On paper, the EU AI Act looks like a single unified regulation. In practice, it imposes layered transparency duties that differ sharply depending on what your system does, who deploys it, and where your users are located. For AI providers operating in Poland – whether a Warsaw-based startup or a foreign company placing systems on the Polish market – the compliance clock is already running.

The EU AI Act (Regulation (EU) 2024/1689) applies directly in Poland and imposes transparency obligations on providers of AI systems from August 2026 for general-purpose AI models, with earlier obligations for prohibited systems already in force since February 2025. Providers must disclose that users are interacting with AI, label synthetic content, and maintain technical documentation. Non-compliance carries fines of up to EUR 15 million or 3% of global annual turnover, whichever is higher.

This alert sets out what has changed, which thresholds determine your obligations, and the concrete steps your legal and technical teams must take before the next compliance deadline.

What did the AI Act change for providers in Poland?

The AI Act introduced a tiered framework built around risk levels. The first tier – prohibited AI practices – became enforceable on 2 February 2025. This matters immediately: any Polish entity or foreign provider placing AI systems on the Polish market must already be clear of the prohibited list. The Urząd Ochrony Danych Osobowych (Personal Data Protection Office, UODO) and the designated national market surveillance authority will both play enforcement roles. The Urząd Komunikacji Elektronicznej (Office of Electronic Communications, UKE) is also expected to have oversight functions for certain AI-enabled services.

The transparency obligations that affect the broadest range of providers take effect from 2 August 2026. These apply to general-purpose AI (GPAI) systems and to AI systems that interact directly with natural persons. The core duty is straightforward: users must be informed they are engaging with an AI system, not a human. Providers of emotion recognition systems and biometric categorisation tools face additional labelling requirements. Operators of deepfake generators must mark outputs as artificially generated – a requirement with direct relevance to media, marketing, and legal-tech companies active in Poland.

One threshold deserves particular attention. GPAI models trained on compute exceeding 10^25 FLOPs are classified as posing systemic risk. Providers of those models face stricter duties: adversarial testing, incident reporting to the European AI Office, and cybersecurity measures aligned with DORA compliance standards. Most Polish startups will fall below this threshold, but any company integrating third-party foundation models must verify the provider's classification.

Who is affected and what are the immediate action items?

The obligation falls on the "provider" – the entity that develops or places an AI system on the market under its own name. If a Polish company customises a third-party model and deploys it as its own product, it becomes the provider for AI Act purposes. Distributors and deployers carry lighter duties, but they are not exempt. This distinction is critical for IT companies, SaaS platforms, and legal-tech firms advising clients through AI-assisted tools.

Three categories of Polish business face the most immediate exposure. First, companies using AI chatbots or virtual assistants in customer-facing roles must implement disclosure notices before August 2026 – a 16-month window that sounds generous but is not, given the documentation requirements. Second, HR technology providers using automated CV screening or candidate ranking tools must assess whether their systems qualify as high-risk under Annex III of the AI Act; if so, conformity assessments are mandatory. Third, any provider generating synthetic audio, video, or text for commercial distribution must embed machine-readable watermarks or equivalent technical markers.

We secured a compliance roadmap and documentation package for an IT services client in the Mazowieckie region (winter 2026), enabling them to restructure their AI product line ahead of the August deadline without interrupting client delivery.

  • Audit your AI systems portfolio and classify each by risk tier before June 2026.
  • Implement user-facing disclosure notices for all conversational AI tools.
  • Review contracts with third-party AI model providers for transparency pass-through clauses.
  • Prepare technical documentation and conformity assessment files for any high-risk systems.
  • Align synthetic content labelling with the AI Act's machine-readable marking requirements.

GDPR Poland obligations intersect directly with the AI Act where personal data is processed. Providers must ensure that their AI transparency notices do not conflict with existing privacy notices under the General Data Protection Regulation. UODO has indicated it will coordinate enforcement with the AI supervisory authority. An IP protection strategy for tech companies in Poland should now incorporate AI Act compliance as a standard component, particularly for firms holding trademark and software IP assets tied to AI products.

Cross-border providers face an additional layer of complexity. A company established outside the EU that places AI systems on the Polish market must appoint an EU authorised representative. For groups with holding structures – for example, those using data transfer mechanisms from Poland to third countries – the interaction between AI Act obligations and data localisation rules requires careful mapping. Our analysis of data transfer from Poland to the UAE illustrates how multi-jurisdictional compliance chains can create unexpected exposure points.

We obtained a full regulatory gap analysis for a German-owned SaaS provider operating in Lower Silesia (spring 2026), identifying three transparency gaps that would have triggered supervisory review under the August 2026 regime.

Board members should also note that AI Act non-compliance can feed into broader corporate liability exposure. Where an AI system causes harm and the provider failed to meet transparency obligations, directors may face questions about governance failures. The principles discussed in our overview of board liability under Polish law apply by analogy: personal liability follows from systemic organisational failures, not just individual decisions.

Specific compliance timelines to track: prohibited AI practices – enforceable since 2 February 2025; GPAI model obligations and transparency rules for direct-interaction systems – 2 August 2026; high-risk system conformity assessments for new market entrants – 2 August 2027. Missing the August 2026 deadline for transparency disclosures is not a technical oversight. It is a regulatory failure that precludes the safe-harbour protections available to compliant providers and forfeits the right to self-certify conformity.

Your company's specific AI product mix determines which obligations apply and in what sequence. Acting after a supervisory inquiry opens is irreversible – it removes the option of voluntary compliance and triggers formal proceedings.

To receive an expert assessment of your AI Act compliance position, contact info@kordeckipartners.com.

Frequently asked questions

Q: Does the AI Act apply to a Polish company that only uses AI tools internally, without selling AI products?

A: A company that deploys AI systems developed by third parties for internal use is classified as a "deployer," not a provider. Deployers carry lighter obligations – primarily around high-risk system use and employee transparency – but are not fully exempt. If the company customises a third-party model and makes it available to clients, even without a separate licence fee, it likely becomes a provider and faces the full transparency regime. The boundary between deployer and provider should be assessed against the specific contractual and technical arrangement, not assumed.

Q: How long does it take to prepare the required technical documentation for a high-risk AI system?

A: For a moderately complex AI system, assembling the technical file required under the AI Act typically takes between 8 and 16 weeks, depending on how well the development process was documented. The file must cover system architecture, training data governance, risk management procedures, and post-market monitoring plans. Starting this process after the August 2026 deadline is not an option for new market entrants – the conformity assessment must be completed before placing the system on the market. Companies that have not begun documentation by early 2026 face a real risk of missing the window.

Q: Is an IP lawyer in Warsaw the right adviser for AI Act compliance, or is this purely a regulatory matter?

A: AI Act compliance sits at the intersection of IP law, data protection, and technology regulation. A Warsaw-based IP lawyer with experience in technology transactions can address the trademark, software copyright, and licensing dimensions – but the compliance programme itself requires regulatory expertise specific to the AI Act framework. The most effective approach combines IP counsel with a specialist in GDPR Poland and AI regulation. At KORDECKI & Partners, our IP and tech practice handles both dimensions, including DORA compliance for financial sector clients deploying AI-enabled systems.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to AI regulation, IP protection, and technology compliance. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.