A Warsaw-based software house receives a contract to supply a recruitment screening tool to a major Polish employer. The tool ranks candidates automatically. Nobody on the legal team has heard of the Rozporządzenie w sprawie sztucznej inteligencji (EU Artificial Intelligence Act, AI Act). The deadline for full compliance passed months ago – and the penalties are already accruing.
The AI Act entered into force on 1 August 2024 and applies in full from 2 August 2026 for most high-risk AI systems. Polish companies deploying, developing, or distributing AI must classify their systems, implement governance structures, and register certain applications in the EU database before that date. Failure to comply exposes operators to fines of up to EUR 35 million or 7% of global annual turnover – whichever is higher.
This guide walks through the AI Act's phased timeline, the classification methodology, the governance steps Polish companies must complete, and the three business scenarios that most frequently arise in practice. It also addresses common mistakes and the FAQ questions clients ask most often.
What is the AI Act's phased timeline and when do Polish obligations begin?
The AI Act does not impose all obligations at once. It operates in four distinct phases, each with its own deadline and scope. Understanding which phase applies to your organisation is the starting point for any compliance project. Polish companies that miss the phase structure risk front-loading unnecessary work – or, worse, missing the dates that matter most.
Phase one began on 2 February 2025. From that date, all organisations using AI systems in Poland must comply with the prohibition on unacceptable-risk AI. This covers systems that manipulate human behaviour subliminally, exploit vulnerabilities of specific groups, or enable social scoring by public authorities. Any system falling into this category must be discontinued immediately. The Urząd Ochrony Danych Osobowych (Personal Data Protection Office, UODO) and the future Polish AI supervisory authority will both have oversight here.
Phase two runs from 2 August 2025. It covers obligations for general-purpose AI (GPAI) model providers. If a Polish company develops or fine-tunes a foundation model – even for internal use – it must maintain technical documentation, comply with copyright transparency rules, and, for systemic-risk models, conduct adversarial testing. The threshold for systemic risk is training compute exceeding 10^25 FLOPs.
Phase three, the main event for most businesses, arrives on 2 August 2026. High-risk AI systems listed in Annex III of the AI Act must by then meet conformity assessment requirements, be registered in the EU AI database, and carry CE marking where applicable. This phase captures recruitment tools, credit scoring systems, biometric categorisation, and AI used in critical infrastructure – all common in the Polish market.
Phase four extends to 2 August 2027 for AI systems embedded in regulated products already subject to third-party conformity assessment (medical devices, machinery, vehicles). Polish manufacturers in these sectors gain an extra year, but the documentation work should begin now. Waiting until 2027 to start is not a strategy.
How should Polish companies classify their AI systems?
Classification is the foundation of the entire compliance exercise. The AI Act uses a four-tier risk pyramid: unacceptable risk (prohibited), high risk (Annex III list plus regulated products), limited risk (transparency obligations only), and minimal risk (no mandatory obligations). Getting the classification wrong – in either direction – creates either unnecessary cost or unmanaged legal exposure.
We secured a compliance reclassification for a fintech client in the Mazowieckie region (spring 2026) whose internal legal team had incorrectly flagged a customer churn prediction tool as high-risk. The reclassification avoided a six-figure conformity assessment spend. Classification errors cut both ways.
The classification process involves three steps. First, map every AI system in use – including third-party tools integrated via API. Many Polish companies discover during this exercise that they are deploying AI they did not consciously procure: embedded scoring models in HR software, recommendation engines in CRM platforms, or automated moderation in customer service tools. Second, match each system against the Annex III categories. The list covers eight domains: biometric identification, critical infrastructure, education, employment, essential private and public services, law enforcement, migration, and administration of justice. Third, assess whether any exemption applies. Annex III systems used purely for research or with a human override that prevents binding decisions may qualify for a reduced regime.
For cross-border deployments – a Polish subsidiary using a system developed by a German parent, for instance – the question of who bears the provider obligations and who bears the deployer obligations must be resolved contractually. This intersects directly with IP protection strategy for tech companies operating across Central European jurisdictions, where allocation of compliance responsibility is a recurring negotiation point.
