A Warsaw-based fintech company discovered, six months before its product launch, that the credit-scoring model at the core of its platform fell squarely within the European Union's Rozporządzenie w sprawie sztucznej inteligencji (AI Act) high-risk classification. The compliance timeline was compressed. The commercial stakes were real. Re-engineering the system after launch would have been far more expensive – and potentially fatal to investor confidence.

The AI Act establishes a tiered classification system for artificial intelligence. Systems designated as high-risk must satisfy mandatory conformity requirements before they are placed on the market. For Polish companies and foreign investors operating in Poland, the classification decision is the first – and most consequential – step in the compliance process.

This case study traces how one client resolved its classification uncertainty, the strategy applied, the process followed, and the lessons that transfer directly to other affected sectors.

What triggered the high-risk classification question?

The client operated a consumer lending platform. Its AI model scored creditworthiness automatically, with no human reviewer involved in the initial decision. Under the AI Act, AI systems used in credit assessment for natural persons fall within the category of high-risk systems. That category triggers a mandatory conformity assessment before deployment.

The client had assumed – incorrectly – that because the model was developed in-house and not sold as a standalone product, it fell outside the regulation's scope. This is a common misconception. The AI Act applies to providers and deployers alike. A company that develops and uses an AI system for its own commercial purposes is both provider and deployer simultaneously.

Classification uncertainty had a direct commercial cost: the company's Series A term sheet contained a representation that all regulatory approvals were in place. Misclassification would have constituted a breach of that representation. The window to resolve the issue was 90 days before the scheduled closing date.

How did the legal strategy address classification and sector exposure?

The first task was a formal classification analysis. The AI Act's high-risk list covers eight sector annexes. Relevant here were systems used in access to essential private services – specifically credit and insurance. The analysis confirmed high-risk status within three working days. That confirmation, while unwelcome, was commercially valuable: it replaced uncertainty with a defined compliance roadmap.

We structured the response across three parallel workstreams. First, technical documentation under the AI Act's conformity requirements – covering risk management, data governance, and human oversight mechanisms. Second, a GDPR Poland alignment review, because automated credit decisions engage data subject rights under the General Data Protection Regulation, including the right to explanation. Third, a DORA compliance check, because the client's platform was integrated with a regulated payment institution, and DORA's ICT risk requirements applied to that contractual chain.

We obtained interim written confirmation from the Polish Financial Supervision Authority (Komisja Nadzoru Finansowego, KNF) that the client's planned human-oversight mechanism satisfied the "meaningful human review" threshold. That confirmation was obtained within 45 days of engagement. It was annexed to the investor disclosure schedule.

We secured a favourable classification opinion for a fintech client in the Mazowieckie region (autumn 2025), allowing the Series A to close on schedule with full regulatory disclosure in place.

What process lessons apply to other affected sectors?

The classification question recurs across multiple industries. Healthcare providers using AI for diagnostic triage, HR platforms using AI for candidate screening, and infrastructure operators using AI for access control all face the same threshold question: does this system fall within an annex category? Getting that answer wrong – in either direction – carries cost.

Under-classification means deploying a high-risk system without conformity documentation. The AI Act provides for market surveillance by national competent authorities. In Poland, the designated authority is expected to operate under the supervision of the Office of Competition and Consumer Protection (Urząd Ochrony Konkurencji i Konsumentów, UOKiK). Non-compliant deployment can result in fines reaching EUR 15 million or three percent of global annual turnover, whichever is higher.

Over-classification carries a different cost. A company that treats a general-purpose AI tool as high-risk will spend resources on conformity documentation that the regulation does not require. For early-stage companies, that misallocation can delay product launch by three to six months.

Our team also obtained a corrected classification for an IT services client in Lower Silesia (winter 2025), reversing an internal determination that had incorrectly designated a document-processing tool as high-risk. The correction saved an estimated four months of unnecessary compliance work.

For companies with IP-sensitive AI models, classification decisions intersect with trade secret protection. Conformity documentation may need to be submitted to regulators. Structuring what is disclosed – and what remains protected – requires coordination between AI Act compliance and IP strategy. For further guidance on protecting proprietary technology, see our analysis of trade secret protection strategies under Polish law.

What should affected companies prepare now?

The AI Act's high-risk provisions apply from August 2026 for most annex categories. That deadline is closer than it appears. Conformity documentation, risk management systems, and human oversight mechanisms all require lead time to implement properly.

Companies operating across jurisdictions – including those expanding into Poland from Ukraine or other markets – face an additional layer. The AI Act applies on a market basis: if the system is used in the EU, the regulation applies regardless of where the developer is incorporated. For cross-border technology strategies, see our guide on IP protection strategy for Ukraine tech companies in Poland.

The checklist below captures the minimum preparation steps for any company that has not yet completed a classification review:

  • Map all AI systems in use or under development against the eight high-risk annex categories
  • Identify whether the company acts as provider, deployer, or both for each system
  • Assess GDPR Poland obligations for any system making automated decisions about natural persons
  • Review contracts with regulated counterparties for DORA compliance exposure
  • Prepare a classification opinion document for investor and regulatory disclosure purposes

For companies with M&A activity in the pipeline, classification status is now a standard due diligence item. Buyers are asking. Sellers who cannot answer precisely are at a negotiating disadvantage. For the corporate structuring dimension, see our overview of corporate and M&A services in Poland.

Specific situations require specific analysis. A classification that is obvious in one sector may be contested in another. The August 2026 deadline does not allow time for a second attempt.

To discuss how the AI Act high-risk classification applies to your systems, email info@kordeckipartners.com.

Frequently asked questions

Q: Does the AI Act apply to a Polish company that uses a third-party AI tool rather than building its own?

A: Yes. The AI Act distinguishes between providers – who develop or place AI systems on the market – and deployers – who use AI systems in a professional context. A Polish company using a third-party high-risk AI system for commercial purposes is a deployer and carries its own set of obligations under the regulation. Those obligations include conducting a fundamental rights impact assessment in certain cases and maintaining human oversight. Deployer obligations apply from August 2026 for most high-risk categories.

Q: How long does a classification review typically take, and what does it cost?

A: A focused classification opinion for a single AI system typically takes five to ten working days, depending on the technical documentation available. Where the system is already documented, the process is faster. Cost varies with complexity, but most classification reviews fall within a defined fixed-fee engagement. Companies that delay classification reviews until the final quarter before the August 2026 deadline face compressed timelines and higher costs if remediation is needed.

Q: Is a trademark or IP registration relevant to AI Act compliance?

A: Trademark registration is not a direct AI Act requirement. However, companies submitting conformity documentation to regulators should ensure that model names, proprietary methodologies, and technical architecture details are protected before disclosure. An IP lawyer Warsaw-based clients work with can structure disclosure in a way that satisfies regulatory requirements without forfeiting trade secret protection. This is particularly relevant for AI systems where the algorithm itself is the core commercial asset.

About KORDECKI & Partners

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to IP, technology law, AI regulation, and DORA compliance. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.