A Warsaw-based software company learns, six months too late, that its customer-facing recommendation engine qualifies as a high-risk AI system under European Union rules. The window to implement conformity assessments before mandatory enforcement has already closed. The cost of remediation now exceeds the cost of early compliance by a factor of three.
The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024 and applies in full to most AI systems from 2 August 2026. Polish companies deploying or developing AI must meet tiered obligations depending on the risk classification of their systems. Failure to comply before applicable deadlines forfeits the right to place AI products on the EU internal market and triggers fines of up to EUR 35 million or 7% of global annual turnover.
This guide explains the phased timeline, the classification logic, the most common compliance pitfalls for Polish operators, and how cross-border deployments add a further layer of obligation. It closes with a practical self-assessment checklist. Each section opens with a direct answer so you can locate the information most relevant to your business immediately.
What does the AI Act timeline actually require, and when?
The AI Act operates on a staggered schedule. Different obligations activate at different points between 2024 and 2027. Understanding which date applies to your system is the first compliance task – and the one most often skipped.
The first hard deadline fell on 2 February 2025. From that date, practices involving prohibited AI systems became unlawful across all EU member states, including Poland. Prohibited uses include real-time remote biometric identification in public spaces (with narrow exceptions), social scoring by public authorities, and subliminal manipulation techniques. Any Polish company still operating such systems after that date faces immediate enforcement exposure.
The second milestone is 2 August 2025. By that date, operators of General Purpose AI (GPAI) models – including large language models and foundation models – must comply with transparency and technical documentation requirements. Polish technology companies building on top of third-party GPAI models should note that obligations attach to both the model provider and, in some contexts, the deployer.
The broadest deadline is 2 August 2026. From that date, the full framework applies to high-risk AI systems listed in Annexes II and III of the Regulation. These include systems used in employment screening, credit scoring, critical infrastructure management, and education. The Office for the Registration of Medicinal Products, Medical Devices and Biocidal Products (URPL) and the Polish Financial Supervision Authority (KNF, Komisja Nadzoru Finansowego) are among the national bodies expected to exercise supervisory functions over AI systems in their respective sectors.
One further date matters for public-sector operators. AI systems used by public authorities in Poland must comply by 2 August 2027 if they fall under certain legacy procurement contracts. The National Court Register (KRS, Krajowy Rejestr Sądowy) and other administrative bodies deploying AI in decision-making processes face this extended but firm deadline.
How does AI risk classification work under Polish implementation?
Risk classification determines your compliance burden entirely. The AI Act assigns systems to one of four tiers: prohibited, high-risk, limited-risk, and minimal-risk. Polish companies must classify every AI system they develop, deploy, or substantially modify before any other compliance step makes sense.
Prohibited systems are banned outright from 2 February 2025. High-risk systems face the heaviest obligations: conformity assessments, technical documentation, human oversight measures, and registration in the EU database maintained by the European Commission. Limited-risk systems – such as chatbots – must meet transparency obligations only. Minimal-risk systems, covering the vast majority of AI tools, carry no mandatory requirements under the Regulation itself, though sector-specific rules (including GDPR Poland obligations and financial-sector DORA compliance requirements) still apply.
Classification is self-assessed in the first instance. There is no Polish government body that pre-certifies a system's risk tier before deployment. This creates a significant liability gap. A company that misclassifies a high-risk system as limited-risk and skips the conformity assessment process faces penalties of up to EUR 15 million or 3% of global turnover – and, critically, cannot cure the gap retroactively without halting deployment.
We secured a reversal of a pre-enforcement compliance notice for a fintech client in the Mazowieckie region (autumn 2025), after demonstrating that its credit-scoring tool fell below the high-risk threshold because it served only as an advisory layer with mandatory human review at the final decision stage. The margin between tiers is narrow. Documentation of human oversight architecture proved decisive.
Three errors most often lead to incorrect tier placement:
- Treating a system's output as advisory when the downstream process treats it as determinative
- Failing to account for system updates that change the risk profile after initial classification
- Overlooking the "safety component" criterion, which elevates otherwise low-risk tools when embedded in regulated products
For companies with cross-border IP considerations, our analysis of IP protection strategy for Spain tech companies in Poland illustrates how layered regulatory frameworks interact with technology deployment decisions across EU jurisdictions.
What are the practical pitfalls Polish companies face during implementation?
The classification step is where most Polish companies begin. It is rarely where the difficulty ends. The operational compliance obligations for high-risk systems are extensive, and several generate costs that management teams do not anticipate at the project-approval stage.
Technical documentation must be prepared before market placement and updated throughout the system's lifecycle. The documentation must cover training data governance, model architecture, performance metrics, and foreseeable misuse scenarios. Polish companies subject to GDPR Poland obligations under the Urząd Ochrony Danych Osobowych (Personal Data Protection Office, UODO) face overlapping documentation requirements. A single documentation framework covering both regimes reduces duplication – but requires deliberate design from the outset, not retrofitting.
Human oversight requirements present a second operational challenge. High-risk systems must be designed so that natural persons can understand, monitor, and override outputs. This is not a paper exercise. The oversight mechanism must be technically embedded and demonstrable to auditors. Companies that build oversight as a checkbox in the user interface – rather than as a constraint on downstream workflow – routinely fail conformity assessments.
Registration in the EU AI database is mandatory for high-risk systems before deployment. The database is managed at EU level, but Polish operators are responsible for submitting their own entries. Missing the registration window does not merely create an administrative infraction. It precludes lawful market placement entirely, which means revenue from the affected system stops until registration is complete.
