A Warsaw-based software house receives a request from its largest client: certify that your AI-powered recruitment tool complies with the EU AI Act before renewing the contract in Q3 2026. The development team has heard of the regulation. The legal team has not yet mapped it. The clock is already running.
The EU AI Act entered into force on 1 August 2024 and applies in phases through August 2027. Polish companies that develop, deploy, or integrate AI systems must classify those systems by risk level, meet conformity requirements, and – for high-risk applications – register in the EU database before placing them on the market. Failure to comply before the applicable deadline precludes market access and exposes operators to fines of up to EUR 35 million or 7% of global annual turnover, whichever is higher.
This guide walks through the implementation timeline phase by phase, identifies the steps Polish businesses must take now, and flags the most common mistakes that forfeit compliance credit already earned. It covers three business scenarios – a manufacturing company, an IT product firm, and a foreign investor entering the Polish market – and closes with a practical checklist and FAQ.
What does the AI Act timeline look like for Polish companies?
The AI Act does not arrive as a single deadline. It rolls out in four distinct phases, each activating new obligations. Polish companies must map their AI portfolio against each phase rather than waiting for a single "go-live" date. The first binding obligation – a ban on unacceptable-risk AI systems – became enforceable on 2 February 2025, six months after entry into force.
Phase two activates on 2 August 2025. From that date, obligations for General-Purpose AI (GPAI) model providers apply, along with governance rules for notified bodies and the requirement to establish internal AI literacy programmes for all staff who work with AI systems. Polish companies that use foundation models from third-party providers must obtain updated contractual assurances from those providers by this date or risk becoming liable as deployers.
Phase three – the core high-risk obligations – takes effect on 2 August 2026. This is the deadline that matters most for the majority of Polish businesses. High-risk AI systems in areas such as employment, credit scoring, biometric identification, and critical infrastructure must by then have completed conformity assessments, be registered in the EU AI Act database maintained by the European Commission, and carry CE marking where required. For companies that have not started the conformity process, twelve months is a tight window.
- 2 February 2025 – prohibited AI practices banned
- 2 August 2025 – GPAI obligations and AI literacy rules active
- 2 August 2026 – high-risk AI system obligations fully enforceable
- 2 August 2027 – high-risk AI in Annex I regulated products (machinery, medical devices) fully covered
Poland has not yet designated its national competent authority under the AI Act. The Office for Personal Data Protection (Urząd Ochrony Danych Osobowych, UODO) is widely expected to take a coordinating role alongside a new or expanded supervisory body. Until the designation is finalised, Polish companies should assume UODO will be the primary contact point – particularly where AI systems process personal data, which is the common case.
How should Polish companies classify and assess their AI systems?
Classification is the first substantive step. Every AI system a Polish company develops or deploys must be placed into one of four risk categories: unacceptable, high-risk, limited-risk, or minimal-risk. The classification determines the compliance burden. Getting it wrong in either direction is costly – under-classification exposes the company to enforcement; over-classification wastes resources on unnecessary conformity procedures.
Unacceptable-risk systems are already banned. These include social scoring by public authorities, real-time remote biometric identification in public spaces (with narrow exceptions), and AI that exploits psychological vulnerabilities. Any Polish company operating such a system after 2 February 2025 faces immediate enforcement action and personal liability for management board members who authorised continued use.
High-risk classification carries the heaviest obligations. The AI Act lists high-risk systems in two annexes: systems embedded in regulated products (medical devices, machinery, vehicles) and standalone systems in eight sensitive domains. Employment screening tools, credit risk models, and systems used in education or vocational training all fall here. A Warsaw IT company that sells an AI-driven CV-ranking tool to HR departments is, almost certainly, operating a high-risk system. That company must complete a conformity assessment – either self-assessment or third-party, depending on the product category – before August 2026.
We secured a reversal of a classification dispute for a fintech client in the Mazowieckie region (autumn 2025), where the company's AI credit-scoring module had initially been treated as minimal-risk by its own compliance team. Reclassification as high-risk required a full data-governance overhaul but ultimately protected the client from enforcement exposure ahead of the August 2026 deadline.
Limited-risk systems – chatbots, deepfake-generating tools, emotion-recognition interfaces – face transparency obligations only. Users must be informed they are interacting with an AI. This is the category most Polish e-commerce and customer-service platforms will occupy. Minimal-risk systems (spam filters, AI in video games) have no mandatory obligations, though voluntary codes of conduct will be published.
What are the step-by-step compliance obligations for high-risk AI?
