A Warsaw-based bank deploys a credit-scoring algorithm in January 2026. Two months later, its compliance team discovers that the system qualifies as a high-risk AI system under the EU AI Act, and that the high-risk obligations apply from 2 August 2026, less than five months away. The cost of inaction is not a fine alone. A non-compliant high-risk system can be ordered off the market, which means losing the ability to operate it at all.
Polish financial institutions face a dual compliance obligation from 2026 onward. The EU AI Act (Regulation (EU) 2024/1689) classifies AI systems used to evaluate the creditworthiness of natural persons, and systems used for risk assessment and pricing in life and health insurance, as high-risk AI systems, triggering mandatory conformity assessments, technical documentation and governance requirements. Fraud detection is expressly carved out of the creditworthiness category in Annex III, but fraud tools remain ICT assets under DORA and, where they process personal data, remain subject to the GDPR. Separately, the Digital Operational Resilience Act (DORA), fully applicable since 17 January 2025, imposes ICT risk management standards that directly overlap with AI governance. Institutions that have not aligned both frameworks by the AI Act's high-risk deadline risk being ordered to withdraw non-compliant systems from use.
This alert explains what changed, which institutions are affected, and what steps must be taken now. The analysis covers the AI Act's high-risk classification, DORA's overlap with AI governance, and the immediate action items that compliance teams should prioritise in the first half of 2026.
What has changed under the AI Act and DORA for Polish banks?
The EU AI Act entered into force on 1 August 2024. Its provisions on the high-risk AI systems listed in Annex III, which include creditworthiness evaluation of natural persons, recruitment and other employment decisions, and risk assessment and pricing in life and health insurance, apply from 2 August 2026. That deadline is closer than it appears. Conformity assessments, technical documentation, and human oversight mechanisms all require months of preparation. A bank that begins in July 2026 will not finish in time.
DORA has been fully applicable since 17 January 2025. It requires Polish financial institutions supervised by the Komisja Nadzoru Finansowego (Polish Financial Supervision Authority, KNF) to maintain documented ICT risk management frameworks. AI systems that process financial data are ICT assets under DORA. They must be inventoried, tested for resilience, and covered by the major-incident reporting procedure: an initial notification within four hours of classifying an incident as major (and no later than 24 hours after becoming aware of it), an intermediate report within 72 hours of that notification, and a final report within one month.
The overlap is significant. An AI-driven credit-scoring system is simultaneously a high-risk AI system under the AI Act and an ICT asset under DORA. Institutions that treat these as separate workstreams will duplicate effort and create compliance gaps. A unified governance framework, covering both risk classification and operational resilience, is the more efficient path. The Urząd Ochrony Danych Osobowych (Personal Data Protection Office, UODO) adds a third layer: AI systems that process personal data must also satisfy the GDPR as applied in Poland, including data minimisation and the restrictions on solely automated decision-making in Article 22.
- AI Act high-risk provisions apply from 2 August 2026
- DORA ICT risk management requirements fully applicable since January 2025
- UODO enforcement of GDPR automated-decision rules is ongoing
- KNF supervisory expectations for AI governance are published in its 2025 supervisory priorities
We secured a successful GDPR compliance review for a fintech client in the Mazowieckie region (spring 2025), identifying three AI systems that required reclassification before the client's KNF supervisory inspection.
Who is affected and what are the thresholds?
The AI Act applies to any institution that develops, imports, distributes, or deploys AI systems in the EU. For Polish financial institutions, the relevant high-risk categories include: systems used to evaluate the creditworthiness of natural persons or establish their credit score, AI tools used in recruitment and other employment decisions, and systems used for risk assessment and pricing in life and health insurance. Fraud detection systems are expressly excluded from the creditworthiness category, but they still carry DORA and GDPR obligations. The threshold is not size: a small payment institution using a third-party credit model is a deployer and bears deployer obligations.
DORA applies to a broader set of entities. Banks, insurance companies, investment firms, payment institutions, and e-money institutions supervised by the KNF all fall within scope. Micro-enterprises (fewer than 10 employees and an annual turnover or balance sheet below EUR 2m) benefit from proportionality relief and, for certain categories, a simplified ICT risk management framework, but they are not exempt. They must still maintain an ICT risk policy and report major ICT-related incidents to the KNF within the DORA timelines.
The GDPR dimension, as enforced by the UODO in Poland, affects any institution using AI to make or inform automated decisions about individuals. Individuals have the right to contest a solely automated decision with legal or similarly significant effects and to obtain human review. Institutions must implement that review mechanism before deploying the system, not after a complaint arrives. For a practical overview of UODO enforcement trends, see our analysis at GDPR fines in Poland – UODO enforcement trends.
