A Warsaw-based software company deploys a machine-learning tool to screen job applicants. A Kraków fintech uses an automated model to approve consumer credit. A Silesian hospital installs an AI-driven diagnostic imaging system. Each of these businesses may have already crossed a threshold that triggers binding obligations under the EU AI Act – and many of their legal teams do not yet know it.
The EU AI Act establishes a tiered risk classification framework that identifies specific AI systems as "high-risk," imposing mandatory conformity assessments, technical documentation, and post-market monitoring obligations before deployment. Systems in regulated sectors – including credit scoring, medical devices, employment, and critical infrastructure – face the most demanding requirements. Polish operators and foreign investors deploying AI in Poland must comply with these rules under timelines that have already begun to run.
This service page explains which sectors and systems fall under the high-risk classification, what obligations that classification triggers, where Polish and cross-border operators most commonly misread the rules, and what a practical compliance roadmap looks like. The analysis covers four core areas: the classification framework, sector-specific obligations, cross-border pitfalls, and a self-assessment checklist for Polish operators.
How does the AI Act's risk classification framework work?
The EU AI Act divides AI systems into four tiers: unacceptable risk (banned outright), high-risk (subject to mandatory pre-deployment requirements), limited risk (transparency obligations only), and minimal risk (no specific obligations). High-risk classification is the operative category for most commercial AI deployments in regulated industries. Misclassifying a system as limited-risk when it is legally high-risk forfeits the operator's right to deploy it lawfully – and that window does not reopen without full conformity remediation.
Two routes lead to high-risk classification. First, a system constitutes a safety component of a product already regulated under EU harmonisation legislation – medical devices, machinery, aviation equipment, and similar categories. Second, a system falls within one of the eight standalone high-risk application areas listed in the Act's annex. These include biometric identification, critical infrastructure management, education and vocational training, employment and worker management, access to essential private and public services, law enforcement, migration and border control, and administration of justice.
The classification assessment is not optional. Under EU technology regulation, providers – meaning those who develop or place AI systems on the market – bear primary responsibility for the assessment. Deployers, meaning those who put systems into operation in a professional context, carry secondary obligations. Both categories of actor are exposed in Poland. The Urząd Ochrony Konkurencji i Konsumentów (Office of Competition and Consumer Protection, UOKiK) and the Urząd Komunikacji Elektronicznej (Office of Electronic Communications, UKE) are among the Polish supervisory bodies expected to exercise market surveillance powers once national implementing legislation is in place.
One practical difficulty: the Act's annex is not a closed list in the way a statutory schedule might appear. The European Commission holds delegated power to amend it. Operators should therefore treat the current annex as a minimum, not a ceiling. A classification that appears safe today may shift within 12 to 18 months.
Which sectors and systems face the highest compliance burden?
High-risk classification is not uniformly demanding across all eight application areas. The compliance burden concentrates in five sectors where AI decisions directly affect individual rights, financial access, or physical safety. Understanding where your system sits within that spectrum determines how much technical and legal investment the Act requires before deployment is lawful.
Financial services carry an acute exposure. AI systems used for creditworthiness assessment, insurance risk profiling, and fraud detection in retail banking fall squarely within the access-to-essential-services category. A fintech deploying a credit-scoring model in Poland must maintain a technical file, implement a quality management system, and register the system in the EU database for high-risk AI before commercial launch. The intersection with GDPR obligations in Poland – particularly the restrictions on automated decision-making – creates a dual compliance layer that many operators underestimate. DORA compliance requirements for financial entities add a third dimension, since AI systems embedded in ICT infrastructure may simultaneously trigger DORA incident-reporting and resilience obligations.
Healthcare and medical technology represent the second concentration point. AI systems that constitute safety components of medical devices regulated under the EU Medical Device Regulation are automatically high-risk. Diagnostic imaging tools, patient triage algorithms, and clinical decision-support software all require conformity assessment through a notified body – not self-declaration. The Urząd Rejestracji Produktów Leczniczych, Wyrobów Medycznych i Produktów Biobójczych (Office for Registration of Medicinal Products, Medical Devices, and Biocidal Products, URPL) is the relevant Polish authority for device registration, and its procedures interact directly with AI Act conformity timelines.
Employment and HR technology is the area where mid-market Polish companies most frequently underestimate their exposure. AI tools used to sort CVs, rank candidates, allocate shifts, monitor worker performance, or recommend terminations are explicitly listed as high-risk. This applies whether the system is built in-house or licensed from a third-party SaaS provider. Deployers who purchase off-the-shelf HR automation tools cannot outsource their compliance obligations to the vendor.
