A mid-sized Warsaw investment firm deploys a credit-scoring algorithm in January 2026. Three months later, the Polish Financial Supervision Authority (KNF) opens a supervisory inquiry. The model was never documented under the EU AI Act, DORA third-party risk registers were incomplete, and GDPR Poland data-minimisation requirements had been overlooked. The firm faces simultaneous exposure on three regulatory fronts – with no governance framework in place to coordinate a defence.
Polish financial institutions using artificial intelligence must comply with overlapping obligations under the EU AI Act (Regulation (EU) 2024/1689), the Digital Operational Resilience Act (DORA), and the General Data Protection Regulation (GDPR). High-risk AI systems used for credit scoring and for life and health insurance pricing require technical documentation, a conformity assessment, and human-oversight mechanisms before they are put into use. Breaches of the AI Act's high-risk obligations carry fines of up to EUR 15 million or 3 percent of global annual turnover, whichever is higher; prohibited practices carry up to EUR 35 million or 7 percent. The EUR 30 million / 6 percent figures still widely quoted come from the 2021 Commission proposal, not from the adopted text.
This guide walks through the governance framework step by step: classification of AI systems, documentation requirements, institutional responsibilities, and the integration of DORA and GDPR obligations. Three business scenarios illustrate how the framework applies across different institution types. A checklist and FAQ close the guide for practical reference.
How does the EU AI Act classify AI systems used by Polish financial institutions?
Classification is the starting point for every governance decision. The AI Act assigns systems to four risk tiers, unacceptable, high, limited, and minimal, and Polish financial institutions will find that their core customer-facing decision tools, credit scoring and life and health insurance pricing above all, fall into the high-risk category. That classification triggers the heaviest documentation and oversight requirements, and it cannot be negotiated away after deployment: the tier follows from the system's intended purpose measured against Annex III, not from the institution's own internal risk rating.
High-risk systems in the financial sector, as listed in Annex III, point 5, are AI systems used to evaluate the creditworthiness of natural persons or establish their credit score (point 5(b)) and AI systems used for risk assessment and pricing of natural persons in life and health insurance (point 5(c)). Point 5(b) expressly excludes systems used to detect financial fraud, and automated investment advice is not on the list at all; such tools fall outside the high-risk tier unless another Annex III entry catches them. Recruitment and other employment-related screening tools (point 4) are high-risk regardless of sector. The KNF is expected to act as the financial sector's market surveillance authority under the Polish implementing law and to issue sector-specific guidance during 2026, aligned with the European Banking Authority's (EBA) work on AI governance.
The classification process itself involves three steps. First, identify every AI system in production or under development, including AI features embedded in licensed software. Second, map each system's intended purpose against the high-risk use-case list in Annex III of the AI Act. Third, document the classification decision with a reasoned assessment. Where a system matches an Annex III heading but the institution relies on the Article 6(3) exception (no significant risk to health, safety or fundamental rights), that reasoning must be written down and the system still registered; the exception never applies to a system that profiles natural persons, which rules it out for credit scoring. Systems used purely for back-office optimisation, scheduling, IT monitoring, will generally fall into the minimal-risk tier and carry no specific AI Act obligations beyond the general AI-literacy duty in Article 4.
- Creditworthiness and credit-scoring tools for natural persons (Annex III, point 5(b)): high risk
- Automated life and health insurance risk assessment and pricing for individual applicants (Annex III, point 5(c)): high risk; other insurance lines are not listed
- Fraud detection: expressly carved out of point 5(b), so not high risk on that ground, although GDPR Article 22 still governs an automated decision that blocks a customer
- Internal HR recruitment screening tools (Annex III, point 4(a)): high risk
- Back-office workflow automation with no individual impact: minimal risk
One practical complication: many institutions use AI features embedded in third-party software. Under the AI Act, the deployer carries its own obligations (Article 26) alongside the provider's: it must use the system according to the provider's instructions, assign human oversight to competent staff, keep the automatically generated logs for at least six months, and, for credit and insurance systems, complete a fundamental rights impact assessment (Article 27). A Polish bank licensing a scoring model from a US vendor therefore cannot treat compliance as the vendor's problem, and if it substantially modifies the model, changes its intended purpose, or puts it into service under its own name, it becomes the provider (Article 25) with the full set of provider obligations. This is precisely where DORA's third-party ICT risk framework intersects with AI governance, and where gaps most frequently appear.
What documentation does a high-risk AI system require under Polish law?
Documentation is the operational core of AI governance, and the first question is which role the institution plays. A provider of a high-risk system must prepare technical documentation (Annex IV) before placing it on the market, carry out a conformity assessment (for Annex III financial systems, the internal-control procedure of Annex VI, not a third-party audit), draw up an EU declaration of conformity, and register the system in the EU database for high-risk AI systems once that database is operational. A deployer must hold the provider's instructions for use and documentation, record its human-oversight arrangements, retain logs, and complete the fundamental rights impact assessment where Article 27 applies. An institution that builds its own scoring model is both provider and deployer. In every case the documentation must remain current throughout the system's lifecycle, not just at the point of launch; a substantial modification re-opens the conformity assessment. Institutions that treat documentation as a one-time exercise will find themselves non-compliant within months of deployment.
