Prospere AI - AI Automation Solutions for Business Growth
← Back to blog

AI Automation

EU AI Act in Poland 2026: What It Means for Your Business

The EU AI Act fully applies from August 2026. Find out which AI tools in your company are covered, what your obligations are, and how to avoid fines up to €35 million.

Bartek
Lighthouse in morning mist symbolising navigation through AI Act regulations

Does your company use AI for recruitment? Do you have a chatbot on your website? Are you using automated lead scoring?

From 2 August 2026, all of this is governed by hard European law with fines reaching 35 million euros.

Don’t panic — most Polish B2B companies are in a better position than they think. But there is one catch that almost every article on this topic misses. We’ll get to it in a moment.

What Is the AI Act and Why Does It Affect Me

Regulation (EU) 2024/1689 is the world’s first comprehensive law regulating artificial intelligence. It entered into force on 1 August 2024.

The key principle: it applies to every company that offers or uses AI in the EU — regardless of where it is based. A US startup selling you AI software? Subject to the AI Act. A Polish company using that software? Also subject to the AI Act.

The AI Act works like building regulations for AI: the higher the risk, the stricter the standards.

Timeline: What Already Applies, What Is Coming

  • 1 August 2024 — AI Act enters into force
  • 2 February 2025 — Ban on unacceptable-risk AI systems — already in effect
  • 2 August 2025 — Rules for general-purpose AI models (GPT-4, Claude, Gemini)
  • 2 August 2026 — Full application for high-risk systems — the key deadline
  • 2 August 2027 — AI embedded in medical devices, industrial machinery

You have until 2 August 2026. That sounds far away, but preparing documentation for high-risk systems takes 6–12 months in practice.

Four Risk Categories — Where Does Your Company Fall

Unacceptable Risk — Absolute Ban (since February 2025)

  • Systems that manipulate users subliminally
  • Emotion recognition in workplaces and schools
  • Social scoring of citizens by public authorities
  • Predictive policing based on personal characteristics
  • Creating facial recognition databases by mass scraping

If your HR team had an idea for AI to “analyse candidate mood during job interviews” — that just became illegal.

High Risk — Full Documentation by August 2026

This is the catch. High-risk systems are not only military and medical. They include very common business applications:

  • Recruitment — any AI system for CV screening, candidate ranking, employee evaluation
  • Credit and insurance scoring — automated creditworthiness assessment
  • Employee performance management — if AI decides on bonuses, promotions, dismissals
  • Critical infrastructure (energy, water, transport)
  • Educational assessment systems

For these applications, full documentation, conformity assessment, registration in the EU AI Database and designated human oversight are required.

Limited Risk — Transparency Obligations

  • Customer service chatbots — must inform users they are talking to AI
  • Generative AI producing text, images or audio — obligation to label content as AI-generated
  • Deepfakes — mandatory labelling as synthetic material

Minimal Risk — No Additional Requirements

  • Spam filters
  • Product recommendation tools in e-commerce
  • Most productivity AI tools (AI writing assistants, Copilot)
  • BI analytics and sales prediction

The Key Distinction: Provider vs. Deployer

Provider — you create or deploy an AI system for others. Full obligations: technical documentation, certification, EU AI Database registration, CE marking, designated AI officer.

Deployer — you buy a ready-made AI tool (SaaS, API) and use it in your business. Lighter obligations: use according to provider instructions, human oversight, incident monitoring and reporting, informing employees.

Most Polish B2B companies are deployers — using ChatGPT, Copilot, no-code AI tools. Good news: the scope of obligations is much smaller than for companies building their own systems.

Bad news: if you use AI for recruitment or employee assessment — you are a deployer of a high-risk system and the obligations are concrete.

What Your Company Must Do — Checklist

If you use AI for recruitment or employee assessment (high risk):

  • Conduct a Fundamental Rights Impact Assessment (FRIA) before deployment
  • Ensure human oversight — no decision can be fully automatic
  • Inform employees and their representatives about AI use
  • Retain system logs for a minimum of 6 months
  • Verify that your tool provider has technical documentation and certification

If you have a chatbot or use generative AI (limited risk):

  • Add a clear notice: “You are talking to an AI assistant”
  • Provide the option to connect with a human
  • Label AI-generated content where published

For all companies:

  • Inventory all AI tools you use and determine their risk category
  • Verify that your SaaS and API providers are updating their products for AI Act compliance
  • Designate someone responsible for AI Act compliance in your company

Fines — What They Really Cost

  • Using prohibited AI systems — €35M or 7% of global annual turnover
  • Breaching high-risk obligations — €15M or 3% of global annual turnover
  • Providing incorrect information to authorities — €7.5M or 1.5% of global annual turnover

For SMEs and startups the lower of the two values applies. A company with 5M PLN annual revenue faces a maximum of around 450,000 PLN for a general breach, not €15M.

But fines are not the only risk. Reputational damage, lawsuits from employees dismissed “by an algorithm”, liability for discriminatory hiring decisions — these can cost more than the fine.

Poland: What Changed on 1 April 2026

The Council of Ministers adopted an implementing act that:

  • Designates KRiBSI as the main supervisory authority
  • Establishes a national sanctions framework aligned with the AI Act
  • Creates a regulatory sandbox for SMEs and startups

Important: the AI Act as an EU regulation applies directly in Poland without additional transposition. The Polish act clarifies supervision and national sanctions.

Summary

The AI Act is not a threat to most Polish companies — as long as you understand which category you operate in.

Three things to do now:

  1. Inventory all AI tools in your company
  2. Check the category — recruitment and employee assessment = high risk
  3. Designate someone responsible — not necessarily a lawyer, but someone who knows your processes

Your deadline is 2 August 2026. Organisations that start now will have comfort. Those that start in July 2026 will be fighting fires.

Book a free consultation with Prospere AI — we will help assess where your company stands →