A Warsaw-based technology company wins a grant under Poland's National Recovery and Resilience Plan. The project launches. Eighteen months later, an audit by the Ministry of Funds and Regional Policy flags three documentation gaps. The entire subsidy – sometimes exceeding PLN 5 million – becomes recoverable with statutory interest. That scenario plays out more often than beneficiaries expect.
EU funds compliance under Poland's Krajowy Plan Odbudowy (National Recovery and Resilience Plan, KPO) and the broader Recovery and Resilience Facility (RRF) requires beneficiaries to meet layered obligations: financial documentation standards, ESG and sustainability milestones, anti-fraud and anti-corruption (antykorupcyjne) declarations, and public procurement rules. Non-compliance triggers repayment demands, exclusion from future calls, and – for company officers – potential personal liability under Polish administrative and criminal law. The compliance window is narrow: most cure periods run no longer than 30 days from the audit finding.
This page sets out the regulatory framework, the instruments that govern KPO and RRF compliance in Poland, the practical pitfalls that most often catch beneficiaries off guard, and a cross-border perspective for foreign investors. A self-assessment checklist closes the guide.
What regulatory framework governs KPO and RRF compliance in Poland?
The KPO and RRF sit at the intersection of EU and national law. At EU level, Regulation (EU) 2021/241 establishes the RRF and sets the milestone-and-target architecture that Poland must satisfy before each disbursement tranche. At national level, the Ministry of Funds and Regional Policy (Ministerstwo Funduszy i Polityki Regionalnej) acts as the implementing body, while the Bank Gospodarstwa Krajowego (BGK, the state development bank) channels most KPO financing directly to beneficiaries. The National Court Register (KRS) is a key reference point for verifying entity eligibility at the application stage.
Polish beneficiaries operate under a dual compliance duty. First, they must meet the milestones and targets agreed between Poland and the European Commission – including green transition and digital transformation benchmarks. Second, they must comply with domestic grant agreements, which incorporate the Ustawa o finansach publicznych (Public Finance Act) and sector-specific regulations. Failure on either level can trigger recovery independently.
ESG reporting obligations add another layer. Beneficiaries receiving KPO support above certain thresholds must demonstrate alignment with the EU Taxonomy and, increasingly, with CSRD requirements in Poland as those rules phase in. The Polish Financial Supervision Authority (KNF) plays a supervisory role where KPO-linked financing intersects with capital markets or regulated entities.
AML compliance is non-negotiable. Every beneficiary must complete beneficial ownership verification and submit declarations consistent with the Central Register of Beneficial Owners (CRBR). Gaps in AML documentation are among the top three audit findings across KPO calls reviewed in 2024 and 2025.
Which compliance instruments apply to KPO beneficiaries?
KPO compliance rests on four interlocking instruments: the grant agreement, the project implementation schedule, the financial documentation framework, and the whistleblower compliance channel. Each creates distinct obligations with its own deadline architecture. Missing any single deadline – even by one day – can convert a technical breach into a financial correction.
The grant agreement is the primary instrument. It specifies eligible costs, co-financing rates (often 80–100% of eligible expenditure), reporting periods, and the audit trail requirements that must be maintained for at least five years after the final payment. Amendments to project scope require prior written consent from BGK or the relevant intermediary body. Unilateral changes – even commercially sensible ones – are treated as non-compliant deviations.
We secured the reinstatement of a KPO subsidy exceeding PLN 3.2 million for a manufacturing client in the Mazowieckie region (autumn 2025). The intermediary body had flagged a scope deviation as non-compliant. We demonstrated that the change fell within the de minimis modification threshold and had been implicitly accepted through the body's own correspondence. The recovery demand was withdrawn within 45 days.
The project implementation schedule sets milestone dates. Delays beyond the contractual tolerance – typically 30 days per milestone – trigger formal warning notices. Two consecutive warnings can lead to partial termination. Beneficiaries should build schedule contingency into the original application, not as an afterthought during implementation.
