A Polish technology company wins a grant under the Krajowy Plan Odbudowy (National Recovery and Resilience Plan, KPO). The disbursement agreement runs to 200 pages. Six months later, an audit by the Centrum Obsługi Projektów Europejskich Ministerstwa Spraw Wewnętrznych i Administracji (European Projects Service Centre, COPEMSWA) flags three procurement irregularities. The company faces a demand to return the entire grant – with interest. That outcome was avoidable.
EU funds compliance under Poland's KPO and the broader Recovery and Resilience Facility (RRF) framework imposes layered obligations on beneficiaries: procurement rules, anti-fraud and anti-corruption controls, ESG reporting, and audit-readiness requirements that persist for up to five years after project closure. Failure to meet any single requirement may trigger partial or full repayment of the grant, plus statutory interest. Polish law gives the implementing institution discretionary power to impose financial corrections ranging from 5% to 100% of the affected expenditure.
This page maps the full compliance architecture – from the moment a grant agreement is signed to the post-project retention period. It covers the key instruments, the most common pitfalls Polish and foreign beneficiaries encounter, the cross-border dimension for subsidiaries of foreign groups, and a practical self-assessment checklist. The analysis draws on the regulatory framework applicable from May 2026.
What legal framework governs KPO and RRF compliance in Poland?
Poland's KPO is the domestic implementation vehicle for the EU-level RRF, established by Rozporządzenie Parlamentu Europejskiego i Rady (UE) 2021/241 (EU RRF Regulation). At the national level, the principal statute is the ustawa o zasadach realizacji zadań finansowanych ze środków europejskich w perspektywie finansowej 2021–2027 (Act on the Principles of Implementing European-Funded Tasks, the Implementation Act). Together, these instruments create a dual compliance standard: beneficiaries must satisfy both EU-level milestones and Polish domestic procedural rules simultaneously.
The Ministerstwo Funduszy i Polityki Regionalnej (Ministry of Funds and Regional Policy, MFiPR) acts as the national coordinating body. The Centrum Projektów Polska Cyfrowa (Digital Poland Project Centre, CPPC) and sector-specific intermediate bodies administer individual funding streams. The Najwyższa Izba Kontroli (Supreme Audit Office, NIK) retains an independent audit mandate over all public expenditure, including KPO disbursements. Beneficiaries must be prepared to respond to all three institutions – sometimes simultaneously.
The RRF Regulation links disbursements to milestone and target completion rather than to individual expenditure claims. This means a beneficiary's compliance failure can affect not only its own grant but also Poland's ability to draw down the next tranche of EU funding. The systemic stakes are therefore considerably higher than under traditional structural funds. A single major irregularity reported by NIK can delay national-level payments by several months.
One feature specific to KPO is the accelerated timeline. Poland's KPO must be implemented by August 2026, with all expenditure certified by that date. Beneficiaries operating on 18-to-24-month project cycles have very little margin for procedural delays. A procurement challenge lodged with the Krajowa Izba Odwoławcza (National Appeals Chamber, KIO) can consume six to eight weeks – time that most KPO schedules cannot absorb without triggering a milestone breach.
What are the core compliance obligations for KPO beneficiaries?
Every KPO grant agreement imposes at least five categories of obligation. These are not optional or aspirational – they are conditions precedent to disbursement and grounds for clawback if breached. Understanding each category is the first step toward building a defensible compliance programme.
The five core categories are:
- Procurement compliance – public and private beneficiaries must follow the ustawa Prawo zamówień publicznych (Public Procurement Law, PZP) where applicable, or at minimum the principle of competitive selection where PZP thresholds are not met.
- Anti-fraud and anti-corruption controls – beneficiaries must implement internal controls to detect and prevent fraud, including conflicts of interest in procurement decisions.
- ESG reporting and CSRD Poland alignment – larger beneficiaries and those in regulated sectors must document environmental and social impacts, consistent with emerging CSRD Poland obligations.
- Whistleblower compliance – Poland's ustawa o ochronie sygnalistów (Whistleblower Protection Act) requires beneficiaries with 50 or more employees to maintain an internal reporting channel; KPO grant agreements often extend this obligation to smaller entities.
- Documentation and audit trail – all project documents, financial records, and procurement files must be retained for five years after final payment, and made available to auditors within 15 working days of a request.
AML obligations intersect with KPO compliance wherever a beneficiary channels funds through third parties or subcontractors. The ustawa o przeciwdziałaniu praniu pieniędzy oraz finansowaniu terroryzmu (Anti-Money Laundering Act, AML Act) requires beneficiary-side due diligence on contractors receiving grant-funded payments above prescribed thresholds. Ignoring this requirement does not merely create a regulatory risk – it can constitute grounds for treating the entire subcontract as an irregularity.
We secured a reversal of a financial correction exceeding PLN 1.8m for a manufacturing client in the Mazowieckie region (autumn 2025). The correction had been imposed on the basis of an alleged procurement irregularity. Our review showed the implementing body had misapplied the competitive-selection threshold. The grant was reinstated in full within four months of the challenge.
For a tailored strategy on KPO grant compliance, reach out to info@kordeckipartners.com.