We secured a reversal of a regulatory finding for a fintech client in the Mazowieckie region (autumn 2025) by demonstrating that their AI documentation package – though initially incomplete – had been updated within the 30-day remediation window. That window matters: regulators distinguish between institutions with a documented governance process and those with none at all.
The technical documentation package for a high-risk financial AI system must address at least five areas: system purpose and intended use; design specifications and training data governance; performance metrics and accuracy thresholds; human-oversight mechanisms; and incident logging procedures (Annex IV sets out the full list). GDPR obligations layer onto this. Data protection impact assessments (DPIAs) under Article 35 GDPR are mandatory where AI processing is likely to result in high risk to individuals, which covers most credit and insurance applications, and the AI Act's fundamental rights impact assessment may complement the DPIA rather than duplicate it. GDPR fixes no lead time; it only requires the DPIA to be completed before processing starts. In practice, allow at least 30 days.
DORA adds a further documentation layer for AI systems that are supplied as ICT services under its third-party risk management rules. Financial entities must maintain a register of information on all contractual arrangements with ICT third-party service providers, including AI vendors, at entity, sub-consolidated and consolidated level, and submit it to the KNF at least annually. DORA has applied since 17 January 2025 and the first submissions were collected during 2025. Institutions that have not yet aligned their AI vendor registers with DORA requirements are already behind.
How should a Polish financial institution structure its internal AI governance?
Governance structure determines who is accountable when something goes wrong. The AI Act requires deployers of high-risk systems to assign human oversight to natural persons who have the necessary competence, training and authority to intervene (Article 26(2)). That is not a compliance checkbox: it is a legal requirement that maps directly onto personal liability under Polish corporate legislation if the board fails to establish adequate oversight. A governance structure that exists only on paper, without real decision-making authority, will not satisfy a KNF inquiry.
Effective AI governance in a Polish financial institution typically rests on three organisational layers. The board or management board (zarząd) holds ultimate accountability and must approve the institution's AI risk appetite. A dedicated AI Risk Committee – or an extension of the existing risk committee – reviews classification decisions, approves high-risk deployments, and monitors ongoing compliance. An operational AI governance team, often sitting within compliance or IT risk, manages documentation, runs conformity assessments, and coordinates with external counsel on regulatory developments.
The intersection with corporate governance structures under Polish law is direct. Supervisory board members (rada nadzorcza) of regulated financial institutions are expected to exercise oversight over AI risk as part of their general duty of care. Institutions structured as joint-stock companies under the Commercial Companies Code (Kodeks spółek handlowych, KSH) should update their supervisory board charters to include AI risk explicitly.
- Board: approves AI risk appetite and governance policy
- AI Risk Committee: reviews high-risk deployments, monitors incidents
- Compliance/IT Risk team: maintains documentation and vendor registers
- Legal counsel: tracks regulatory developments, manages KNF correspondence
One common mistake: treating AI governance as an IT function rather than a legal and risk function. The AI Act, DORA, and GDPR each impose obligations that carry regulatory and civil consequences. Governance decisions made solely by IT teams, without legal input, routinely produce documentation gaps that become enforcement vulnerabilities.
How do DORA and GDPR obligations integrate with the AI governance framework?
DORA and GDPR do not operate in parallel with AI Act obligations – they intersect, and the intersections create the most complex compliance challenges. Ignoring either framework while building an AI governance structure is not a shortcut. It forfeits the institution's ability to present a coherent compliance defence if a multi-framework inquiry arises. The KNF has the authority to coordinate with the Personal Data Protection Office (Urząd Ochrony Danych Osobowych, UODO) and with the EBA, which means a single AI incident can trigger parallel investigations.
DORA's ICT risk management framework requires financial entities to identify, classify, and manage risks arising from ICT systems, which includes AI tools and the cloud services that host them. Every financial entity other than a microenterprise must run a digital operational resilience testing programme (Article 24) covering the ICT systems that support critical or important functions, so an AI model behind credit decisions is in scope. The advanced tier, threat-led penetration testing (TLPT, Article 26), applies only to entities that the KNF identifies under the criteria in Article 26(8) and the TLPT regulatory technical standard, broadly size, systemic importance, and ICT risk profile; DORA sets no ICT-budget threshold for this. Identified entities must carry out TLPT at least every three years, and because DORA has applied since 17 January 2025 the first cycle is now running.
GDPR obligations apply wherever AI systems process personal data, which for financial AI is almost universal. The key obligations are lawful-basis documentation, data minimisation, purpose limitation, and the safeguards for solely automated decisions with legal or similarly significant effects under Article 22: the right to human intervention, to contest the decision, and to meaningful information about the logic involved. The AI Act adds, in Article 86, a right to a clear and meaningful explanation of the role the AI system played in a decision that affects the person's rights. A credit applicant refused by an automated system therefore has rights under both frameworks, and the institution's response must satisfy both simultaneously.