- Grant agreement – eligible costs, co-financing rate, audit trail (5-year retention)
- Implementation schedule – milestone dates, 30-day tolerance per milestone
- Financial documentation – invoices, bank transfers, payroll records, asset registers
- Whistleblower channel – mandatory for entities with 50+ employees under the Ustawa o ochronie sygnalistów (Whistleblower Protection Act)
- Beneficial ownership declarations – CRBR-consistent, updated within 14 days of any change
The Whistleblower Protection Act, which entered into force in September 2024, requires entities employing 50 or more people to operate an internal reporting channel before they can certify full compliance under KPO grant conditions. Failure to implement the channel within the required timeframe forfeits the beneficiary's ability to make a clean compliance declaration – blocking the next disbursement tranche.
What are the most common KPO compliance pitfalls?
Practical experience across dozens of KPO audits points to a consistent cluster of errors. Most are avoidable. All carry financial consequences. The three highest-risk areas are procurement irregularities, documentation gaps, and sustainability milestone misreporting.
Procurement irregularities account for the largest share of financial corrections. KPO beneficiaries that are not classical contracting authorities under the Prawo zamówień publicznych (Public Procurement Law, PZP) are still bound by the "competitive selection" obligation written into their grant agreements. Many beneficiaries incorrectly assume that PZP exemptions apply to KPO procurement. They do not. A single-source award above PLN 130,000 without a documented competitive process typically triggers a 25% financial correction on the affected expenditure.
Documentation gaps are the second major risk. The audit trail must link every euro of expenditure to an eligible activity, a paid invoice, a bank transfer record, and a delivery confirmation. Digital records are accepted, but they must be stored in an unalterable format. Beneficiaries who rely on shared cloud folders without version control regularly fail this test. The five-year retention obligation runs from the date of the final payment under the grant – not from project completion.
Our team obtained reversal of a financial correction exceeding PLN 1.8 million for an IT services client in Lower Silesia (spring 2026). The audit had flagged missing delivery confirmations for software licences. We reconstructed the audit trail using supplier correspondence, system access logs, and contemporaneous project reports. The correction was reduced to zero.
Sustainability milestone misreporting is an emerging risk as KPO tranches increasingly depend on green and digital targets. Beneficiaries must not only implement the required measures but document them in a format that the European Commission's audit services can verify. ESG reporting obligations – including alignment with the EU Taxonomy's Do No Significant Harm (DNSH) principle – are not optional add-ons. They are disbursement conditions. A mismatch between reported and actual DNSH compliance can delay the entire national tranche, creating pressure on all beneficiaries.
How do cross-border structures affect KPO compliance obligations?
For a German or Italian investor operating a Polish subsidiary, KPO compliance introduces obligations that sit at the group level as well as the entity level. The Polish subsidiary is the formal beneficiary and carries primary liability. The parent, however, may be drawn into the compliance perimeter through related-party transaction rules, intercompany service agreements, and beneficial ownership declarations.
Related-party transactions within KPO-funded projects require arm's-length pricing and documentary evidence equivalent to transfer pricing documentation. BGK auditors increasingly request intercompany service agreements, board minutes approving the transactions, and comparable market benchmarks. A foreign parent that provides management services to the Polish beneficiary without a formal, priced agreement creates an immediate audit risk.
Beneficial ownership verification is a cross-border compliance pressure point. The CRBR requires disclosure of every natural person holding more than 25% of shares or voting rights, including through foreign holding structures. Multi-layer ownership chains – common in private equity and family office structures – must be unwound to the ultimate beneficial owner. Delays in updating CRBR entries after corporate restructurings have triggered grant suspensions pending re-verification.
Foreign investors should also note that KPO grant agreements routinely require the beneficiary to maintain its registered office and principal operations in Poland for at least three years after the final payment. Relocating operations – even partially – within that period constitutes a compliance breach. For compliance programme design considerations relevant to foreign subsidiaries, see our guide on compliance programme design for Spain subsidiaries in Poland and the parallel analysis for compliance programme design for Italy subsidiaries in Poland.
