A Warsaw-based IT distributor ships hardware to a new client. The deal closes. Payment arrives. Three weeks later, the company's bank freezes the account – the counterparty appears on the EU Consolidated Sanctions List. The distributor faces asset freezes, potential criminal exposure, and a reputational crisis that no press release can undo.
Polish businesses are subject to EU sanctions regulations directly applicable in Poland, supplemented by national enforcement under the Act on Special Measures against Counteracting Terrorism and related legislation. A structured sanctions screening process requires identifying all relevant lists, establishing screening frequency, documenting results, and maintaining an audit trail. Failure to screen – or screening inadequately – exposes directors to personal liability and the company to fines exceeding EUR 1 million under EU enforcement frameworks.
This guide walks through the full screening procedure step by step: which lists apply, how to set up internal workflows, what the three main business scenarios look like in practice, and where most Polish companies make mistakes they later cannot reverse.
Which sanctions lists must Polish businesses screen against?
The starting point for any compliance programme is list identification. Polish businesses must screen against at least three distinct regulatory layers. Each carries different legal consequences, and missing one layer can void an otherwise careful process.
The first layer is the EU Consolidated Sanctions List, maintained by the European Commission's Financial Sanctions Files (FSF) service. This list is directly applicable in Poland without any domestic implementing act. It covers asset freezes, travel bans, and trade restrictions targeting individuals, entities, and vessels. The National Court Register (Krajowy Rejestr Sądowy, KRS) does not automatically flag sanctioned entities, so businesses cannot rely on corporate registry checks as a substitute for list screening.
The second layer is the UN Security Council Consolidated List. EU regulations incorporate most UN designations, but not all. A counterparty may appear on the UN list without yet appearing on the EU list. Screening both is therefore mandatory for any business with cross-border exposure – including exporters, logistics providers, and financial intermediaries.
The third layer is national Polish legislation. The Polish Financial Supervision Authority (Komisja Nadzoru Finansowego, KNF) maintains registers relevant to financial institutions. The General Inspector of Financial Information (Generalny Inspektor Informacji Finansowej, GIIF) – Poland's primary AML authority – publishes lists of domestic politically exposed persons and high-risk entities. For businesses subject to AML obligations, GIIF lists are mandatory screening inputs.
- EU Consolidated Sanctions List (FSF) – direct applicability, updated daily
- UN Security Council Consolidated List – updated irregularly, often ahead of EU adoption
- OFAC SDN List (US) – relevant for USD-denominated transactions and US-nexus contracts
- KNF and GIIF registers – mandatory for regulated entities and AML-obliged institutions
- UK OFSI Consolidated List – relevant for UK-connected supply chains post-Brexit
Businesses with US-dollar transactions or US-nexus contracts must also screen the US Office of Foreign Assets Control (OFAC) Specially Designated Nationals (SDN) list. Ignoring OFAC exposure because the company is Polish is a common and costly error. Secondary sanctions risk is real. One Mazowieckie-region trading company learned this in winter 2025 when a US correspondent bank blocked a EUR 400,000 payment over an OFAC-listed beneficial owner the Polish company had never screened.
How should the screening workflow be structured?
A functioning sanctions screening workflow has five sequential stages. Each stage must be documented. Undocumented screening is, from a regulatory perspective, equivalent to no screening at all. The General Inspector of Financial Information expects to see written records during inspections, and the absence of documentation removes any good-faith defence.
Stage one is counterparty identification. Before any transaction, the business must collect full legal name, registered address, country of incorporation, and beneficial ownership information. For legal entities, beneficial ownership means tracing through to natural persons holding more than 25 percent – consistent with Poland's Central Register of Beneficial Owners (Centralny Rejestr Beneficjentów Rzeczywistych, CRBR). The CRBR is a public register; querying it costs nothing and takes under five minutes.
Stage two is name-matching against the applicable lists. Manual matching against the EU FSF list is feasible for low-volume businesses. For companies processing more than 50 counterparty relationships per month, automated screening software is effectively mandatory. Fuzzy-matching algorithms handle transliteration variants – a particular issue with Russian, Arabic, and Chinese names. A threshold of 85 percent match confidence is a common industry standard, though regulators do not prescribe a specific figure.
Stage three is hit review. Every potential match generates a "hit." A compliance officer – not the commercial team – must review each hit and determine whether it is a true match or a false positive. This separation of duties is essential. Allowing sales staff to clear their own counterparty hits is a structural weakness that regulators and courts treat as evidence of inadequate governance.
Stage four is escalation and decision. True matches must be escalated to senior management within 24 hours. The company must freeze any pending transaction and, if funds have already moved, notify the GIIF within the statutory deadline – which Polish AML law sets at no more than two business days for suspicious transaction reports. Failing to report within this window is a separate infringement, distinct from the underlying sanctions violation.
Stage five is ongoing monitoring. A counterparty cleared today may be designated tomorrow. Continuous monitoring – re-screening at least monthly, and in real time for high-risk relationships – closes this gap. For a compliance lawyer in Warsaw advising on ESG reporting and compliance programme design, ongoing monitoring is consistently the stage that Polish businesses implement last and inadequately.
What do the three main business scenarios look like in practice?
Sanctions screening obligations differ materially depending on business model. Three scenarios illustrate the range: a manufacturing exporter, an IT services company, and a foreign investor's Polish subsidiary.
Manufacturing exporter. A Silesian manufacturer exports machinery to distributors across the Middle East, Central Asia, and Eastern Europe. Its screening obligation is dual: it must screen end-customers under EU trade sanctions (dual-use goods controls administered by the Ministry of Development and Technology) and screen financial counterparties for asset-freeze purposes. The manufacturer must also obtain end-user declarations for controlled goods. Failure to obtain these declarations before export – not after – forfeits the good-faith defence entirely. We secured a reversal of a customs penalty exceeding PLN 800,000 for a manufacturing client in the Silesia region (spring 2025) by demonstrating that an undocumented legacy screening process had nonetheless produced contemporaneous records sufficient to establish due diligence.
IT services company. A Warsaw-based software provider licenses SaaS tools to clients across 15 countries. Software is not a physical good, but EU sanctions apply to services as well. Since the Russia sanctions packages adopted from 2022 onward, IT services provided to Russian entities are restricted. The company must screen both the contracting entity and the ultimate user. If the SaaS platform is white-labelled and resold, the provider must conduct due diligence on the reseller's end-user base – a requirement many IT companies overlook entirely.
Foreign investor's Polish subsidiary. A German parent establishes a Polish subsidiary to serve Central European markets. The subsidiary must comply with both EU sanctions (directly applicable) and – depending on its activities – potentially German and US secondary sanctions frameworks. The parent's group-level compliance programme does not automatically satisfy Polish regulatory requirements. The subsidiary needs its own documented screening process, its own designated compliance officer, and its own GIIF notification procedures. For further guidance on structuring compliance programmes for foreign subsidiaries, see our analysis of compliance programme design for Netherlands subsidiaries in Poland and compliance programme design for Czech Republic subsidiaries in Poland.
What are the most common mistakes in Polish sanctions screening?
Most enforcement actions in Poland do not arise from deliberate evasion. They arise from process failures that were foreseeable and preventable. Understanding the pattern of common mistakes is, in practice, more useful than memorising the list of prohibited counterparties.
The first and most frequent mistake is screening only at onboarding. A counterparty designated after onboarding remains in the database as a cleared entity. Without periodic re-screening – at minimum every 30 days – the company continues transacting with a sanctioned party in good faith but without any legal protection. Good faith requires ongoing diligence, not a one-time check.
The second mistake is ignoring beneficial ownership. Sanctions circumvention typically works through chains of intermediary companies. An entity may not itself appear on any list, but if a sanctioned individual holds 30 percent of its shares, transacting with it constitutes a sanctions violation. Polish law requires businesses subject to AML obligations to trace beneficial ownership to the natural-person level. The CRBR is the starting point, but it is not exhaustive – discrepancies between CRBR records and actual ownership structures are common, particularly for foreign-owned Polish entities.
The third mistake is treating sanctions compliance as a legal department issue rather than a business-wide process. Sanctions exposure arises in procurement, logistics, finance, and IT – not only in contracting. A logistics manager who routes a shipment through a sanctioned port operator without screening creates liability for the entire company. Whistleblower compliance mechanisms – required under the EU Whistleblower Directive, implemented in Poland from September 2024 – provide a channel for employees to flag potential sanctions issues internally before they become regulatory problems.
The fourth mistake is maintaining no audit trail. When the GIIF or a prosecutor requests documentation of a screening decision, "we checked and it was fine" is not an answer. The company must produce the date of the screen, the lists checked, the name variants used, the match results, and the name of the reviewing officer. This documentation costs almost nothing to maintain in real time. Reconstructing it retrospectively – if that is even possible – costs considerably more.
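The name-matching of stage two and the audit record described above can be combined in one routine. The sketch below is an added example, not part of the original guide or any vendor's tool. It assumes Python's `difflib` ratio as the similarity measure; the list entries, reviewer name and function names are constructed for illustration.

```python
import unicodedata
from datetime import date
from difflib import SequenceMatcher

THRESHOLD = 0.85  # the 85 percent match confidence cited in stage two

# Constructed sample entries, not taken from any real sanctions list.
SAMPLE_LISTS = {
    "EU-FSF": ["Aleksandr Petrovich Sample", "Example Trading FZE"],
    "UN-SC": ["Muhammad Al-Placeholder"],
}

def normalize(name):
    """Lower-case, drop combining diacritics and punctuation, sort tokens."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = "".join(c if c.isalnum() else " " for c in text.lower())
    return " ".join(sorted(text.split()))  # token order no longer matters

def score(a, b):
    """Similarity in [0, 1] between two names after normalisation."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()

def screen(variants, reviewer, lists=SAMPLE_LISTS, today=None):
    """Screen every name variant against every list; return an audit record."""
    hits = []
    for list_name, entries in lists.items():
        for entry in entries:
            best = max(score(v, entry) for v in variants)
            if best >= THRESHOLD:
                hits.append({"list": list_name, "entry": entry,
                             "score": round(best, 2)})
    # A hit is only a candidate: the decision stays open until the
    # compliance officer has reviewed it (stage three).
    return {
        "date": (today or date.today()).isoformat(),
        "lists_checked": sorted(lists),
        "name_variants": list(variants),
        "hits": hits,
        "reviewer": reviewer,
        "decision": "PENDING_REVIEW" if hits else "NO_MATCH",
    }

if __name__ == "__main__":
    record = screen(["Alexander Petrovich Sample", "SAMPLE, Aleksandr Petrovich"],
                    reviewer="J. Nowak (constructed)")
    print(record)
```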
Poland's implementation of the Corporate Sustainability Reporting Directive (CSRD) has also brought sanctions indirectly into ESG reporting obligations. Under CSRD, companies must disclose governance risks including sanctions exposure in their sustainability reports. A company with a weak sanctions screening process now faces dual exposure: regulatory enforcement and ESG reporting deficiencies that institutional investors and lenders will flag. For businesses structuring their Polish tax and investment position alongside compliance obligations, our guide on tax structuring for Poland investors entering Poland addresses related governance considerations.
We obtained interim protective measures for a Małopolska-region logistics company (autumn 2024) facing asset freeze proceedings after a counterparty designation. The key factor was that the company had maintained contemporaneous screening records – even though its process was imperfect – which allowed us to demonstrate good faith and limit personal liability exposure for the board.
What to prepare: sanctions screening checklist
Building a defensible screening programme requires assembling the right documentation and infrastructure before the first regulatory inquiry arrives. The following items represent the minimum viable compliance baseline for a Polish business with cross-border exposure.
- Written sanctions screening policy, approved by the management board and reviewed annually
- List of applicable sanctions regimes (EU, UN, OFAC, OFSI) with designated update monitoring responsibility
- Documented counterparty onboarding procedure including CRBR beneficial ownership check
- Screening log recording date, lists checked, match results, reviewer name, and decision
- Escalation and GIIF notification procedure with 24-hour and 2-business-day deadlines mapped
The policy document alone is insufficient. Regulators assess whether the policy is implemented, not whether it exists. Internal training records – showing that staff have been trained on sanctions obligations within the past 12 months – are equally important. A compliance programme that exists only on paper is worse than no programme at all, because it demonstrates awareness of the obligation without the will to meet it.
Costs vary by company size. A manual screening process for a small business processing fewer than 20 counterparties per month can be maintained for under PLN 5,000 per year in staff time. Automated screening software for mid-sized companies typically costs between EUR 3,000 and EUR 15,000 annually, depending on volume and list coverage. Legal advisory costs for designing and auditing a programme range from PLN 8,000 to PLN 40,000 depending on complexity.
The cost of non-compliance is asymmetric. EU sanctions enforcement fines in Poland have reached six figures in EUR terms in recent enforcement cycles. Personal liability of directors – who can be held individually responsible under Polish corporate legislation for compliance failures – adds a dimension that no insurance policy fully covers.
Specific situations require tailored analysis. If your company processes more than 100 counterparty relationships per month, operates in sectors with heightened sanctions exposure (energy, defence, technology, financial services), or has recently expanded into new jurisdictions, a formal compliance gap assessment is the appropriate next step.
Frequently asked questions
Q: How often should a Polish company re-screen existing counterparties?
A: Polish and EU regulations do not prescribe a specific re-screening interval for non-financial businesses. However, regulatory guidance and enforcement practice indicate that monthly re-screening is the minimum defensible standard for ongoing commercial relationships. High-risk relationships – counterparties in sanctioned jurisdictions, those with complex ownership structures, or those in sensitive sectors – should be monitored continuously using automated tools. A company that screens at onboarding only and never re-screens has no good-faith defence if a counterparty is subsequently designated.
Q: Does a Polish subsidiary need its own sanctions compliance programme if the parent group has one?
A: Yes. A common misconception is that a group-level compliance policy automatically satisfies the obligations of each subsidiary. Under Polish law, the management board of the Polish entity bears direct responsibility for compliance. If the GIIF or a prosecutor investigates the Polish subsidiary, they will look for evidence that the subsidiary's own management implemented and maintained the programme – not merely that a group policy existed. The subsidiary must have its own designated compliance officer, its own documented procedures, and its own training records. Group policies can serve as a framework, but local implementation is mandatory.
Q: What is the cost of implementing a basic sanctions screening programme for a small Polish business?
A: For a small business with fewer than 20 new counterparties per month, a manual screening process is feasible. The primary costs are staff time (typically two to four hours per month for screening and documentation), an annual legal review of the policy (PLN 3,000 to PLN 8,000 depending on scope), and initial programme design (PLN 8,000 to PLN 20,000 for a straightforward business). Automated solutions become cost-effective when counterparty volume exceeds approximately 50 per month. The initial investment in a defensible programme is invariably lower than the cost of a single enforcement action, which can include fines, legal fees, and reputational damage that affects banking relationships and client contracts.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to sanctions compliance, ESG reporting, and compliance programme design. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.