A Warsaw-based financial technology company approached our firm in late 2024 with a straightforward question: does our credit-scoring algorithm qualify as high-risk under the EU AI Act? The answer changed their product roadmap entirely.
The EU AI Act classifies certain AI systems as high-risk based on their deployment sector and potential harm to individuals. Systems used in credit scoring, employment screening, biometric identification, and critical infrastructure management fall within that category. Providers and deployers of high-risk AI systems face mandatory conformity assessments, technical documentation requirements, and ongoing human oversight obligations before placing a product on the EU market.
This case study traces the classification analysis we conducted, the compliance strategy we recommended, and the lessons that apply to any Polish or foreign company deploying AI in regulated sectors. The matter involved a fintech operating in Poland and expanding into two other EU member states.
What was the client's situation?
The client was a mid-sized fintech registered in Warsaw, processing consumer credit applications through a proprietary machine-learning model. The model assigned creditworthiness scores that determined whether applicants received loan offers and on what terms. The board had not conducted any formal AI Act classification review. They assumed the system fell outside the high-risk category because it did not make final decisions autonomously.
That assumption was legally incorrect. Under the AI Act, a system used in the assessment of creditworthiness of natural persons qualifies as high-risk regardless of whether a human formally approves the final outcome. The relevant factor is the system's role in the decision-making process, not its nominal autonomy. The Polish Financial Supervision Authority (KNF) and the National Court Register (KRS) both serve as reference points when assessing whether an entity is subject to sectoral financial regulation that intersects with AI Act obligations.
The client also operated a recruitment screening tool that ranked job applicants before human review. Employment-related AI systems constitute a second category of high-risk systems under the Act. Two separate high-risk systems in one company – neither formally identified as such.
How did we approach the classification analysis?
We began with a structured mapping exercise. Every AI system in the client's product stack was listed and assessed against the Act's Annex III criteria. That annex defines eight sectors where AI systems are presumed high-risk: biometric identification, critical infrastructure, education, employment, essential private and public services, law enforcement, migration management, and administration of justice. The credit-scoring model fell squarely within essential private services. The recruitment tool fell within employment.
We then assessed whether either system qualified for the limited exception applicable to narrow-purpose tools. The Act excludes systems that perform preparatory tasks for human assessment, provided those systems do not profile natural persons. Both tools profiled individuals. Neither exception applied. Our team secured a formal classification opinion within 14 days – a timeline that mattered because the client's Series B financing round required regulatory clarity before closing.
We also flagged the intersection with board-level liability considerations. Directors who place a non-compliant high-risk AI system on the market without completing the required conformity assessment risk personal exposure. That risk is not theoretical – it mirrors the personal liability framework that applies to other regulated compliance failures under Polish corporate legislation.
- Identify every AI system in the product stack
- Map each system against the eight Annex III sectors
- Assess whether profiling of natural persons occurs
- Check for applicable exceptions before concluding classification
- Document the classification rationale in writing
What compliance steps followed the classification finding?
Once both systems were confirmed as high-risk, we structured a phased compliance programme. Phase one covered technical documentation – the Act requires providers to maintain records of training data, model architecture, and accuracy metrics. The client's internal engineering team had partial documentation. Gaps existed in bias-testing records and data governance logs. We worked with their data protection officer to align AI Act documentation with existing GDPR obligations in Poland, avoiding duplication where the frameworks overlapped.
Phase two addressed the conformity assessment. High-risk AI systems in the financial services sector must undergo a conformity assessment before deployment or, for systems already deployed, within the transitional period provided by the Act. The client's credit-scoring model had been live for 18 months. We advised that the transitional period created a compliance window of approximately 12 months from the Act's full application date, but that the window is forfeited if the system undergoes significant modification – a point often missed by product teams who treat model retraining as routine maintenance rather than a regulatory event.
We also reviewed the client's cross-border expansion plans in light of our technology law practice across multiple jurisdictions. For a company deploying AI systems in Poland, Germany, and the Netherlands simultaneously, the Act applies as EU regulation – directly binding without national transposition. However, national supervisory authorities retain enforcement roles. Coordinating compliance documentation across three jurisdictions required a single master technical file with jurisdiction-specific annexes. We finalised that structure within six weeks.
We secured a written compliance roadmap accepted by the client's investors in Małopolska (winter 2025), allowing the financing round to close on schedule. The roadmap covered both systems, mapped every outstanding documentation gap, and assigned internal ownership for each remediation task.
What lessons transfer to other companies?
The most transferable lesson is definitional. Companies routinely misread the high-risk threshold by focusing on autonomy rather than sector. If your AI system operates in one of the eight Annex III sectors and processes data about natural persons, the starting presumption is high-risk. Rebutting that presumption requires documented analysis, not intuition.
A second lesson concerns timing. The Act's transitional provisions protect companies that act promptly. A company that identifies a high-risk system, documents its classification reasoning, and begins a conformity assessment before the compliance deadline is in a materially different position from one that defers. Deferral precludes access to the transitional window and exposes the company to enforcement from day one of full application. That consequence is irreversible once the deadline passes.
IP protection intersects with this analysis in ways that are easy to overlook. Companies that build proprietary AI models often hold those models as trade secrets or seek IP protection strategies comparable to those used by Swiss technology companies in Poland. The technical documentation required by the AI Act – architecture records, training data logs, bias assessments – can, if improperly handled, expose commercially sensitive information. Structuring documentation to satisfy regulatory requirements without waiving trade-secret protection requires deliberate legal design. A Warsaw-based IP lawyer, or one otherwise familiar with DORA compliance and trademark frameworks, can integrate those concerns from the outset.
Our team obtained a confirmed classification clearance and investor-ready compliance roadmap for a fintech client in the Mazowieckie region (autumn 2024), enabling a financing round to close without regulatory conditions attached. The lesson is not that compliance is easy. It is that early engagement converts a potential deal-blocker into a manageable workload.
To discuss how the AI Act's high-risk classification applies to your specific systems and sector, contact info@kordeckipartners.com for a tailored assessment.
Frequently asked questions
Q: Does a system that only supports human decisions still qualify as high-risk?
A: Yes. The AI Act does not require full autonomy for a system to be classified as high-risk. A system that profiles natural persons or materially influences decisions in an Annex III sector qualifies regardless of whether a human formally approves the outcome. The decisive factor is the system's role in the decision process, not its nominal independence.
Q: How long does a conformity assessment take, and what does it cost?
A: For most high-risk AI systems in the financial services or employment sectors, a conformity assessment takes between eight and sixteen weeks, depending on the completeness of existing technical documentation. Costs vary with complexity, but companies should budget for both legal advisory fees and internal engineering time to compile and verify records. Starting early reduces both timelines and costs substantially.
Q: Is there a common misconception about the Act's application to existing systems?
A: The most frequent misconception is that AI systems deployed before the Act's full application date are permanently exempt. They are not. The transitional provisions grant a limited compliance window, but that window closes if the system undergoes a significant modification – including major model retraining. Companies treating routine updates as outside the regulatory framework risk losing transitional protection without realising it.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to technology law, AI regulation, and IP protection. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.