A Warsaw-based bank deploys a credit-scoring algorithm. Within months, the Polish Financial Supervision Authority (Komisja Nadzoru Finansowego, KNF) opens an inquiry. The model is a high-risk AI system under the EU AI Act – and the institution has no documented governance framework in place. The gap between deployment and compliance is measured in months, not years. Penalties under the AI Act can reach EUR 30 million or 6% of global annual turnover, whichever is higher.
Polish financial institutions deploying AI systems must comply with the EU AI Act, the Digital Operational Resilience Act (DORA), and Polish data-protection law implementing the General Data Protection Regulation (GDPR Poland). High-risk AI systems – including credit-scoring, fraud-detection, and insurance-underwriting models – require documented risk-management processes, human-oversight mechanisms, and registration in the EU database before deployment. The KNF serves as the primary national market-surveillance authority for AI in financial services, alongside the Personal Data Protection Office (Urząd Ochrony Danych Osobowych, UODO) and the National Court Register (Krajowy Rejestr Sądowy, KRS) for corporate governance filings.
This page sets out the regulatory instruments that apply, the practical pitfalls that arise most often, the cross-border considerations for institutions with EU or non-EU parents, and a self-assessment checklist your team can use today. Each section follows the structure: what the rule requires, what happens when it is missed, and what a compliant institution looks like in practice.
What does the AI Act require from Polish financial institutions?
The AI Act imposes obligations that vary by risk tier. For most financial institutions, the relevant tier is "high risk." Credit-scoring models, biometric verification at onboarding, fraud-detection engines, and insurance-risk-assessment tools all fall within this category. The obligation attaches to the deploying institution – not only to the model developer. That distinction matters enormously when a Polish bank licenses a model from a third-party vendor.
Three obligations dominate in practice. First, the institution must maintain a risk-management system that is documented, tested, and updated throughout the model's lifecycle. Second, it must implement human-oversight measures that allow a trained employee to intervene, override, or suspend the system. Third, it must register the system in the EU AI database before putting it into service. The registration deadline for pre-existing high-risk systems deployed before August 2026 is 12 months from the Act's full applicability date.
The KNF and UODO share surveillance competence over AI in financial services in Poland. The KNF focuses on operational and prudential aspects; the UODO addresses personal-data processing within AI pipelines. An institution that satisfies one regulator may still face scrutiny from the other. Building a governance framework that addresses both simultaneously is not optional – it is the baseline.
We secured a successful pre-deployment compliance review for a fintech lender in the Mazowieckie region (spring 2025), identifying three high-risk AI components in its underwriting pipeline that the client had not classified as such. Early classification avoided a potential fine exceeding EUR 5 million.
- Identify all AI systems in use and classify each by risk tier
- Map data flows to determine GDPR Poland obligations within each model
- Assign a named human-oversight responsible person per high-risk system
- Register high-risk systems in the EU AI database before the applicable deadline
- Document the risk-management system and retain records for at least 10 years
How does DORA compliance intersect with AI governance in Poland?
DORA compliance is not a separate workstream for financial institutions – it is the operational backbone of any AI governance framework. The Digital Operational Resilience Act applies directly to banks, payment institutions, investment firms, insurance companies, and crypto-asset service providers registered in Poland. From January 2025, these entities must meet binding requirements on ICT risk management, incident reporting, and third-party ICT oversight. AI systems are ICT assets. That means every high-risk model sits inside the DORA perimeter.
The most significant intersection concerns third-party AI providers. DORA requires written contractual arrangements with all critical ICT third-party providers. If a Polish institution uses a cloud-hosted AI scoring model, the provider agreement must include provisions on audit rights, data location, business-continuity obligations, and exit strategies. Contracts that predate January 2025 must be reviewed and, where necessary, renegotiated. The KNF has indicated it will scrutinise these contracts during routine supervisory reviews.
Incident-reporting timelines under DORA are tight. An institution must notify the KNF of a major ICT-related incident within 4 hours of classification. If that incident involves an AI system producing erroneous outputs that affect clients – say, a fraud-detection model generating mass false positives – the 4-hour clock starts from the moment the institution becomes aware. Governance frameworks that do not include AI-specific incident-classification criteria will fail this test.
For institutions with a German or other EU parent, DORA obligations apply at group level. The parent's ICT risk-management framework must be consistent with the Polish subsidiary's local obligations. Where they diverge, the stricter standard applies. This is a common source of friction in cross-border structures – and a reason to involve both local counsel and group compliance teams early.
What are the GDPR Poland pitfalls in AI-driven financial services?
GDPR Poland obligations attach to virtually every AI system in financial services. Credit-scoring models process personal data. Fraud-detection tools analyse behavioural patterns tied to identifiable individuals. Even anonymised datasets used for model training can re-identify individuals if combined with other data the institution holds. The UODO has taken an expansive view of what counts as personal data in AI contexts – and its enforcement posture has hardened since 2023.
Three pitfalls recur most often. The first is automated decision-making without adequate safeguards. GDPR Poland grants individuals the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. A credit refusal generated purely by an AI model, without any human review, engages this right. The institution must be able to offer a meaningful human review on request – and must disclose that automated processing is occurring.
The second pitfall is inadequate data-transfer documentation. Many AI models are trained or operated on infrastructure outside Poland – sometimes outside the EU. Data transfer from Poland to non-EU jurisdictions requires an adequacy decision or appropriate safeguards such as Standard Contractual Clauses. For institutions transferring data to Ukraine or the UAE for AI processing, the specific legal mechanisms differ. See our analysis of data transfer from Poland to Ukraine and data transfer from Poland to the UAE for the applicable frameworks.