Cross-border data flows add another dimension. Institutions sharing AI model outputs or training data with parent companies or service providers outside the European Economic Area must comply with the GDPR Chapter V transfer mechanisms. The legal analysis for data transfers from Poland to Sweden and data transfers from Poland to the UAE illustrates how the answer depends on the destination: Sweden is inside the EEA, so no transfer mechanism is needed, whereas the UAE has no EU adequacy decision and requires standard contractual clauses backed by a transfer impact assessment. The point is directly relevant to institutions using cloud-based AI infrastructure hosted outside the EEA.
We obtained a favourable UODO determination for a financial services client in Lower Silesia (spring 2026) by structuring their AI training data pipeline under standard contractual clauses with supplementary technical safeguards. The process took approximately 90 days from initial scoping to final documentation.
What are the three business scenarios and common mistakes to avoid?
Scenario one: a domestic commercial bank deploying an automated mortgage-scoring system. The system is high-risk under the AI Act. The bank must complete technical documentation, a DPIA, the Article 27 fundamental rights impact assessment, and a DORA vendor risk assessment before go-live. The human-oversight requirement means a named credit officer must be able to override the model's output. Common mistake: the bank documents the override procedure but provides no training to the officers responsible. Article 26(2) requires oversight staff to have the necessary competence and training, and Article 4 requires AI literacy across staff operating the system; in a KNF review, undocumented training is treated as no training.
Scenario two: a Warsaw-based insurtech using a third-party AI underwriting platform licensed from a UK provider for life and health products. The insurtech is the deployer and carries the Article 26 obligations, even though it did not build the model; the UK vendor, as the provider placing the system on the EU market, must hold the technical documentation and conformity assessment and must appoint an EU authorised representative. The vendor's documentation may not meet AI Act standards. The insurtech must contractually require a compliant technical documentation package and instructions for use before go-live; if it instead substantially modifies the model or deploys it under its own brand, it becomes the provider under Article 25 and must run the conformity assessment itself. Timeframe for remediation after deployment: the AI Act sets no cure period, and regulators expect correction within 30 days of identifying a gap.
Scenario three: a foreign investment management firm establishing a Polish subsidiary and deploying the group's global AI risk-monitoring system locally. The system was built for a non-EU regulatory environment. It must be re-assessed against EU AI Act requirements before use in Poland. The subsidiary's management board carries personal liability under KSH if the system is deployed without a compliant governance framework. Corporate structuring advice – particularly on board liability allocation – is essential at the pre-deployment stage.
What to prepare before deploying a high-risk AI system:
- AI system inventory with risk classification for each tool
- Technical documentation package covering design, data, and performance metrics
- DPIA completed and signed off by the Data Protection Officer, plus the Article 27 fundamental rights impact assessment for credit-scoring and life or health insurance systems
- DORA vendor risk assessment for any third-party AI provider
- Named human-oversight officers with documented authority to intervene
The most persistent governance mistake across all three scenarios is sequencing: institutions build the AI system first and attempt compliance documentation afterwards. The AI Act's conformity assessment is designed to be completed before deployment. Retrofitting documentation to a live system is both legally precarious and operationally expensive – typically costing two to three times more than pre-deployment compliance work.
Your institution's AI deployment timeline may already be creating irreversible compliance exposure. If a high-risk system is live without completed technical documentation, each day of operation compounds the regulatory risk, and a KNF inquiry opened while documentation is absent is significantly harder to resolve than one where documentation existed but was incomplete.
To receive an expert assessment of your institution's AI governance readiness, contact info@kordeckipartners.com.
Frequently asked questions
Q: How long does it take to build an AI governance framework for a mid-sized Polish financial institution?
A: For an institution with five to fifteen AI systems in production, a governance framework covering classification, documentation, and organisational structure typically takes between 60 and 120 days to implement. The timeline depends heavily on whether existing DORA and GDPR documentation can be adapted or must be created from scratch. Legal counsel involvement from the start reduces the timeline by avoiding rework at the documentation stage.
Q: Is it a misconception that DORA compliance covers AI governance requirements?
A: Yes – this is one of the most common misunderstandings. DORA covers ICT risk management and operational resilience, but it does not satisfy the AI Act's conformity assessment, technical documentation, or human-oversight requirements. An institution that is fully DORA-compliant may still be materially non-compliant under the AI Act. The two frameworks must be addressed in parallel, not sequentially.
Q: What does the KNF expect from supervised institutions regarding AI governance in 2026?
A: The KNF has signalled that AI governance will be a supervisory priority throughout 2026, aligned with EBA guidelines on internal governance and the AI Act's phased applicability timeline (the Annex III high-risk obligations apply from 2 August 2026). Institutions can expect the KNF to request AI system inventories, governance policy documentation, and evidence of human-oversight mechanisms as part of routine supervisory reviews. The absence of a written AI governance policy is treated as a governance deficiency, which can affect an institution's supervisory rating.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to AI regulation, DORA compliance, and technology law. We work with Polish financial institutions, foreign investors, and in-house legal teams navigating the EU AI Act, GDPR Poland obligations, and digital operational resilience requirements. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.