- Map all AI systems, including third-party integrations
- Match each system against Annex III categories
- Assess exemptions (research use, no binding output)
- Allocate provider vs. deployer obligations contractually
- Document classification rationale in writing
What governance steps must high-risk AI operators complete before August 2026?
For companies operating high-risk AI systems, the AI Act imposes a structured set of governance obligations. These must be in place before 2 August 2026. The obligations fall on both providers (those who develop or substantially modify a system) and deployers (those who use a system under their own authority). Polish companies are frequently both – building a proprietary tool and deploying it commercially.
Providers must establish a quality management system covering data governance, technical documentation, logging, human oversight mechanisms, and accuracy and robustness testing. The technical documentation must be maintained for ten years after the system is placed on the market. This is a significant records management obligation for companies without existing document retention policies aligned to the Krajowy System e-Faktur (National e-Invoice System, KSeF) or similar regulatory frameworks.
Deployers carry a distinct but overlapping set of duties. They must conduct a fundamental rights impact assessment before deploying any Annex III system in a public-facing context. They must assign human oversight to a named individual with the authority and competence to intervene. They must also notify employees and their representatives – under Polish labour law, this may require consultation with the Państwowa Inspekcja Pracy (State Labour Inspectorate, PIP) in certain contexts. Ignoring the labour dimension is one of the most common mistakes we see.
Registration in the EU AI database is mandatory for most high-risk systems. The database is operated by the European Commission. Polish companies must register before deployment, not after. The registration requires the system's intended purpose, the conformity assessment procedure used, and the name of the notified body where applicable. Non-registration precludes lawful deployment – a genuinely irreversible consequence if a product launch is already scheduled.
For advice on how these obligations interact with data transfer requirements – particularly for AI systems that process personal data routed through non-EEA servers – see our analysis "Data transfer from Poland to Switzerland: legal mechanisms".
What are the three business scenarios Polish companies face most often?
Three scenarios recur in our practice. Each has a different risk profile and a different compliance path. Understanding which scenario applies to your organisation determines the budget, timeline, and governance structure required.
Scenario one: the Polish software house as provider. A Warsaw-based IT company builds a document processing tool powered by a large language model and sells it to corporate clients across the EU. The company is a provider under the AI Act. It must complete conformity assessment, prepare technical documentation, affix CE marking, and register in the EU AI database before its first commercial deployment. If the tool processes employment-related documents – contracts, performance reviews – it likely falls under Annex III. Budget for conformity assessment: EUR 15,000 to EUR 50,000 depending on system complexity and whether a notified body is required.
Scenario two: the manufacturing company as deployer. A Silesian manufacturer integrates a predictive maintenance AI system purchased from a German vendor. The company is a deployer. Its obligations are lighter than the provider's but still significant: fundamental rights impact assessment, human oversight assignment, employee notification, and contractual clarification with the German vendor on documentation access. The vendor must supply the technical documentation; the deployer must ensure it exists before going live.
Scenario three: the foreign investor entering Poland. A US technology group acquires a Polish AI startup. The startup has never conducted a system classification exercise. The investor discovers, during legal due diligence, that the target's flagship product is a high-risk AI system with no conformity assessment, no technical documentation, and no registration. This creates both a pre-closing risk (the deal price) and a post-closing liability (personal liability of the management board for non-compliance). We obtained interim measures protecting transaction value for a foreign investor in Lower Silesia (autumn 2025) in a comparable situation by structuring a compliance escrow arrangement.
Each scenario also intersects with intellectual property questions. AI-generated outputs, training data rights, and model ownership are live issues in Polish IP practice. Our broader analysis of cross-border structuring for companies operating in Poland addresses how these IP considerations interact with corporate structure choices.
To receive an expert assessment of your company's AI Act exposure, contact info@kordeckipartners.com. Our team will map your systems, identify applicable obligations, and prepare a phased compliance roadmap.
