A Warsaw-based IT company deploys a machine-learning tool to screen job applicants. Months later, its compliance officer discovers that the system falls squarely within the EU AI Act's high-risk category – triggering mandatory conformity assessments, documentation requirements, and post-market monitoring obligations that were never budgeted for. The cost of retrofitting compliance can easily exceed the original development spend.
The EU AI Act establishes a tiered classification framework in which certain AI systems are designated high-risk based on the sector they operate in and the functions they perform. High-risk systems must satisfy obligations covering risk management, data governance, technical documentation, transparency, human oversight, and accuracy before they are placed on the EU market or put into service. Providers and deployers operating in Poland must align with these requirements by the deadlines set out in the regulation's phased implementation schedule, with the core obligations for high-risk systems applying from August 2026.
This guide walks through the classification logic step by step, identifies the sectors most exposed, outlines the compliance procedure and its costs, and flags the mistakes that businesses in Poland most commonly make. Three business scenarios – manufacturing, IT services, and a foreign investor entering the Polish market – illustrate how the rules apply in practice.
How does the AI Act's high-risk classification work?
The classification system operates on two tracks. The first covers AI systems that are themselves safety components of products already regulated under EU product-safety law – think machinery, medical devices, or civil aviation equipment. The second track lists eight standalone areas where AI poses significant risk to health, safety, or fundamental rights. Both tracks carry equivalent obligations once a system is classified as high-risk.
The eight standalone areas include: biometric identification and categorisation; critical infrastructure management (energy, water, transport); education and vocational training; employment and worker management; access to essential private and public services; law enforcement; migration and border control; and administration of justice. Any AI system performing a function within these areas must be assessed against the high-risk criteria before it reaches users. Providers have 30 days from classification to register the system in the EU database maintained by the European Commission.
Classification is not permanent. A system may be reclassified if its intended purpose changes. This matters for Polish companies that update or retrain models after initial deployment. The National Court Register (KRS) filing for the operating entity does not change, but the AI Act compliance file must be updated to reflect the new intended purpose and the reclassification outcome.
One practical checkpoint: the regulation draws a clear line between "intended purpose" and actual use. A system marketed for HR analytics but deployed for individual performance scoring in a disciplinary context may cross into the employment-management category regardless of how the vendor describes it. Deployers – not only providers – carry direct obligations under Polish and EU law once they expand use beyond the intended purpose.
Which sectors in Poland face the highest exposure?
Four sectors account for the majority of high-risk deployments in Poland. Understanding the exposure in each sector is the starting point for any compliance programme. Registration in the EU database is mandatory before the system is placed on the market, and penalties for non-registration can reach EUR 10 million or 2 % of global annual turnover, whichever is higher.
Financial services and insurance. AI systems used for creditworthiness assessment, insurance underwriting, or fraud detection that affect access to financial products fall within the essential-services category. Polish entities supervised by the Polish Financial Supervision Authority (KNF) face a dual compliance burden: the AI Act's high-risk obligations run alongside DORA compliance requirements for ICT risk management. The overlap is not merely technical – the documentation formats differ and must be maintained separately.
Employment and HR technology. Recruitment screening, CV filtering, and performance-monitoring tools are explicitly listed. A mid-size Polish manufacturer using an automated shortlisting tool for factory-floor roles must conduct a conformity assessment, maintain a technical file, and appoint a human reviewer with genuine override authority. We helped a manufacturing client in the Mazowieckie region restructure its HR-tech stack to separate high-risk from low-risk modules, avoiding a full conformity assessment across the entire platform (autumn 2025).
Healthcare and medical devices. AI systems embedded in medical devices regulated under EU medical device law are classified high-risk by default. Polish hospitals and medtech companies must coordinate with the Office for Registration of Medicinal Products, Medical Devices and Biocidal Products (URPL) on device registration while simultaneously satisfying the AI Act's technical documentation requirements.
Education and public administration. Tools that determine access to education or assess students in ways that affect their academic trajectory are high-risk. Polish public-sector entities deploying such systems must align with both the AI Act and the requirements of the Personal Data Protection Office (UODO) under the GDPR as applied in Poland, since many educational AI systems process special-category data.
What is the step-by-step compliance procedure?
Compliance for a high-risk AI system follows a defined sequence. Skipping steps does not reduce the obligation – it simply defers the risk until a market-surveillance authority or, in Poland, the designated national supervisory body conducts an inspection. The full procedure typically takes three to six months for a system already in development.
The steps are:
- Classification audit – map the system's intended purpose against the two-track classification framework. Document the outcome with legal sign-off.
- Risk management file – establish and maintain a continuous risk management process covering known and foreseeable risks throughout the system's lifecycle.
- Technical documentation – compile the mandatory file covering system architecture, training data, performance metrics, and known limitations.