The five highest-burden system categories:
- Credit scoring and insurance underwriting models
- Medical device safety components and diagnostic AI
- CV screening, performance monitoring, and termination-recommendation tools
- Biometric identification systems in public or professional settings
- Critical infrastructure management, including energy grid and water systems
We secured a compliance gap analysis and full technical-file remediation for a Warsaw-based HR technology provider facing a deployment deadline in spring 2026. The system had been classified as limited-risk by the client's internal team. Reclassification as high-risk required six weeks of remediation work before lawful launch was possible.
What obligations does high-risk classification actually trigger?
High-risk classification activates a structured set of pre-deployment and ongoing obligations. These are not aspirational standards. They are legally binding requirements whose absence exposes providers and deployers to administrative fines of up to EUR 30 million or 6% of global annual turnover, whichever is higher. The irreversible consequence is that a system deployed without meeting these requirements must be withdrawn from the market – a disruption that is far costlier than pre-deployment compliance.
The core pre-deployment obligations fall into five categories. Providers must establish a quality management system covering risk management, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy, and cybersecurity. Each element has its own documentation standard. Technical documentation alone must be maintained throughout the system's lifecycle and updated whenever a modification affects the system's risk profile.
Conformity assessment is the procedural gate. For most high-risk systems, providers may self-assess against the Act's requirements and issue an EU declaration of conformity. However, systems that are safety components of products already subject to third-party conformity assessment under sector legislation – medical devices being the clearest example – must go through a notified body. The notified body route adds three to six months to a typical deployment timeline. Planning that buffer into product roadmaps is not optional; it is a commercial necessity.
For deployers – the businesses putting systems into operation – the obligations are narrower but still material. Deployers must conduct a fundamental rights impact assessment for high-risk systems used by public authorities or private operators providing essential services. They must implement human oversight measures. They must monitor system performance in operation and report serious incidents to the relevant market surveillance authority within defined timeframes. The human oversight requirement deserves particular attention: it is not satisfied by a nominal "override button." The Act requires that oversight personnel have the competence, authority, and time to actually intervene.
For IP and technology lawyers advising Polish clients, the contractual dimension of AI Act compliance frequently surfaces in negotiations. Provider-deployer agreements must now allocate AI Act obligations explicitly. A deployer who accepts a vendor contract that places all compliance responsibility on the deployer, without corresponding technical warranties from the provider, is accepting a liability that the commercial relationship does not support.
What cross-border pitfalls affect foreign investors deploying AI in Poland?
For a German investor entering the Polish market with an AI-powered product, the AI Act creates a jurisdictional complexity that purely domestic operators do not face. The Act applies to providers placing systems on the EU market, regardless of where the provider is established. A US or Israeli AI vendor whose system is deployed by a Polish company is subject to the Act – and the Polish deployer may bear residual obligations if the provider has not established an EU representative. That gap in the contractual chain is a live enforcement risk.
The cross-border dimension also affects how GDPR compliance is structured in Poland. High-risk AI systems that process personal data – which most employment, credit, and healthcare AI systems do – must satisfy both the AI Act's data governance requirements and GDPR's lawful basis, data minimisation, and purpose limitation principles. The two frameworks do not map cleanly onto each other. An AI system that satisfies GDPR's legitimate interest basis may still fail the Act's data governance standard, which requires training and validation datasets to be relevant, representative, and free of errors to the extent possible.
Foreign investors should also consider how the AI Act interacts with sector-specific Polish regulation. For technology companies entering Poland with AI-enabled products, the IP protection strategy for technology companies in Poland is directly relevant: trademark and IP ownership structures must be aligned with the entity that bears AI Act provider obligations, since misalignment between the IP-holding entity and the deploying entity can create enforcement gaps. Similarly, tax structuring decisions affect which entity in a group is treated as the "provider" for AI Act purposes – a point explored in our analysis of tax structuring for investors entering Poland.
Data transfer obligations add a further layer. High-risk AI systems often process personal data across borders. Where training data or operational data flows outside the European Economic Area, the transfer must comply with GDPR Chapter V. Our guidance "Data transfer from Poland: legal mechanisms" addresses the instruments available, including standard contractual clauses and adequacy decisions, which must be assessed before a cross-border AI deployment goes live.
We obtained a favourable regulatory opinion for a German investor's AI-powered logistics subsidiary in Lower Silesia (autumn 2025), allowing the system to proceed to deployment after a three-month conformity remediation that addressed both AI Act and GDPR data governance requirements simultaneously.
