The EU AI Act in 2026: the Compliance Clock for Businesses Using and Building AI

By Global Law Experts
– posted 54 minutes ago

The EU AI Act compliance clock is now running, and for businesses that build, buy or deploy artificial intelligence in Poland and across the European Union, the shift from broad principles to binding legal obligations is no longer theoretical. Regulation (EU) 2024/1689, the EU Artificial Intelligence Act, entered into force on 1 August 2024, launching a phased implementation schedule that reaches its most consequential milestone on 2 August 2026, when requirements for high-risk AI systems are set to become fully applicable. Although institutional discussions as recently as May 2026 have explored extending certain Annex III deadlines, no formal amendment has been adopted, meaning companies cannot rely on a postponement that has not yet materialised in law.

This guide provides a practical, checklist-driven playbook for general counsel, compliance officers, product teams and boards, particularly those operating in or serving the Polish market, who need to understand exactly what the EU AI Act 2026 compliance clock demands, who bears each obligation, and how to build an audit-ready programme before time runs out.

Key decision for businesses: Classify your AI systems now. Document your compliance evidence now. Waiting for a possible timeline extension is a strategy that carries significant legal and commercial risk.

How the EU AI Act Classifies AI Systems by Risk

The Regulation establishes a four-tier, risk-based framework that determines the level of regulatory obligation applicable to any given AI system. Understanding where a system falls within this hierarchy is the first step in every compliance programme.

  • Unacceptable risk (prohibited practices). Certain AI applications are banned outright. These include social scoring by public authorities, real-time remote biometric identification in publicly accessible spaces (subject to narrow law-enforcement exceptions), manipulation techniques that exploit vulnerabilities, and emotion recognition in workplaces or educational institutions beyond safety-critical use cases.
  • High-risk AI systems. Systems listed in Annex II (those embedded in products already covered by EU harmonisation legislation such as medical devices, machinery and aviation) and Annex III (standalone high-risk use cases) carry the heaviest obligations. High-risk AI systems are the central focus of the August 2026 deadline.
  • Limited risk. AI systems that interact directly with people (chatbots, deepfake generators, emotion-recognition tools outside banned contexts) must meet transparency obligations, principally disclosure that the user is interacting with AI or that content is artificially generated.
  • Minimal risk. All other AI systems. No specific obligations beyond voluntary codes of conduct.

| Risk tier | Examples (Annex II / III) | Core obligation |
|---|---|---|
| Unacceptable | Social scoring, covert manipulation, certain real-time biometric ID | Prohibited; must not be placed on market or used |
| High-risk | Employment screening, creditworthiness assessment, essential-service access, biometric categorisation, critical infrastructure management | Full compliance regime: risk management, documentation, conformity assessment, post-market monitoring |
| Limited | Chatbots, deepfake generators, emotion-recognition (permitted contexts) | Transparency and disclosure obligations |
| Minimal | Spam filters, AI-enhanced video games | No specific obligations (voluntary codes of conduct encouraged) |

Quick Checklist: Classifying an In-House System

To determine whether an AI system you build or deploy is high-risk, run it through these threshold questions:

  • Does the system fall within a product category covered by existing EU harmonisation legislation listed in Annex II (e.g., medical devices, machinery, lifts, toys, radio equipment)?
  • Does the system perform a function described in any of the eight use-case areas in Annex III, including biometric identification, critical infrastructure, education and vocational training, employment and worker management, access to essential services, law enforcement, migration and border control, or administration of justice?
  • Does the system’s output materially influence decisions affecting the health, safety or fundamental rights of natural persons?

If the answer to any of these is yes, the system is almost certainly high-risk, and the full AI risk management requirements will apply by the August 2026 deadline.

Provider vs Deployer: Who Does What Under the EU AI Act 2026 Compliance Clock

The Regulation assigns distinct obligations to different actors in the AI value chain. Understanding these roles is essential because contractual responsibility, regulatory liability and enforcement exposure all depend on accurate classification of the entity’s function, not merely its job title.

