A Warsaw-based software company had been deploying a customer-facing chatbot for nearly eighteen months before the EU AI Act entered into force. The product team assumed existing GDPR disclosures were sufficient. They were not. When the firm's general counsel reviewed the new transparency requirements, it became clear that the chatbot's interaction design, its training data disclosures, and its documentation architecture all needed to be rebuilt – under a hard regulatory deadline.

The EU AI Act imposes direct transparency obligations on providers of AI systems deployed in Poland and across the European Union. Systems that interact with natural persons must disclose their artificial nature at the point of interaction. General-purpose AI models require technical documentation and copyright-related summaries. Non-compliance can trigger supervisory action by the Polish authority designated under the Act, with fines reaching EUR 15 million or 3% of global annual turnover for certain breaches.

This case study walks through how we helped the Warsaw company map its obligations, restructure its disclosure architecture, and prepare for supervisory review – and what similar providers can take from that process.

What was the background, and why did existing disclosures fall short?

The client operated a B2C platform in the financial services sector. Its chatbot handled account queries, product recommendations, and complaint triage. Under Rozporządzenie o ochronie danych osobowych (General Data Protection Regulation, GDPR), the company had a privacy notice and a lawful basis for processing. That framework, however, addresses data rights – not the distinct transparency duties created by the AI Act.

The AI Act introduces a separate disclosure layer. Any AI system designed to interact with natural persons must inform those persons, in a clear and timely manner, that they are interacting with an AI. The obligation applies at the moment of interaction, not buried in a terms-of-service page. The client's chatbot displayed a generic "virtual assistant" label that appeared only on first login. That fell short on two counts: it was not sufficiently prominent, and it did not appear at each interaction session.

The Office for Personal Data Protection (UODO) in Poland had already signalled, through its published GDPR enforcement trends, that it views layered disclosure failures seriously. The AI Act supervisory framework will sit alongside GDPR enforcement. Regulators are unlikely to treat the two regimes as separate silos. That context shaped our urgency assessment from day one.

We also identified a secondary gap. The client had licensed a third-party large language model (LLM) as the chatbot's underlying engine. Under the AI Act, providers who place an AI system on the market under their own name become responsible for compliance – even if the core model was built by someone else. The client had not yet obtained the technical documentation it needed from its LLM supplier.

How did we structure the compliance strategy?

The strategy had three phases, each with a defined output and a deadline. Phase one ran for 30 days and focused on gap mapping. Phase two – remediation design – ran for 45 days. Phase three covered documentation and supplier engagement, with a 60-day horizon. Total elapsed time: under five months from first instruction to a defensible compliance position.

In phase one, we conducted a system classification exercise. The AI Act distinguishes between prohibited AI practices, high-risk AI systems, and systems subject only to transparency obligations. Financial product recommendation engines can border on high-risk territory depending on their decision-making weight. We assessed the chatbot against the Act's Annex III criteria. Our conclusion: the system did not qualify as high-risk under the current classification, but it sat close enough to the boundary that we recommended the client maintain high-risk-equivalent documentation as a precaution.

That recommendation reflects a broader principle we apply across IP and technology matters. For clients entering the Polish market with technology products, we consistently advise building documentation to the higher standard when the classification is genuinely ambiguous. The cost of over-preparation is low. The cost of reclassification after a supervisory inquiry is not. Providers with cross-border IP portfolios face the same logic – as we discussed in our note on IP protection strategy for Switzerland tech companies in Poland.

Phase two produced three concrete outputs: a revised interaction-layer disclosure script, a user-facing transparency notice drafted to AI Act standard, and an internal conformity self-assessment template. The disclosure script required UX input – legal language alone does not satisfy the "clear and timely" standard if the interface buries it.

What did the process reveal about supplier contracts?

The supplier engagement in phase three produced the most commercially significant findings. The client's LLM licence agreement predated the AI Act. It contained no obligations on the supplier to provide technical documentation, no representation about training data copyright summaries, and no allocation of liability for transparency failures attributable to the model's architecture.

We secured a reversal of unfavourable contractual terms for a fintech client in the Mazowieckie region (spring 2026), renegotiating its AI supplier agreement to include mandatory documentation delivery within 20 days of any regulatory inquiry. That outcome became a template for the chatbot client's renegotiation. The revised agreement now requires the LLM supplier to deliver an updated technical summary within 15 business days of any material model change – a timeline that aligns with the client's own internal update cycle.

