A mid-sized Warsaw leasing company deploys a credit-scoring algorithm in January 2026. By March, the Polish Financial Supervision Authority (Komisja Nadzoru Finansowego, KNF) opens a supervisory inquiry. The firm has no documented AI governance framework, no risk classification register, and no human-oversight protocol. The consequences – regulatory censure, potential suspension of the scoring tool, and personal liability of the management board – are now live risks, not theoretical ones.

Polish financial institutions using artificial intelligence systems must comply with the EU AI Act (Regulation (EU) 2024/1689), which entered into force on 1 August 2024 and applies in stages: the obligations for the Annex III high-risk systems most relevant to finance apply from 2 August 2026. Institutions subject to the Ustawa o krajowym systemie cyberbezpieczeństwa (Act on the National Cybersecurity System) and the Digital Operational Resilience Act (DORA) face a layered compliance obligation: AI governance requirements stack on top of existing ICT risk frameworks. Non-compliance with the high-risk obligations (Articles 16 to 27 of the AI Act, including technical documentation and registration) carries administrative fines of up to EUR 15 million or 3% of total worldwide annual turnover, whichever is higher; the higher ceiling of EUR 35 million or 7% is reserved for prohibited practices.

This alert explains what changed, which institutions are affected, and what immediate steps boards and compliance teams must take. The structure follows the three-part alert format: regulatory change, scope of application, and action items with deadlines.

What has changed in the AI regulatory environment for financial institutions?

The EU AI Act introduced a four-tier risk classification system. For Polish banks, insurers, leasing companies, and payment institutions, the most consequential tier is "high-risk." Annex III, point 5 lists AI systems used to evaluate the creditworthiness of natural persons or establish their credit score (point 5(b)) and systems used for risk assessment and pricing in life and health insurance (point 5(c)). Systems on that list are classified high-risk under Article 6(2) unless the narrow Article 6(3) exception applies (for example, a purely preparatory or narrow procedural task, which a model that decides or materially shapes a credit outcome will rarely satisfy). Two common assumptions are wrong: point 5(b) expressly excludes AI used for the purpose of detecting financial fraud, and general customer-segmentation tools are not listed in Annex III at all. Both still fall under GDPR and DORA, and the inventory should record the reasoning for every system kept outside the high-risk tier, because Article 6(4) requires a provider relying on the exception to document that assessment. The KNF has signalled that it will treat AI Act compliance as part of its standard supervisory toolkit, integrating it into DORA-based ICT audits beginning in the second half of 2026.

DORA itself – applicable since 17 January 2025 – already requires financial entities to maintain a register of information on their contractual arrangements with ICT third-party service providers. That register must now be cross-referenced against AI system inventories. Where a third-party vendor supplies an AI model (a common arrangement in credit analytics), the financial institution is the "deployer" under the AI Act and carries its own obligations under Article 26: using the system in line with the provider's instructions, assigning human oversight to competent staff, ensuring the input data it controls is relevant, monitoring operation, retaining the automatically generated logs for at least six months, and informing affected customers. Deployers of credit-scoring and life or health insurance systems must additionally complete a fundamental rights impact assessment under Article 27 before first use. The vendor, as "provider," owes the conformity assessment, technical documentation and EU database registration, and the deployer cannot evidence its own compliance without the provider's instructions for use, so the contract must secure access to them. Outsourcing the model does not outsource the liability.

The Urząd Ochrony Danych Osobowych (Personal Data Protection Office, UODO) has also clarified that automated decision-making under Article 22 GDPR – particularly decisions with legal or similarly significant effects, such as a credit refusal – requires a documented lawful basis and a human-review mechanism. GDPR and AI Act obligations overlap directly in credit and insurance contexts. Institutions that addressed the GDPR automated-decision rules in 2018 must revisit those assessments against the stricter AI Act standard.

Which Polish financial institutions are affected, and at what thresholds?

Scope is broad. Any entity authorised by the KNF – banks, cooperative savings and credit unions (spółdzielcze kasy oszczędnościowo-kredytowe, SKOK), insurance undertakings, investment firms, and payment institutions – that deploys or develops an AI system falling within Annex III is a "deployer" or "provider" under the AI Act. The size of the institution does not reduce the obligation; the only proportionality relief is Article 63, which lets micro-enterprises acting as providers operate a simplified quality management system.

Three thresholds determine the intensity of compliance obligations. First, any AI system used to evaluate the creditworthiness of natural persons or establish their credit score triggers full high-risk requirements. For the provider that means conformity assessment, technical documentation, post-market monitoring, and registration in the EU database before the system is placed on the market, which for systems not yet in service means by 2 August 2026; for the deployer it means the Article 26 operating duties and an Article 27 fundamental rights impact assessment before first use. Second, AI systems used for risk assessment and pricing in life and health insurance carry the same classification. Third, AI tools used in anti-money-laundering transaction monitoring are subject to a separate but parallel obligation under the Ustawa o przeciwdziałaniu praniu pieniędzy oraz finansowaniu terroryzmu (Anti-Money Laundering and Counter-Terrorist Financing Act), which the KNF enforces alongside AI Act requirements.

Foreign-owned subsidiaries operating in Poland are not exempt. A German or Dutch parent's group-level AI governance policy does not automatically satisfy Polish regulatory requirements. The local entity must maintain its own documentation, designate a compliance contact, and – where the parent is the AI provider – execute a written allocation of responsibilities. We secured a regulatory pre-clearance outcome for a fintech subsidiary in the Mazowieckie region (winter 2026), establishing a compliant deployer-provider agreement that satisfied both KNF expectations and the parent's group framework.

What must boards do immediately – and by when?

The 2 August 2026 application date for Annex III high-risk obligations is fixed. Article 111(2) offers limited relief for systems already placed on the market or put into service before that date: they come under the Regulation only once they undergo a significant change in design. A scoring model that is retrained, re-weighted, or extended to new products after August 2026 is likely to lose that relief, and an institution relying on it must be able to document that no such change occurred, so treating legacy models as exempt is a bet the board should not make. Boards that have not yet initiated a governance framework face a compressed timeline of roughly 12 weeks from the date of this alert. Three immediate actions are non-negotiable.

  • Conduct an AI system inventory across all business lines within 30 days – map every deployed model against the Annex III categories, record for each whether the institution is provider or deployer, and document the reasoning for any model classified as not high-risk.
  • Appoint an AI compliance officer or designate an existing risk officer with explicit AI Act responsibility before June 30, 2026.
  • Initiate the documentation for each high-risk system – where the institution is the provider, the Annex IV technical documentation including data governance records and accuracy and robustness metrics; where it is a deployer, the Article 27 impact assessment, the human-oversight protocol and the provider's instructions for use – with a target completion date of July 15, 2026.

Beyond registration, institutions must establish ongoing post-market monitoring. This means logging every case in which a human reviewer overrides an AI output, retaining the system's automatically generated logs for at least six months (Article 26(6)), tracking model drift, and handling serious incidents: a deployer that identifies one must immediately inform the provider and the market surveillance authority (Article 26(5)), and the provider then reports under the Article 73 timelines. For supervised financial entities the market surveillance authority is expected to be the KNF, since Article 74(6) assigns that role to the national financial supervisor. The KNF has not yet published its national supervisory guidance, but it has indicated alignment with the European Banking Authority's AI governance expectations. Waiting for national guidance before acting is a governance failure in itself.
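Added example, not code from the original alert, the KNF or any model vendor: the two monitoring signals the paragraph above names, override logging and drift tracking, written out as a small Python routine over a constructed decision log. The field names, score bins, the PSI alert level of 0.2 and the acceptable override band are all assumptions chosen for illustration.

```python
"""Added example, not code from the original alert, the KNF or any model vendor.
It implements the two post-market monitoring signals described above:
how often human reviewers override the model, and whether the score
distribution has drifted since validation (population stability index, PSI).
Every field name, threshold and record below is an assumption made for this example."""
from bisect import bisect_right
from collections import Counter
from math import log

# Assumed alert levels. 0.2 is a common PSI rule of thumb for a significant shift.
# The override band has a floor on purpose: a near-zero override rate suggests
# reviewers are rubber-stamping (automation bias), a high one that the model
# is no longer trusted; both deserve a look.
PSI_ALERT = 0.20
OVERRIDE_BAND = (0.05, 0.25)

# Score bins shared by the reference and current samples (scores assumed in [0, 1]).
SCORE_BINS = [0.0, 0.25, 0.5, 0.75, 1.0]

# Constructed decision log (illustrative values, not real customer data):
# one record per automated decision that a human reviewer could override.
DECISION_LOG = [
    {"id": "d001", "model": "approve", "final": "approve", "reviewer": "r1"},
    {"id": "d002", "model": "decline", "final": "decline", "reviewer": "r1"},
    {"id": "d003", "model": "decline", "final": "approve", "reviewer": "r2"},  # override
    {"id": "d004", "model": "approve", "final": "approve", "reviewer": "r2"},
    {"id": "d005", "model": "approve", "final": "approve", "reviewer": "r1"},
    {"id": "d006", "model": "decline", "final": "decline", "reviewer": "r3"},
    {"id": "d007", "model": "approve", "final": "decline", "reviewer": "r3"},  # override
    {"id": "d008", "model": "approve", "final": "approve", "reviewer": "r2"},
    {"id": "d009", "model": "decline", "final": "decline", "reviewer": "r1"},
    {"id": "d010", "model": "approve", "final": "approve", "reviewer": "r3"},
]

# Constructed score samples: validation-time reference vs. the current month.
# The reference is flat across the four bins; the current sample skews high.
REFERENCE_SCORES = [0.1] * 5 + [0.3] * 5 + [0.6] * 5 + [0.9] * 5
CURRENT_SCORES = [0.1] * 2 + [0.3] * 4 + [0.6] * 6 + [0.9] * 8


def override_rate(records):
    """Share of decisions whose final (human) outcome differs from the model output."""
    if not records:
        return 0.0
    overrides = sum(1 for r in records if r["final"] != r["model"])
    return overrides / len(records)


def bin_shares(scores, edges, eps=1e-6):
    """Fraction of scores in each bin; eps keeps an empty bin out of log(0)."""
    n_bins = len(edges) - 1
    counts = Counter(
        max(0, min(bisect_right(edges, s) - 1, n_bins - 1)) for s in scores
    )
    return [max(counts[i] / len(scores), eps) for i in range(n_bins)]


def psi(reference, current, edges):
    """Population stability index: sum over bins of (cur - ref) * ln(cur / ref)."""
    ref, cur = bin_shares(reference, edges), bin_shares(current, edges)
    return sum((c - r) * log(c / r) for r, c in zip(ref, cur))


def monitoring_report(records, reference, current, edges):
    """One monitoring cycle: both signals plus the alert flags a reviewer would log."""
    rate = override_rate(records)
    drift = psi(reference, current, edges)
    return {
        "override_rate": rate,
        "override_alert": not (OVERRIDE_BAND[0] <= rate <= OVERRIDE_BAND[1]),
        "psi": drift,
        "drift_alert": drift >= PSI_ALERT,
    }


if __name__ == "__main__":
    report = monitoring_report(DECISION_LOG, REFERENCE_SCORES, CURRENT_SCORES, SCORE_BINS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed data the override rate is 0.2, inside the assumed band, while the PSI comes out near 0.23, above the assumed 0.2 alert level. The floor on the override band is deliberate: a reviewer who never overrides is evidence of the automation bias that Article 14(4)(b) requires oversight arrangements to counter, and merits an alert as much as one who overrides everything. A drift alert of this kind belongs in the post-market monitoring record and, if it coincides with degraded accuracy on affected customers, in the serious-incident assessment.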

Internal governance documents – AI use policies, board-level risk appetite statements, and vendor due-diligence checklists – must be updated to reflect the new framework. Institutions with existing whistleblower and compliance infrastructure (see our whistleblower protection policy drafting guide) should extend those channels to cover AI-related concerns raised by employees. AI Act obligations also intersect with trade secret and IP considerations when proprietary models are involved – our analysis of trade secret protection strategies under Polish law addresses the documentation requirements that simultaneously serve IP and regulatory purposes. For institutions with cross-border AI deployments, our IP and tech practice covering the United States provides comparative context on governance standards.

We assisted a regional bank in Silesia (spring 2026) in completing a full AI system inventory and technical documentation package in eight weeks – covering four high-risk models across credit, fraud, and customer-service functions. The exercise revealed two undocumented vendor-supplied models that required immediate contractual remediation.

The specific circumstances of your institution determine which obligations apply first and where documentation gaps carry the highest regulatory exposure. Acting without a tailored assessment risks misallocating limited compliance resources.

To receive an expert assessment of your institution's AI governance readiness, contact info@kordeckipartners.com. If your firm is deploying high-risk AI systems and has not yet initiated registration or technical documentation, we will conduct a gap analysis, map your obligations against the August 2026 deadline, and draft the required governance instruments.

Frequently asked questions

Q: Does a bank that uses a third-party credit-scoring model – rather than building its own – still need to comply with AI Act high-risk requirements?

A: Yes. Under the AI Act, the financial institution deploying the model is the "deployer" and carries its own set of obligations regardless of who built the system. The deployer must use the model in accordance with the provider's instructions and intended purpose, assign human oversight to people with the competence and authority to override it, ensure the input data it controls is relevant, monitor operation, retain the automatically generated logs for at least six months, inform affected customers, and, for credit scoring, complete a fundamental rights impact assessment before first use. The provider remains responsible for conformity assessment, technical documentation and EU database registration, and the contract must give the deployer access to that documentation. If the bank substantially modifies the model or uses it for a purpose the provider did not intend, Article 25 makes the bank the provider itself. Outsourcing development does not transfer compliance responsibility.

Q: How long does it take to complete AI Act compliance documentation for a single high-risk system?

A: For a well-documented existing model with available training data records, the process typically takes six to ten weeks. Systems with incomplete data lineage or undocumented vendor components can take significantly longer. Institutions should begin immediately given the 2 August 2026 application date: starting in late June leaves no margin for remediation if gaps are discovered.

Q: Is GDPR compliance sufficient to satisfy AI Act requirements for automated decision-making in credit?

A: No. GDPR provides a baseline right to human intervention and to meaningful information about the logic of automated decisions, but the AI Act imposes additional requirements. The provider must carry out conformity assessment, technical documentation, accuracy and robustness testing, and registration in the EU database; the deploying institution must operate human-oversight protocols, retain logs, complete a fundamental rights impact assessment, and give affected persons a clear explanation of the system's role in the decision (Article 86). A GDPR-compliant credit process is a starting point, not a substitute. Institutions must treat the two frameworks as complementary and additive, not interchangeable.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to AI regulation, DORA compliance, and technology governance. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.