A Warsaw-based software company receives a request from its largest client: confirm in writing that your AI-powered recruitment tool complies with the EU AI Act. The compliance team opens the regulation for the first time. What they find is a layered framework with staggered deadlines, risk-tier classifications, and technical documentation requirements that span dozens of pages. The clock is already running.

The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024 and applies in Poland – as in all EU member states – directly, without national transposition; Poland only has to designate its supervisory authorities and set penalties. Obligations take effect in phases: the prohibitions and the AI literacy duty applied from 2 February 2025, general-purpose AI model rules from 2 August 2025, the requirements for high-risk systems listed in Annex III (employment, credit, education and the other stand-alone use cases) from 2 August 2026, and the requirements for high-risk AI embedded as a safety component in products covered by EU product legislation (Annex I, for example machinery and medical devices) from 2 August 2027. Polish companies that deploy, develop, or import AI systems must map their exposure now and begin structured compliance work before each deadline passes.

This guide walks through the four-phase implementation timeline, explains how to classify your systems, and identifies the most common mistakes Polish businesses make at each stage. Three business scenarios – a manufacturing firm, an IT company, and a foreign investor – illustrate how the obligations land in practice. A checklist and FAQ close the guide.

What does the AI Act risk classification mean for Polish operators?

Risk classification is the first practical step. The AI Act places every AI system into one of four tiers: unacceptable risk (prohibited), high risk, limited risk, and minimal risk. Your compliance obligations depend entirely on which tier your system falls into. Getting this wrong at the outset forfeits your ability to plan resources and timelines accurately – a costly mistake that is difficult to reverse once regulators begin enforcement.

Prohibited practices (Article 5) include AI that manipulates human behaviour through subliminal or deliberately deceptive techniques, real-time remote biometric identification in publicly accessible spaces for law enforcement purposes (with narrow, judicially authorised exceptions), social scoring by public or private actors, and emotion recognition in workplaces and educational institutions outside medical or safety uses. These prohibitions applied from 2 February 2025. Any Polish company still operating a prohibited system after that date faces fines of up to EUR 35 million or 7% of global annual turnover, whichever is higher.

High-risk systems under Annex III cover eight regulated domains: biometrics, critical infrastructure, education and vocational training, employment and workers' management, access to essential private and public services (including creditworthiness assessment), law enforcement, migration and border management, and administration of justice and democratic processes. A second route to high-risk status is Annex I: AI used as a safety component of a product already subject to EU conformity assessment, such as machinery or medical devices. If your AI tool screens CVs, scores creditworthiness, or monitors employees, it almost certainly falls under Annex III. Article 6(3) lets a provider document why an Annex III system performs only a narrow procedural or preparatory task and is therefore not high risk, but that derogation never applies to a system that profiles natural persons, which captures most CV-screening and credit tools, and the provider must still register the self-assessment in the EU database. The Urząd Ochrony Danych Osobowych (Personal Data Protection Office, UODO) and the national market surveillance authority Poland designates will both have oversight roles, alongside the European AI Office, which supervises general-purpose AI models.

Limited-risk systems – chatbots that interact with people, and generated or manipulated content such as deepfakes – face transparency obligations only (Article 50): users must be told they are interacting with an AI, and synthetic content must be marked and disclosed. Emotion-recognition and biometric-categorisation tools also carry a transparency duty, but they are not merely limited risk: they sit in Annex III as high-risk systems and are prohibited outright in workplaces and schools. Minimal-risk systems, such as spam filters or basic recommendation engines, carry no mandatory obligations, though voluntary codes of conduct are encouraged. Mapping your portfolio against these tiers before August 2026 is non-negotiable.

What is the step-by-step implementation timeline?

The AI Act's phased structure gives companies a runway – but only if they use it. Four deadlines define the compliance calendar. Missing any one of them triggers escalating consequences, and the later deadlines build directly on work that should have been completed earlier. A company that skips phase one will find phase three structurally impossible to complete on time.

Phase 1 – Prohibited practices ban (2 February 2025). All unacceptable-risk AI systems must have been withdrawn or redesigned before this date. If your organisation has not yet audited for prohibited practices, that audit is overdue. Conduct it immediately and document the findings.

Phase 2 – General-purpose AI model obligations (2 August 2025). Providers of general-purpose AI models – large language models and similar foundation models – must maintain technical documentation, supply downstream integrators with the information they need, adopt a policy to comply with EU copyright law, and publish a summary of the content used for training. Models classified as posing systemic risk face additional obligations: model evaluation, adversarial testing, serious-incident reporting, and cybersecurity measures. Polish IT companies licensing or fine-tuning such models should review their contractual chain, but with one caveat: the Act assigns roles by conduct, not by agreement. A company that substantially modifies a model, fine-tunes it, or places it on the market under its own name can become a provider in its own right, and a deployer that changes a system's intended purpose or makes a substantial modification to a high-risk system takes over the provider's obligations (Article 25). Contracts can allocate documentation and cooperation duties between the parties; they cannot contract a statutory role away.