  • Provider. The entity that develops an AI system (or a general-purpose AI model) and places it on the market or puts it into service under its own name or trademark. Providers bear the heaviest regulatory burden.
  • Deployer. Any natural or legal person that uses an AI system under its authority, except where the system is used in the course of a personal, non-professional activity. In practice, most businesses purchasing or licensing AI tools are deployers.
  • Importer. An entity that places on the EU market an AI system bearing the name or trademark of a provider established outside the Union.
  • Distributor. Any entity in the supply chain (other than the provider or importer) that makes an AI system available on the EU market.

| Obligation | Provider | Deployer |
|---|---|---|
| Risk management system | Primary responsibility to design, implement and continuously update | Must implement appropriate technical and organisational measures; provide deployment-context data |
| AI technical documentation | Produce comprehensive system documentation (model lineage, training data, performance metrics) | Maintain up-to-date deployment records, usage logs and input/output data where required |
| Conformity assessment | Organise and complete assessment (internal procedure or via notified body, depending on system type) | Cooperate with assessment; provide operational evidence and context |
| Post-market monitoring | Establish and maintain a post-market monitoring system; report serious incidents | Monitor system operation; report anomalies and incidents to provider and authorities |
| AI human oversight | Design system to enable effective human oversight | Ensure human oversight measures are operationally implemented by trained personnel |
| Transparency & record keeping | Provide instructions for use, labelling and CE marking | Ensure transparency towards affected individuals; retain automatically generated logs |

Contract Implications, Vendor Due Diligence and Indemnities

The division of obligations between providers and deployers has direct consequences for AI vendor contracts. Deployers who procure AI systems from third-party providers should ensure their agreements include:

  • Warranties that the provider has completed a conformity assessment and can produce the CE declaration of conformity.
  • Obligations for the provider to deliver complete AI technical documentation and instructions for use before deployment.
  • Cooperation clauses requiring the provider to assist with audits, regulator inquiries and incident investigations.
  • Data-provenance warranties confirming that training data was lawfully obtained and documented.
  • Indemnification provisions allocating liability for non-compliance attributable to the provider’s design or documentation failures.

Industry observers expect that as the AI Act August 2026 deadline approaches, contract renegotiations and supplementary addenda addressing these points will become standard practice across AI procurement in Poland and the wider EU.

What the AI Act August 2026 Deadline Actually Requires: Timeline and Legal Status

The AI Act employs a phased implementation schedule. Different categories of obligation become applicable at different intervals after the Regulation’s entry into force on 1 August 2024.

| Date | Event | Practical effect for businesses |
|---|---|---|
| 1 August 2024 | AI Act enters into force | Start of transitional and preparatory period; no direct enforcement obligations yet |
| 2 February 2025 | Prohibitions on unacceptable-risk AI practices apply | Banned systems must already have been withdrawn or decommissioned |
| 2 August 2025 | Obligations for general-purpose AI models apply; governance provisions take effect | GPAI model providers must comply with transparency, documentation and systemic-risk rules |
| 2 August 2026 | High-risk obligations apply for Annex III systems | Providers and deployers must meet full compliance: risk management, technical documentation, conformity assessment, human oversight, post-market monitoring |
| 2 August 2027 | Obligations for Annex II high-risk systems (embedded in products under EU harmonisation legislation) | Product-safety-integrated AI systems must comply |

Discussions at EU institutional level, including signals from a 7 May 2026 negotiation round, have raised the possibility of extending certain Annex III applicability dates, with some proposals suggesting a shift to 2 December 2027 for selected high-risk categories. However, no formal legislative amendment has been adopted. The likely practical effect is that businesses must continue to prepare against the 2 August 2026 baseline. Delaying compliance on the assumption that an extension will materialise creates unquantifiable regulatory and reputational risk.

Immediate Short-Term Actions: 30 / 60 / 90 Day Plan

  • Days 1–30. Complete an enterprise-wide AI system inventory. Identify every system that is built, procured or deployed. Flag potential high-risk systems.
  • Days 31–60. Perform risk classification against Annex II and Annex III. Assign an internal owner (AI Risk Owner or Compliance Lead) for each high-risk system. Begin gap analysis against the Regulation’s requirements.
  • Days 61–90. Initiate documentation workstreams: technical documentation, risk management system design, human oversight protocols. Open vendor dialogue for contract amendments where the organisation is a deployer.

