A Warsaw-based software company integrates a machine-learning tool into its HR platform. The tool screens job applicants automatically. Under the EU AI Act, that system is classified as high-risk – and the clock on compliance is already running. Missing the applicable deadline does not just expose the company to regulatory fines. It forfeits the right to place that system on the EU market at all.
The EU AI Act entered into force on 1 August 2024 and applies in stages through to August 2027. Polish companies deploying or developing AI systems must classify their tools, complete conformity assessments, and register high-risk systems before the relevant phase-in deadline. Failure to comply triggers fines of up to EUR 35 million or 7% of global annual turnover – whichever is higher – and may result in a mandatory market withdrawal order.
This page sets out the full implementation timeline, identifies which obligations fall on Polish businesses at each phase, and explains the practical steps required to reach compliance. The analysis covers prohibited systems, high-risk classification, provider and deployer duties, cross-border supply chains, and the self-assessment checklist your legal team needs before the next deadline arrives.
What does the AI Act timeline mean for Polish companies?
The AI Act does not take effect all at once. It operates in four distinct phases, each carrying different obligations. Polish companies – whether developing AI tools or deploying third-party systems – need to understand which phase governs their current exposure. The first hard deadline already passed: prohibitions on unacceptable-risk AI systems became enforceable on 2 February 2025, six months after entry into force.
Phase two runs to August 2025. It covers obligations for general-purpose AI (GPAI) model providers and the governance framework under which the European AI Office – a body established within the European Commission – coordinates enforcement. Polish companies building or fine-tuning foundation models are in scope now. The Urząd Ochrony Danych Osobowych (Personal Data Protection Office, UODO) and the Office of Competition and Consumer Protection (UOKiK) are both expected to play supervisory roles alongside the sector-specific market surveillance authorities designated by Poland.
Phase three – August 2026 – is the central deadline for most businesses. High-risk AI systems listed in Annex III of the Regulation (covering recruitment tools, credit scoring, biometric categorisation, and critical infrastructure management, among others) must be fully compliant by that date. Providers must complete a conformity assessment, maintain technical documentation, and register in the EU database managed by the European Commission. Deployers must implement human oversight measures and conduct fundamental-rights impact assessments where required.
Phase four (August 2027) applies to high-risk AI systems already embedded in regulated products – medical devices, machinery, and similar goods governed by separate EU harmonisation legislation. Polish manufacturers in these sectors have the longest runway, but the documentation requirements are the most demanding. Starting that process now rather than in 2026 is the only realistic path to on-time compliance.
Which AI systems are prohibited under Polish law?
Prohibited AI systems became unlawful across the EU – including Poland – on 2 February 2025. Any company still operating a prohibited system after that date faces immediate enforcement risk. The fine ceiling for prohibited-system violations is EUR 35 million or 7% of global annual turnover. That exposure is personal and direct: there is no grace period, and continued operation is not a regulatory grey area.
The prohibited categories are defined by function and effect, not by the technology used. Six categories are banned outright. They include:
- Subliminal manipulation techniques that distort behaviour without conscious awareness
- Exploitation of vulnerabilities related to age, disability, or social circumstance
- Social scoring systems operated by public or private actors to rank individuals
- Real-time remote biometric identification in publicly accessible spaces (with narrow law-enforcement exceptions)
- Emotion-recognition systems in workplaces and educational institutions
- Predictive policing tools based solely on profiling
Polish employers using emotion-recognition software in performance reviews should treat that system as presumptively prohibited. The prohibition applies regardless of whether the system was built in Poland or sourced from a foreign vendor. A deployer that continues using a prohibited system supplied by a third party carries the enforcement risk alongside the provider.
We advised a manufacturing client in Mazowieckie to decommission a workplace-monitoring tool that fell within the emotion-recognition prohibition before the February 2025 deadline (winter 2025). The decision avoided what would otherwise have been direct exposure to market surveillance proceedings and potential fines exceeding EUR 1 million.
One common misconception: some companies believe that conducting internal GDPR compliance reviews in Poland is sufficient to address AI Act obligations. It is not. GDPR governs data processing. The AI Act governs system design, risk classification, and market placement. Both regimes apply simultaneously, but they require separate compliance tracks.
How should Polish companies classify and assess high-risk AI systems?
Classification is the first substantive task under the AI Act. It determines every subsequent obligation. A system that is not high-risk carries only transparency duties. A system that is high-risk requires a full conformity assessment, technical documentation, a quality management system, and registration before August 2026. Getting classification wrong in either direction is costly – under-classification creates enforcement exposure, over-classification wastes resources.
Annex III of the Regulation lists eight high-risk sectors. For Polish businesses, the most practically significant are: recruitment and employment management (including CV screening and performance monitoring), access to essential private and public services (credit scoring, insurance risk assessment), and education (tools that determine access to institutions or evaluate students). AI systems used in critical infrastructure also fall within the high-risk category, which is relevant to Polish energy and transport operators.
The conformity assessment process has three stages. First, the provider must identify the applicable requirements – accuracy, robustness, cybersecurity, data governance, transparency. Second, it must produce technical documentation demonstrating that the system meets those requirements. Third, for most Annex III systems, a self-assessment against harmonised standards is permitted (no third-party notified body is required unless the system falls under a regulated product framework). The completed assessment must be retained for ten years after the system is placed on the market.
Deployers – companies that use a third-party AI system in their own business context – carry their own obligations. They must implement human oversight arrangements, inform employees when AI systems make decisions affecting them, and conduct a fundamental-rights impact assessment where the system processes personal data at scale. An IT company in Małopolska that deploys a vendor-supplied recruitment tool is a deployer under the Regulation, not merely a customer. That distinction carries real legal weight.
