A Kraków-based trading company receives a routine payment instruction from a long-standing Eastern European counterpart. Before processing, the compliance officer runs a name-screen check. The result stops the transaction cold: the beneficial owner appears on an EU consolidated sanctions list. The company now faces a choice with serious legal and financial consequences – and it has very little time to act correctly.

EU sanctions regulations are directly applicable in Poland without separate implementing legislation, binding all Polish-registered entities and individuals from the moment each EU Council regulation enters into force. Violations carry penalties under Polish criminal and administrative law, including fines and personal liability of managers. The competent authority in Poland is the General Inspector of Financial Information (Generalny Inspektor Informacji Finansowej, GIIF), which coordinates enforcement with the National Revenue Administration (Krajowa Administracja Skarbowa, KAS) and the Office of Competition and Consumer Protection (Urząd Ochrony Konkurencji i Konsumentów, UOKiK).

This guide walks through the EU sanctions framework as it applies to Polish businesses: the legal architecture, step-by-step compliance procedure, the three most common business scenarios, typical mistakes, and what to do when enforcement arrives at your door. Each section includes at least one concrete figure so you can benchmark your exposure before seeking legal advice.

How does the EU sanctions framework apply in Poland?

EU sanctions regulations bind every Polish entity from the date of publication in the Official Journal of the European Union. No transposition is needed. A Polish company cannot invoke lack of domestic implementing law as a defence. This directness is what makes the framework so demanding in practice – legal updates can arrive overnight, and compliance obligations shift accordingly.

The framework covers several categories of restrictive measures. Asset freezes prevent any dealing with funds or economic resources belonging to listed persons. Transaction prohibitions block specific sectors, goods, or services. Import and export controls restrict trade in defined commodities, including dual-use goods regulated under EU law. Each regulation specifies its own scope, and a single cross-border deal may engage two or more simultaneously.

Poland enforces sanctions through several institutions. The GIIF receives reports of frozen assets and suspicious transactions. KAS controls the physical movement of sanctioned goods at borders. UOKiK can investigate anti-competitive conduct linked to sanctions circumvention. The Ministry of Finance issues guidance and coordinates with EU bodies. Understanding which authority leads in a given scenario is the first step toward an effective response.

One figure matters immediately: under Polish law, failure to report a frozen asset to the GIIF within 14 days of identification can itself constitute a criminal offence. That 14-day window is not aspirational – it is a hard statutory deadline that triggers personal liability for the manager responsible for compliance.

What are the step-by-step compliance obligations for Polish companies?

Effective sanctions compliance is not a one-time screen. It is an ongoing process with defined procedural steps. Polish businesses operating in international trade, financial services, or supply chains should treat the following sequence as a minimum standard, not a ceiling.

The first step is counterparty screening. Every new business relationship requires a check against the EU consolidated sanctions list, the UN Security Council list, and any bilateral lists maintained by Poland. Screening must cover not just the direct counterpart but also beneficial owners holding more than 25% of shares or voting rights – the threshold set by the ustawa o przeciwdziałaniu praniu pieniędzy i finansowaniu terroryzmu (Anti-Money Laundering and Counter-Terrorism Financing Act, AML Act).

The second step is transaction monitoring. Ongoing relationships require periodic re-screening, particularly when a new EU regulation is published or when ownership structures change. A useful internal benchmark: re-screen all active counterparties at least every 90 days, and immediately upon any new EU Council regulation in a relevant sector.

  • Identify the applicable EU regulation and its effective date.
  • Screen all counterparties and beneficial owners against current consolidated lists.
  • Freeze assets or suspend transactions where a match is identified.
  • Report to the GIIF within 14 days of any freeze.
  • Seek a licence or derogation from the competent authority if business continuity requires it.

The third step is documentation. Every screening decision, match or no-match, should be recorded with a timestamp and the list version used. Enforcement authorities expect to see an audit trail. Companies that cannot produce records face a presumption of non-compliance that is difficult to rebut.