How General-Purpose AI Obligations and Transparency Rules Apply

General-purpose AI (GPAI) models, including large language models and foundation models, are subject to a distinct set of obligations that became applicable on 2 August 2025. These requirements affect both the entity that builds the model and the businesses that integrate it into downstream applications.

  • Model documentation. GPAI providers must produce and maintain detailed technical documentation describing the model’s capabilities, limitations, training methodology and evaluation results.
  • Transparency towards downstream providers. When a GPAI model is integrated into a high-risk AI system, the model provider must supply sufficient information and documentation to enable the downstream provider to meet its own compliance obligations.
  • Systemic-risk models. GPAI models classified as presenting systemic risk face additional obligations, including adversarial testing, incident reporting to the European AI Office, and cybersecurity protections.
  • Copyright compliance. GPAI providers must implement a policy to comply with EU copyright law, including the text and data mining opt-out provisions of the DSM Directive.

Practical Rules for Chatbots, Content Generation and Image Synthesis

Businesses deploying AI systems that interact with natural persons must ensure that users are informed they are interacting with an AI system, unless this is obvious from the circumstances. Content generated or manipulated by AI (including deepfakes, synthetic images and AI-written text) must be labelled as artificially generated or manipulated, using machine-readable formats where technically feasible. These general-purpose AI obligations apply regardless of whether the underlying system is classified as high-risk.

Extraterritorial Reach of the AI Act and Interaction with GDPR and Sector Rules

The AI Act’s territorial scope extends well beyond entities established within the EU. The Regulation applies to providers that place AI systems on the EU market or put them into service in the Union, regardless of where those providers are established. It also applies to deployers of AI systems who are located within the Union, and, critically, to providers and deployers established in third countries where the output produced by the AI system is used in the Union.

This extraterritorial reach of the AI Act means, for example, that a US-based software company whose AI-powered credit-scoring tool is used by a Polish bank must comply with the high-risk obligations as a provider, even though it has no EU establishment. The practical consequence for cross-border businesses is that AI Act compliance must be built into global product and service strategies, not treated as a regional add-on. Businesses operating internationally may benefit from comparing emerging AI regulatory frameworks in other jurisdictions, such as those examined in our coverage of Japan’s AI and data protection law and AI regulation in Indonesia.

The AI Act does not replace existing EU data protection obligations under the GDPR. Where an AI system processes personal data, the GDPR’s requirements for lawful basis, data minimisation, data protection impact assessments (DPIAs) and data subject rights continue to apply in parallel. The European Data Protection Board has confirmed that DPIAs are required for AI processing that is likely to result in a high risk to the rights and freedoms of natural persons. Additionally, sector-specific rules, including the Medical Devices Regulation, CRD/CRR for financial services, and product-safety directives, may impose supplementary requirements on AI systems used within their scope.

Polish Specifics: Which Regulators to Watch

For businesses operating in Poland, the following authorities are likely to play a role in AI Act enforcement and oversight:

  • UODO (Urząd Ochrony Danych Osobowych). Poland’s data protection authority will remain the primary regulator for GDPR-related AI obligations, including DPIAs and data subject rights in AI-driven processing.
  • KNF (Komisja Nadzoru Finansowego). The Polish Financial Supervision Authority supervises AI use in banking, insurance and capital markets, where sector-specific rules interact with AI Act obligations.
  • Designated national AI supervisory authority. Poland is required to designate one or more national competent authorities and a national AI supervisory authority. Businesses should monitor legislative developments for the formal designation and scope of this body.

The interaction between the AI Act, GDPR, and Poland’s existing regulatory architecture, including NIS2 cybersecurity obligations, means compliance teams must coordinate across multiple regulatory streams simultaneously.