For high-risk AI systems, the AI Act imposes a structured compliance pathway. Polish companies acting as providers – those who place an AI system on the market or put it into service under their own name – carry the full burden. Deployers (companies that use a provider's system in their own operations) carry a narrower but still significant set of duties. The distinction matters enormously for liability allocation in contracts.
Step one is a risk-management system. Providers must establish, implement, document, and maintain a risk-management system throughout the AI system's lifecycle. This is not a one-time audit. It is a continuous process that must be updated whenever the system is substantially modified. Polish companies should build this into their product development cycle no later than Q1 2026 to leave time for remediation before August.
Step two covers data governance. Training, validation, and testing datasets must meet quality criteria: they must be relevant, representative, and free from errors that could produce discriminatory outputs. For Polish companies processing personal data in AI training sets, this obligation intersects directly with GDPR requirements enforced by UODO. A data-protection impact assessment under GDPR and a technical documentation package under the AI Act will often need to run in parallel.
Step three is technical documentation and the EU declaration of conformity. Providers must prepare a technical file covering system architecture, training methodology, performance metrics, and intended purpose. This file must be kept for ten years after the system is placed on the market. The declaration of conformity – a formal statement that the system meets AI Act requirements – must accompany the system and be available to national supervisory authorities on request.
- Establish a risk-management system (continuous, documented)
- Implement data-governance procedures for training datasets
- Prepare technical documentation and keep it for 10 years
- Register the system in the EU AI Act database before market placement
- Affix CE marking where required by applicable product legislation
Step four is registration. Before placing a high-risk AI system on the market, providers must register it in the EU database. This database is publicly accessible for most entries. The registration requirement alone creates a disclosure dynamic that many Polish companies have not anticipated: competitors, clients, and regulators will be able to see what AI systems a company has placed on the market and under what risk classification.
How do three Polish business scenarios compare in AI Act exposure?
The compliance burden varies sharply depending on the company's role, sector, and AI use case. Three scenarios illustrate the range – and reveal where the lost-opportunity risk is sharpest for companies that delay action.
Scenario one: a manufacturing company in Silesia uses AI-powered predictive maintenance software embedded in its production line. If the software is integrated into machinery covered by EU product safety legislation, it falls under the Annex I high-risk category and must comply by August 2027 – one year later than standalone high-risk systems. This extra year is a genuine planning advantage, but it does not eliminate the obligation. The company must begin technical documentation and risk-management work in 2026, not 2027.
Scenario two: a Warsaw IT company develops and sells an AI recruitment platform to corporate clients across Central and Eastern Europe. This is a standalone high-risk system in the employment domain. The August 2026 deadline applies. The company is a provider and carries the full conformity assessment burden. Its clients – the HR departments that use the platform – are deployers and must conduct fundamental-rights impact assessments before deploying the system. The contractual allocation of these responsibilities should be addressed now, not at the point of renewal.
Scenario three: a German investor with a Polish subsidiary deploys AI-based customer credit-scoring tools. Here the exposure is layered. The subsidiary is likely a deployer, not a provider – but deployer obligations under the AI Act are not trivial. The subsidiary must verify that the provider has completed conformity assessment, maintain logs of system use, and report serious incidents to the national supervisory authority. Cross-border compliance – particularly where the provider is based outside the EU – requires careful due diligence. Our team obtained interim contractual protections for a German investor's Polish subsidiary in Lower Silesia (spring 2026) when its AI vendor failed to deliver the required conformity documentation on time.
The common thread across all three scenarios is timing. Companies that begin classification and gap analysis in Q1 2026 can realistically complete high-risk compliance before August. Companies that wait until Q2 2026 will almost certainly miss the deadline – and will forfeit the ability to place or continue operating their AI systems lawfully until remediation is complete.
What are the most common mistakes Polish companies make in AI Act preparation?
The most expensive mistake is misclassification in the direction of minimal risk. Polish companies frequently assume that because their AI tool is sold as a productivity feature – a document summariser, a scheduling assistant – it cannot be high-risk. But the AI Act classifies by intended purpose and actual use, not by how the tool is marketed. An AI system that assists in performance evaluation decisions, even as a "recommendation engine," may well be high-risk under the employment domain.
The second common mistake is treating AI Act compliance as an IT project rather than a legal and governance one. Technical documentation is only one component. Risk-management systems, fundamental-rights impact assessments, human oversight mechanisms, and post-market monitoring all require legal and operational input. Polish companies that assign the entire compliance programme to their development team will produce documentation that satisfies engineers but fails regulatory scrutiny.
