A Warsaw-based software company deploys an AI-powered hiring tool to screen candidates for a logistics client. Weeks later, a compliance officer raises a flag: the system may fall within the Rozporządzenie w sprawie sztucznej inteligencji (EU Artificial Intelligence Act, AI Act) high-risk category. The company had assumed classification was someone else's problem. It was not.

The AI Act establishes a mandatory risk-based classification framework that applies directly across all EU member states, including Poland. Systems placed in the high-risk category face obligations covering conformity assessment, technical documentation, human oversight, and registration in the EU database before market deployment. Non-compliance triggers fines of up to EUR 30 million or 6% of global annual turnover, whichever is higher. Polish operators, importers, and deployers are subject to these rules from August 2026 for most high-risk categories.

This page sets out which sectors and systems attract high-risk status, what obligations follow, where Polish businesses typically go wrong, and how cross-border deployments add a further layer of complexity. A self-assessment checklist and FAQ are included at the end.

What makes an AI system "high-risk" under the AI Act?

High-risk status is not a judgment about how dangerous a system feels. It is a legal classification based on two criteria: the area of deployment and the role the system plays in decisions affecting individuals. The AI Act sets out both criteria in its annexes, and both must be read together. Misreading either one is the most common source of misclassification.

The first criterion covers eight regulated sectors. These include biometric identification, management of critical infrastructure, education and vocational training, employment and worker management, access to essential private and public services, law enforcement, migration and border control, and administration of justice. Any AI system operating in these sectors is presumptively high-risk unless a specific exclusion applies.

The second criterion focuses on function. A system is high-risk only if it takes a decision, or meaningfully influences a decision, that affects a person's legal status, access to services, or safety. A tool that merely generates draft text for a human reviewer who then decides independently sits in a different category – though that distinction is narrower than many assume. The Office of Competition and Consumer Protection (UOKiK) in Poland has already signalled interest in how this boundary is drawn in consumer-facing deployments.

One concrete figure matters here: systems already on the market before 2 August 2026 may benefit from a transitional window, but new deployments after that date must comply from day one. There is no grace period for high-risk systems deployed for the first time after the deadline.

Read together, the two criteria capture systems such as the following:

  • Biometric categorisation and remote identification systems
  • AI used in recruitment, performance assessment, or dismissal decisions
  • Credit scoring and insurance risk evaluation tools
  • AI supporting judicial or administrative decision-making
  • Systems managing access to education, housing, or social benefits

Which Polish sectors face the highest exposure?

Poland's industrial and service economy means high-risk exposure is concentrated in four areas: financial services, manufacturing-adjacent HR systems, healthcare, and public administration. Each carries distinct compliance timelines and supervisory risks. The Polish Financial Supervision Authority (KNF) and the Personal Data Protection Office (UODO) are the most active domestic regulators watching this space.

Financial services present the clearest pressure point. Banks and insurers using AI for credit decisions, fraud detection, or claims assessment fall squarely within the high-risk category. DORA compliance already requires financial entities to manage ICT risks from third-party providers. The AI Act adds a parallel layer: the same vendor contract that satisfies DORA may need supplementary AI Act clauses covering transparency, logging, and human oversight. Firms that treat these as separate workstreams will duplicate effort and create gaps.

HR technology is the second concentration point. Any AI system used in Poland to screen CVs, rank candidates, monitor employee performance, or inform termination decisions is high-risk. This applies whether the tool is developed in-house or licensed from a foreign vendor. (A US-headquartered HR platform deployed by a Polish entity makes the Polish entity the deployer under the AI Act – full obligations apply.) For context on US technology licensing arrangements, see our IP and technology practice for US-linked matters.

Healthcare AI – diagnostic support tools, triage systems, treatment recommendation engines – carries additional complexity because it overlaps with Medical Device Regulation (MDR) requirements. A system classified as a medical device under MDR and also high-risk under the AI Act must satisfy both regimes. The conformity assessment paths are not identical.

We assisted a manufacturing client in Silesia (spring 2026) in mapping its supplier-facing AI procurement tool against the high-risk annexes. The system was initially classified internally as low-risk. After analysis, two modules triggered high-risk status under the employment and essential-services categories. Reclassification added four months to the deployment timeline.