- Conformity assessment – for most high-risk systems, self-assessment against the Act's requirements is permitted; systems involving biometric identification or certain safety components require third-party assessment by a notified body.
- EU database registration – register the system within 30 days of classification; providers established outside the EU must appoint an authorised representative in Poland or another member state.
Post-deployment, providers must implement post-market monitoring and report serious incidents to the supervisory authority within 15 days of becoming aware of them. This ongoing obligation has no fixed end date – it runs for the system's operational life.
For a foreign investor entering Poland, the authorised-representative requirement deserves early attention. A Warsaw-based IP lawyer can structure the representative appointment efficiently, but the appointment must be in place before the system is placed on the Polish market – not after a complaint is filed.
What are the common mistakes and how can they be avoided?
Three mistakes appear repeatedly in early AI Act compliance work. Each carries an irreversible consequence if it is not corrected before the August 2026 deadline for high-risk obligations.
Treating classification as a one-time exercise. Classification must be revisited whenever the system's intended purpose changes, when training data is substantially updated, or when the system is deployed in a new sector. A Polish IT services company that classified its document-processing tool as non-high-risk in 2024 may find that a 2025 update – adding automated decision-making on loan applications – triggers reclassification. Failure to reclassify precludes the company from lawfully placing the updated system on the market and forfeits the protection of the conformity assessment already completed.
We obtained a favourable classification opinion for a fintech client in Silesia that had inadvertently expanded its system's use case without triggering a reclassification review – allowing it to complete a compliant market launch before the competitor that had filed first (spring 2026).
Conflating GDPR and AI Act documentation. Data protection impact assessments under the GDPR in Poland and AI Act technical files serve different purposes and are reviewed by different authorities. The Personal Data Protection Office (UODO) oversees GDPR compliance; the designated AI supervisory body will oversee the AI Act. Submitting a DPIA as a substitute for a technical file will not satisfy an inspection. Companies should maintain both documents in parallel, cross-referencing where appropriate.
Ignoring the deployer's obligations. Many Polish businesses assume that purchasing a CE-marked high-risk AI system from a vendor transfers all compliance responsibility. It does not. Deployers must conduct a fundamental-rights impact assessment before deploying certain systems, implement human oversight measures, and report serious incidents independently. The vendor's conformity assessment covers the system as supplied; it does not cover the deployer's specific use case. This distinction is particularly relevant for trademark and IP management tools that use AI to assess infringement risk – the deployer's legal team remains responsible for the outputs.
Frequently asked questions
Q: Does the AI Act apply to AI systems already deployed in Poland before August 2026?
A: Yes, with a transitional period. Systems placed on the market or put into service before the high-risk obligations apply have until August 2027 to achieve compliance, provided the system has not undergone a significant change in design or intended purpose. A significant change restarts the compliance clock. Companies should document the system's status as of the cut-off date to establish the baseline for the transitional period.
Q: How much does AI Act compliance cost for a high-risk system in Poland?
A: Costs vary significantly by system complexity. A self-assessment for a straightforward employment-screening tool typically requires 80 to 150 hours of legal and technical work, translating to a professional-services cost in the range of PLN 40,000 to PLN 120,000 depending on the firm and the system's complexity. Third-party conformity assessment by a notified body adds a further EUR 15,000 to EUR 50,000. Post-market monitoring is an ongoing operational cost that should be budgeted annually.
Q: Is it a misconception that open-source AI models are exempt from high-risk classification?
A: Largely, yes. The AI Act contains a limited exemption for open-source general-purpose AI models released under open licences, but this exemption does not extend to high-risk AI systems. If an open-source model is integrated into a system that performs a high-risk function – such as automated CV screening – the provider of that integrated system carries the full high-risk obligations. The open-source origin of the underlying model is not a defence against non-compliance.
To receive an expert assessment of your AI system's classification status and compliance roadmap, contact info@kordeckipartners.com.
Specific circumstances vary significantly between organisations. Misclassifying a system as non-high-risk – or failing to update a classification after a significant change – precludes lawful market placement and forfeits the window for orderly compliance before enforcement begins.
If your company deploys or plans to deploy AI systems in any of the sectors identified above, our team will conduct a classification audit, draft the required technical documentation, and coordinate the EU database registration: info@kordeckipartners.com.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to AI regulation, IP, and technology compliance. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.
Jakub specialises in IP, technology law, AI regulation, and DORA. His work on AI Act classification matters spans financial services, HR technology, healthcare, and public-sector deployments across Poland and the wider CEE region. For further reading on cross-border data and enforcement matters relevant to AI compliance, see our guides on data transfer from Poland to Switzerland, enforcing arbitral awards in Poland, and our earlier overview of AI Act high-risk classification fundamentals.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.