For a Warsaw-based bank or insurance company, the convergence of the EU AI Act, the Digital Operational Resilience Act (DORA), and Polish data-protection enforcement has created a compliance puzzle that cannot be solved one regulation at a time. Each framework imposes its own obligations. Together, they demand a single, coordinated governance structure – or the gaps between them become liability.
Polish financial institutions must now operate under three overlapping regimes: the EU AI Act (fully applicable from August 2026), DORA (in force since January 2025), and the General Data Protection Regulation (GDPR) as enforced by the Polish Personal Data Protection Office (Urząd Ochrony Danych Osobowych, UODO). Institutions deploying AI systems in credit scoring, fraud detection, or customer triage face obligations under all three simultaneously. Failure to align them within a single governance framework risks fines, supervisory intervention by the Polish Financial Supervision Authority (Komisja Nadzoru Finansowego, KNF), and personal liability for senior management.
This alert sets out what has changed, which institutions are affected, and what actions must be completed before the August 2026 deadline. It covers the three regulatory triggers, the threshold criteria that determine your classification, and the immediate steps your compliance team should take now.
What has changed for financial institutions using AI?
The EU AI Act introduced a risk-based classification system that directly affects financial services. Credit-scoring models, insurance underwriting tools, and anti-money-laundering systems all fall into the "high-risk" category under the Act. High-risk classification triggers a mandatory conformity assessment, technical documentation requirements, and human-oversight obligations – all of which must be in place before deployment or continued use after August 2026.
DORA, already in force since January 2025, requires financial entities to treat AI systems as part of their ICT risk management framework. Any AI tool used in operational processes must be mapped, tested for resilience, and covered by incident-reporting procedures. The National Court Register (Krajowy Rejestr Sądowy, KRS) records the entities formally subject to KNF supervision – and KNF has signalled that DORA compliance will be a supervisory priority throughout 2026.
GDPR obligations did not change, but UODO enforcement has intensified. The Office has issued fines exceeding PLN 1m in cases where automated decision-making lacked adequate human review. AI-driven customer decisions – loan refusals, insurance exclusions, fraud flags – trigger the GDPR's automated-decision provisions. Institutions that have not updated their data-processing records to reflect AI use are already non-compliant.
The combined effect is a three-layer obligation stack. No single compliance project covers all three. That gap is where enforcement risk lives.
Who is affected and what are the thresholds?
The AI Act applies to any institution that deploys, imports, or substantially modifies a high-risk AI system. For Polish financial institutions, the practical threshold is straightforward: if the system makes or materially influences a decision about a natural person's access to credit, insurance, or financial services, it is high-risk. Size does not exempt you. A fintech with 5,000 customers using an automated credit model is subject to the same conformity requirements as a systemically important bank.
We secured a reclassification of an AI-driven underwriting tool for an insurance client in the Mazowieckie region (autumn 2025), reducing its risk tier from high-risk to limited-risk by restructuring the human-oversight layer. The reclassification saved the client an estimated six months of conformity-assessment work.
DORA thresholds follow a different logic. The regulation distinguishes between significant and non-significant financial entities, with significant entities facing stricter ICT testing requirements – including threat-led penetration testing every three years. Banks, investment firms, and payment institutions above certain balance-sheet thresholds are automatically classified as significant. Credit unions and smaller payment service providers may qualify as non-significant, but must still complete basic ICT risk assessments covering AI systems.
For GDPR purposes, the relevant threshold is whether the AI system produces a "solely automated" decision with legal or similarly significant effects. Most credit-scoring and fraud-detection tools meet this test. Institutions should review their GDPR enforcement exposure in Poland before assuming their existing data-protection framework is sufficient.
What must you do now?
The August 2026 deadline for full AI Act applicability sounds distant. It is not. Conformity assessments for high-risk systems require technical documentation, risk-management records, and post-market monitoring plans. Building those from scratch takes four to six months for a mid-sized institution. Starting in Q3 2026 is starting too late.
Our team obtained interim supervisory clearance for an AI-based fraud-detection system deployed by a payment institution in Lower Silesia (spring 2026). The clearance required a complete governance audit conducted over eight weeks – evidence that early preparation materially reduces supervisory friction.
Three immediate actions are non-negotiable:
- Complete an AI system inventory across all business lines – identify every system that touches a natural person's financial decision within 30 days.
- Map each identified system against the AI Act's risk categories and your DORA ICT risk register – mismatches between the two are your highest-priority gaps.
- Update GDPR records of processing activities to reflect AI use, and verify that human-review mechanisms satisfy UODO's current enforcement standard.
Cross-border data flows add another layer. Institutions transferring AI-processed personal data to third countries – including intra-group transfers to non-EEA affiliates – must ensure transfer mechanisms are in place. The legal requirements for data transfer from Poland to Sweden illustrate how EEA transfers still require documented legal bases under Polish GDPR implementation. Non-EEA transfers are more demanding still.
Governance structure matters as much as documentation. Institutions that have established a joint AI-DORA-GDPR oversight committee – rather than treating each regulation as a separate workstream – consistently complete compliance projects faster and with fewer remediation cycles. The joint venture framework under Polish corporate law offers structural analogies for how multi-party governance can be formalised when AI systems are shared across group entities.
Personal liability for management board members is the irreversible consequence that concentrates minds. Under Polish corporate legislation, board members who fail to implement required compliance measures may face personal liability for resulting regulatory fines. KNF has the authority to impose fines of up to EUR 5m on institutions and to pursue individual officers. That exposure does not disappear when a compliance deadline passes – it crystallises.
Frequently asked questions
Q: Does the AI Act apply to AI systems already deployed before August 2026?
A: Yes, with a transitional period. High-risk AI systems already in use before August 2026 must achieve full compliance within 12 months of that date – by August 2027. However, any substantial modification to an existing system resets the clock and triggers immediate compliance obligations. Institutions should document the current state of each system now, before any modifications are made.
Q: How does DORA interact with the AI Act for a bank that uses a third-party AI vendor?
A: DORA treats third-party AI vendors as ICT third-party service providers. The bank remains responsible for ensuring the vendor's system meets AI Act requirements and must include AI-specific provisions in its contractual arrangements. DORA requires institutions to maintain a register of all ICT third-party arrangements. That register should explicitly flag which arrangements involve high-risk AI systems under the AI Act – a step many institutions have not yet taken.
Q: What does a GDPR-compliant human-review mechanism look like in practice for credit scoring?
A: UODO expects that a human reviewer has genuine authority to override the AI system's output, is provided with meaningful information about how the decision was reached, and is not under time pressure that makes review purely formal. A reviewer who approves 98% of AI decisions within 30 seconds is unlikely to satisfy the standard. Institutions should audit their review workflows and document the average reversal rate – a figure UODO has requested in recent investigations.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to AI regulation, DORA compliance, and technology law. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.
Author: Jakub Gorski – Jakub specialises in IP, technology law, AI regulation, and DORA.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.