inspection powers over KPO beneficiaries, independently of the managing authority.

Grant agreement and all annexes
Procurement documentation for every expenditure above the EU threshold
Evidence of milestone and target achievement (reports, certificates, photos)
Conflict-of-interest declarations for all decision-makers
Anti-fraud control logs and audit trails

Foreign investors operating through a Polish subsidiary (spółka z ograniczoną odpowiedzialnością, sp. z o.o.) should note that the Polish entity – not the parent – bears legal responsibility for compliance. The National Court Register (Krajowy Rejestr Sądowy, KRS) data for the Polish entity must be current at every reporting date.

How does the step-by-step procedure work?

The compliance procedure follows five defined stages, each with its own deadline. Missing a stage does not automatically trigger repayment, but it shifts the burden of proof to the beneficiary. Acting early – before the audit notice – is the only reliable strategy.

Stage one is grant agreement execution. The beneficiary signs the agreement with the implementing institution (typically a ministry or a designated agency such as the Polish Development Fund, Polski Fundusz Rozwoju, PFR). The agreement specifies milestone schedules, payment tranches, and the applicable financial correction matrix. Read every annex before signing. Corrections for non-compliance with procurement rules alone can reach 25 percent of the affected contract value.

Stage two is procurement. All expenditure above the EU public procurement threshold must follow the Prawo zamówień publicznych (Public Procurement Law, PZP). Private beneficiaries below the threshold must still apply the "best value for money" principle and document the selection process. A German investor secured interim protection for a procurement dispute exceeding EUR 3m in the Silesia region (winter 2025) – the dispute arose precisely because the selection documentation was incomplete at the time of the audit.

Stage three is milestone reporting. Reports are submitted through the dedicated KPO IT portal within deadlines set in the grant agreement – usually every six months. Each report must attach supporting evidence. Late submission triggers a formal deficiency notice; the beneficiary then has 14 days to cure the deficiency or provide an explanation.

Stage four is the payment claim. After milestone verification, the beneficiary submits a payment claim. The implementing institution has 90 days to process the claim and authorise disbursement. Disputed items are withheld pending clarification.

Stage five is the durability check. For investment projects, the beneficiary must maintain the funded asset and its intended purpose for five years after the final payment (three years for SME investments in some components). Any change of use, sale, or relocation of assets within this window is a compliance breach and triggers proportional financial correction.

To discuss how the KPO compliance procedure applies to your specific project, reach out to info@kordeckipartners.com.

What are the most common compliance mistakes – and how do they arise?

Most KPO compliance failures are procedural, not substantive. The funded activity was completed. The money was spent correctly. But the documentation trail was broken, and the beneficiary cannot prove what actually happened. That gap – not fraud – drives the majority of financial corrections.

The three most frequent mistakes follow a recognisable pattern. First, procurement files are incomplete. A beneficiary runs a competitive selection process but fails to retain all offers received, including rejected ones. Under PZP and RRF rules, every offer must be documented. Missing offers = presumed irregularity. Second, conflict-of-interest declarations are collected at project start and never updated. If a key decision-maker acquires a financial interest in a supplier mid-project, the undeclared conflict can invalidate the entire procurement. Third, milestone evidence is collected informally – photos on a personal phone, emails deleted after the project closes. Formal archiving of all milestone evidence is not optional.

We secured a reversal of a financial correction exceeding PLN 1.8m for a manufacturing client in the Mazowieckie region (spring 2025). The correction had been imposed on the basis of an incomplete procurement file. Reconstruction of the original selection process from secondary records – supplier invoices, correspondence, bank transfers – restored the required evidentiary chain.

ESG reporting obligations add a further layer for KPO components linked to green transition or digital transformation. Beneficiaries receiving funds under these components must demonstrate compliance with the "do no significant harm" (DNSH) principle throughout the project lifecycle. CSRD Poland requirements are increasingly referenced in KPO audit checklists, even for beneficiaries not yet subject to mandatory CSRD reporting. Whistleblower compliance – specifically, the obligation to maintain an internal reporting channel under the EU Whistleblowing Directive – is a standard grant condition in several KPO investment streams.

How do the three business scenarios differ in practice?

KPO compliance obligations look similar on paper. In practice, the risk profile differs sharply depending on the type of beneficiary. A manufacturing company, an IT firm, and a foreign investor face distinct pressure points – and the corrective actions available to each are not identical.