What obligations apply once a system is classified as high-risk?

Classification triggers a structured compliance programme. The AI Act imposes six categories of obligation on providers (those who develop or place the system on the market) and a separate, lighter set on deployers (those who use it under their own authority). Both roles can apply to the same Polish entity simultaneously.

Providers must establish a quality management system covering the full AI lifecycle. This includes a risk management file updated throughout development, technical documentation sufficient for post-market surveillance, and a conformity assessment – either self-assessment or third-party audit depending on the sector. For biometric and law-enforcement AI, third-party assessment is mandatory.

Deployers face three core obligations. First, they must conduct a fundamental rights impact assessment before deployment where the system processes personal data at scale. Obligations in Poland under the General Data Protection Regulation (GDPR) run in parallel: any high-risk AI system processing personal data will almost certainly require a Data Protection Impact Assessment (DPIA) under GDPR as well. Second, deployers must implement human oversight measures – not merely nominal review, but genuine capacity to intervene. Third, deployers must register the system in the EU AI database maintained by the European Commission before going live.

One deadline stands out: registration in the EU database must occur before deployment, not after. Many Polish businesses are treating registration as a post-launch formality. It is not. Deploying a registered-but-non-compliant system carries different legal consequences than deploying an unregistered one – and both carry personal liability risk for senior management.

In summary, the core obligations are:

  • Quality management system with documented risk management file
  • Technical documentation for post-market surveillance
  • Conformity assessment (self or third-party depending on sector)
  • Fundamental rights impact assessment for deployers
  • EU AI database registration before deployment

For organisations already managing data transfer obligations, the compliance architecture overlaps with cross-border data flows. Our analysis of data transfer from Poland to the UAE illustrates how layered obligations interact in practice.

Where do Polish businesses most often go wrong?

Complexity is the dominant risk here – not bad faith, but genuine misreading of how the classification rules interact with existing Polish and EU law. Three failure patterns appear repeatedly in practice.

The first is vendor-shifting. A Polish company licenses an AI tool from a foreign provider and assumes that the provider carries all compliance obligations. Under the AI Act, this is only partially correct. Providers bear the primary technical obligations. But deployers carry independent duties – oversight, registration, impact assessment – that cannot be contracted away. A vendor indemnity clause does not substitute for a compliant oversight mechanism.

The second failure pattern involves scope creep. A system is initially deployed for a low-risk use case – say, document summarisation. Over time, its outputs begin informing HR or credit decisions. Nobody updates the classification. The system is now functionally high-risk but legally undocumented as such. This gap is exactly what regulators will examine first in enforcement actions. Polish corporate law already imposes personal liability on board members for regulatory breaches under the Kodeks spółek handlowych (Commercial Companies Code, KSH); AI Act non-compliance fits within that framework.

The third pattern is treating AI Act compliance as an IT project rather than a legal and governance matter. Technical documentation is necessary but not sufficient. The obligations around human oversight, fundamental rights assessment, and contractual allocation between provider and deployer are legal questions. Firms that delegate the entire programme to IT departments without legal oversight will have documentation gaps that surface during audit.

We obtained a corrected classification determination for a fintech client in Mazowieckie (autumn 2025), reversing an internal assessment that had placed a credit-scoring module outside the high-risk category. The correction prevented a deployment that would have been non-compliant from day one, avoiding fines that could have reached EUR 15 million given the company's turnover.

Non-compete restrictions on AI engineers and data scientists add another dimension. Businesses relying on key technical staff to maintain compliance documentation should review enforceability carefully. Our note on non-compete clauses in Poland covers the relevant limits.

How do cross-border deployments affect classification in Poland?

Poland sits at an intersection of EU regulatory obligations and strong inbound technology investment from the US, Germany, Israel, and increasingly Asia. Cross-border deployments raise four specific issues that domestic-only analysis misses.

First, jurisdiction. The AI Act applies to providers placing systems on the EU market and to deployers using systems within the EU, regardless of where the provider is established. A US or Israeli company with no Polish subsidiary but whose AI tool is deployed by a Polish entity triggers AI Act obligations for that Polish deployer. The deployer cannot shift classification responsibility to a non-EU provider who has not appointed an EU representative.

