The EU AI Act compliance clock is now running, and for businesses that build, buy or deploy artificial intelligence in Poland and across the European Union, the shift from broad principles to binding legal obligations is no longer theoretical. Regulation (EU) 2024/1689, the EU Artificial Intelligence Act, entered into force on 1 August 2024, launching a phased implementation schedule that reaches its most consequential milestone on 2 August 2026, when requirements for high-risk AI systems are set to become fully applicable. Although institutional discussions as recently as May 2026 have explored extending certain Annex III deadlines, no formal amendment has been adopted, meaning companies cannot rely on a postponement that has not yet materialised in law.
This guide provides a practical, checklist-driven playbook for general counsel, compliance officers, product teams and boards, particularly those operating in or serving the Polish market, who need to understand exactly what the EU AI Act 2026 compliance clock demands, who bears each obligation, and how to build an audit-ready programme before time runs out.
The Regulation establishes a four-tier, risk-based framework that determines the level of regulatory obligation applicable to any given AI system. Understanding where a system falls within this hierarchy is the first step in every compliance programme.
| Risk tier | Examples (Annex II / III) | Core obligation |
|---|---|---|
| Unacceptable | Social scoring, covert manipulation, certain real-time biometric ID | Prohibited, must not be placed on market or used |
| High-risk | Employment screening, creditworthiness assessment, essential-service access, biometric categorisation, critical infrastructure management | Full compliance regime: risk management, documentation, conformity assessment, post-market monitoring |
| Limited | Chatbots, deepfake generators, emotion-recognition (permitted contexts) | Transparency and disclosure obligations |
| Minimal | Spam filters, AI-enhanced video games | No specific obligations (voluntary codes of conduct encouraged) |
To determine whether an AI system you build or deploy is high-risk, run it through these threshold questions:
If the answer to any of these is yes, the system is almost certainly high-risk, and the full AI risk management requirements will apply by the August 2026 deadline.
The Regulation assigns distinct obligations to different actors in the AI value chain. Understanding these roles is essential because contractual responsibility, regulatory liability and enforcement exposure all depend on accurate classification of the entity’s function, not merely its job title.
| Obligation | Provider | Deployer |
|---|---|---|
| Risk management system | Primary responsibility to design, implement and continuously update | Must implement appropriate technical and organisational measures; provide deployment-context data |
| AI technical documentation | Produce comprehensive system documentation (model lineage, training data, performance metrics) | Maintain up-to-date deployment records, usage logs and input/output data where required |
| Conformity assessment | Organise and complete assessment (internal procedure or via notified body, depending on system type) | Cooperate with assessment; provide operational evidence and context |
| Post-market monitoring | Establish and maintain a post-market monitoring system; report serious incidents | Monitor system operation; report anomalies and incidents to provider and authorities |
| AI human oversight | Design system to enable effective human oversight | Ensure human oversight measures are operationally implemented by trained personnel |
| Transparency & record keeping | Provide instructions for use, labelling and CE marking | Ensure transparency towards affected individuals; retain automatically generated logs |
The division of obligations between providers and deployers has direct consequences for AI vendor contracts. Deployers who procure AI systems from third-party providers should ensure their agreements include:
Industry observers expect that as the AI Act August 2026 deadline approaches, contract renegotiations and supplementary addenda addressing these points will become standard practice across AI procurement in Poland and the wider EU.
The AI Act employs a phased implementation schedule. Different categories of obligation become applicable at different intervals after the Regulation’s entry into force on 1 August 2024.
| Date | Event | Practical effect for businesses |
|---|---|---|
| 1 August 2024 | AI Act enters into force | Start of transitional and preparatory period; no direct enforcement obligations yet |
| 2 February 2025 | Prohibitions on unacceptable-risk AI practices apply | Banned systems must already have been withdrawn or decommissioned |
| 2 August 2025 | Obligations for general-purpose AI models apply; governance provisions take effect | GPAI model providers must comply with transparency, documentation and systemic-risk rules |
| 2 August 2026 | High-risk obligations apply for Annex III systems | Providers and deployers must meet full compliance: risk management, technical documentation, conformity assessment, human oversight, post-market monitoring |
| 2 August 2027 | Obligations for Annex II high-risk systems (embedded in products under EU harmonisation legislation) | Product-safety-integrated AI systems must comply |
Discussions at EU institutional level, including signals from a 7 May 2026 negotiation round, have raised the possibility of extending certain Annex III applicability dates, with some proposals suggesting a shift to 2 December 2027 for selected high-risk categories. However, no formal legislative amendment has been adopted. The likely practical effect is that businesses must continue to prepare against the 2 August 2026 baseline. Delaying compliance on the assumption that an extension will materialise creates unquantifiable regulatory and reputational risk.
General-purpose AI (GPAI) models, including large language models and foundation models, are subject to a distinct set of obligations that became applicable on 2 August 2025. These requirements affect both the entity that builds the model and the businesses that integrate it into downstream applications.
