A Warsaw-based software company received a formal inquiry from a business client in spring 2026. The client wanted to know whether the AI-powered document-review tool they had licensed was subject to disclosure requirements under the EU AI Act. The provider had not yet mapped its obligations. That gap – between deploying a product and understanding what the law now requires – is increasingly common among Polish technology companies.

The EU AI Act imposes transparency obligations on providers of certain AI systems, including requirements to inform users that they are interacting with AI, to label AI-generated content, and to maintain technical documentation. In Poland, the President of the Office for Personal Data Protection (Urząd Ochrony Danych Osobowych, UODO) is expected to act as a supervisory authority alongside sector-specific bodies. Non-compliance can result in fines reaching EUR 15 million or 3% of global annual turnover, whichever is higher.

This case study traces how the provider identified its obligations, built a disclosure framework, and resolved the client's inquiry – and what other Polish AI companies can take from that process.

What was the background to this matter?

The provider had developed an AI system that reviewed commercial contracts and flagged risk clauses. It was marketed to legal departments and corporate procurement teams across Poland and two other EU member states. The system used a large language model and generated summaries that users acted on directly. That functional profile placed it squarely within the AI Act's scope as a general-purpose AI system with foreseeable downstream use in professional decision-making.

The client's inquiry arrived at an awkward moment. The provider had invested heavily in product development but had not yet assigned legal responsibility for regulatory compliance. There was no internal policy on AI disclosure, no user-facing notice explaining the system's AI nature, and no technical documentation file. The company's existing GDPR Poland compliance programme – managed through a data protection officer registered with UODO – did not extend to AI Act requirements, which sit alongside but separately from data protection law.

Our team at KORDECKI & Partners was engaged to assess the provider's exposure and design a remediation path. The first task was to classify the system correctly. Under the AI Act, transparency obligations differ depending on whether a system is a limited-risk AI system, a general-purpose AI model, or a high-risk system. Classification determines which obligations apply and at what level of detail.

How did we develop the compliance strategy?

We identified three immediate obligations. First, the provider needed to inform users – clearly and at the point of interaction – that the contract-review output was generated by an AI system. Second, any AI-generated content presented as a final document or summary required labelling. Third, the provider had to maintain technical documentation covering the system's intended purpose, training data categories, performance metrics, and known limitations. Each of these obligations applied from the date the AI Act's transparency provisions became enforceable.

The strategy had two phases. Phase one covered disclosure design: drafting a user-facing transparency notice, updating the product interface to display an AI-interaction label, and preparing a machine-readable content label for exported summaries. Phase two addressed documentation: building a technical file that could be produced to a supervisory authority within 30 days of any formal request. That 30-day response window is a hard deadline under the Act and shapes how documentation must be maintained.

  • Map the AI system against the Act's classification criteria before any other step
  • Assign a named compliance owner with authority to update the technical file
  • Integrate transparency notices into the product UI, not just the terms of service
  • Align AI Act documentation with existing GDPR records of processing activities
  • Review third-party model providers for their own transparency obligations

Cross-border data flows added a layer of complexity. The provider transferred user-uploaded contract data to processing infrastructure in France. That flow required a transfer mechanism under GDPR Poland rules – a point we addressed alongside the AI Act work, drawing on guidance relevant to data transfer from Poland to France. Keeping AI Act and GDPR compliance streams aligned avoided duplication and reduced overall project time.

What did the process reveal about practical pitfalls?

The provider's first instinct was to treat transparency as a drafting exercise – add a sentence to the terms of service and close the matter. That approach fails for two reasons. Regulators assess whether disclosure is effective, not merely present. A buried clause in a 40-page agreement does not satisfy the requirement to inform users at the point of interaction. The notice must be visible, timely, and unambiguous.

We secured a full compliance sign-off from the client's legal team within six weeks for a technology provider in the Mazowieckie region (spring 2026). The process revealed that the provider's reliance on a third-party model introduced a shared-responsibility question. Where a provider deploys a general-purpose AI model developed by another entity, both parties carry obligations. The upstream model provider must supply certain technical information; the downstream deployer must pass relevant disclosures to end users. Failing to obtain that upstream information forfeits the provider's ability to complete its own documentation – an irreversible gap if the relationship with the model vendor is not structured correctly from the outset.

DORA compliance obligations for financial-sector clients using AI tools introduced a parallel track. One prospective client of the provider was a regulated payment institution. That institution's own DORA compliance programme required it to assess the AI tool's operational resilience and documentation standards before onboarding. The provider's new technical file satisfied that due diligence request, turning a compliance cost into a commercial asset. For technology companies selling into regulated sectors, AI Act documentation and DORA compliance requirements increasingly overlap.

Employment classification risk added a further dimension. The provider had engaged several independent contractors to annotate training data. Questions arose about whether those arrangements carried B2B reclassification risk under Polish labour law – a separate but connected concern examined in our analysis of B2B reclassification risk and PIP enforcement powers in 2026.

What are the transferable lessons for Polish AI providers?

Classification comes first. The transparency obligations that apply to a limited-risk chatbot differ materially from those applying to a general-purpose AI model used in professional workflows. Providers that skip classification and go straight to drafting disclosures risk either over-engineering a solution or, more dangerously, under-disclosing where full obligations apply. The Act's definitions reward careful reading.

We obtained a regulatory pre-assessment for a second technology client in Lower Silesia (summer 2026), confirming that their AI-assisted HR screening tool fell within the high-risk category. That classification triggered documentation requirements significantly more demanding than transparency notices alone – requirements that the client had not anticipated when designing the product. Early classification, ideally at the product-design stage, avoids costly retrofitting.

Intellectual property questions also surface in AI Act work. Providers using third-party models must check whether their deployment terms permit commercial use and whether training data licensing creates trademark or IP exposure. An IP lawyer Warsaw-based clients can engage early in product development will reduce the risk of discovering a licensing conflict after launch.

Data transfer compliance runs in parallel. Where AI systems process personal data transferred outside Poland – whether to Cyprus, France, or elsewhere – the transfer mechanism must be documented and defensible. Our guidance on data transfer from Poland to Cyprus illustrates how these mechanisms interact with broader compliance programmes. Treating AI Act, GDPR, and data transfer obligations as a single integrated workstream is more efficient than addressing each in isolation.

To receive an expert assessment of your AI system's transparency obligations under the EU AI Act, contact info@kordeckipartners.com.

Frequently asked questions

Q: When do AI Act transparency obligations apply to Polish providers?

A: The AI Act's transparency provisions apply from August 2026 for most AI systems, with general-purpose AI model obligations applying from August 2025. Providers placing AI systems on the Polish or EU market should treat the earlier date as the relevant planning horizon. A 12-month implementation window is shorter than it appears once documentation and interface changes are scoped.

Q: Is a terms-of-service clause enough to satisfy the transparency requirement?

A: No. The AI Act requires that users be informed at the point of interaction that they are engaging with an AI system. A disclosure buried in contractual documentation does not meet this standard. The notice must be prominent, timely, and presented in plain language. Regulators assessing compliance will look at the user experience, not only the legal text.

Q: How does AI Act compliance relate to GDPR obligations already in place?

A: The two frameworks are distinct but interconnected. AI Act technical documentation overlaps with GDPR records of processing activities in areas such as data categories and system purpose. Aligning both sets of records reduces duplication and strengthens the overall compliance position. The Office for Personal Data Protection (UODO) is expected to coordinate with AI supervisory authorities, making integrated compliance particularly important for Polish providers.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to AI regulation, technology law, and IP matters. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.