The third mistake is ignoring the GPAI layer. Many Polish companies use large language models or other foundation models as components in their own products. From August 2025, providers of GPAI models with systemic risk face enhanced obligations. But Polish companies that build on top of those models also have obligations: they must understand the capabilities and limitations of the underlying model, obtain technical documentation from the GPAI provider, and ensure their own system's conformity assessment reflects the model's known limitations. Contracts with GPAI providers signed before August 2025 may not contain the required disclosures – and renegotiating them takes time.
Ignoring the intersection with GDPR is the fourth and arguably most operationally disruptive mistake. The Urząd Ochrony Danych Osobowych (Office for Personal Data Protection, UODO) has already demonstrated active enforcement in Poland. For AI systems that process personal data – which covers most high-risk categories – GDPR obligations run alongside AI Act obligations, not instead of them. Companies that have already invested in GDPR compliance infrastructure are well-placed to extend it. Those that have not face a double compliance build.
Frequently asked questions
Q: Does the AI Act apply to Polish companies that only use AI tools built by others, rather than developing their own?
A: Yes. The AI Act distinguishes between providers (who develop and place AI systems on the market) and deployers (who use those systems in their own operations). Polish companies that deploy high-risk AI systems built by third-party vendors must verify the provider's conformity, conduct fundamental-rights impact assessments, maintain use logs, and report serious incidents. The deployer's obligations are narrower than the provider's, but they are legally binding and enforceable from August 2026.
Q: How much does AI Act compliance typically cost for a Polish SME with one high-risk AI system?
A: Costs vary widely depending on system complexity and existing documentation. For a straightforward standalone high-risk system with an existing data-governance framework, legal and technical compliance work typically runs between EUR 15,000 and EUR 50,000. Systems requiring third-party conformity assessment, or where data-governance gaps are significant, can exceed EUR 100,000. Investing now is substantially cheaper than remediation after enforcement, which can trigger fines of up to EUR 15 million or 3% of global turnover for non-compliance by deployers.
Q: Is it a misconception that the AI Act only applies to AI companies?
A: It is. The AI Act applies to any company that develops, places on the market, puts into service, or deploys an AI system in the EU – regardless of the company's primary sector. A bank using AI for credit decisions, a hospital using AI for triage, a logistics company using AI for route optimisation, and a law firm using AI for document review are all within scope if those systems meet the relevant risk-level thresholds. Sector is relevant only in determining which annex applies to the classification.
What should Polish companies prepare now?
The window for orderly compliance is closing. Companies that act in Q1 2026 can complete the process before August. Companies that do not will find themselves either placing non-compliant systems on the market or pulling products while remediation continues – both outcomes forfeit competitive position and client trust.
The checklist below covers the minimum preparation steps for a Polish company with at least one potentially high-risk AI system.
- Complete an AI system inventory and preliminary risk classification by February 2026
- Identify your role (provider or deployer) for each system and allocate compliance responsibilities in contracts
- Launch data-governance review and align with existing GDPR documentation maintained under UODO oversight
- Begin technical documentation for high-risk systems and establish the risk-management system by April 2026
- Register high-risk systems in the EU AI Act database and finalise CE marking (where required) before August 2026
For companies with AI systems embedded in regulated products – medical devices, machinery, vehicles – the August 2027 deadline allows additional time. But technical documentation and risk-management work should begin no later than early 2027 to avoid the same last-minute pressure that the August 2026 cohort now faces.
Polish companies with cross-border AI deployments should also review the interaction between the AI Act and sector-specific EU law. DORA compliance requirements for financial-sector AI, the Medical Device Regulation for health-sector systems, and trademark and IP protection strategies for AI-generated outputs each create parallel obligations. A guide to IP protection strategy for technology companies operating across borders is available in "IP protection strategy for Slovak tech companies in Poland". Companies receiving EU-funded support for AI development should also review procurement and state-aid conditions: "EU funds compliance – KPO and RRF requirements in Poland" covers the relevant KPO and RRF framework. For the UODO enforcement context that will shape AI Act supervision, see "GDPR fines in Poland – UODO enforcement trends".
The specific situation of each company requires individual analysis. Waiting for full regulatory clarity – including Poland's designation of its national competent authority – is not a viable strategy. The August 2026 deadline is fixed. Remediation after that date precludes lawful operation of non-compliant high-risk systems until the deficiency is cured.
If your company develops, deploys, or integrates AI systems and has not yet completed a risk classification exercise, the time to act is now. To receive an expert assessment of your AI Act exposure and a tailored compliance roadmap, contact info@kordeckipartners.com.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to AI regulation, IP protection, and technology compliance. We work with Polish entrepreneurs, foreign investors, and in-house legal teams navigating EU regulatory frameworks including the AI Act, DORA, and GDPR. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.