A foreign-owned subsidiary operating in Poland faces a specific compliance burden that many parent companies underestimate at the outset. Polish law imposes obligations on local entities that sit alongside – and sometimes conflict with – the group-level policies drafted in Amsterdam, Stockholm, or Frankfurt. The gap between a global code of conduct and a locally valid compliance programme is where regulatory risk accumulates silently, often until an inspection or a whistleblower disclosure makes it visible.
Designing a compliance programme for a Poland subsidiary requires mapping at least four distinct regulatory regimes: anti-money laundering under the ustawa o przeciwdziałaniu praniu pieniędzy (Anti-Money Laundering Act, AML Act), whistleblower protection under the ustawa o ochronie sygnalistów (Whistleblower Protection Act, WPA), ESG disclosure obligations under the Corporate Sustainability Reporting Directive (CSRD) as transposed into Polish law, and sector-specific rules from the Polish Financial Supervision Authority (KNF). Each regime carries its own deadlines, thresholds, and sanctions. A programme that addresses all four – and integrates them into day-to-day operations – is the only structure that genuinely limits personal liability for board members and management.
This page explains the instruments available, the pitfalls most subsidiaries encounter, and the cross-border considerations that make Poland-specific design non-negotiable. The structure follows a practical sequence: regulatory framing, core instruments, common mistakes, cross-border strategy, and a self-assessment checklist. Each section is written for a decision-maker who needs to act, not merely to understand.
What regulatory obligations define the compliance baseline for Poland subsidiaries?
The compliance baseline for a Poland subsidiary is set by at least three overlapping frameworks. The AML Act applies to a defined list of obligated institutions – including financial intermediaries, law firms, and accountants – and requires internal procedures, risk assessments, and transaction monitoring. The WPA, in force since September 2024, requires any employer with 50 or more employees to maintain an internal reporting channel and a non-retaliation policy. CSRD Poland obligations begin for large public-interest entities for financial years starting 1 January 2024, with the first wave of in-scope subsidiaries reporting in 2025.
The National Court Register (KRS) holds the official record of a subsidiary's legal form and management structure. That structure determines which obligations attach directly to the entity. A spółka z ograniczoną odpowiedzialnością (limited liability company, sp. z o.o.) with a supervisory board faces different governance expectations than a branch of a foreign company. The Polish Financial Supervision Authority (KNF) adds a further layer for regulated entities: financial institutions must maintain compliance functions that meet KNF guidelines, with documented annual reviews. The General Inspector of Financial Information (GIIF) oversees AML compliance and can impose fines of up to PLN 5 million per violation on obligated institutions that fail to implement adequate internal controls.
For subsidiaries outside the regulated financial sector, the Office for Personal Data Protection (UODO) adds a data-protection dimension. Any internal reporting channel must be designed to comply with the General Data Protection Regulation (GDPR) simultaneously with the WPA. Failure to reconcile these two frameworks is one of the most common structural errors we see. The compliance programme must therefore treat GDPR and WPA as a single design problem, not two separate workstreams.
One concrete figure anchors the baseline: the WPA requires the internal reporting channel to be operational within 14 days of the employer reaching the 50-employee threshold. Missing that window is not a technical irregularity – it forfeits the subsidiary's ability to rely on the safe harbour the WPA provides when a whistleblower later escalates externally.
What are the core instruments of a Poland-compliant programme?
A Poland-compliant programme rests on four instruments: a risk register, an internal policy suite, a reporting channel, and a training architecture. Each must be adapted to Polish legal requirements – translating a group policy is not adaptation. The risk register must reflect the subsidiary's specific business activities, counterparty profile, and geographic exposure. A manufacturing subsidiary in Silesia faces different bribery and AML risks than a fintech sp. z o.o. in Warsaw's Mokotów district.
The internal policy suite typically includes a code of conduct, an anti-bribery and anti-corruption policy, a conflict-of-interest procedure, a gifts and hospitality register, and an AML internal procedure (where the entity is an obligated institution). Polish employment law – the Kodeks pracy (Labour Code) – requires that any workplace policy binding on employees be introduced through a specific internal act, either a regulamin (internal regulation) or a collective agreement. A policy that exists only as a PDF on a group intranet has no binding force under Polish law and will not withstand scrutiny from the State Labour Inspectorate (PIP).
We secured a reversal of a compliance-related employment sanction exceeding PLN 800,000 for a manufacturing client in the Silesia region (autumn 2025). The core issue was that the client's code of conduct had never been properly introduced as a regulamin under the Labour Code – rendering it unenforceable and exposing the company to liability it believed it had eliminated.