Employment law compliance intersects with KPO obligations where the grant funds headcount expansion. Beneficiaries must maintain the committed number of new positions for the duration specified in the grant agreement – typically 12 to 24 months after the project end date. Redundancies within that window trigger pro-rata repayment obligations. For the full scope of employer duties in this context, see our analysis of workplace harassment and employer duties under Polish law, which covers the broader employment compliance framework applicable to KPO beneficiaries.
Your company's specific cross-border structure creates compliance exposures that a generic checklist cannot resolve. Personal liability for officers and the risk of full grant repayment are irreversible once a final recovery decision is issued. To receive an expert assessment of your cross-border KPO compliance position, contact info@kordeckipartners.com.
What does a KPO compliance self-assessment look like?
A structured self-assessment reduces audit risk and strengthens the beneficiary's position in any subsequent administrative proceedings. It should be conducted at least once per reporting period – typically every six months. The assessment covers five domains: documentation integrity, procurement compliance, sustainability milestones, employment obligations, and internal reporting infrastructure.
Documentation integrity review asks whether every item of eligible expenditure has a complete audit trail: invoice, payment confirmation, delivery record, and linkage to an eligible budget line. Any gap should be remediated immediately. Reconstructing documentation after an audit notice is possible but significantly weaker than contemporaneous records.
Procurement compliance review verifies that every procurement above PLN 130,000 followed a documented competitive process, that evaluation criteria were applied consistently, and that the selected supplier was not disqualified under exclusion grounds. Beneficiaries should retain all tender documentation for the full five-year period.
- Documentation: complete audit trail for every eligible cost item
- Procurement: competitive process documented above PLN 130,000
- Sustainability: DNSH compliance evidenced and ready for EC verification
- Employment: headcount commitments tracked against grant schedule
- Internal reporting: whistleblower channel operational and tested
Sustainability milestone tracking requires beneficiaries to maintain a live register of green and digital indicators, updated in real time rather than assembled at reporting deadlines. The European Commission's audit teams have moved toward on-site verification of sustainability claims. A beneficiary that can demonstrate a live tracking system is materially better positioned than one that assembles evidence retrospectively.
Internal reporting infrastructure – the whistleblower compliance channel – must be tested at least annually. The test should confirm that reports can be submitted anonymously, that the designated handler is independent of management, and that response timelines comply with the 7-day acknowledgment and 3-month investigation completion deadlines set by the Whistleblower Protection Act. A channel that exists on paper but fails in operation provides no compliance protection and may itself be cited as a deficiency in a KPO audit.
Frequently asked questions
Q: How long does a KPO beneficiary have to respond to an audit finding before a recovery decision is issued?
A: The standard procedure allows 30 days from notification of the preliminary audit finding for the beneficiary to submit a written response and supporting evidence. In practice, intermediary bodies sometimes issue shorter deadlines for minor findings. Missing the response window does not automatically result in a recovery decision, but it significantly weakens the beneficiary's procedural position. Engaging a compliance lawyer, Warsaw-based or otherwise, who is qualified in public funds law at the first notice is strongly advisable.
Q: Does the Whistleblower Protection Act apply to all KPO beneficiaries regardless of size?
A: The mandatory internal reporting channel applies to entities employing 50 or more workers. Smaller beneficiaries are not legally required to operate a channel but may still be contractually required to certify a minimum compliance infrastructure under their grant agreements. A common misconception is that the Act only applies to listed companies or financial institutions. It applies to any employer meeting the threshold, including project-company structures created specifically for KPO implementation.
Q: What is the typical cost of a KPO compliance audit by an external legal team?
A: Costs vary with project size and complexity. A focused documentation review for a single-component project with eligible costs up to PLN 2 million typically requires 20 to 40 hours of legal work. A full compliance audit covering procurement, sustainability milestones, employment obligations, and beneficial ownership for a multi-component project above PLN 10 million may require 80 to 120 hours. Investing in pre-audit compliance review is consistently less expensive than defending a financial correction proceeding, which can run for 12 to 18 months.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to EU funds compliance, ESG reporting, AML, and internal investigations. We work with Polish entrepreneurs, foreign investors, and in-house legal teams navigating KPO and RRF obligations. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.