Phase 3 – High-risk system requirements (2 August 2026). This is the most operationally demanding phase. High-risk system providers must implement a risk management and quality management system, maintain technical documentation, keep logs, conduct conformity assessments, affix CE marking, and register Annex III systems in the EU database before placing them on the market. Deployers must use the system in accordance with the provider's instructions, assign human oversight to trained staff, keep the automatically generated logs, and inform affected workers and their representatives before putting a high-risk system into use at the workplace. A fundamental rights impact assessment (Article 27) is required only for certain deployers: public bodies, private operators providing public services, and deployers of systems used for creditworthiness assessment or for risk assessment and pricing in life and health insurance. Budget at least 6 to 12 months for this work. Starting in early 2026 is already late for complex systems.

Phase 4 – Product-embedded high-risk systems (2 August 2027). High-risk AI that is a safety component of a product covered by the EU product legislation listed in Annex I (machinery, medical devices, vehicles, lifts and similar) becomes subject to the high-risk requirements on this date, one year after the Annex III use cases, and its conformity assessment runs through the product's own sectoral procedure. Separately, the Act contains a transitional rule for systems already in use: high-risk systems placed on the market or put into service before 2 August 2026 are caught only if their design is significantly changed after that date, except that systems used by public authorities must comply by 2 August 2030 (Article 111). Whether an update amounts to a "significant change" in design will be contested ground for regulators and companies alike, so document the version history and the reasoning for every material update to a legacy system.

How do three Polish business scenarios map onto AI Act obligations?

Abstract timelines become concrete when applied to real business contexts. Three scenarios illustrate the range of obligations Polish companies face. Each scenario involves different risk tiers, different documentation burdens, and different internal stakeholders who must be engaged.

Manufacturing company in Silesia. A mid-sized manufacturer uses an AI-based predictive maintenance system and a computer-vision tool for quality control on the production line. Predictive maintenance ordinarily falls under minimal risk, unless the system is a safety component of critical infrastructure. The quality-control vision system, however, may qualify as a safety component of machinery – an Annex I high-risk category under the AI Act, which applies from 2 August 2027 and is assessed through the machinery conformity procedure rather than registered in the EU database. The company must conduct that conformity assessment, maintain the technical documentation for at least 10 years after the system is placed on the market, and keep the logs the system generates. GDPR compliance is a parallel obligation if the system captures worker biometric data – a point where AI Act rules and data protection law intersect directly, and where an emotion-recognition or performance-monitoring function on the same camera feed would shift the analysis to Article 5 and Annex III.

IT company in Warsaw. A software house develops an AI-powered recruitment screening tool sold to HR departments across Poland and the EU. As a provider of an Annex III high-risk system, it bears the heaviest obligations: risk and quality management systems, technical documentation, conformity assessment (internal control under Annex VI for an employment system, provided harmonised standards are followed), EU database registration, CE marking, and post-market monitoring and serious-incident reporting. It must also ensure its contracts with deployer clients allocate cooperation, logging and documentation responsibilities clearly, since each HR client is itself a deployer with duties to inform candidates and staff. Advice on model licensing, IP protection strategy for technology companies operating in Poland, and trademark clearance for AI-branded products should run in parallel with the regulatory compliance work.

Foreign investor entering Poland. A German group deploying an AI-based credit scoring tool through a Polish subsidiary is both a provider (if the model is customised or substantially modified locally) and a deployer, and as a deployer of a creditworthiness system it is one of the operators that must carry out a fundamental rights impact assessment under Article 27. It must navigate the interaction between AI Act obligations, GDPR requirements as applied in Poland (including the Article 22 rules on automated decisions), and sector-specific rules – in financial services, DORA adds a further layer for digital operational resilience. For context on how spatial and regulatory frameworks affect infrastructure decisions, see our analysis of spatial planning and zoning rules in Poland, which is relevant when siting AI-dependent data centres. An EU-based authorised representative (Article 22 of the AI Act) is required only for providers established outside the EU; a German parent is already established in the Union and does not need one, whereas a non-EU parent supplying the model would.

We assisted a fintech client in Małopolska (winter 2025) in restructuring its AI-assisted loan decisioning system to comply with high-risk requirements, reducing projected remediation costs by more than PLN 800,000 compared with a full system rebuild.

What are the most common mistakes Polish companies make in AI Act compliance?

Compliance failures tend to cluster around a small number of recurring errors. Identifying them in advance is far cheaper than correcting them under regulatory scrutiny. The following mistakes appear consistently across sectors and company sizes in Poland.

Mistake 1: Treating classification as obvious. Many companies assume their system is minimal risk without conducting a structured analysis. The AI Act's high-risk categories are broader than they appear. An HR tool that "just filters" applications is still a high-risk system if it influences employment decisions, and because it profiles natural persons it cannot use the Article 6(3) "narrow procedural task" derogation. Misclassification that goes uncorrected creates personal liability risks for board members who sign off on compliance declarations.