The reporting channel deserves particular attention. The WPA requires the channel to guarantee confidentiality of the whistleblower's identity and to provide a written acknowledgement of receipt within 7 days. The investigation must be completed within 3 months of acknowledgement, extendable to 6 months in complex cases. These are not aspirational targets – they are statutory deadlines whose breach triggers personal liability of the management board member responsible for compliance oversight.
- Risk register: updated at least annually, covering bribery, AML, data protection, and sector-specific risks
- Policy suite: introduced as binding internal acts under the Labour Code, available in Polish
- Reporting channel: WPA-compliant, GDPR-integrated, with documented response timelines
- Training architecture: role-differentiated, with completion records retained for at least 5 years
- Audit trail: documented evidence of programme operation, available for regulatory inspection
For a tailored strategy on compliance programme design, reach out to info@kordeckipartners.com.
The training architecture is frequently underinvested. Polish law does not prescribe a specific training frequency, but regulators – including the GIIF for AML and the KNF for regulated entities – assess training records during inspections. A programme without documented, role-differentiated training is treated as a programme that does not exist. Board members, middle management, and front-line staff require different content. Conflating them into a single annual e-learning module is a compliance design failure, not a cost saving.
What pitfalls do Poland subsidiaries most commonly encounter?
The most damaging pitfall is assuming that group-level compliance infrastructure transfers automatically to the Polish subsidiary. It does not. Polish law requires local implementation acts. A group whistleblowing hotline operated from the Netherlands satisfies neither the WPA's confidentiality requirements nor its response-timeline obligations unless it has been formally adopted by the Polish entity and its data-processing arrangements have been documented under GDPR. The gap between group policy and local validity is where personal liability of Polish management board members is created.
A second pitfall involves AML risk assessments. The AML Act requires obligated institutions to conduct a documented business risk assessment and to update it whenever there is a material change in the entity's activities or counterparty profile. Many subsidiaries conduct this assessment once at incorporation and never revisit it. A static risk assessment does not satisfy the AML Act's requirement for ongoing monitoring. The GIIF has imposed fines of PLN 1 million or more on entities whose risk assessments were demonstrably outdated at the time of inspection.
ESG reporting creates a third category of pitfall. CSRD Poland obligations are phased, but subsidiaries of groups already subject to reporting at the parent level may be required to provide data to the parent under tight internal deadlines – sometimes months before the parent's external reporting date. A subsidiary that has not built ESG data-collection processes into its operations will find itself unable to supply accurate data on time. That failure does not stay internal: it affects the parent's published sustainability report and creates reputational and regulatory exposure at group level.
We obtained interim protective measures for a German investor's subsidiary facing a regulatory investigation in Lower Silesia (spring 2026). The investigation arose directly from the absence of a documented AML risk assessment – an oversight that had persisted for three years without triggering any internal alert, because the group's compliance monitoring focused on the parent entity rather than the Polish subsidiary.
A fourth pitfall is the conflict between GDPR and the WPA in the design of the reporting channel. The WPA requires that the whistleblower's identity be kept confidential even from the person accused of wrongdoing. GDPR gives the accused person rights of access to personal data held about them. Reconciling these two obligations requires a specific legal basis analysis and a documented balancing test. Subsidiaries that deploy a standard GDPR privacy notice for their reporting channel, without this analysis, are exposed to challenge from both directions.
How should cross-border group structures approach Poland-specific compliance design?
Cross-border group structures face a design choice: centralise compliance governance at the parent level, or delegate it to the Polish subsidiary. Neither pure model works. Full centralisation fails because Polish law requires local implementation acts that the parent cannot execute. Full delegation fails because it creates inconsistency with group policies and removes the economies of scale that make compliance programmes cost-effective. The functional answer is a hybrid: group-level framework policies, locally implemented through Polish-law instruments, with a documented governance interface between parent and subsidiary.
The governance interface must address at least three questions. First, which body within the Polish subsidiary is responsible for adopting the local implementation acts? Under Polish corporate legislation, this is typically the management board, acting by resolution. Second, how does the subsidiary's compliance function report upward to the group? The reporting line must be documented and must not compromise the independence of the local compliance officer. Third, what happens when group policy and Polish law conflict? The conflict-resolution mechanism must be written into the governance interface – not left to be resolved ad hoc when an inspection occurs.
For subsidiaries of Swedish, German, or Dutch parent companies, additional considerations arise. Readers structuring compliance programmes across Scandinavian subsidiaries may find the analysis of compliance programme design for Sweden subsidiaries in Poland directly relevant. The core principle applies across all parent jurisdictions: the Polish subsidiary's compliance programme must be a local legal instrument, not a translation of a foreign document.