What are the most common mistakes and how do you avoid them?
AI Act compliance projects fail in predictable ways. Identifying the failure modes early saves time and money. The following patterns appear repeatedly in our advisory work across Warsaw and Kraków.
Mistake one: treating AI Act compliance as an IT project. The AI Act is fundamentally a legal and governance instrument. Technical teams can map systems and build logging infrastructure. But fundamental rights impact assessments, contractual allocation of provider/deployer duties, and registration in the EU AI database require legal input. Companies that delegate the entire project to their IT department typically discover the legal gaps at the worst possible moment – during a regulatory inspection or a transaction due diligence.
Mistake two: ignoring the interaction with GDPR. Most high-risk AI systems process personal data. The AI Act's data governance requirements and the Rozporządzenie Ogólne o Ochronie Danych (General Data Protection Regulation, GDPR) overlap substantially. A data protection impact assessment (DPIA) required under GDPR may partially satisfy the AI Act's fundamental rights impact assessment – but only if scoped correctly. Running two parallel processes without cross-referencing them wastes resources and creates inconsistencies that regulators notice.
Mistake three: assuming DORA compliance covers AI Act obligations. Financial sector companies that have invested heavily in DORA compliance sometimes assume this work carries over to the AI Act. It does not. DORA addresses ICT risk management and operational resilience. The AI Act addresses system classification, conformity assessment, and human oversight. The two frameworks are complementary but distinct. A bank that is fully DORA-compliant may still have unregistered high-risk AI systems.
Mistake four: missing the employment law dimension. Deploying AI in recruitment, performance management, or workforce monitoring triggers obligations under both the AI Act and Polish labour law. Failure to notify employees and their representatives before deployment can expose the company to a challenge under the Kodeks pracy (Labour Code) as well as an AI Act violation. The two-track exposure – regulatory fine plus employment dispute – is avoidable with proper sequencing.
What to prepare before August 2026:
- Complete AI system inventory across all business units
- Written classification rationale for each system
- Technical documentation for any system you develop or substantially modify
- Fundamental rights impact assessment for each Annex III deployment
- Named human oversight officer with documented authority
For tailored guidance on your AI governance programme, reach out to info@kordeckipartners.com. Our team combines IP, technology, and employment law expertise to address the full compliance picture.
Frequently asked questions
Q: Does the AI Act apply to Polish companies using AI tools built by foreign vendors?
A: Yes. A Polish company that deploys a foreign-built AI system under its own authority is a deployer under the AI Act and bears deployer obligations regardless of where the system was developed. These include conducting a fundamental rights impact assessment, assigning human oversight, and ensuring the provider has made technical documentation available. Deployers cannot contract out of these obligations – they can only allocate cost and information-sharing duties between themselves and the provider.
Q: How long does a conformity assessment for a high-risk AI system typically take, and what does it cost?
A: Timeline and cost depend on whether the system requires third-party assessment by a notified body or whether a self-assessment route is available. Self-assessment for Annex III systems (where permitted) typically takes three to six months and costs EUR 10,000 to EUR 30,000 in external advisory and documentation work. Third-party assessment through a notified body can take six to twelve months and cost EUR 30,000 to EUR 80,000 or more. Companies should factor these timelines into product launch schedules now – not in the summer of 2026.
Q: Is it a misconception that minimal-risk AI systems require no action at all?
A: Partly. The AI Act imposes no mandatory obligations on minimal-risk systems, but three other frameworks may still apply. GDPR, as applied in Poland, requires a DPIA if the system processes personal data at scale. Polish labour law requires employee notification if the system monitors workplace behaviour. Trademark and IP considerations arise if the system generates outputs that could infringe third-party rights. Treating "minimal risk under the AI Act" as equivalent to "no legal obligations whatsoever" is a common and costly misconception.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to AI regulation, IP, and technology compliance. We work with Polish entrepreneurs, foreign investors, and in-house legal teams navigating the AI Act, DORA compliance, GDPR Poland, and related frameworks. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.