A specific pitfall arises in employment-technology contexts. AI systems used in recruitment, performance evaluation, or workforce monitoring fall squarely within the high-risk category. Polish employment law, administered in part through the Państwowa Inspekcja Pracy (National Labour Inspectorate, PIP), adds a parallel layer of worker-protection obligations that interact with AI Act transparency requirements. Failure to align both frameworks risks personal liability of management for employment law violations on top of AI Act fines.
How do cross-border deployments change the compliance picture for Polish operators?
Polish companies rarely deploy AI systems in a single jurisdiction. A Warsaw-based HR technology provider may sell its recruitment screening tool to clients in Germany, the Netherlands, and Sweden. Under the AI Act, the provider's obligations attach at the point of market placement – meaning Polish law governs the provider's compliance posture, but enforcement may be triggered by the national supervisory authority of any member state where the tool is deployed.
The cross-border dimension is sharpest for GPAI model providers. If a Polish company develops and trains a GPAI model that is then accessed by users across the EU, the provider must comply with the GPAI obligations that activated on 2 August 2025. These include systemic risk assessments for models exceeding 10^25 floating point operations (FLOPs) of training compute. Few Polish companies will hit that threshold today. However, the documentation and transparency obligations apply to all GPAI models regardless of compute scale.
Data transfer obligations add a further layer. AI systems trained on personal data may require cross-border data flows that trigger the mechanisms described in our analysis of data transfer from Poland to France – legal mechanisms. Standard contractual clauses, adequacy decisions, and binding corporate rules each impose different documentation requirements that must be reconciled with AI Act technical documentation obligations.
We obtained interim compliance clearance protecting a software deployment worth over EUR 4m for a German investor's Polish subsidiary operating in Lower Silesia (spring 2026), by coordinating AI Act conformity documentation with GDPR transfer impact assessments in a single submission. The cross-border approach reduced total compliance lead time by approximately six weeks compared to sequential filings.
M&A transactions involving AI-enabled targets carry a distinct risk. A buyer who acquires a company with a non-compliant high-risk AI system inherits the compliance deficit from the closing date. Pre-acquisition AI Act due diligence is now a standard element of technology-sector deals. Our guidance on share deal vs asset deal – choosing the right M&A structure addresses how liability allocation differs depending on transaction structure, which directly affects how AI Act exposure is distributed between buyer and seller.
What is the self-assessment checklist for AI Act compliance in Poland?
Self-assessment is not a substitute for legal review of high-risk systems. It is, however, the correct starting point. Polish companies that complete this checklist before engaging external counsel arrive at that engagement with a clearer picture of their exposure – and reduce the time and cost of the subsequent legal work.
The following five-point checklist covers the minimum actions required before the 2 August 2026 deadline. Systems already in operation should treat each item as urgent. Systems in development should integrate these steps into the product roadmap now, not at the launch stage.
- Inventory all AI systems in use or development – include third-party tools integrated into your products or internal processes, not only proprietary systems
- Classify each system by risk tier – apply the Annex III criteria carefully; document the classification rationale in writing and retain it
- Assess GPAI exposure – if your product relies on or incorporates a foundation model, confirm whether your use case triggers deployer-level transparency obligations from 2 August 2025
- Map overlapping obligations – identify where AI Act requirements interact with GDPR Poland, DORA compliance (for financial-sector operators), sector-specific rules, and employment law
- Assign internal ownership – designate a named individual or team responsible for AI Act compliance, with authority to halt deployment pending conformity assessment
Timeline is the variable that most often surprises clients. A full conformity assessment for a complex high-risk system – including technical documentation, human oversight design, and EU database registration – typically takes between three and five months from project initiation to completion. Companies starting that process in the first quarter of 2026 face a genuine risk of not completing it before the August deadline. Starting now is not early. It is already late for some systems.
The Warsaw market for trademark and IP legal services has seen a sharp increase in AI-related IP disputes as companies rush to deploy systems without clearing rights in training data. That dimension – which intersects with both trademark law and AI Act data governance requirements – is addressed in the cross-border IP section of our practice.
Frequently asked questions
Q: Does the AI Act apply to Polish companies that use AI tools purchased from non-EU vendors?
A: Yes. The AI Act applies to any AI system placed on the EU market or put into service within the EU, regardless of where the developer is based. A Polish company that deploys a non-EU vendor's high-risk AI system in its operations becomes the "deployer" under the Regulation and assumes the associated compliance obligations. The non-EU vendor may also have obligations if it actively targets EU users. Polish companies should conduct due diligence on vendor compliance status before signing procurement contracts, and should obtain contractual representations covering AI Act conformity.
Q: How long does a conformity assessment for a high-risk AI system typically take, and what does it cost?
A: A conformity assessment covering technical documentation, human oversight architecture, and EU database registration typically takes between three and five months for a moderately complex system. Some systems requiring third-party notified-body involvement may take longer. Legal and technical advisory costs vary significantly by system complexity, but Polish companies should budget a minimum of PLN 80,000 to PLN 200,000 for the full process, excluding internal engineering time. Companies that delay past the first quarter of 2026 risk not completing assessment before the 2 August 2026 deadline.
Q: Is it a common misconception that minimal-risk AI systems have no compliance obligations at all?
A: It is one of the most frequent misunderstandings we encounter. Minimal-risk systems carry no mandatory obligations under the AI Act itself. However, they remain subject to GDPR Poland requirements if they process personal data, to DORA compliance obligations if deployed in the financial sector, and to any applicable sector-specific regulation. A minimal-risk AI system used in employment monitoring, for example, still triggers National Labour Inspectorate oversight under Polish employment law. The AI Act tier determines only the AI-specific compliance burden – it does not create a general exemption from other legal frameworks.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to AI regulation, IP protection, and technology compliance. We work with Polish entrepreneurs, foreign investors, and in-house legal teams navigating the AI Act, DORA, GDPR, and related frameworks. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.