Second, parallel regimes. DORA compliance for financial entities, GDPR requirements in Poland, the MDR for healthcare AI, and sector-specific Polish legislation all intersect with AI Act obligations. A single system can simultaneously require a DPIA under GDPR, a conformity assessment under MDR, and registration under the AI Act. Treating these as sequential rather than parallel processes adds months to deployment timelines.

Third, contractual allocation. Cross-border AI contracts drafted before August 2026 typically lack AI Act provisions. Provider-deployer agreements need clauses allocating responsibility for technical documentation, incident reporting, and post-market monitoring. Where the provider is outside the EU, the deployer may need to assume provider-equivalent obligations – a significant shift in risk profile.

Fourth, trademark and IP considerations. AI systems trained on proprietary datasets or generating outputs that embed third-party IP create trademark and copyright exposure that sits alongside AI Act compliance. An IP lawyer in Warsaw familiar with both regimes is better positioned to advise on system design choices than a compliance specialist working from either framework alone.

Self-assessment checklist and next steps

Before engaging external counsel, Polish businesses can use the following checklist to gauge their exposure. Each item corresponds to a distinct compliance obligation. Any "yes" answer in items one through five indicates a high-risk system requiring a full compliance programme before August 2026.

  • Does the system operate in any of the eight regulated sectors listed in the AI Act annexes?
  • Does the system's output directly inform or substitute for a human decision affecting a person's rights, access to services, or safety?
  • Has the system's use case expanded since initial deployment without a fresh classification review?
  • Does the vendor contract allocate AI Act obligations clearly between provider and deployer?
  • Is the system registered, or scheduled for registration, in the EU AI database before deployment?

Three business scenarios illustrate how the checklist maps to practice. A manufacturing company in Silesia using AI to schedule shift patterns – and where the output influences performance assessments – faces high-risk classification under the employment category. An IT services firm in Warsaw licensing a US-developed code-review tool faces deployer obligations even if the provider holds all technical documentation. A foreign investor establishing a Polish subsidiary to offer AI-assisted financial advice faces both AI Act and KNF licensing obligations from day one of operation.

The decision matrix is straightforward. If the system is high-risk: engage legal counsel, complete the conformity assessment, register before deployment, implement human oversight. If classification is uncertain: conduct a formal scoping exercise – the cost of a scoping exercise is a fraction of the EUR 30 million maximum fine. If the system is not high-risk but processes personal data: GDPR obligations still apply in full.

Specific situations require tailored analysis. The classification rules interact with sector law, contract structure, and existing compliance programmes in ways that generic guidance cannot fully capture.

To receive an expert assessment of your AI system's classification status and compliance obligations under the AI Act, contact info@kordeckipartners.com.

Frequently asked questions

Q: Does the AI Act apply to Polish companies using AI tools built by foreign providers?

A: Yes. The AI Act applies to deployers – entities that use an AI system under their own authority – regardless of where the provider is based. A Polish company deploying a US-built hiring tool carries independent obligations covering oversight, impact assessment, and registration. These cannot be delegated entirely to the foreign provider, particularly if that provider has not appointed an EU representative under the AI Act.

Q: How long does a conformity assessment take, and what does it cost?

A: For self-assessment (available in most high-risk categories outside biometrics and law enforcement), the process typically takes three to six months depending on documentation maturity. Third-party assessment adds two to four months and notified-body fees that vary by sector and system complexity. Starting documentation work before the August 2026 deadline is strongly advisable – notified-body capacity in the EU is limited.

Q: Is a GDPR Data Protection Impact Assessment the same as the AI Act fundamental rights impact assessment?

A: No, though they overlap. A DPIA under the General Data Protection Regulation focuses on risks to data subjects arising from personal data processing. The AI Act fundamental rights impact assessment is broader: it covers impacts on rights beyond data protection, including non-discrimination, access to justice, and fair treatment. Both assessments are typically required for high-risk AI systems processing personal data at scale. Running them as a combined exercise is efficient but requires care to ensure neither is truncated.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to AI regulation, IP, technology law, and DORA compliance. We work with Polish entrepreneurs, foreign investors, and in-house legal teams navigating the AI Act's classification and conformity requirements. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.