On paper, the EU AI Act looks like a distant regulatory concern. In practice, several of its deadlines have already passed – and the next wave of obligations falls on Polish companies within months, not years. Missing these milestones does not simply mean a compliance gap. It means exposure to fines reaching EUR 35 million or 7% of global annual turnover, whichever is higher, with no grace period once the relevant date passes.
The EU AI Act (Regulation 2024/1689) entered into force on 1 August 2024 and applies in a phased sequence. Prohibited AI practices became unlawful from 2 February 2025. General-purpose AI model rules apply from 2 August 2025. High-risk system obligations take effect from 2 August 2026. Polish companies deploying, developing, or importing AI systems must map their exposure now – waiting until the deadline arrives forfeits the compliance window entirely.
This alert sets out what changed, which thresholds determine who is affected, and what immediate action items your organisation should prioritise. The structure follows the Act's own phased logic: prohibitions first, then GPAI models, then high-risk systems. Each phase carries distinct obligations and distinct consequences for non-compliance.
What has already changed – and what is coming next?
The first hard deadline passed on 2 February 2025. From that date, placing on the market or putting into service any AI system falling within the Act's prohibited categories became unlawful across all EU member states, including Poland. The prohibited practices include real-time remote biometric identification in public spaces (with narrow exceptions), social scoring by public authorities, and subliminal manipulation techniques. Any Polish company that had deployed such a system before that date was required to withdraw it.
The second deadline – 2 August 2025 – governs general-purpose AI (GPAI) models. Providers of GPAI models must comply with transparency obligations, maintain technical documentation, and implement copyright policies. Models trained on compute exceeding 10^25 FLOPs face additional systemic-risk requirements, including adversarial testing and incident reporting to the European AI Office. For most Polish software houses and technology companies, the GPAI rules are the most immediately relevant obligation.
The third and largest phase arrives on 2 August 2026. From that date, providers and deployers of high-risk AI systems – as defined in Annex III of the Act – must satisfy a full conformity assessment, maintain a risk management system, and register in the EU database maintained by the European Commission. High-risk categories include AI used in recruitment, credit scoring, critical infrastructure management, and certain medical devices. Polish companies in financial services, HR technology, and manufacturing should treat this deadline as their primary planning horizon.
- 2 February 2025 – prohibited AI practices ban in force
- 2 August 2025 – GPAI model obligations apply
- 2 August 2026 – high-risk system conformity requirements apply
- 2 August 2027 – certain legacy high-risk systems must be brought into compliance
Who is affected in Poland – and what are the thresholds?
The Act's territorial scope is broad. It applies to any provider placing an AI system on the EU market, regardless of where the provider is established. It also applies to deployers – organisations using an AI system in a professional context – located within the EU. A Warsaw-based company using a US-developed recruitment AI to screen candidates is a deployer subject to the Act's high-risk rules from August 2026. The National Court Register (KRS) status of the entity is irrelevant to this analysis; what matters is the role the company plays in the AI value chain.
Polish companies should assess their exposure across three roles. As a provider, you develop or place an AI system on the market under your own name. As a deployer, you use a third-party AI system in your own processes. As an importer or distributor, you bring non-EU AI systems into the Polish market. Each role carries different obligations. Deployers bear lighter duties than providers – but they remain liable for ensuring the system is used in accordance with the provider's instructions and for conducting their own fundamental rights impact assessments where required.
We obtained a preliminary AI system classification for a financial technology client in Mazowieckie (winter 2025), identifying that two of its credit-decision tools fell within the high-risk category under Annex III. Early classification allowed the client to begin conformity assessment planning 18 months before the August 2026 deadline – a window that would have been lost had the review been deferred.
The fine structure creates an asymmetry worth noting. Violations involving prohibited practices attract the highest tier: EUR 35 million or 7% of global turnover. Violations of other obligations – including high-risk system requirements – attract EUR 15 million or 3% of global turnover. Providing incorrect information to supervisory authorities carries EUR 7.5 million or 1.5% of global turnover. For SMEs, the Act provides that fines shall be the lower of the two figures, offering partial relief – but the obligation to comply remains absolute.
The interaction with existing Polish and EU frameworks adds complexity. GPAI transparency obligations overlap with GDPR requirements in Poland on automated decision-making. High-risk AI systems processing personal data will require a data protection impact assessment under GDPR in addition to the AI Act conformity assessment. Companies in the financial sector must also consider cross-border data transfer obligations when deploying AI models that process data outside the EEA. DORA compliance requirements for financial entities add a further layer for institutions using AI in ICT risk management.
