A technology company in Małopolska secured a grant under Poland's National Recovery and Resilience Plan (Krajowy Plan Odbudowy, KPO) in early 2025. Within three months of disbursement, a routine audit by the implementing institution flagged three compliance gaps. The company faced potential recovery of the full grant amount – over PLN 2.8 million – plus a suspension from future EU funding rounds.
Poland's KPO and the broader EU Recovery and Resilience Facility (RRF) impose layered compliance obligations on beneficiaries. These include anti-fraud controls, ESG reporting requirements, whistleblower protection mechanisms, and AML-linked due diligence. Failure to satisfy any single requirement can trigger repayment demands, exclusion from future programmes, and – for company directors – personal liability under Polish administrative law.
This case study traces how the company identified its exposure, restructured its internal compliance programme, and resolved the audit findings without repayment. The lessons apply to any Polish entity receiving KPO or RRF support in 2025 and 2026.
What compliance gaps triggered the KPO audit finding?
The audit, conducted by the implementing authority under oversight of the Ministry of Funds and Regional Policy (Ministerstwo Funduszy i Polityki Regionalnej), identified three distinct deficiencies. First, the company lacked a documented internal reporting channel meeting the requirements of the Whistleblower Protection Act (ustawa o ochronie sygnalistów). Second, its ESG reporting framework did not align with CSRD Poland transposition requirements applicable to public-interest entities receiving state-linked funding. Third, AML due diligence records for subcontractors were incomplete.
Each gap, taken alone, might have attracted only a corrective notice. Together, they met the threshold for a systemic deficiency finding. Under RRF rules, a systemic finding activates a proportional financial correction – in this case, set at 25 percent of the grant value. That figure translated to approximately PLN 700,000 at risk of immediate recovery.
The company had 30 days from formal notification to submit a remediation plan. Missing that window would have forfeited the right to contest the correction and triggered automatic recovery proceedings before the National Court Register (KRS) enforcement pathway. Time pressure was acute from the first day of our engagement.
How did the legal strategy address each compliance requirement?
Our team mapped every RRF milestone obligation against the company's existing internal controls within the first week. The exercise produced a gap matrix covering whistleblower compliance, ESG disclosure, AML, and procurement documentation. Each gap was assigned a remediation owner, a deadline, and an evidence standard acceptable to the implementing authority.
For whistleblower compliance, we drafted an internal reporting procedure aligned with the Whistleblower Protection Act and registered the channel with the relevant trade union representative within 14 days – the statutory minimum consultation period. The procedure was then published on the company's intranet and notified to all staff. This step resolved the first audit finding in full.
On ESG reporting, we prepared a bridge document mapping the company's existing sustainability disclosures to the CSRD Poland framework. The company was not yet subject to mandatory CSRD reporting, but the grant agreement incorporated CSRD-aligned indicators by reference. Demonstrating substantive alignment – even without formal CSRD obligations – was sufficient to satisfy the implementing authority's standard. We also addressed the AML gap by obtaining updated beneficial ownership confirmations for all subcontractors and cross-referencing them against the Central Register of Beneficial Owners (Centralny Rejestr Beneficjentów Rzeczywistych, CRBR). Full documentation was submitted within 22 days of engagement.
What was the outcome and what lessons transfer to other beneficiaries?
We secured withdrawal of the financial correction in full for the Małopolska technology client (spring 2025). The implementing authority accepted the remediation plan as evidence that the deficiencies were isolated and had been rectified before any financial irregularity occurred. No repayment was required. The client retained access to the second tranche of the KPO grant, worth PLN 1.4 million, disbursed on schedule.
The transferable lessons are direct. KPO and RRF grant agreements in Poland routinely incorporate compliance requirements that go beyond the project's core subject matter. Beneficiaries often focus on technical deliverables and miss the procedural obligations embedded in the grant conditions. By the time an audit notice arrives, the 30-day remediation window leaves little room for structural change.
Three practical steps reduce exposure before any audit is triggered:
- Review the grant agreement's compliance annexes within 30 days of signing – not at disbursement.
- Establish a whistleblower channel and CRBR-linked AML check as baseline controls for any grant above PLN 500,000.
- Map ESG reporting indicators in the grant against current disclosure practices and document any gap with a written bridge analysis.
Engaging a compliance lawyer in Warsaw at the grant-signing stage costs a fraction of what contesting a financial correction does. For foreign investors structuring Polish subsidiaries to access KPO funds, our earlier analysis of compliance programme design for Netherlands subsidiaries in Poland and compliance programme design for France subsidiaries in Poland sets out the structural baseline that most implementing authorities expect. Entities with remote or hybrid workforces should also consider how the remote work framework under Polish labour law intersects with grant-funded project documentation requirements.
Specific compliance requirements differ across KPO components. Early legal review of the applicable component's conditions remains the single most effective risk-reduction measure available to any beneficiary.
Your company's specific situation may involve grant conditions that carry irreversible consequences if left unaddressed beyond the remediation window. A missed 30-day deadline forfeits the right to contest a financial correction – an outcome that cannot be reversed after the fact.
To discuss how KPO and RRF compliance requirements apply to your grant, contact us at info@kordeckipartners.com. We will review your grant agreement, identify live exposure, and prepare a remediation plan where needed.
Frequently asked questions
Q: How long does a KPO beneficiary have to respond to an audit finding?
A: The standard remediation window under Polish implementing rules is 30 days from formal notification of a finding. This period applies to both systemic and isolated deficiencies. Missing the deadline forfeits the right to contest any proposed financial correction, making early legal review of the audit notice essential. Extensions are granted only in exceptional circumstances and require a written, substantiated request to the implementing authority.
Q: Does a small company receiving a KPO grant need a formal whistleblower channel?
A: Many KPO grant agreements incorporate whistleblower protection requirements by reference, regardless of the beneficiary's size. The Whistleblower Protection Act sets thresholds based on employee headcount, but grant conditions can impose equivalent obligations on smaller entities as a contractual matter. Checking the compliance annex of the specific grant agreement – rather than relying on general statutory thresholds – is the correct approach.
Q: Is CSRD reporting mandatory for all KPO beneficiaries in Poland?
A: Mandatory CSRD reporting under Polish law applies on a phased schedule based on company size and public-interest status. However, KPO and RRF grant agreements frequently incorporate CSRD-aligned disclosure indicators as contractual obligations. A company that is not yet subject to mandatory CSRD reporting may still need to demonstrate substantive alignment with those indicators to satisfy grant conditions. Assuming that CSRD-aligned indicators can be ignored until mandatory reporting applies is a common misconception that leads to compliance gaps during audits.
About KORDECKI & Partners: KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to ESG compliance, KPO and RRF grant management, and internal compliance programme design. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.