• PL
  • EN
  • Proud Member of Alliott Global Alliance — Chambers Top Ranked Global 2023
    Zespół doradców compliance i ESG w nowoczesnym biurze

    Compliance and ESG

    We build and implement compliance systems — from anti-corruption and AML to whistleblower protection and ESG — and we train teams so those systems actually work inside the organization.

    Home Services Compliance and ESG

    Regulatory compliance today is not just an obligation but a matter of risk and reputation management — spanning anti-corruption, AML/CFT, whistleblower protection, data protection and increasingly ESG. We support businesses on two levels: we advise on and implement compliance systems tailored to an organization’s scale and sector, and — because a system only works if people know how to use it — we train management boards, compliance teams and employees so procedures don’t stay on paper. The practice is led by Kinga Miller, Partner and Approved Compliance Expert and Approved ESG Officer (certifications from the Compliance Institute), with Łukasz Kudela supporting the AML and FinTech/crypto-assets regulatory side.

    What we cover

    Advisory and implementation of compliance systems

    Anti-corruption systems

    Designing and implementing anti-corruption policies (anti-corruption / anti-bribery) tailored to an organization’s scale and sector. The engagement delivers a concrete set of documents and tools:

    • an anti-corruption policy and code of conduct,
    • a gifts-and-hospitality procedure and a conflict-of-interest management procedure,
    • a corruption risk assessment for key processes and business relationships,
    • KYC and counterparty due-diligence procedures — screening business partners, intermediaries and agents, including sanctions-screening elements in dealings with counterparties.

    AML/CFT

    Implementing and reviewing an internal anti-money-laundering and counter-terrorist-financing procedure for obliged institutions, in line with the Polish Act of 1 March 2018 on Counteracting Money Laundering and Terrorist Financing. Scope includes:

    • an AML risk assessment for the obliged institution,
    • customer identification and verification procedures (KYC/CDD/EDD) and beneficial-owner verification,
    • support in appointing the person responsible for AML duties and the senior-management representative,
    • mandatory AML training for employees.

    The team has additional experience implementing AML/CFT regulations in the FinTech and crypto-assets sector, including in the context of the EU MiCA Regulation and CASP licensing.

    Whistleblower protection

    Implementing reporting channels and internal procedures compliant with the Polish Act of 14 June 2024 on the Protection of Whistleblowers (implementing EU Directive 2019/1937). Deliverables include:

    • a reporting channel fitted to the organization — oral (by phone) and written (electronic or paper),
    • an internal reporting procedure setting out how reports are received, examined and followed up,
    • a reporting register kept for the legally required retention period,
    • designation of an impartial unit or person responsible for handling reports.

    Data protection (GDPR)

    GDPR compliance implementations and audits, plus ongoing support in the Data Protection Officer role. Scope includes:

    • a data-processing compliance audit and remediation recommendations,
    • GDPR documentation (records of processing activities, security policies, data-processing agreements),
    • acting as external DPO (outsourced DPO) or supporting an in-house DPO,
    • handling data-protection incidents and breaches, including notifications to the Polish DPA (UODO),
    • GDPR training for employees and management.

    ESG

    Support in building and implementing ESG policies and supply-chain due-diligence procedures, led by a certified Approved ESG Officer. Scope includes:

    • an ESG policy and a code of conduct for suppliers/counterparties,
    • supply-chain due diligence covering environmental, social and governance risks,
    • ESG risk mapping and governance recommendations,
    • support in building an internal accountability structure and internal ESG reporting procedures.

    Anti-mobbing

    Implementing anti-mobbing policies and internal procedures compliant with Article 94(3) of the Polish Labour Code, which obliges employers to counteract mobbing/workplace bullying. Deliverables include:

    • an anti-mobbing policy and a code of good practice / code of ethics,
    • a procedure for reporting and investigating mobbing and discrimination cases, including rules for appointing an anti-mobbing commission or a trusted mediator,
    • support in conducting internal investigations,
    • training for management and HR teams on recognizing and responding to mobbing.