Where do beneficiaries most commonly fail compliance checks?
Audit experience across KPO and predecessor structural-fund programmes points to four recurring failure modes. Each is avoidable with proper preparation. Each, if missed, can trigger financial corrections that far exceed the cost of prevention.
The first and most frequent failure is procurement documentation gaps. Beneficiaries often conduct a competitive selection correctly in practice but fail to document the process in the prescribed manner. An auditor who cannot reconstruct the selection from the paper trail will treat the expenditure as ineligible. The implementing body is not required to give the benefit of the doubt. Documentation must be contemporaneous – reconstructed records prepared after an audit notice are rarely accepted.
The second failure mode is conflict-of-interest blind spots. Polish implementing guidelines require beneficiaries to screen all procurement decision-makers against the contractor's ownership and management structure. This screening must be documented using a prescribed declaration form. Companies that rely on informal familiarity with their contractors – rather than formal declarations – routinely fail this check. A single undeclared connection between an evaluator and a winning bidder can void the entire contract value.
Third is milestone misreporting. KPO milestones are defined in precise, measurable terms. A beneficiary that achieves the substance of a milestone but reports it using different metrics from those specified in the grant agreement risks a finding of non-completion. This is not a technicality – under the RRF framework, milestone non-completion is a basis for withholding disbursement at the national level.
Fourth is change management failure. Project scope, budget, and timeline changes require prior written approval from the implementing body. Beneficiaries that make changes first and seek approval later – or do not seek approval at all – expose themselves to full clawback of expenditure incurred after the unapproved change. The implementing body has no discretion to waive this requirement retroactively.
For context on how board-level liability intersects with grant compliance failures, see our analysis of board liability for tax arrears under Polish law. The personal liability principles discussed there apply with equal force where a board approves an unapproved project change that later triggers a repayment demand.
How do cross-border structures affect KPO compliance obligations?
Foreign-owned subsidiaries operating in Poland face an additional compliance layer that purely domestic beneficiaries do not. The grant agreement binds the Polish legal entity – but group-level decisions made abroad can create domestic compliance breaches. This asymmetry is the source of many of the most serious problems we encounter in practice.
Consider a German parent that requires all group procurement to go through a central purchasing function located in Frankfurt. The Polish subsidiary's KPO grant agreement requires competitive selection under Polish rules. If the central purchasing function selects a contractor without following Polish procedure – even for legitimate group-efficiency reasons – the Polish subsidiary bears the compliance risk. The implementing body will not accept group policy as a justification for deviating from Polish procurement rules.
Transfer pricing and intercompany transactions present a related risk. KPO rules prohibit grant-funded expenditure on transactions with related parties unless those transactions are demonstrably at arm's length and competitively priced. A subsidiary that procures IT services from a group entity at a transfer-pricing rate set by the parent's tax department must demonstrate that the rate reflects market pricing. Warsaw-based compliance lawyers advise on this intersection between tax structuring and grant compliance – the two disciplines must be aligned before the grant agreement is signed.
Our team obtained interim protective measures for a German investor's subsidiary in Lower Silesia (spring 2026) after a dispute arose over the eligibility of intercompany IT expenditure charged to a KPO-funded digital transformation project. The measures prevented the implementing body from issuing a repayment decision while the merits were assessed.
For subsidiaries of Swiss groups, the compliance programme design considerations are similar but with additional complexity around data governance and AML. Our detailed analysis is available at compliance programme design for Switzerland subsidiaries in Poland. For Ukrainian and CIS-owned entities operating in Poland, the equivalent framework is covered at compliance programme design for Ukraine subsidiaries in Poland.
The cross-border dimension also affects whistleblower compliance. A group that operates a single EU-wide reporting channel must verify that the channel meets Polish requirements under the Whistleblower Protection Act – including language accessibility, response timeframes of no more than seven days for acknowledgement, and three months for substantive follow-up. A non-compliant group channel does not satisfy the Polish statutory obligation, even if it satisfies the requirements of another EU member state.
Specific situation requiring immediate attention: if your group is preparing a KPO disbursement request and intercompany transactions represent more than 15% of eligible expenditure, the eligibility of those costs should be reviewed before the request is submitted. A post-submission audit finding is considerably harder to reverse than a pre-submission adjustment.
What is the ESG and CSRD reporting dimension of KPO compliance?
ESG reporting obligations are not merely a parallel regulatory track. For KPO beneficiaries, they are directly embedded in grant conditions. Many KPO investment streams – particularly those under the green transition and digital transformation pillars – require beneficiaries to document environmental impact, energy consumption reductions, and social outcomes as part of milestone reporting. Failure to produce this documentation is treated as milestone non-completion.
CSRD Poland requirements are accelerating this dynamic. Large Polish companies and large Polish subsidiaries of foreign groups that meet the CSRD thresholds (500 employees, or EUR 40m turnover and EUR 20m balance sheet) became subject to CSRD-aligned sustainability reporting from financial year 2024. For KPO beneficiaries in this category, the sustainability report is increasingly the primary source document for ESG-related milestone evidence. A beneficiary that has not yet implemented CSRD-compliant data collection will struggle to produce the evidence that implementing bodies now expect.