Mistake 2: Conflating GDPR and AI Act obligations. GDPR Poland compliance does not substitute for AI Act compliance. The two frameworks overlap – both require impact assessments, data governance, and transparency – but they are not identical. A system that passes a GDPR data protection impact assessment may still require a separate fundamental rights impact assessment under the AI Act. Running them in parallel, rather than sequentially, saves time and avoids gaps.

Mistake 3: Ignoring the contractual chain. The AI Act allocates obligations differently between providers and deployers. Many Polish companies are both – they use a third-party foundation model and then customise it for clients. Unless contracts clearly allocate responsibility, both parties may face concurrent obligations and neither may have the documentation the other needs. Review your AI vendor agreements now. For deeper analysis of how AI systems are classified and which sectors face the strictest requirements, see our dedicated guide on AI Act high-risk classification, affected sectors and systems.

Mistake 4: Underestimating documentation lead time. Technical documentation for high-risk systems is not a form to fill in. It includes architecture descriptions, training data summaries, accuracy metrics, and human oversight protocols. Assembling this documentation retroactively – after a system is already in production – can take 3 to 6 months and often requires rebuilding audit trails that were never created. Start documentation as part of the development process, not after deployment.

We helped an e-commerce client in Pomerania (spring 2026) navigate a supplier audit triggered by a major retail partner requiring AI Act documentation. The engagement resolved within 8 weeks because foundational documentation had been partially prepared in advance.

What should Polish companies prepare before each deadline?

A structured checklist prevents the most common omissions. The items below apply to any Polish company that develops, deploys, or imports AI systems. Prioritise by deadline proximity and risk tier.

  • AI system inventory: catalogue every AI tool in use, under development, or procured from third parties, with a preliminary risk-tier assessment for each.
  • Prohibited practice audit: confirm no system falls within the unacceptable-risk category; document the analysis and retain it.
  • Contractual chain review: identify whether your organisation is a provider, deployer, or both for each system; update vendor and client contracts to reflect AI Act allocations.
  • Documentation programme: for high-risk systems, begin technical documentation, quality management system design, and human oversight protocol development at least 12 months before the relevant deadline.
  • GDPR and AI Act alignment: run GDPR data protection impact assessments and, where Article 27 requires them, AI Act fundamental rights impact assessments in parallel, not sequentially, reusing the system description, data-flow mapping and risk register between the two.

The checklist is a starting point, not a substitute for legal analysis. The interaction between AI Act obligations, DORA requirements for financial sector entities, GDPR as applied in Poland, and sector-specific regulations requires tailored advice for each company's specific system portfolio.

Every Polish company using AI in a regulated sector faces a specific compliance gap that widens with each passing month. The August 2026 deadline for Annex III high-risk systems is closer than it appears once 12 months of documentation work is factored in. Postponing classification and documentation work forecloses the orderly, cost-efficient compliance path and forces a reactive, expensive remediation instead.

To receive an expert assessment of your company's AI Act exposure and a tailored implementation roadmap, contact info@kordeckipartners.com.

Frequently asked questions

Q: Does the AI Act apply to Polish companies that only use AI tools built by foreign providers?

A: Yes. Polish companies that use AI systems under their own authority – even systems entirely built by non-EU providers – are "deployers" under the AI Act and carry their own set of obligations. For high-risk systems these include operating the system in line with the provider's instructions, assigning human oversight to trained staff, retaining the logs, informing employees and their representatives before AI monitoring is used at the workplace, and, for public bodies and for users of credit-scoring or life and health insurance systems, conducting a fundamental rights impact assessment. The foreign provider's compliance does not discharge the Polish deployer's obligations, and a deployer that puts its own name on the system, substantially modifies it, or repurposes it for a high-risk use takes on the provider's obligations as well. Contracts with foreign vendors should explicitly address which party bears which documentation and notification duties.

Q: How long does it take to complete a conformity assessment for a high-risk AI system?

A: For most high-risk systems, a conformity assessment – including technical documentation, quality management system review, and (where required) third-party notified body involvement – takes between 6 and 12 months from the point at which documentation work begins in earnest. For Annex III systems other than biometrics, the assessment is the provider's own internal control procedure (Annex VI), so the time goes into producing and verifying the evidence rather than waiting on a third party; biometric systems and product-embedded (Annex I) systems may require a notified body. Companies that begin in early 2026 for August 2026 systems are already at the boundary of what is achievable without significant resource commitment. Systems requiring notified body assessment face additional scheduling constraints, as accredited bodies have limited capacity across the EU.

Q: Is there a common misconception about which AI systems qualify as "high risk"?

A: The most frequent misconception is that a system is not high risk simply because it produces a recommendation rather than a final decision. The AI Act's high-risk classification focuses on the intended purpose and the domain of use, not on whether a human formally approves the output. An AI tool that ranks job candidates is high risk even if a recruiter makes the final call. Similarly, an AI system that influences credit decisions is high risk regardless of whether a loan officer signs the approval. Classification must be based on a structured legal analysis of the system's function and deployment context, not on how the company internally describes the tool.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to IP, technology law, AI regulation, and DORA compliance. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.