A Warsaw-based software company launches an AI-powered customer service chatbot. The product is live, clients are onboarding, and the commercial team is celebrating. Then the compliance officer asks a simple question: have we met our transparency obligations under the EU AI Act? The room goes quiet.
The EU AI Act imposes transparency obligations on AI providers and deployers operating in Poland, with binding application dates that began in February 2025 for prohibited-practice rules and extend to August 2026 for most provider obligations. Providers of certain AI systems – including chatbots, emotion-recognition tools, and general-purpose AI models – must disclose the AI nature of their systems to users, maintain technical documentation, and register high-risk systems in the EU database. Failure to comply exposes providers to administrative fines reaching EUR 15 million or 3% of global annual turnover, whichever is higher.
This guide walks through the transparency framework step by step: which obligations apply, how to implement them, what the enforcement timeline looks like in Poland, and where companies most often go wrong. Three business scenarios – a software provider, a multinational deployer, and a foreign investor – illustrate the practical stakes.
What transparency obligations does the AI Act impose on providers?
The AI Act distinguishes between providers (those who develop or place AI systems on the market) and deployers (those who use AI systems in a professional context). Providers carry the heavier burden. Under EU AI regulation, a provider must ensure that users know they are interacting with an AI system – not a human – unless this is obvious from context. The disclosure obligation applies at the moment of interaction, not buried in terms and conditions.
For high-risk AI systems, the obligations go further. Providers must prepare and maintain technical documentation covering the system's design, training data, performance metrics, and intended purpose. That documentation must be kept for ten years after the system is placed on the market. High-risk systems must also be registered in the EU AI database before deployment – a step that Polish companies operating in regulated sectors such as credit scoring, recruitment, or critical infrastructure cannot skip.
General-purpose AI (GPAI) models carry a separate layer. Providers of GPAI models must publish a summary of training content, comply with EU copyright law, and – for systemic-risk models – conduct adversarial testing and incident reporting. The Urząd Ochrony Danych Osobowych (Personal Data Protection Office, UODO) coordinates with the designated national AI supervisory authority, which Poland is still in the process of formally appointing under domestic implementation legislation.
- Disclose AI identity at point of interaction
- Maintain technical documentation for ten years
- Register high-risk systems in the EU AI database
- Publish GPAI training-data summaries
- Implement human oversight mechanisms for high-risk use cases
One practical point that surprises clients: the transparency obligation for emotion-recognition systems and biometric categorisation tools applies regardless of risk classification. If your system detects emotional states, disclosure is mandatory – full stop. (The same logic applies to deepfake-generated content, which must be labelled as artificially generated.)
How should Polish AI providers implement compliance step by step?
Implementation follows a four-phase logic: classify, document, disclose, and register. Each phase has a defined output. Skipping the classification phase – the most common shortcut – means companies spend resources documenting and registering systems that may not require it, or worse, miss obligations for systems that do.
We secured a compliance roadmap and risk-classification audit for a fintech provider in the Mazowieckie region (spring 2026), identifying two AI tools that had been misclassified as low-risk and required immediate registration in the EU AI database before a planned product launch.
Phase 1 – Classification (weeks 1–4): Map every AI system in use or under development. Apply the AI Act's four-tier risk hierarchy: unacceptable risk (banned), high risk (Annex III categories), limited transparency risk, and minimal risk. For each system, document the classification rationale. The Narodowe Centrum Badań i Rozwoju (National Centre for Research and Development, NCBR) has published guidance on classification methodology that Polish providers can reference.
Phase 2 – Documentation (weeks 5–12): For each high-risk system, prepare the technical file. This covers architecture, training datasets, validation results, and intended-use parameters. For GPAI models, prepare the training-data summary. Budget at least eight weeks for this phase if documentation does not already exist.
Phase 3 – Disclosure implementation (weeks 8–14): Update user interfaces, onboarding flows, and terms of service. The AI identity disclosure must appear before or at the start of each interaction. For automated decision-making systems that intersect with Rozporządzenie o Ochronie Danych Osobowych (General Data Protection Regulation, GDPR), the disclosure must also satisfy the GDPR requirements on automated profiling as applied in Poland – making coordination with the data-protection team non-optional. For cross-border data flows, our analysis of data transfer mechanisms from Poland to the UK sets out the interaction between GDPR transfer rules and AI system disclosures.
Phase 4 – Registration (weeks 12–16): Submit high-risk systems to the EU AI database. The European Commission manages the database centrally; Polish providers register directly. Expect processing time of two to four weeks. Keep registration records as part of the ten-year documentation obligation.
What are the enforcement timelines and penalties in Poland?
The AI Act's application is phased. Prohibited-practice rules became binding in February 2025. Obligations for GPAI model providers apply from August 2025. The full set of provider obligations for high-risk systems – including technical documentation and EU database registration – applies from August 2026. That deadline feels distant. It is not. Building a compliant technical file for a complex AI system takes three to six months even with dedicated resources.
Polish enforcement will sit with a national competent authority. As of spring 2026, Poland has not yet formally designated that authority by statute, though proposals point toward a structure involving the Urząd Komunikacji Elektronicznej (Office of Electronic Communications, UKE) and UODO working in parallel. Until designation is confirmed, providers should treat UODO as the primary interlocutor for AI matters that intersect with personal data – which covers most commercial AI deployments.