ESG reporting under KPO also intersects with the EU Taxonomy Regulation. Green KPO investments must demonstrate that funded activities do not significantly harm any of the six environmental objectives. This Do No Significant Harm (DNSH) assessment must be documented at the project design stage – it cannot be added retrospectively. Beneficiaries that signed grant agreements in 2023 or 2024 without completing a proper DNSH assessment face a latent compliance risk that will surface at the first substantive audit.
Three business scenarios illustrate the practical scope of this issue. A manufacturing company in Silesia investing KPO funds in production line automation must document energy efficiency gains against a baseline measured before project start. An IT company in Małopolska using KPO funds for cloud infrastructure migration must demonstrate that the chosen cloud provider meets the Taxonomy's climate adaptation criteria. A foreign investor establishing a logistics facility in Pomerania with KPO co-financing must complete a DNSH assessment covering waste management, water use, and biodiversity impact before breaking ground.
The compliance programme must therefore integrate ESG data collection from day one of project implementation. Retrofitting an ESG reporting system after the project is under way is technically possible but operationally costly – and the data quality is rarely sufficient to satisfy an experienced auditor.
Self-assessment checklist and compliance programme structure
A defensible KPO compliance programme has three layers: preventive controls, detective controls, and response protocols. All three must be in place before the first disbursement request is submitted. Implementing them after an audit notice has been received forfeits most of the protective value.
Preventive controls begin with the grant agreement itself. Every obligation, deadline, reporting requirement, and change-approval trigger must be mapped into an internal calendar. This calendar should be owned by a named compliance officer – not the project manager, whose incentives are focused on delivery rather than process. The compliance officer must have direct access to the board and a clear mandate to halt expenditure if a compliance risk is identified.
Detective controls centre on internal audit. Beneficiaries should conduct a mock audit at the midpoint of the project – before the implementing body conducts its own check. A mock audit conducted by external counsel with EU funds experience will identify documentation gaps while there is still time to address them. The cost of a mock audit is a fraction of the cost of a financial correction.
What to prepare before your first KPO disbursement request:
- Complete procurement file for each contract, including evaluation records, declaration of no conflict of interest, and signed contract with all annexes.
- DNSH assessment for all activities funded under green or digital KPO streams.
- Whistleblower channel documentation confirming compliance with the Whistleblower Protection Act, including language accessibility and response-time records.
- Intercompany transaction analysis where group entities are involved as contractors or subcontractors.
- ESG baseline data covering the metrics specified in the grant agreement's milestone definitions.
Response protocols matter because audits are not always avoidable. When an implementing body issues an audit notice, the beneficiary has 15 working days to produce documents. This deadline cannot be extended unilaterally. Having a pre-prepared document management system – with all project files indexed and retrievable – is the difference between a smooth audit and a chaotic one. Chaotic audits tend to produce adverse findings, even where the underlying compliance position is sound.
The decision matrix for responding to a financial correction demand follows a clear sequence: first, assess whether the correction is legally founded; second, identify whether the implementing body applied the correct correction rate; third, determine whether an administrative appeal or judicial review is the more effective challenge route. Appeals to the implementing body must be lodged within 14 days of the correction decision. Missing this deadline forfeits the right to challenge the correction amount, even if the correction was unlawful.
Your company's specific situation may involve combinations of these risks that require an integrated response. The irreversible consequence of inaction – repayment of the full grant with interest, plus potential exclusion from future EU funding – is a risk that no compliance programme should leave unaddressed.
Frequently asked questions
Q: How long does a KPO beneficiary need to retain project documentation after the grant is closed?
A: The standard retention period under Polish implementing rules is five years from the date of final payment by the implementing body. For projects involving state aid, the retention period may extend to ten years from the date the aid was granted. Beneficiaries should confirm the applicable period in their specific grant agreement, as individual agreements sometimes impose longer retention obligations than the statutory minimum. Documents must be produced within 15 working days of an audit request.
Q: Is it true that private companies are not subject to public procurement rules when using KPO funds?
A: This is a common misconception. Private-sector beneficiaries that do not meet the legal definition of a contracting authority under the Public Procurement Law are not bound by that statute's full procedural requirements. However, all KPO grant agreements – regardless of the beneficiary's legal form – impose a competitive selection obligation for contracts above specified thresholds, typically EUR 30,000 net. The implementing body will apply a financial correction if this obligation is not met, even where the PZP did not formally apply.
Q: What is the typical timeline and cost for challenging a financial correction imposed by a KPO implementing body?
A: An administrative appeal to the implementing body takes between two and four months. If the appeal is rejected, judicial review before the administrative court (WSA) adds a further 12 to 18 months at first instance. Total legal costs for a well-prepared challenge typically range from PLN 30,000 to PLN 120,000, depending on the complexity of the case and the amount at stake. For corrections above PLN 500,000, the economics of a professional challenge are almost always favourable relative to the repayment demand.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to EU funds compliance, ESG reporting, and regulatory risk management. We work with Polish entrepreneurs, foreign investors, and in-house legal teams navigating KPO, RRF, and structural-fund requirements. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.