Transfer pricing and intra-group service agreements add a further dimension. If the parent charges the Polish subsidiary for compliance services provided centrally, the arrangement must be documented at arm's length and must genuinely reflect the services delivered to the Polish entity. A lump-sum management fee that covers "compliance support" without specifying deliverables will not satisfy the tax authority's transfer-pricing scrutiny – and will not satisfy a Polish regulator's inspection either, because it cannot demonstrate that the subsidiary actually received the compliance infrastructure it paid for.
What does a self-assessment checklist for Poland compliance readiness look like?
A self-assessment checklist translates the regulatory baseline into actionable questions that a subsidiary's management board can answer without specialist input. The purpose is not to replace legal advice – it is to identify the gaps that make legal advice urgent. A subsidiary that can answer "yes" to every item on the checklist has achieved a defensible compliance posture. A subsidiary that cannot is accumulating unquantified regulatory risk and forfeiting the opportunity to limit liability before an inspection or disclosure event occurs.
The checklist also serves a governance function. Completing it annually and retaining the results as a board document creates an audit trail showing that management took compliance seriously. Polish corporate legislation holds management board members personally liable for losses caused by their failure to exercise due diligence in managing the company's affairs. A documented annual compliance self-assessment is evidence of due diligence. Its absence is evidence of the opposite.
- Has the entity identified all regulatory regimes that apply to it (AML, WPA, CSRD, GDPR, sector-specific rules)?
- Are all internal policies introduced as binding instruments under the Labour Code, available in Polish?
- Is the internal reporting channel operational, with documented response timelines meeting WPA requirements?
- Has an AML risk assessment been conducted within the last 12 months (if the entity is an obligated institution)?
- Are training records maintained for all employees, differentiated by role, for the last 5 years?
Subsidiaries preparing for CSRD Poland reporting should also review the practical steps involved in data collection and disclosure. The detailed analysis of ESRS implementation steps for Polish reporting entities sets out the sequencing and documentation requirements that feed directly into a complete compliance programme. Office infrastructure considerations – including how lease arrangements affect registered-office obligations and regulatory correspondence – are addressed in the office lease review key points for Poland tenants guide, which is relevant for subsidiaries establishing or consolidating their Polish operational base.
The decision matrix for compliance programme design follows a clear logic. A subsidiary with fewer than 50 employees and no AML-obligated activities needs a baseline policy suite and GDPR-compliant data protection documentation. A subsidiary crossing the 50-employee threshold needs to add a WPA-compliant reporting channel within 14 days. A subsidiary that is an AML-obligated institution needs a full AML internal procedure, a documented risk assessment, and GIIF-ready transaction monitoring. A subsidiary in scope for CSRD Poland reporting needs an ESG data-collection architecture integrated into its financial reporting cycle, typically 6 months before the first reporting date.
Specific compliance situations require specific advice. A subsidiary facing an imminent inspection, a whistleblower disclosure, or a group restructuring that changes its regulatory profile cannot rely on a checklist alone. To receive an expert assessment of your subsidiary's compliance posture, contact info@kordeckipartners.com.
Frequently asked questions
Q: How long does it take to design and implement a compliance programme for a Poland subsidiary from scratch?
A: A baseline programme – covering the policy suite, reporting channel, and initial risk register – typically takes 8 to 12 weeks from engagement to operational readiness. The timeline depends on the subsidiary's size, regulatory profile, and the responsiveness of the parent's group compliance function. Programmes that must also address AML internal procedures or CSRD data-collection architecture require an additional 4 to 8 weeks. Starting the process at least 6 months before a regulatory deadline is strongly advisable.
Q: Is it true that a group whistleblowing hotline satisfies the Polish Whistleblower Protection Act automatically?
A: This is a common misconception. A group hotline operated from another jurisdiction satisfies the Whistleblower Protection Act only if the Polish entity has formally adopted it through a local implementation act, the data-processing arrangements comply with GDPR as applied in Poland, and the response timelines – 7 days for acknowledgement, 3 months for investigation conclusion – are met for reports submitted by Polish employees. A hotline that is technically available but not formally adopted by the Polish entity provides no legal protection to the management board.
Q: What does compliance programme design cost for a mid-sized Poland subsidiary?
A: Cost depends on scope. A baseline programme for a subsidiary with 50 to 200 employees, no AML-obligated activities, and no CSRD reporting obligations typically involves a fixed-fee engagement in the range of PLN 25,000 to PLN 60,000, depending on complexity and the extent of existing group policies that can be adapted. AML internal procedures and CSRD data-architecture work are scoped separately. Annual maintenance – policy updates, risk-register refresh, training delivery – is typically structured as a retainer.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to compliance programme design, ESG reporting, and regulatory risk management. We work with Polish entrepreneurs, foreign investors, and in-house legal teams navigating the intersection of AML, whistleblower compliance, CSRD Poland obligations, and Polish corporate governance requirements. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.