A manufacturing company applying under KPO component B2 (green energy transition) must document both the procurement of equipment and the environmental outcome. DNSH compliance requires an environmental impact assessment aligned with EU Taxonomy criteria. The durability obligation runs for five years. Any disposal or repurposing of funded machinery within that window triggers a correction proportional to the residual value of the asset at the time of disposal.

An IT company receiving KPO funds for digital infrastructure faces a different challenge. Milestone evidence is often intangible – software deployment logs, user adoption metrics, cybersecurity certification. The implementing institution may not have the technical expertise to assess the evidence without external review. Build your milestone documentation assuming the reviewer has no IT background. Attach plain-language summaries to every technical report.

For a foreign investor operating through a Polish subsidiary, the core risk is governance. The parent company may impose procurement or approval processes that conflict with PZP requirements. AML compliance obligations for the Polish entity – governed by the Ustawa o przeciwdziałaniu praniu pieniędzy (Anti-Money Laundering Act) – apply independently of KPO rules but are checked during the same audit cycle. For a detailed breakdown of AML obligations, see our guide on AML compliance obligations for Polish companies. Foreign investors should also review spatial planning requirements before committing to infrastructure investments; our article on spatial planning and zoning rules in Poland covers the key constraints.

For a tailored compliance strategy covering your specific KPO component and entity structure, contact info@kordeckipartners.com.

What should you prepare before the first audit?

Audit readiness is not the same as compliance. A beneficiary may be fully compliant but still fail an audit because the evidence is not organised in a format the auditor can follow. Preparation has a direct impact on audit duration, correction risk, and the cost of any legal defence.

The audit window for KPO projects extends to ten years after the final payment. The European Anti-Fraud Office (OLAF) and the European Public Prosecutor's Office (EPPO) both hold jurisdiction over RRF-funded projects in Poland. An EPPO investigation is a criminal proceeding – the standard of evidence required, and the consequences of non-compliance, are qualitatively different from an administrative audit. Personal liability of board members may arise where fraud or gross negligence is established.

Compliance programmes for subsidiaries of foreign groups operating in Poland should be reviewed against both KPO-specific requirements and general Polish compliance obligations. Our article on compliance programme design for Romania subsidiaries in Poland provides a useful cross-border framework.

Audit readiness checklist – what to prepare:

Complete procurement file for every expenditure, including rejected offers
Updated conflict-of-interest declarations for all project decision-makers
Milestone evidence archive with index and retrieval guide
DNSH documentation for green or digital components
Internal reporting channel records (whistleblower compliance)

A compliance lawyer Warsaw-based teams can engage will typically conduct a pre-audit mock review – checking documentation gaps before the official auditor arrives. The cost of a mock review is a fraction of the cost of a financial correction. For projects with disbursements above PLN 5m, a pre-audit review is advisable at least six months before any anticipated inspection.

Frequently asked questions

Q: How long does a KPO compliance audit typically take?

A: An administrative audit by the implementing institution usually runs between 30 and 90 days from the notice date, depending on project complexity and the volume of documentation requested. OLAF or EPPO investigations follow a different timeline and have no fixed statutory limit. Beneficiaries should budget for legal support costs from the moment an audit notice is received – delays in responding to document requests can be treated as obstruction and attract additional sanctions.

Q: Is it a common misconception that private beneficiaries are exempt from public procurement rules?

A: Yes. Private companies receiving KPO funds are not contracting authorities under the Public Procurement Law and are not subject to its full procedural requirements. However, the grant agreement almost always imposes equivalent obligations by contract. The "best value for money" principle applies to all KPO expenditure regardless of beneficiary type, and the implementing institution can impose financial corrections for procurement irregularities even where no statutory PZP breach occurred.

Q: What happens if a milestone cannot be achieved due to circumstances beyond the beneficiary's control?

A: Force majeure provisions exist in most KPO grant agreements, but their scope is narrowly interpreted. The beneficiary must notify the implementing institution immediately – within 14 days of the triggering event – and provide documentary evidence. Retroactive force majeure claims are rarely accepted. Where a milestone is genuinely unachievable, the preferred approach is to renegotiate the milestone schedule before the reporting deadline, not after a correction notice has been issued.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to EU funds compliance, ESG reporting, and regulatory risk management. We work with Polish entrepreneurs, foreign investors, and in-house legal teams navigating KPO, RRF, and related compliance obligations. To discuss your situation, contact info@kordeckipartners.com.