Businesses deploying AI systems that interact with natural persons must ensure that users are informed they are interacting with an AI system, unless this is obvious from the circumstances. Content generated or manipulated by AI (including deepfakes, synthetic images and AI-written text) must be labelled as artificially generated or manipulated, using machine-readable formats where technically feasible. These general-purpose AI obligations apply regardless of whether the underlying system is classified as high-risk.
The AI Act’s territorial scope extends well beyond entities established within the EU. The Regulation applies to providers that place AI systems on the EU market or put them into service in the Union, regardless of where those providers are established. It also applies to deployers of AI systems who are located within the Union, and, critically, to providers and deployers established in third countries where the output produced by the AI system is used in the Union.
This extraterritorial reach of the AI Act means, for example, that a US-based software company whose AI-powered credit-scoring tool is used by a Polish bank must comply with the high-risk obligations as a provider, even though it has no EU establishment. The practical consequence for cross-border businesses is that AI Act compliance must be built into global product and service strategies, not treated as a regional add-on. Businesses operating internationally may benefit from comparing emerging AI regulatory frameworks in other jurisdictions, such as those examined in our coverage of Japan’s AI and data protection law and AI regulation in Indonesia.
The AI Act does not replace existing EU data protection obligations under the GDPR. Where an AI system processes personal data, the GDPR’s requirements for lawful basis, data minimisation, data protection impact assessments (DPIAs) and data subject rights continue to apply in parallel. The European Data Protection Board has confirmed that DPIAs are required for AI processing that is likely to result in a high risk to the rights and freedoms of natural persons. Additionally, sector-specific rules, including the Medical Devices Regulation, CRD/CRR for financial services, and product-safety directives, may impose supplementary requirements on AI systems used within their scope.
For businesses operating in Poland, the following authorities are likely to play a role in AI Act enforcement and oversight:
The interaction between the AI Act, GDPR, and Poland’s existing regulatory architecture, including NIS2 cybersecurity obligations, means compliance teams must coordinate across multiple regulatory streams simultaneously.
This section provides the operational heart of any compliance programme. The steps below are designed to be assignable, with clear owners and evidence outputs.
Every compliance programme begins with visibility. Organisations must catalogue every AI system they build, procure, license or deploy. The inventory should capture:
For each inventoried system, apply the classification framework from Section 2 of this guide. Map each system against Annex II and Annex III categories. Document the reasoning for each classification decision, including borderline cases. This documentation becomes evidence in the event of a regulatory inquiry.
Stand up a formal governance framework with defined roles:
Establish clear escalation pathways, a written AI policy, and board-level reporting on AI risk at least quarterly.
High-risk AI systems must be designed to allow effective human oversight. In practice, this means deployers must:
AI technical documentation for high-risk systems must include:
Deployers must retain automatically generated logs for a period appropriate to the system’s intended purpose, and no less than six months unless a longer period is required by Union or national law.
Providers of high-risk AI systems must complete a conformity assessment before placing the system on the market or putting it into service. For most Annex III systems, the conformity assessment is an internal procedure based on Annex VI of the Regulation. For specific categories, notably remote biometric identification systems, a third-party assessment by a notified body is required. Engage early with notified bodies where applicable, as capacity constraints are anticipated as the August 2026 deadline approaches.
Deployers procuring AI systems must conduct due diligence on their providers. At minimum, AI vendor contracts should address:
Providers must establish a post-market monitoring system proportionate to the nature and risks of the AI system. Serious incidents, including those resulting in death, serious harm, or serious and irreversible disruption, must be reported to the relevant market surveillance authority. Deployers should establish internal incident response plans that include procedures for reporting anomalies to providers and, where necessary, directly to national authorities.
| Milestone | Owner | Evidence / deliverable |
|---|---|---|
| Day 30, AI inventory complete | CTO / Compliance Lead | Inventory register with system details, preliminary risk flags |
| Day 60, Risk classification finalised | AI Risk Owner / Legal | Classification report per system; documented reasoning for each determination |
| Day 90, Governance framework operational | Board / AI Risk Owner | Published AI policy; role assignments; escalation matrix; board reporting schedule |
| Day 120, Documentation drafts complete | CTO / Engineering | Draft technical documentation packages for each high-risk system |
| Day 150, Vendor contract review complete | Legal / Procurement | Amended contracts or addenda incorporating AI Act obligations |
| Day 180, Conformity assessment initiated | CTO / Quality | Internal assessment report (Annex VI) or notified body engagement confirmation |
Certain sectors face amplified obligations because their AI use cases fall squarely within Annex III high-risk categories. Businesses operating in Poland should be particularly alert to the following:
The EU AI Act 2026 compliance clock represents the most significant regulatory development for businesses using AI in Poland and across the European Union. With the 2 August 2026 high-risk applicability date as the operative baseline, every business that builds, deploys, imports or distributes AI systems should be deep into implementation, not planning. The steps are clear: inventory, classify, govern, document, assess and monitor. Early indications suggest that regulatory enforcement capacity is being built in parallel with industry readiness, meaning the window for remediation after the deadline passes will be narrow. Businesses that act now will be positioned not only to comply but to compete with confidence in an AI-regulated market.
This article was produced by Global Law Experts. For specialist advice on this topic, contact Jakub Koziol at The Heart Legal, a member of the Global Law Experts network.