Foreign-owned subsidiaries operating in Poland are not exempt. A German parent's AI system deployed through a Polish subsidiary triggers Polish compliance obligations. The parent's CE marking and conformity assessment are valid across the EU, but they discharge only the provider's obligations. They do not satisfy the Polish subsidiary's deployer obligations under the AI Act, its DORA obligations under KNF supervision, or its GDPR obligations before the UODO. Cross-border deployment requires a jurisdiction-specific review.
What must Polish financial institutions do now?
Three actions are time-critical. First, complete an AI system inventory by 30 April 2026. Every AI tool used in credit, insurance, or HR decisions must be classified against the AI Act's high-risk categories. Where the institution built the system itself, it is the provider and must carry out the conformity assessment and produce the technical documentation. Where it licenses the system, it must obtain the provider's EU declaration of conformity and instructions for use, and implement its own human oversight protocol. That documentation cannot be produced overnight; allow at least three months.
Second, align the AI governance framework with DORA's ICT risk management requirements. This means mapping each AI system to the institution's ICT asset register, assigning a risk owner, and including AI-related scenarios in the next resilience testing cycle. DORA requires institutions to test ICT systems supporting critical or important functions at least once per year. AI systems that process payment data or credit decisions should be treated as supporting critical or important functions by default.
Third, review automated decision-making procedures under the GDPR as enforced in Poland. Any AI system that produces decisions with legal or similarly significant effects on individuals must be documented, with a human review mechanism in place. The UODO has issued enforcement decisions against institutions that relied on automated outputs without adequate human oversight. Fines have reached EUR 1m in the financial sector. For institutions with IP-embedded AI tools, our guide on IP protection strategy for tech companies in Poland addresses the intersection of AI governance and intellectual property rights.
- Complete AI system inventory and risk classification by 30 April 2026
- Update ICT asset register to include all AI systems under DORA
- Implement human review mechanisms for automated decisions affecting individuals
- Review employment-related AI tools against both the AI Act and Polish labour law
Our team obtained a full AI governance gap analysis for an insurance client in Lower Silesia (winter 2025), identifying two high-risk systems that required conformity assessments before the client's planned product launch in Q2 2026. For employment-related AI tools, our analysis at employment law compliance for companies in Poland covers the specific obligations under Polish labour law.
Institutions that delay risk more than regulatory fines. Under the AI Act, operating a non-compliant high-risk AI system after 2 August 2026 can result in a market withdrawal order – an irreversible consequence that disrupts operations far beyond the compliance cost of acting now.
Specific circumstances at your institution will determine which obligations apply first and which carry the greatest operational risk. A targeted review now avoids the irreversible consequence of a supervisory finding after the deadline. To receive an expert assessment of your AI governance exposure, contact info@kordeckipartners.com.
Frequently asked questions
Q: Does the AI Act apply to third-party AI tools that our institution licenses rather than builds?
A: Yes. Under the AI Act, a financial institution that deploys a high-risk AI system, even one built and supplied by a third party, is a deployer and bears the obligations in Article 26. These include using the system in accordance with the provider's instructions, assigning human oversight to trained staff, monitoring its operation, and retaining the logs the system generates for at least six months. A deployer of a credit-scoring system must also carry out a fundamental rights impact assessment under Article 27 before first use. Licensing agreements should be reviewed to confirm that the provider supplies the EU declaration of conformity, the instructions for use, and the technical documentation the institution needs to meet those obligations.
Q: How long does a conformity assessment take for a credit-scoring AI system?
A: For a high-risk AI system in the financial sector, a conformity assessment typically takes between three and six months, depending on the complexity of the model and the completeness of existing documentation. Institutions should begin the process no later than 30 April 2026 to meet the 2 August 2026 deadline. Waiting until June or July creates a material risk of non-compliance on the deadline date.
Q: Is there a misconception that DORA compliance automatically satisfies AI Act requirements?
A: Yes – this is a common misunderstanding. DORA governs ICT operational resilience, including incident reporting and third-party risk management. The AI Act governs the design, transparency, and human oversight of AI systems. An institution that is fully DORA-compliant still needs to complete AI Act conformity assessments, maintain AI-specific technical documentation, and implement human review mechanisms. The two frameworks overlap but neither substitutes for the other.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to AI governance, DORA compliance, and technology regulation. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.