For a tailored assessment of your AI system's risk classification, reach out to info@kordeckipartners.com.
What are the cross-border pitfalls for Polish companies operating in EU supply chains?
The AI Act applies to any provider that places an AI system on the EU market – regardless of where the provider is established. A Polish company that develops an AI tool and sells it to a German customer is a provider under the Regulation. A Polish company that imports and distributes an AI tool developed in the United States is treated as a provider for compliance purposes. Both scenarios require full conformity assessment before August 2026.
Supply chain liability is one of the most underappreciated risks. Where a Polish company acts as a downstream deployer, it must verify that the upstream provider has supplied adequate technical documentation. If the provider fails to deliver compliant documentation, the deployer cannot simply proceed – it must either demand compliance or cease deployment. Contractual protections matter here: AI Act compliance warranties should be standard in any AI procurement agreement from 2024 onwards.
Cross-border data flows add a further layer. AI systems that process personal data in training or inference may involve transfers to non-EU jurisdictions. Polish companies using US-based cloud infrastructure for AI workloads must ensure that those transfers comply with the GDPR's international transfer rules as applied in Poland – whether through Standard Contractual Clauses, Binding Corporate Rules, or an adequacy decision. The intersection of AI Act and GDPR obligations is particularly acute for systems that process sensitive categories of data. For a detailed analysis of the data transfer framework, see our guide on data transfer from Poland to Ukraine and our parallel analysis of data transfer from Poland to the UAE.
DORA compliance presents a related pressure point for financial-sector clients. The Digital Operational Resilience Act applies from January 2025 and imposes ICT risk management obligations that overlap significantly with AI Act requirements for AI systems used in financial services. Polish banks, insurance companies, and investment firms deploying AI tools in risk modelling or customer-facing decisions face concurrent obligations under both frameworks. Mapping those overlaps early prevents duplication of effort and identifies gaps that neither framework alone would reveal.
We obtained a favourable contractual restructuring for a fintech client in Pomerania (spring 2026), securing revised AI system documentation from a US-based vendor within a 30-day negotiation window. The outcome allowed the client to proceed with a product launch without delaying market entry.
Where enforcement disputes arise, the disputes practice at KORDECKI & Partners handles proceedings before Polish market surveillance authorities and coordinates cross-border regulatory responses.
What practical steps should Polish companies take before August 2026?
August 2026 is 26 months from the AI Act's entry into force. For a company with a mid-size AI portfolio, that is a tight window. The conformity assessment alone – including technical documentation, internal audits, and staff training – typically requires six to twelve months for a single high-risk system. Companies with multiple AI tools in scope need to start now, sequence their workload, and allocate dedicated compliance resources.
The trademark and IP dimension deserves attention. AI-generated outputs – text, images, code – raise authorship questions under Polish intellectual property law. The Prawo własności przemysłowej (Industrial Property Law) and the Ustawa o prawie autorskim i prawach pokrewnych (Copyright and Related Rights Act) do not currently recognise AI as an author. Companies commercialising AI-generated content should secure IP assignments and usage rights contractually, and should consider whether trademark protection is available for AI-assisted brand assets. An IP lawyer, whether Warsaw-based or otherwise, must be part of the compliance team alongside technical and data-protection counsel.
The self-assessment checklist below captures the minimum steps before August 2026:
- Complete an AI system inventory – identify every AI tool in use or under development, classify each by risk level, and document the classification rationale
- Decommission or remediate any system that falls within a prohibited category (deadline already passed: 2 February 2025)
- Initiate conformity assessments for all high-risk systems – assign responsibility, engage technical experts, and set internal milestones at least 12 months before the August 2026 deadline
- Review and update AI procurement contracts to include documentation warranties, audit rights, and compliance representations from providers
- Map GDPR, DORA, and AI Act obligations across each AI system to identify overlaps and gaps – assign a single compliance owner per system
The implementation process also requires board-level attention. Under Polish corporate legislation, directors are responsible for ensuring that the company does not place non-compliant products on the market. Personal liability for directors arises where non-compliance results from a failure of internal governance rather than an external supplier's breach. That distinction matters when regulators investigate after a market withdrawal order.
For a tailored implementation strategy covering your AI portfolio, contact info@kordeckipartners.com.
Frequently asked questions
Q: Does the AI Act apply to Polish companies that only use AI systems built by third-party vendors?
A: Yes. A company that deploys a third-party AI system in its own operations is a deployer under the Regulation and carries independent obligations. These include implementing human oversight, informing affected employees, and – where the system processes personal data at scale – conducting a fundamental-rights impact assessment. The provider's compliance does not discharge the deployer's separate duties. Deployers should request full technical documentation from providers and verify it before deployment.
Q: How long does a conformity assessment take, and what does it cost?
A: For a single high-risk AI system, a realistic timeline is six to twelve months from the start of the assessment process to completed documentation. Costs depend on system complexity, the size of the technical documentation required, and whether external consultants are engaged. For most mid-size Polish companies, budget planning should assume a minimum of several months of internal legal and technical resource, plus external advisory fees. Systems falling under regulated-product frameworks (medical devices, machinery) require additional steps and typically take longer.
Q: Is it a misconception that GDPR compliance covers AI Act obligations?
A: It is a widespread misconception. GDPR governs the lawful processing of personal data. The AI Act governs system design, risk classification, market placement, and operator duties. A system can be fully GDPR-compliant and still violate the AI Act – for example, by lacking a conformity assessment, failing to register in the EU database, or missing required transparency disclosures to users. Companies should treat the two frameworks as parallel obligations requiring separate compliance tracks, even where the same system is subject to both.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to AI Act implementation, technology regulation, and IP protection. We work with Polish entrepreneurs, foreign investors, and in-house legal teams navigating EU digital regulation. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.