To receive an expert assessment of your AI system's classification status and cross-border compliance exposure, contact info@kordeckipartners.com.
How should Polish operators run a self-assessment for high-risk classification?
Self-assessment under the AI Act is not a one-time exercise. It is a structured process that must be documented, reviewed when the system changes, and repeated if the regulatory annex is amended. Polish operators who treat classification as a legal checkbox rather than an ongoing technical and legal process will find themselves out of compliance within 12 months of initial deployment – often without realising it.
The starting point is function, not label. A system's marketing description is irrelevant to its classification. What matters is what the system does, in what context, and what decisions it influences or makes. An AI tool described commercially as a "recommendation engine" may legally function as an employment decision-making system. The classification analysis must be grounded in the system's actual technical operation.
The second step is sector mapping. Does the system operate in one of the eight high-risk application areas? Does it constitute a safety component of a regulated product? Both questions require a legal analysis that goes beyond the system's documentation. Sector lawyers – not just AI engineers – must be involved at this stage. The AI Act compliance picture in Poland is inseparable from sector-specific regulation in financial services, healthcare, and employment.
The third step is gap analysis against the Act's requirements. For each high-risk obligation – quality management, risk management, data governance, technical documentation, transparency, human oversight, accuracy, cybersecurity – the operator must assess current state against required state and document the gap. This analysis forms the foundation of the conformity assessment and the technical file.
Self-assessment checklist for Polish operators:
- Map the AI system's actual function against the eight high-risk application areas and the product safety component route
- Identify whether your organisation is the provider, the deployer, or both – and document the basis for that determination
- Assess data governance: are training and validation datasets documented, representative, and compliant with GDPR?
- Confirm human oversight measures are substantive, not nominal, and that oversight personnel have adequate competence and authority
- Review all vendor contracts for AI Act obligation allocation and request technical file access from providers
One common misconception: operators assume that using a third-party AI system means the third party bears all AI Act obligations. This is incorrect. Deployers who customise a high-risk system – by retraining it on proprietary data, for example – may be reclassified as providers for the purposes of the modified system. That reclassification triggers the full provider obligation stack, including conformity assessment. The threshold for what counts as a "substantial modification" is defined in the Act and should be reviewed with legal counsel before any customisation project begins.
The timeline for affected sectors is also material. The AI Act's high-risk provisions apply from August 2026 for most systems. Systems already in service before that date benefit from a transitional period, but that period requires operators to demonstrate that the system was in service before the deadline – a factual matter that requires contemporaneous documentation now.
Frequently asked questions
Q: If we license an AI system from a US vendor, who bears the AI Act compliance obligations in Poland?
A: The primary obligation rests with the provider – the entity that places the system on the EU market. If the US vendor has no EU establishment, it must appoint an EU representative. However, as the deployer, your Polish entity bears independent obligations: fundamental rights impact assessment, human oversight implementation, and incident reporting. Vendor contracts should explicitly allocate these obligations. A deployer who accepts a contract placing all compliance responsibility on itself, without technical warranties from the provider, is accepting a disproportionate liability.
Q: How long does a conformity assessment take for a high-risk AI system in Poland?
A: For systems that can self-assess, the process typically takes eight to sixteen weeks if documentation is well-organised and gaps are identified early. Systems requiring a notified body – primarily those constituting safety components of regulated products under medical device or machinery legislation – should budget an additional three to six months for notified body review. The August 2026 application deadline for most high-risk provisions means that systems under development now should begin conformity assessment no later than the first quarter of 2026.
Q: Does using AI only for internal HR purposes, not for customer-facing decisions, reduce compliance obligations?
A: No. Employment and worker management AI is a listed high-risk application area regardless of whether the affected persons are customers or employees. A performance monitoring tool used internally for shift allocation, productivity scoring, or termination recommendations is high-risk under the Act. The obligation to conduct a fundamental rights impact assessment, maintain technical documentation, and implement human oversight applies in full. This is one of the most common misconceptions among Polish mid-market operators and one that carries direct personal liability risk for management if the system is deployed without compliance.
For a tailored strategy on AI Act classification and conformity assessment for your sector, reach out to info@kordeckipartners.com.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to AI regulation, IP protection, and technology compliance. We work with Polish entrepreneurs, foreign investors, and in-house legal teams navigating EU AI Act, DORA, and GDPR obligations. To discuss your situation, contact info@kordeckipartners.com.
Jakub specialises in IP, technology law, AI regulation, and DORA.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.