Warsaw · Kraków
Chambers Europe · Legal 500 EMEA · Rzeczpospolita
Practice · Chapter One

IP, Technology, AI Act and Data Protection.

We advise software vendors, fintechs, AI startups and enterprises on the new EU regulatory stack: AI Act, DORA, NIS2 and MiCA, plus the established framework of GDPR, trade secrets, trademarks and SaaS contracts. Where regulation outpaces business, we are at the front.

Practice · 01

Scope of services

AI Act prohibitions have been in force since 2 February 2025; high-risk requirements apply from 2 August 2026.

Practice · 02

How we work

01
You describe

Send your situation in 5–10 sentences via form or call.

02
Partner reviews

A partner — not a junior — reads it within 2 business hours.

03
Scope & fee

We propose the scope, timeline, and fee — before any commitment.

04
Engagement

Work begins only after you approve the engagement letter.

Practice · 03

Lead team for this practice

Jakub Górski
Analyst-Author · Adwokat
IP / TMT / AI Act / DORA
Bar admission: Adwokat, ORA Warszawa
Specialisation: AI Act, DORA, GDPR, Trademarks
Languages: Polish, English


Practice · 04

Key jurisdictions

Most common cross-border matters in this practice arrive from:

Practice · 05

Related insights

We publish in-depth analyses weekly. The full archive is available in the Insights section.

Practice · 06

Frequently asked questions

When do AI Act high-risk obligations begin?

AI Act prohibitions (e.g., social scoring) apply from 2 February 2025. General-purpose AI obligations apply from 2 August 2025. High-risk system requirements (conformity assessment, technical documentation, post-market monitoring) apply from 2 August 2026. We map every AI system against Annex III before the deadline.

Who must comply with DORA?

DORA applies to financial entities (banks, investment firms, insurance, payment institutions, crypto-asset service providers) and critical ICT third-party providers. It applies from 17 January 2025. Penalties include 1% of daily worldwide turnover for delays. We complete the ICT risk framework, register of information, and TLPT (threat-led penetration testing) coordination.

How quickly must a data breach be reported under GDPR?

To UODO (data protection authority): within 72 hours of becoming aware of the breach, where it is likely to result in a risk to rights and freedoms. To affected individuals: without undue delay, where the risk is high. The 72-hour period starts from awareness, not from the occurrence of the incident. We coordinate the response across legal, technical and PR teams within hours.

Discuss your matter with a partner

Describe the situation briefly. A partner — not a junior associate — will respond within 2 business hours.