Practical EU AI Act 2026 Compliance Clock Action List

This section provides the operational heart of any compliance programme. The steps below are designed to be assignable, with clear owners and evidence outputs.

Step 1: AI System Inventory

Every compliance programme begins with visibility. Organisations must catalogue every AI system they build, procure, license or deploy. The inventory should capture:

  • System name and version
  • Provider (internal team or external vendor)
  • Purpose and function (what decisions the system influences)
  • Data inputs (personal data, public data, proprietary data)
  • Deployment context (geography, business unit, end users)
  • Current risk classification (preliminary assessment)

Step 2: Risk Classification

For each inventoried system, apply the classification framework from Section 2 of this guide. Map each system against Annex II and Annex III categories. Document the reasoning for each classification decision, including borderline cases. This documentation becomes evidence in the event of a regulatory inquiry.

Step 3: AI Governance Structure

Stand up a formal governance framework with defined roles:

  • AI Risk Owner. Senior executive accountable for AI risk management at enterprise level.
  • Data Protection Officer (DPO). Coordinates GDPR and AI Act intersections, particularly DPIAs for high-risk systems processing personal data.
  • CTO / Head of Engineering. Responsible for technical documentation, system design for human oversight, and conformity assessment preparation.
  • Compliance Lead. Manages regulatory reporting, incident response procedures and post-market monitoring.

Establish clear escalation pathways, a written AI policy, and board-level reporting on AI risk at least quarterly.

Step 4: Human Oversight Processes

High-risk AI systems must be designed to allow effective human oversight. In practice, this means deployers must:

  • Assign qualified personnel who understand the system’s capabilities and limitations.
  • Implement operational controls that allow human operators to intervene, override or halt the system.
  • Provide training to operators on recognising automation bias and anomalous system behaviour.
  • Document fallback procedures for when human override is triggered.

Step 5: Technical Documentation and Record Keeping

AI technical documentation for high-risk systems must include:

  • General description of the system (intended purpose, design specifications)
  • Model lineage and development methodology
  • Training, validation and testing data: summary of data sources, selection criteria, known gaps and biases
  • Performance metrics and accuracy/error rates across relevant demographic groups
  • Bias testing results and mitigation measures applied
  • Cybersecurity measures and robustness testing
  • Instructions for use, including known limitations and foreseeable misuse scenarios

Deployers must retain automatically generated logs for a period appropriate to the system’s intended purpose, and no less than six months unless a longer period is required by Union or national law.

Step 6: Conformity Assessment

Providers of high-risk AI systems must complete a conformity assessment before placing the system on the market or putting it into service. For most Annex III systems, the conformity assessment is an internal procedure based on Annex VI of the Regulation. For specific categories, notably remote biometric identification systems, a third-party assessment by a notified body is required. Engage early with notified bodies where applicable, as capacity constraints are anticipated as the August 2026 deadline approaches.

Step 7: Vendor Diligence and Contract Terms

Deployers procuring AI systems must conduct due diligence on their providers. At minimum, AI vendor contracts should address:

  • Provider’s warranty of completed conformity assessment and CE marking
  • Obligation to deliver and maintain AI technical documentation
  • Data provenance warranties (lawfulness and documentation of training data)
  • Cooperation obligations for regulatory audits and incident investigations
  • Indemnification for losses caused by provider non-compliance
  • Notification duties if the provider discovers non-conformity, vulnerabilities or performance degradation

Step 8: Post-Market Monitoring and Incident Response

Providers must establish a post-market monitoring system proportionate to the nature and risks of the AI system. Serious incidents, including those resulting in death, serious harm, or serious and irreversible disruption, must be reported to the relevant market surveillance authority. Deployers should establish internal incident response plans that include procedures for reporting anomalies to providers and, where necessary, directly to national authorities.

