On paper, the AI Act's transparency rules look manageable. In practice, Polish AI providers are discovering that "informing users" means far more than adding a disclosure line to a terms-of-service document. The obligations are layered, the deadlines are staggered, and the penalties for non-compliance reach EUR 15 million or 3% of global annual turnover – whichever is higher.

Regulation (EU) 2024/1689 – the EU AI Act – imposes direct transparency obligations on providers and deployers of AI systems placed on the Polish market. The rules apply in phases: obligations for general-purpose AI models became enforceable in August 2025, while obligations for high-risk AI systems apply from August 2026. Polish providers who miss these deadlines forfeit the right to continue deploying covered systems without regulatory exposure.

This alert covers three things: what the transparency rules actually require, which providers are caught by them, and what concrete steps must be taken now. Foreign investors operating Polish subsidiaries should read this alongside our analysis of AI Act high-risk classification, affected sectors and systems.

What have the AI Act transparency obligations changed?

The AI Act introduced a tiered disclosure framework that replaces the patchwork of national guidance that Polish providers had been navigating under Ustawa o świadczeniu usług drogą elektroniczną (the Act on Providing Services by Electronic Means). Three categories now carry hard transparency duties. First, providers of AI systems that interact with natural persons must disclose that the person is communicating with an AI – unless the context makes this obvious. Second, providers of emotion-recognition or biometric-categorisation systems must notify individuals at the point of use. Third, providers generating synthetic audio, video, image, or text content must label that content as AI-generated.

The labelling obligation is technically specific. Labels must be machine-readable and human-readable. The Urząd Ochrony Danych Osobowych (Personal Data Protection Office, UODO) has signalled it will treat inadequate labelling as a potential GDPR Poland violation where personal data is involved – creating a dual-enforcement risk. The Urząd Komunikacji Elektronicznej (Office of Electronic Communications, UKE) holds supervisory authority over certain digital-service providers, adding a third enforcement channel.

One detail that catches providers off guard: the obligation attaches to the provider placing the system on the market, not only to the entity that built the underlying model. A Warsaw-based SaaS company that integrates a third-party large language model and deploys it to Polish users is a provider for AI Act purposes. That status cannot be contracted away.

Who is affected, and what are the thresholds?

The AI Act applies to any provider that places an AI system on the market in the European Union – including Poland – regardless of where the provider is established. A Polish subsidiary of a US or Asian technology group is fully caught. So is a domestic startup with fewer than ten employees, unless it qualifies for the limited SME support measures in the regulation. Those measures ease documentation burdens but do not suspend the transparency obligations themselves.

For general-purpose AI (GPAI) models, the threshold that triggers the most demanding obligations is training compute exceeding 10^25 floating-point operations (FLOPs). Providers above that threshold must publish technical documentation, comply with EU copyright law, and release a summary of training data. Below that threshold, a lighter set of transparency duties still applies – including disclosure of model capabilities and known limitations to downstream deployers.

We secured a reversal of an administrative penalty for a technology client in the Mazowieckie region (autumn 2025) by demonstrating that the company's AI system fell outside the high-risk classification – a distinction the supervising authority had initially overlooked. Correct classification is the foundation of every compliance strategy.

Polish providers in the financial sector face a compounding obligation. DORA compliance requirements under Regulation (EU) 2022/2554 apply to ICT-related AI tools used by financial entities. A fintech deploying an AI credit-scoring tool must satisfy both AI Act transparency rules and DORA's ICT risk-management framework simultaneously. The overlap is not hypothetical – it is the default position for any regulated Polish financial institution using AI.

What must providers do now?

Three immediate actions carry the highest compliance value. First, map every AI system your organisation places on the Polish market against the AI Act's risk tiers. Systems interacting with users in real time – chatbots, recommendation engines, voice assistants – are the most immediate priority. The mapping exercise should produce a written register, because supervisory authorities will request it.

  • Conduct an AI system inventory and assign a risk tier to each system
  • Implement user-facing disclosure notices at the point of AI interaction
  • Apply machine-readable and human-readable labels to AI-generated content
  • Review contracts with third-party model providers to confirm transparency obligations are allocated
  • Appoint an internal AI compliance owner with a documented mandate

Second, review your contractual chain. If your product is built on a third-party model, your agreement with that provider must address who bears the transparency obligation. Many standard API agreements are silent on this point. Silence means the deployer – your company – carries the full exposure. This is also the moment to assess IP lawyer Warsaw-level review of any trademark or IP protections attached to AI-generated outputs, since the AI Act's content-labelling rules interact with intellectual property rights in ways that are still being tested before Polish courts.

Third, align your AI transparency documentation with existing GDPR Poland obligations. Where an AI system processes personal data, the transparency notice required by the AI Act must be consistent with the privacy notice required under GDPR. Inconsistent notices create dual exposure. Our team obtained interim compliance clearance for a software provider in Lower Silesia (spring 2026) by consolidating AI Act and GDPR disclosures into a single layered notice – a model that the UODO has not objected to in practice.

For technology companies with US operations or cross-border IP structures, the interaction between AI Act labelling and trademark protection deserves separate attention. Our analysis of IP protection strategy for US tech companies in Poland sets out how AI-generated content labelling affects brand and copyright positions. Separately, companies with Polish workforces deploying AI tools to employees should review the employment-law dimension covered in our guide on employment law compliance for Poland companies.

The window for voluntary self-assessment is narrowing. Supervisory authorities in Poland are building enforcement capacity. Providers who cannot demonstrate a documented compliance programme by the time the high-risk obligations take full effect in August 2026 will face not only financial penalties but the irreversible consequence of being required to withdraw systems from the market pending remediation.

A specific situation at your company requires a tailored assessment. Waiting until a supervisory inquiry arrives forfeits the ability to shape the compliance record proactively – a position that cannot be recovered once proceedings begin.

If your organisation deploys AI systems in Poland and has not yet mapped its transparency obligations under the AI Act, contact info@kordeckipartners.com. We will assess your system inventory, identify the applicable disclosure requirements, and produce a compliance roadmap with concrete deadlines.

Frequently asked questions

Q: Does the AI Act apply to a Polish company that only uses AI internally and does not sell AI products?

A: The AI Act distinguishes between providers (who place systems on the market or put them into service) and deployers (who use systems in a professional context). A company using an AI tool purely for internal HR screening is a deployer, not a provider. Deployers carry a narrower but still real set of obligations, including informing employees when AI systems are used in decisions affecting them. Under Polish employment legislation, this intersects with works-council consultation rights where a works council exists.

Q: How long does a provider have to implement transparency notices once a new AI system is launched?

A: The AI Act does not provide a grace period after launch. Transparency obligations apply from the moment a system is placed on the market or put into service. For systems already deployed before the relevant phase-in date, providers had until that date to achieve compliance. For new deployments after August 2025, compliance must be in place at launch. A 30-day remediation window is sometimes discussed informally, but it has no legal basis and should not be relied upon.

Q: Is AI Act compliance separate from GDPR, or can one notice cover both?

A: The obligations are legally separate – one arises under EU AI regulation, the other under EU data-protection law. However, a single layered notice can satisfy both sets of requirements if it addresses each element specifically. The UODO has not issued formal guidance on combined notices yet, but the approach is consistent with the GDPR principle of transparent processing. Legal review of the combined notice is advisable before publication, particularly where the AI system processes sensitive categories of personal data.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to AI regulation, IP protection, and technology compliance. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.