    Training

    Compliance and ESG training

    Training programmes for boards, supervisory boards, compliance teams, HR and employees, tailored to the participant’s role, risk profile and sector. Topics include:

    • anti-corruption / anti-bribery,
    • KYC and counterparty due diligence,
    • sanctions screening,
    • AML/CFT,
    • whistleblower protection,
    • anti-mobbing and anti-discrimination,
    • GDPR,
    • ESG.

    Training is delivered in person, online or in hybrid format — as one-off implementation programmes or recurring compliance-maintenance programmes, sized to the organization.

    How we work

    Building a compliance system is a process, not a one-off document. We take clients through five stages:

    1

    Audit / diagnosis

    assessing the current state of compliance and identifying risks and gaps against applicable law and standards.

    2

    System design

    designing policies, procedures and an accountability structure fitted to the organization’s scale, sector and risk profile.

    3

    Implementation

    rolling out documentation, reporting channels and tools across the organization, working with the board and internal departments.

    4

    Training

    preparing the team to apply the new rules in practice, from the board to front-line employees.

    5

    Ongoing compliance-officer support

    continuous advisory, updating documentation as regulations change, and support on day-to-day compliance matters.

    Who this is for

    Boards and supervisory boards

    Responsible for oversight of the organization’s compliance system.

    Compliance officers and compliance teams

    Needing substantive and legal support to build and maintain the system.

    HR and legal departments

    Responsible for whistleblowing, anti-mobbing and GDPR implementations.

    Organizations in regulated sectors

    Regulated or compliance-risk-exposed sectors — including FinTech, crypto-assets and automotive, where the team has additional sector experience.

    What is compliance, and how does it differ from ESG?

    Compliance is a system of rules and procedures designed to keep a company operating in line with the law, industry regulation, and internal ethical standards — covering areas such as anti-bribery, KYC, sanctions screening, and whistleblower protection. ESG (Environmental, Social, Governance) is a framework for reporting on and managing a company’s environmental, social, and governance impact. The two overlap: a well-designed compliance program is one of the pillars of the „G” in ESG.

    Who has to report ESG in Poland in 2026?

    The ESG reporting obligation stems from the CSRD directive, transposed into Polish law by the act of 6 December 2024. Scope and timelines were subsequently modified by the „Omnibus I” package — so companies should confirm their current status with an advisor before relying on any specific date.

    GroupReporting for fiscal yearThreshold criteriaStatus
    Large public-interest entities (already under the former NFRD)FY2024Over 500 employeesObligation active
    Large companies (new CSRD wave)FY2025 (report published 2026)≥250 employees and/or EUR 50m net turnover and/or EUR 25m balance sheet total (2 of 3 criteria)Obligation active — exact scope and timing worth confirming with an advisor after the „Omnibus I” package
    Listed SMEsLower employee/turnover thresholdsTimeline pushed back by „Omnibus I” — to be confirmed with an advisor
    SMEs outside the statutory obligationNo formal obligation, but frequently required contractually by CSRD-obligated partners (value-chain effect — see below)

    A sustainability report prepared under the ESRS (European Sustainability Reporting Standards) is subject to mandatory assurance by a statutory auditor or other authorised body.

    The value-chain effect — why ESG matters even for smaller companies

    Even if your company does not formally meet the CSRD thresholds, a larger business partner that is itself subject to CSRD may contractually require you to supply ESG data — the so-called value-chain effect. In practice, a lack of ESG readiness can today be a real reason for exclusion from a tender or a large counterparty’s supply chain, independent of any statutory obligation.

    What is „double materiality” in ESG?

    Double materiality is an ESG reporting principle requiring companies to assess both impact materiality (how the company affects the environment and society) and financial materiality (how ESG issues affect the company financially). The ESRS standard requires both perspectives to be considered when scoping a report.

    Whistleblowing as part of compliance

    An internal reporting procedure for whistleblowers is a core element of a mature compliance program for companies with more than 50 employees: a reporting channel, a register, a strict ban on retaliation, and a duty to inform employees. We also run whistleblower-protection training for management and for staff handling reports — see Employee Training.