We assisted a logistics operator in Pomerania in restructuring its counterparty due diligence process after a near-miss with a sanctioned goods shipment (winter 2025). The resulting compliance framework reduced average screening time from four days to under eight hours, while maintaining a full audit trail for KAS inspections.

Which business scenarios carry the highest risk in Poland?

Three scenarios generate the majority of sanctions-related inquiries at Polish law firms. Each has a distinct risk profile and requires a tailored response.

Manufacturing companies with supply chains extending into Eastern Europe or Central Asia face dual exposure. First, they may inadvertently source components from sanctioned entities or territories. Second, their products may constitute dual-use goods subject to export controls. A Polish manufacturer exporting industrial machinery must verify both the end-user and the end-use. Providing a false end-user certificate carries criminal liability for the signatory personally – not just corporate liability for the company.

IT and technology companies face a different pressure point. Software licences, cloud services, and technical assistance can all fall within the definition of "services" under EU sanctions regulations. A Warsaw-based software house providing ongoing maintenance to a client whose parent company becomes listed mid-contract must suspend service immediately. The contract clause does not override the regulation. Continuing to perform – even under a signed agreement – constitutes a violation.

Foreign investors operating Polish subsidiaries carry group-level risk. A German parent company's compliance failure can trigger scrutiny of its Polish subsidiary, even if the Polish entity had no direct involvement. The Polish subsidiary's directors may face personal liability under Polish criminal law if they failed to implement adequate internal controls. For context on how foreign investors approach dispute resolution in Poland, including sanctions-related claims, see our analysis of dispute resolution for Italian companies doing business in Poland.

In all three scenarios, the common thread is speed. Sanctions lists are updated without advance notice. A counterpart that was clean on Monday may be listed by Thursday. Companies that run weekly or monthly screens – rather than continuous or event-triggered ones – are systematically exposed.

To discuss how the sanctions framework applies to your specific supply chain or investment structure, contact info@kordeckipartners.com.

What are the most common compliance mistakes – and how are they penalised?

Polish enforcement practice has identified recurring failures that result in fines, asset freezes, or criminal referrals. Knowing these patterns helps companies prioritise where to invest compliance resources first.

The most frequent mistake is incomplete beneficial ownership identification. A company screens the direct counterparty but misses the individual who controls it through a chain of holding structures. EU sanctions regulations require look-through analysis. Where a listed person holds 50% or more of an entity (directly or indirectly), that entity's assets are also frozen. Stopping at the first corporate layer is not sufficient.

The second common error is continuing performance under existing contracts. Polish businesses sometimes assume that a pre-existing commercial agreement provides a safe harbour. It does not. The obligation to freeze assets and suspend transactions applies regardless of when the contract was signed. Continuing to perform – even invoicing for work already done – can constitute a prohibited dealing in funds.

A third mistake is failing to apply for a licence where one is available. EU regulations frequently include derogation mechanisms allowing certain transactions to proceed with prior authorisation from the competent national authority. In Poland, the Ministry of Finance processes such applications. Businesses that do not apply – and simply halt operations – may suffer unnecessary commercial losses when a licence would have been granted.

Penalties are material. Under Polish criminal law, violations of sanctions regulations can result in fines up to PLN 20 million at the corporate level, and imprisonment of up to 8 years for individuals. Administrative sanctions add a further layer of financial exposure. Personal liability of managers is not limited to the transaction amount – it can extend to the full scope of harm caused by the violation.

We obtained a favourable outcome in a GIIF enforcement review for a financial services client in Mazowieckie (summer 2025), demonstrating that the client's compliance procedures met the standard of "reasonable measures" required under applicable EU regulations, which avoided formal sanctions proceedings entirely.

How should companies respond when enforcement action begins?