Penalties are tiered. Prohibited-practice violations carry fines up to EUR 35 million or 7% of global turnover. High-risk system violations and transparency failures carry fines up to EUR 15 million or 3% of global turnover. Providing false information to authorities attracts fines up to EUR 7.5 million or 1% of turnover. For a mid-sized Polish software company with EUR 20 million in annual revenue, a 3% fine equals EUR 600,000 – a figure that makes a compliance programme look inexpensive by comparison.
The irreversible consequence here is market access. A provider that fails to register a high-risk system before August 2026 cannot lawfully deploy that system in the EU. Remediation after the fact does not restore lost commercial ground. Clients who delay this process forfeit the opportunity to launch on schedule – and in competitive markets, that window rarely reopens.
How do three business scenarios illustrate the practical stakes?
Concrete scenarios clarify where the obligations land in practice. The AI Act's abstractions become real once mapped to a specific product, user base, and deployment context.
Scenario A – Polish software provider (SaaS recruitment tool): A Kraków-based company sells an AI-powered CV-screening tool to HR departments across the EU. Recruitment AI falls squarely within Annex III high-risk categories. The provider must prepare a technical file, register the system, and build human-oversight mechanisms into the product before August 2026. The disclosure obligation requires that candidates are informed that their application is being processed by an AI system. Failing to disclose this to candidates – not just to the HR client – is a provider-level violation. Choosing the right legal structure for the operating entity also matters; our comparison of sp. z o.o. versus SA for Poland investors is relevant for providers considering scale-up financing.
Scenario B – Multinational deployer (financial services): A German bank deploys a credit-scoring AI in its Polish subsidiary. The bank is the deployer; the AI vendor is the provider. Under the AI Act, the deployer carries obligations too – including human oversight, logging, and informing individuals subject to high-risk AI decisions. The Polish subsidiary must ensure its vendor has provided compliant technical documentation and that its own deployment practices satisfy Polish financial regulation. DORA compliance requirements for ICT risk management layer on top for regulated financial entities, making this a dual-track exercise.
We assisted a foreign financial services group in mapping AI Act obligations against its existing DORA compliance programme at its Warsaw subsidiary (autumn 2025), identifying a six-week gap in documentation timelines that would have delayed a product launch by a full quarter.
Scenario C – Foreign investor entering Poland: A US-based AI company wants to distribute an emotion-recognition tool in Poland through a local partner. The US company is the provider; the Polish distributor carries secondary obligations. The emotion-recognition disclosure requirement applies regardless of risk tier. The US provider must also consider whether its system processes personal data – if so, GDPR enforcement in Poland by UODO applies in parallel. Our review of GDPR fines in Poland and UODO enforcement trends shows the authority's increasing appetite for technology-sector enforcement.
Across all three scenarios, the common thread is timing. Classification, documentation, and registration cannot be compressed below eight to twelve weeks for a complex system. Companies that begin in spring 2026 are already at risk of missing the August 2026 deadline.
What to prepare: compliance checklist for AI providers in Poland
The checklist below applies to any company developing, placing on the market, or putting into service an AI system in Poland. It covers the minimum viable compliance posture for the August 2026 deadline. Warsaw IP law practices that advise technology clients increasingly treat this checklist as the opening step of any AI product launch review.
- AI system inventory: list every AI system in development or deployment, with classification rationale
- Technical documentation file: completed for each high-risk system, covering design, data, and validation
- User disclosure: AI identity notice implemented at point of interaction across all products
- EU AI database registration: submitted for all Annex III high-risk systems
- GDPR alignment: automated-decision disclosures coordinated with data-protection officer
One item that often falls off the list: trademark and IP clearance for AI-generated outputs. If your system generates content – text, images, code – that your clients will use commercially, the trademark and IP ownership questions attach to the provider. Providers who skip this step discover the gap when a client faces an infringement claim. That discovery is almost always expensive.
The decision matrix for providers is straightforward. High-risk system with personal data: full documentation, registration, GDPR alignment, human oversight. Limited-transparency system (chatbot, deepfake): disclosure obligation only. Minimal-risk system: voluntary codes of conduct, no mandatory steps. GPAI model: training-data summary, copyright compliance, and – for systemic risk – adversarial testing within twelve months of designation.
Frequently asked questions
Q: Does the AI Act apply to Polish companies that only sell AI products outside Poland?
A: Yes. The AI Act applies to providers who place AI systems on the EU market or put them into service in the EU – regardless of where the provider is established. A Polish company selling to German or French clients is subject to the full provider obligations. The place of incorporation does not limit the regulation's reach; the place of deployment determines it.
Q: How long does it take to prepare a technical documentation file for a high-risk AI system?
A: For a system where internal documentation already exists in structured form, preparation takes approximately six to eight weeks. For systems where documentation must be built from scratch – common in early-stage companies – allow twelve to sixteen weeks. The file must cover architecture, training data, performance benchmarks, and intended-use parameters. Starting this process fewer than four months before the August 2026 deadline creates material risk of non-compliance.
Q: Is the AI Act's transparency obligation separate from GDPR disclosure requirements?
A: They are legally separate but practically overlapping. The AI Act requires disclosure that a user is interacting with an AI system. GDPR requires disclosure of automated decision-making and profiling when personal data is involved. Many AI deployments trigger both. A common misconception is that satisfying one regime satisfies the other. It does not. Providers must run both compliance tracks in parallel, coordinating user-facing notices to avoid contradictions and gaps.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to AI regulation, IP, technology law, and data protection. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.