Supplier contract gaps are the single most common structural weakness we see in AI Act readiness reviews. Most providers focus on their own user-facing disclosures and overlook the upstream documentation chain. The AI Act's transparency obligations for general-purpose AI models include a requirement to publish a summary of training data used for pre-training. Where a provider licenses rather than builds the model, that summary must come from the supplier. Without a contractual mechanism to obtain it, the provider has no reliable path to compliance.

The M&A dimension matters here too. Companies acquiring technology businesses in Poland should treat AI Act supplier documentation as a due diligence item. The absence of compliant upstream contracts can affect valuation and post-closing liability. Our note on share deal vs asset deal structures addresses how liability allocation differs depending on transaction structure – a distinction that applies equally in AI-adjacent acquisitions.

What are the transferable lessons for AI providers?

Four lessons emerge from this matter that apply across sectors and company sizes.

  • GDPR compliance does not substitute for AI Act compliance. The two frameworks address different obligations. A valid privacy notice does not satisfy the interaction-layer disclosure requirement.
  • Classification uncertainty is itself a risk. If your system sits near the high-risk boundary, document to the higher standard while the regulatory guidance consolidates.
  • Supplier contracts must be reviewed and updated before any supervisory inquiry arrives. Reactive renegotiation under pressure produces worse outcomes than proactive revision.
  • Disclosure design is a UX question as much as a legal one. "Clear and timely" is a functional standard. Legal drafting must be tested against the actual user journey.

The client completed its compliance programme before the first enforcement cycle under the Act's transparency provisions. That timing matters. Supervisory authorities across the EU, including the Polish market surveillance bodies designated under the Act, are building their enforcement pipelines now. Providers who act in the next 90 days will be in a materially stronger position than those who wait.

For technology companies operating in Poland, DORA compliance obligations in the financial sector add a further layer of operational resilience requirements that interact with AI governance frameworks. Trademark and IP registration – particularly for AI-generated outputs and model names – also requires early attention. An IP lawyer in Warsaw with technology sector experience can identify registration windows before they close.

What to prepare before a supervisory review:

  • Interaction-layer disclosure script, reviewed against the "clear and timely" standard
  • System classification assessment with supporting reasoning
  • Technical documentation or, for licensed models, a supplier documentation agreement
  • Training data copyright summary (or contractual right to obtain one)
  • Internal conformity self-assessment, dated and version-controlled

The compliance window is open. It will not remain open indefinitely. Providers who treat AI Act transparency as a documentation exercise – rather than a structural redesign – will find themselves revisiting the work when the first enforcement decisions land.

The specific facts of your AI deployment will determine which transparency obligations apply and in what sequence. Waiting for supervisory guidance to crystallise before acting forfeits the ability to shape your compliance architecture on your own terms.

To discuss how the AI Act's transparency obligations apply to your system, email info@kordeckipartners.com. We will assess your current disclosure architecture, identify supplier contract gaps, and produce a prioritised remediation plan.

Frequently asked questions

Q: Does the AI Act apply to companies established outside the EU that deploy AI systems in Poland?

A: Yes. The Act applies to providers and deployers whose AI systems produce outputs used in the European Union, regardless of where the provider is established. A company based in the United States or Ukraine that operates a customer-facing AI system accessible to Polish users is within scope. The Polish market surveillance authority has jurisdiction to act against such providers.

Q: Is it a common misconception that a chatbot labelled "virtual assistant" already satisfies the AI Act's disclosure requirement?

A: It is one of the most frequent misunderstandings we encounter. The Act requires disclosure that is clear, prominent, and delivered at the moment of interaction – not on first login or buried in terms of service. A generic "virtual assistant" label that appears only once during account setup does not meet this standard. The disclosure must be repeated at the start of each interaction session.

Q: How long does it typically take to reach a defensible compliance position, and what does it cost?

A: For a single-system deployment of moderate complexity, the gap mapping, remediation design, and documentation phases together typically run 90 to 150 days. Cost depends on whether supplier contract renegotiation is required and how complex the system classification analysis is. Providers who have maintained GDPR-standard documentation from the outset will move faster and at lower cost than those starting from scratch.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to IP, technology regulation, and AI Act compliance. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.