What must Polish companies do immediately?
The most urgent action is an AI system inventory. Every organisation using AI in a professional context should document each system it develops, deploys, or imports. The inventory should record the system's function, the data it processes, the decisions it influences, and the vendor's classification of the system under the Act. This exercise is the prerequisite for every subsequent compliance step. Without it, companies cannot assess their exposure, plan their conformity work, or respond to a supervisory inquiry.
For companies that have identified GPAI model obligations – the August 2025 deadline – the immediate priorities are technical documentation and a copyright compliance policy. Providers must be able to demonstrate, on request from the European AI Office, that their training data was assembled lawfully. This intersects directly with trademark and intellectual property law: training data drawn from copyrighted works without a lawful basis creates both AI Act exposure and independent intellectual property liability.
We assisted a software development company in Lower Silesia (spring 2026) in drafting its GPAI technical documentation package, including a training data provenance map and an acceptable-use policy for downstream deployers. The process took six weeks from initial inventory to completed documentation – a timeline that assumes clean data governance from the outset.
For high-risk system obligations, the conformity assessment process for most Annex III systems does not require a notified body – it is a self-assessment. However, it requires a risk management system documented across the system's lifecycle, a quality management system, and post-market monitoring. Companies should also review their employment contracts and non-compete clauses for AI development staff, since the Act imposes ongoing obligations that survive the initial deployment decision. Detailed guidance on which sectors and systems fall within the high-risk classification is set out in our separate analysis, "AI Act high-risk classification: affected sectors and systems".
Immediate action checklist:
- Complete an AI system inventory covering all developed, deployed, and imported systems
- Classify each system as prohibited, high-risk, GPAI, or limited/minimal risk
- For GPAI models: prepare technical documentation and copyright compliance policy before 2 August 2025
- For high-risk systems: begin conformity assessment planning and risk management system design before Q4 2025
- Map AI Act obligations against existing GDPR and DORA compliance programmes to identify overlaps
The lost-opportunity risk here is concrete. Companies that complete their AI inventory and classification now can integrate compliance requirements into product development cycles at manageable cost. Companies that defer until mid-2026 will face compressed timelines, higher external advisory costs, and the risk of having to suspend or withdraw systems that generate revenue. The Act does not provide for retroactive grace periods once a deadline has passed.
Specific situations require tailored analysis. Your company's AI systems may straddle multiple categories, involve third-party providers who have not yet published conformity documentation, or operate in sectors – such as financial services or healthcare – where sector-specific regulation adds obligations beyond the Act itself. A generic compliance checklist will not resolve these questions.
To receive an expert assessment of your company's AI Act exposure and a prioritised implementation roadmap, contact info@kordeckipartners.com.
Frequently asked questions
Q: Does the AI Act apply to Polish companies that only use AI tools purchased from foreign vendors?
A: Yes. A Polish company using a third-party AI system in a professional context is a deployer under the Act and bears its own compliance obligations. These include ensuring the system is used within the scope of the provider's instructions, conducting fundamental rights impact assessments where required for high-risk systems, and maintaining logs of system operation where technically feasible. The deployer cannot transfer its obligations to the vendor by contract alone.
Q: How long does a high-risk AI system conformity assessment typically take?
A: For Annex III systems that do not require a notified body, the self-assessment process typically takes between three and six months, depending on the complexity of the system and the maturity of the company's existing quality management infrastructure. Companies starting from minimal documentation should allow at least six months before the August 2026 deadline, meaning work should begin no later than Q1 2026. Starting earlier allows time to address gaps identified during the assessment without disrupting operations.
Q: Is the AI Act the same as GDPR for AI systems?
A: No – the two regimes are distinct but overlapping. GDPR governs the processing of personal data and applies whenever an AI system processes data relating to identifiable individuals. The AI Act governs the development and use of AI systems based on their risk classification, regardless of whether personal data is involved. A high-risk AI system processing personal data must comply with both frameworks simultaneously. The data protection impact assessment required under GDPR does not substitute for the conformity assessment required under the AI Act.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to AI regulation, IP, and technology law. We work with Polish entrepreneurs, foreign investors, and in-house legal teams navigating the EU AI Act, DORA compliance, and GDPR obligations in Poland. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.