    Compliance and ESG training

    Training programmes for management boards, supervisory boards, compliance and HR teams, and employees — tailored to the participant’s role, the organisation’s risk profile and the client’s industry. Topics include, among others:

    • anti-corruption / anti-bribery,
    • KYC and counterparty due diligence,
    • sanctions screening,
    • AML/CFT,
    • whistleblower protection,
    • anti-harassment and anti-discrimination,
    • GDPR,
    • ESG.

    Training is delivered on-site, online or in a hybrid format — as one-off (implementation) programmes or recurring ones (maintaining compliance), tailored to the size and structure of the organisation. See our full training offer on the Employee training page.

    Hotel training room prepared for a compliance and ESG training session

    Our experts

    The lawyers who will build and implement the compliance system in your organization — from design to team training.

    Kinga Miller

    Kinga Miller

    Partner, Advocate,
    Approved Compliance Expert, Approved ESG Officer

    Kinga has 15 years of professional experience, including designing and implementing labour-law compliance systems for organizations employing several hundred people. A graduate of the Postgraduate Compliance Studies programme at the Warsaw School of Economics (SGH) and a certified Approved Compliance Expert and Approved ESG Officer of the Compliance Institute, she advises businesses on effectively building and implementing compliance management systems and ESG policies.

    Contact KingaClick the card to see the full profile ›
    Łukasz Kudela

    Łukasz Kudela

    Senior Associate, Legal Counsel (Radca Prawny),
    Cryptocurrency Project Manager

    Łukasz co-develops compliance systems tied to Polish and EU AML regulations, with a particular focus on the FinTech and crypto-assets sector. He advises on implementing the EU MiCA Regulation and on obtaining CASP licences for crypto-asset businesses, and his anti-money-laundering experience is reflected in his co-authorship of the Poland chapter of the “Blockchain & Crypto-Assets 2026” guide published by Chambers and Partners, covering the legal framework for the crypto-assets market in Poland and AML.

    Contact ŁukaszClick the card to see the full profile ›
    Marta Solarska-Kaleńczuk

    Marta Solarska-Kaleńczuk

    Partner, Chief Operating Officer,
    Data Protection Officer

    Marta oversees compliance with data protection regulations — since 2015 she has held this role at Hyundai Motor Poland, first as Information Security Administrator and later as Data Protection Officer. She handles GDPR, labour-law and corporate compliance implementations, and regularly delivers training grounded in the client’s specific business context.

    Contact MartaClick the card to see the full profile ›
    Oliwia Koper

    Oliwia Koper

    Associate, Advocate

    Oliwia specializes in comprehensive legal services for businesses, with particular focus on the automotive industry, the new technology sector and life sciences. She advises on negotiating and drafting complex commercial contracts, implementing data protection policies and procedures, compliance and information security.

    Contact OliwiaClick the card to see the full profile ›

    Frequently asked questions

    Do SMEs have to report ESG?

    As a rule, the CSRD obligation applies to large entities meeting specific employee and financial thresholds. SMEs outside the statutory obligation are nonetheless increasingly asked for ESG data by larger business partners who are themselves obligated to report — the value-chain effect. It is worth confirming your company’s current status with an advisor.

    When does CSRD apply in Poland?

    CSRD was transposed by the act of 6 December 2024, with scope and timelines modified by the „Omnibus I” package. Exact deadlines depend on the company category — see the threshold table above.

    How is compliance different from internal audit?

    Compliance prevents violations on an ongoing basis through policies, procedures, and training. Internal audit verifies after the fact whether adopted procedures — including compliance — are actually being followed. The two functions complement each other but serve different roles.

    Does an ESG report need to be verified by a statutory auditor?

    Yes — a sustainability report prepared under ESRS is subject to mandatory assurance by a statutory auditor or other authorised body, similar to the audit of financial statements.

    How do we start implementing a compliance program?

    Typically with a gap analysis of existing procedures against legal requirements, followed by building or updating policies (anti-corruption, KYC, whistleblowing), employee training, and appointing a compliance owner — in-house or outsourced.

    Want to build or verify a compliance system in your organization?

    Let’s talk about the scope of advisory support or training that fits your company.

    Get in touch