The third pitfall is the absence of a Data Protection Impact Assessment (DPIA). Any AI system that processes personal data at scale or involves systematic monitoring of individuals requires a DPIA before deployment. The UODO can impose fines of up to EUR 20 million or 4% of global annual turnover for failures here. That risk is irreversible – a DPIA cannot be conducted retroactively to cure a deployment that has already affected data subjects.
How should cross-border financial groups structure AI governance for their Polish operations?
Cross-border structures introduce a coordination problem. A financial group headquartered in Germany, Austria, or the Netherlands may operate a centralised AI governance framework at group level. The Polish subsidiary is subject to that group framework – but also to local KNF supervisory expectations, Polish corporate law under the Kodeks spółek handlowych (Commercial Companies Code, KSH), and the specific requirements of Polish financial-sector regulation. These layers do not always align.
The most common friction point is board accountability. Under the KSH, the management board of a Polish subsidiary bears direct responsibility for regulatory compliance. A group-level AI governance policy that assigns accountability to a central compliance function does not discharge that responsibility. Polish directors remain personally liable for failures in the subsidiary's AI governance – even if the failure originated in a group-level decision. That personal liability is not capped and cannot be insured away entirely.
We obtained interim protective measures for a German investor's Polish subsidiary in Lower Silesia (autumn 2024), preventing enforcement action while a disputed AI-model classification was reviewed by the KNF. The case turned on whether the group's central governance documentation satisfied Polish local requirements – it did not, and a supplementary Polish-law annex was required within 30 days.
IP protection is a related concern. AI models developed within a Polish entity may generate intellectual property rights that are not automatically captured by group-level IP assignments. Under Polish intellectual-property law, software copyright vests initially in the author or, for employee-created works, in the employer – but the scope of employer ownership depends on whether the employment contract expressly covers AI-generated outputs. Groups that assume automatic IP transfer without reviewing Polish-law documentation risk losing ownership of valuable models. Ownership disputes over AI assets tend to escalate in the same way as Polish regulatory reclassification disputes, so familiarity with how those disputes develop is useful context here.
What should a practical AI governance framework include?
A practical AI governance framework for a Polish financial institution is not a single document. It is a set of interlocking policies, processes, and controls that satisfy the AI Act, DORA compliance obligations, and GDPR Poland requirements simultaneously. The framework must be proportionate to the institution's size and the risk profile of its AI systems. A payment institution with one fraud-detection model needs a leaner framework than a bank operating twelve high-risk systems across retail, corporate, and treasury functions.
The core elements are consistent regardless of scale. A risk-classification register maps every AI system to its applicable regulatory tier. A human-oversight policy names responsible persons and defines intervention procedures. A vendor-management protocol addresses DORA third-party requirements. A data-governance policy covers GDPR Poland obligations including DPIA processes and data-transfer mechanisms. An incident-response playbook sets out AI-specific classification criteria and the 4-hour KNF notification pathway.
Governance structures matter too. The management board must formally adopt the framework – not merely be informed of it. Under Polish corporate law, board adoption creates a documented record that can be produced to the KNF on inspection. Board minutes should record the adoption, the risk-classification register as an annex, and the identity of the human-oversight responsible persons. This documentation costs almost nothing to produce and can be decisive in a regulatory investigation.
Timeline for implementation: a financial institution starting from scratch should allow 90 days for a gap analysis, framework drafting, and board adoption. Registration of high-risk systems in the EU AI database adds a further 30 days. Institutions that have already deployed high-risk systems without a framework face a compressed remediation window – the KNF's supervisory calendar for 2026 includes dedicated AI-governance reviews.
For institutions with existing IP or trademark portfolios tied to AI-branded products, the governance framework should also address brand-protection obligations. A Warsaw-based IP lawyer can advise on whether AI-model names or outputs require trademark registration under Polish or EU law – an often-overlooked element of a complete governance structure.
Frequently asked questions
Q: Does the AI Act apply to AI systems already deployed before August 2026?
A: Yes, with a transitional period. High-risk AI systems deployed before the Act's full applicability date must be brought into compliance within 12 months of that date. This means institutions cannot treat pre-existing deployments as exempt. The risk-management system, human-oversight measures, and EU AI database registration must all be in place within the transitional window. Institutions that delay remediation risk enforcement action immediately after the window closes.
Q: How long does a DPIA take, and what does it cost?
A: A DPIA for a single AI system typically takes 4 to 8 weeks, depending on the complexity of the data-processing activities involved. External legal and technical input is usually required. Costs vary, but an institution should budget for at least 40 to 80 hours of combined legal and data-protection specialist time. A DPIA cannot be conducted after deployment to cure a pre-existing breach – it must precede deployment. This is a common misconception that leads to significant UODO enforcement exposure.
Q: Can a Polish subsidiary rely on its group's AI governance framework without any local adaptation?
A: Not safely. Group frameworks are typically drafted to the lowest common denominator across multiple jurisdictions. Polish KNF supervisory expectations, KSH board-accountability rules, and UODO enforcement positions all create local requirements that a generic group policy will not address. A Polish-law annex to the group framework – formally adopted by the Polish management board – is the minimum required. In practice, the annex often needs to address board minutes, KNF notification procedures, and Polish-language documentation requirements that the group framework omits entirely.
Specific AI governance gaps carry consequences that cannot be reversed after a KNF investigation opens. Board members of Polish financial institutions face personal liability for governance failures – liability that attaches regardless of where the decision to deploy the AI system was made. Acting before the KNF's 2026 AI-governance review cycle begins is the only way to protect that position.
To receive an expert assessment of your institution's AI governance framework, contact info@kordeckipartners.com.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to AI governance, DORA compliance, and technology regulation. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.