EU AI Act Compliance for HR-Tech Companies in Poland
Poland-based organisations deploying AI in recruitment, selection, or employee evaluation face the same uniform EU-wide obligations as every other member state. The EU AI Act — Regulation (EU) 2024/1689 — is directly applicable law across the entire European Union. No transposition is required, and no member state may reduce or delay its obligations. This page sets out what HR-tech deployers operating in Poland need to know and do.
HR and Recruitment AI Is High-Risk — Uniformly Across the EU
Annex III point 4 of Regulation (EU) 2024/1689 classifies as high-risk any AI system used in:
- Point 4(a): Recruitment or selection of natural persons — including targeted job advertising, analysis and filtering of job applications, and evaluation of candidates in interviews or assessments.
- Point 4(b): Decisions on promotion, termination, task allocation, or monitoring of performance and conduct of persons in employment relationships.
This classification applies identically in Poland, Denmark, Germany, and every other EU member state. There is no national carve-out. If your HR platform uses AI to screen CVs, rank candidates, power psychometric assessments, or monitor workforce performance, you are deploying a high-risk AI system and the obligations in Chapter III of the Act apply to you as the deployer.
Key Dates (Uniform EU Timeline)
| Date | What enters into force |
|---|---|
| 2 February 2025 | Prohibited AI practices (Article 5) — already in effect |
| 2 August 2025 | Rules on general-purpose AI models (GPAI) — already in effect |
| 2 August 2026 | High-risk obligations (Chapter III, including Annex III) fully applicable |
A proposed Digital Omnibus amendment package would defer certain Annex III deployer obligations to 2 December 2027. As of the date of this page, this deferral is a legislative proposal only — it has not been enacted. Compliance planning should continue against the 2 August 2026 date until the amendment is formally adopted and published.
Article 4 AI Literacy — Already Required Since February 2025
Article 4 requires deployers to ensure a sufficient level of AI literacy for all staff who operate, oversee, or make decisions informed by AI systems. This obligation has been in force since 2 February 2025 — it is not part of the deferred high-risk chapter. HR directors, recruiters, hiring managers, and HR business partners all fall within scope. Maintain a dated register of training delivered.
Deployer Duties Under Article 26
As the organisation putting the AI system into use, your obligations include:
- Art 26(1) — Use the system strictly in accordance with the provider's instructions for use. Deviating from those instructions — including connecting non-validated input feeds — is a compliance breach.
- Art 26(2) — Assign competent human oversight persons with the authority, training, and technical understanding to intervene, override, and reverse AI recommendations.
- Art 26(5) — Monitor operation against the instructions for use and report serious incidents to the provider.
- Art 26(6) — Retain the automatic logs generated by the system for an appropriate period, minimum six months, in a manner that allows audit and reconstruction of decisions.
- Art 26(7) — Before deploying a high-risk AI system in the workplace, inform workers' representatives and affected workers that the system will be used.
- Art 26(11) — Inform natural persons (candidates, employees) that they are subject to a decision made or materially assisted by a high-risk AI system.
Compliance evidence must be documentary, not merely procedural. Auditors and national market surveillance authorities will request records.
Article 27 Fundamental Rights Impact Assessment
Certain deployers — public bodies and private operators providing services to the public in the sectors listed in Annex III — must complete a Fundamental Rights Impact Assessment (FRIA) before first deployment. Even where the FRIA is not a strict legal requirement for a given private employer, completing one is strong evidence of due diligence and materially overlaps with the GDPR Article 35 Data Protection Impact Assessment that is almost always required for automated candidate evaluation. Do not treat these as separate exercises.
Penalties (Uniform Across All Member States)
Penalties under Article 99 apply uniformly in Poland and every other member state:
| Violation category | Maximum fine |
|---|---|
| Prohibited practices (Article 5) | EUR 35 million or 7% of global annual turnover |
| Most other violations of the Act | EUR 15 million or 3% of global annual turnover |
| Incorrect, incomplete, or misleading information to authorities | EUR 7.5 million or 1% of global annual turnover |
The higher of the two figures applies. For a multinational group with significant revenue, the turnover-based cap will almost always exceed the absolute ceiling.
NIS2 Cybersecurity Obligations
NIS2 — Directive (EU) 2022/2555 — raises cybersecurity requirements and is transposed into national law in each EU member state, including Poland. HR-tech SaaS vendors operating above the relevant employee and turnover thresholds are typically classified as important entities (digital providers) and carry obligations covering risk management, incident reporting, supply chain security, and board-level accountability for cybersecurity governance. Their customers may independently fall within NIS2 scope depending on their own sector. Organisations in Poland should verify their sector classification and identify the relevant national competent authority under the Polish transposition. Because national transposition details and sector mappings involve country-specific law, we recommend confirming NIS2 scope with a qualified local legal adviser.
What PowerQuant Delivers
PowerQuant provides fixed-price, fixed-delivery compliance documentation packages for EU AI Act deployers. Every claim in our deliverables is cross-checked against the regulation text.
| Module | What you receive | Price |
|---|---|---|
| Module 1 — AI Inventory & Article 4 Literacy Register | Structured AI system inventory, Annex III classification rationale, Article 4 literacy register template | EUR 1,499 |
| Module 2 — Procurement Evidence Pack (Article 26) | Article 26 deployer checklist, human-oversight SOP, log-retention policy, worker information notice templates, FRIA framework | EUR 3,499 |
| Ongoing Compliance Monitoring | Regulatory change monitoring, quarterly evidence review, alert on relevant guidance and enforcement decisions | EUR 699/month |
Modules 1 and 2 together give you a complete deployer evidence file ready for market surveillance audit or due-diligence review. Delivery is in English; Danish available on request.
Get a Fixed Quote
Email kontakt@powerquant.dk to request a scoped proposal. Describe the AI systems your organisation is deploying in HR — we will confirm the applicable obligations, map them to our modules, and provide a written fixed-price quote within two working days.
This page is technical documentation prepared to help deployers understand the regulatory framework. It is not legal advice. Consult a qualified legal adviser for advice specific to your organisation's situation.
PowerQuant ApS, CVR 46274067.
Source: Regulation (EU) 2024/1689 (EU AI Act) — eur-lex.europa.eu/eli/reg/2024/1689/oj; Directive (EU) 2022/2555 (NIS2).