30 / 90 / 180 Day Implementation Milestones

| Milestone | Owner | Evidence / deliverable |
|---|---|---|
| Day 30: AI inventory complete | CTO / Compliance Lead | Inventory register with system details, preliminary risk flags |
| Day 60: Risk classification finalised | AI Risk Owner / Legal | Classification report per system; documented reasoning for each determination |
| Day 90: Governance framework operational | Board / AI Risk Owner | Published AI policy; role assignments; escalation matrix; board reporting schedule |
| Day 120: Documentation drafts complete | CTO / Engineering | Draft technical documentation packages for each high-risk system |
| Day 150: Vendor contract review complete | Legal / Procurement | Amended contracts or addenda incorporating AI Act obligations |
| Day 180: Conformity assessment initiated | CTO / Quality | Internal assessment report (Annex VI) or notified body engagement confirmation |

Sector and Poland-Specific Considerations

Certain sectors face amplified obligations because their AI use cases fall squarely within Annex III high-risk categories. Businesses operating in Poland should be particularly alert to the following:

  • Employment and worker management. AI systems used for recruitment screening, CV filtering, interview evaluation, promotion decisions or task allocation are high-risk. Polish employers must ensure human oversight of automated hiring decisions and comply with both AI Act and Polish labour law requirements on automated decision-making.
  • Credit and financial services. AI-driven creditworthiness assessments and insurance pricing fall within Annex III. The KNF may issue supplementary guidance; firms should monitor the authority’s communications and integrate AI Act obligations into existing regulatory compliance frameworks.
  • Public procurement and administration. Public bodies in Poland that deploy AI for benefit eligibility assessment, resource allocation or document processing must comply with high-risk obligations and ensure transparency towards affected citizens.
  • Biometric identification. Remote biometric identification systems require third-party conformity assessment by a notified body. Polish entities deploying such systems must also coordinate with UODO regarding the personal-data processing implications.

Conclusion: The EU AI Act 2026 Compliance Clock Will Not Wait

The EU AI Act 2026 compliance clock represents the most significant regulatory development for businesses using AI in Poland and across the European Union. With the 2 August 2026 high-risk applicability date as the operative baseline, every business that builds, deploys, imports or distributes AI systems should be deep into implementation, not planning. The steps are clear: inventory, classify, govern, document, assess and monitor. Early indications suggest that regulatory enforcement capacity is being built in parallel with industry readiness, meaning the window for remediation after the deadline passes will be narrow. Businesses that act now will be positioned not only to comply but to compete with confidence in an AI-regulated market.

Need Legal Advice?

This article was produced by Global Law Experts. For specialist advice on this topic, contact Jakub Koziol at The Heart Legal, a member of the Global Law Experts network.

FAQs

What is the EU AI Act compliance deadline for high-risk systems?
The current legal deadline for full compliance with high-risk AI system obligations under Annex III of the EU AI Act is 2 August 2026. Institutional discussions have explored extending some deadlines, but no formal amendment has been adopted. Businesses should prepare against the existing date.

A provider is the entity that develops an AI system and places it on the market or puts it into service under its own name or trademark. A deployer is any natural or legal person that uses an AI system under its authority in a professional capacity. The distinction determines which obligations each party bears: providers carry the heavier regulatory burden, while deployers must implement operational controls and cooperate with assessments.

Yes. The AI Act applies to providers and deployers established outside the EU where the output produced by their AI system is used within the Union. A non-EU company whose AI tool is deployed by a Polish business, for example, must comply with the relevant provider obligations.

Key documents include: a comprehensive AI system inventory, a risk classification report for each system, technical documentation (covering model lineage, training data, performance metrics and bias testing), a risk management system description, human oversight protocols, a post-market monitoring plan, and updated vendor contracts incorporating AI Act obligations.

The AI Act operates alongside the GDPR; it does not replace data protection obligations. Where a high-risk AI system processes personal data, businesses must continue to comply with GDPR requirements including lawful basis, data minimisation, data subject rights and data protection impact assessments (DPIAs). The EDPB has confirmed that DPIAs are required for AI processing likely to result in high risk to individuals’ rights.

Poland’s data protection authority (UODO) oversees GDPR-related AI obligations. The KNF supervises AI use in financial services. Poland is also required to designate a national AI supervisory authority; businesses should monitor legislative developments for formal designation and powers.