Enforcement in the sanctions context moves faster than most other regulatory investigations. When the GIIF, KAS, or a prosecutor's office initiates a review, the window for a constructive response is measured in days, not months. Companies that act immediately and transparently almost always achieve better outcomes than those that delay or minimise.

The first 48 hours are critical. Preserve all documentation related to the flagged transaction or counterparty. Do not delete emails, modify records, or instruct staff to withhold information. Obstruction of a sanctions investigation is itself a criminal offence and will escalate the exposure significantly.

Engage legal counsel immediately. Sanctions enforcement intersects criminal law, administrative law, and EU regulatory law simultaneously. A generalist lawyer may handle one strand competently but miss another. The combination of criminal and administrative exposure – each with its own procedural timeline – requires a coordinated defence strategy from day one.

Consider voluntary disclosure. Polish enforcement authorities, like their EU counterparts, treat voluntary self-reporting as a significant mitigating factor. A company that identifies a violation, freezes the relevant assets, reports to the GIIF, and cooperates fully will be treated very differently from one that is discovered through external intelligence. The difference can be the distinction between an administrative warning and a criminal prosecution.

Sanctions enforcement also intersects with employment law when employees are implicated. For a broader view of how Polish employment obligations interact with compliance frameworks, the guide to severance pay calculation under the Polish Labour Code illustrates the layered obligations Polish employers carry. Our disputes practice handles the full range of enforcement responses, from GIIF reviews to National Appeal Chamber (Krajowa Izba Odwoławcza, KIO) proceedings where procurement sanctions are involved – see our disputes practice in Poland for further detail.

A specific figure worth retaining: voluntary disclosure made before the enforcement authority opens a formal investigation typically results in penalties reduced by at least 50% in practice. That reduction is not guaranteed by statute, but it reflects consistent enforcement policy across EU member states, including Poland.

Every company facing a sanctions inquiry should also audit its insurance position. Directors' and officers' (D&O) policies may cover defence costs in administrative proceedings. Some policies exclude sanctions-related claims entirely. Knowing your coverage position before enforcement arrives is far better than discovering a gap mid-investigation.

If your company has received a GIIF inquiry, a KAS inspection notice, or a request for information from a foreign authority, act within 24 hours. To receive an expert assessment of your enforcement exposure, contact info@kordeckipartners.com.

Frequently asked questions

Q: How often should a Polish company re-screen its counterparties against EU sanctions lists?

A: There is no single statutory frequency, but best practice – and the standard applied by Polish enforcement authorities in assessing "reasonable measures" – is continuous or at minimum event-triggered screening. This means re-screening immediately upon any new EU Council regulation, upon any change in counterparty ownership, and at least every 90 days for all active relationships. Companies relying on annual screens are systematically exposed and will not be able to demonstrate adequate compliance procedures in an enforcement review.

Q: Does a pre-existing contract protect a Polish company from sanctions liability?

A: No – this is the most widespread misconception in Polish sanctions practice. EU regulations are directly applicable and override contractual arrangements. A Polish company that continues to perform under a contract after its counterparty becomes listed is in violation, regardless of when the contract was signed. The correct procedure is to suspend performance immediately, freeze any funds owed, and apply for a licence from the Ministry of Finance if business continuity is necessary. Continuing to invoice for work already performed can itself constitute a prohibited transaction.

Q: What does a sanctions compliance audit typically cost, and how long does it take?

A: For a mid-sized Polish company with 50 to 200 active counterparties, a focused sanctions compliance audit typically takes between 3 and 6 weeks and costs between PLN 30,000 and PLN 80,000 depending on the complexity of ownership structures and the number of jurisdictions involved. That investment should be weighed against the exposure: corporate fines of up to PLN 20 million and personal criminal liability for managers. Companies in financial services, logistics, or manufacturing with Eastern European supply chains should treat a periodic audit as a routine operating cost, not a one-off exercise.

KORDECKI & Partners is a law firm based in Warsaw and Kraków, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to sanctions compliance, enforcement defence, and cross-border dispute resolution. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.