Tag: AI Act

  • NIS2 and AI Act in Poland: Costly obligation or ticket to Western markets?

    Just two years ago, regulatory compliance was treated in boardrooms as a necessary evil – a costly item in Excel that had to be minimised. Today, in January 2026, we are waking up to a new reality. The protective periods have passed. “Paper tigers” have taken real shape, and the market is brutally verifying who has done their homework and who was hoping for eternal deferral.

    For Polish companies and their European partners, compliance has ceased to be a matter of avoiding administrative fines. It has become the hardest currency in B2B relationships and a sine qua non for staying in supply chains.

    Two-speed Europe, one unforgiving market

    It is January 2026 and Western Europe is already more than a year past the deadline for full transposition of the NIS2 Directive (October 2024). In Germany, France or Scandinavia, oversight mechanisms are in full swing and the first severe financial penalties and personal consequences for board members have been reported in the media.

    Poland is at a peculiar moment. We are fresh from the tumultuous, delayed entry into force of the amendment to the National Cyber Security System Act (UKSC), which implemented EU requirements in mid-2025. Polish companies are still in the ‘post-implementation shock’ phase. While the German contractor treats cyber-security procedures as standard, the Polish supplier is often only just finishing frantically patching gaps so as not to lose the contract.

    This timing asymmetry has concrete business implications. For Polish business, 2026 is a race against time to prove to Europe that ‘Made in Poland’ also means ‘Secure by European Standards’.

    NIS2 knock-on effect: The great purge in supply chains

    The most important economic phenomenon of the beginning of 2026 is not the regulations themselves, but their secondary effect, which we call Supply Chain Hygiene.

    The UKSC amendment has placed thousands of new entities in Poland under scrutiny – from hospitals and water companies to food manufacturers and digital service providers. However, the real pressure is not coming from Warsaw, but from corporate clients.

    We are seeing a massive phenomenon of ‘Vendor Shedding’. Large industrial corporations and SOEs, themselves key players, are being forced to audit their subcontractors. In requests for proposals (RFPs) for 2026, the cyber security section has become a knock-out criterion.

    For Polish business, the situation is zero-sum. A software house from Wrocław or a logistics company from Poznań that wants to cooperate with the German automotive sector must present a “NIS2 compliance passport” (often in the form of an ISO 27001 certificate or a KSC compliance audit). The absence of the document means automatic rejection of the offer, regardless of price attractiveness. Compliance has become a new barrier to entry into export markets.

    AI Act: Race to August 2026

    The situation is equally dynamic in the area of artificial intelligence. We are halfway through the implementation of the AI Act. We are already well past the entry into force of the provisions on prohibited practices (February 2025) and of the rules for General Purpose AI (GPAI) models (August 2025).

    However, a major milestone lies ahead: August 2026, when the High-Risk AI Systems regulations will be fully applicable. Although the deadline is a few months away, the market is not waiting.

    In January’s IT budgets for 2026, companies are massively demanding ‘AI Act Ready’ status from software vendors. B2B customers are afraid of legal liability for ‘black boxes’. They would rather pay more for a system that guarantees transparency, human oversight and auditable data than risk implementing a cheap algorithm that will become illegal in six months.

    Here lies a huge opportunity for the Polish IT sector. Polish technology companies are starting to use AI Act compliance as their Unique Selling Proposition (USP). In the clash with cheaper competition from Asian or even American markets (where regulations are looser), Polish code is promoted as a “Safe Harbor”. The European stamp of conformity becomes a guarantee of quality and legal security, which attracts investors seeking stability.

    DORA: Lessons one year after ‘zero hour’

    The financial sector is already one step further ahead. The DORA (Digital Operational Resilience Act) regulation has been in full effect since 17 January 2025. A year of operation under the new regime has brought hard lessons.

    The Polish banking sector, regarded as one of the most modern in Europe, has become an absolute verifier for the Fintech industry. DORA has forced banks to rigorously manage third-party supplier risk (ICT Third Party Risk).

    The result? Fintechs and payment gateway providers that have ignored digital resilience requirements have lost access to banking APIs or had their contracts terminated in the last 12 months. DORA has acted as a natural selection tool – only those who can demonstrate not only innovation but also operational indestructibility are left in the market.

    Compliance as a hard financial benefit

    In 2026, the discussion about regulatory compliance has moved from the legal department to the financial department. Data from the market shows concrete figures:

    Insurance (Cyber Insurance): Faced with a wave of ransomware attacks, the cost of 2026 policies is astronomical. However, brokers are offering discounts of 30-40% for companies that demonstrate full KSC/NIS2 compliance. For a large company, this is a saving going into the hundreds of thousands of pounds a year – a direct return on investment in compliance.

    Public Procurement: The new Public Procurement Law in Poland increasingly places a premium on safety. Price is no longer the only determinant. The weight of non-price criteria (including certified information security) in tenders for 2026 has increased significantly. ‘Compliant’ companies are winning tenders, even offering higher prices.

    Mergers and Acquisitions (M&A): Venture Capital and Private Equity funds have changed their checklists. Due diligence in 2026 starts with questions about AI Act and NIS2 compliance. A startup with ‘legal debt’ is unsellable or its valuation is drastically reduced.

    Change your thinking or die

    For Boards of Directors and Officers (CxOs), the conclusion for 2026 is clear: the Compliance department is no longer a ‘brake department’ that says ‘no’. It is a key partner of the sales department.

    In a business landscape dominated by geopolitical and technological uncertainty, trust has become a scarce commodity. A certificate of NIS2 compliance or AI Act readiness is proof in 2026 that a company is a predictable, secure and mature partner.

    Companies that treat regulation merely as an unpleasant bureaucratic chore are already losing the battle for Western markets. Those that have made transparency and security their banner gain a competitive advantage that cannot be copied overnight. In 2026, compliance is not a shield – it is a sword with which to cut out unprepared competitors.

  • Brussels relaxes AI Act. Big Tech can take a temporary breather

    It looks like intense lobbying by big tech companies and criticism from the US administration are bearing fruit. The European Commission is considering relaxing some of the provisions of its landmark Artificial Intelligence Act (AI Act), which could give a valuable deferral to players such as Apple and Meta.

    The move is part of the new Commission’s wider drive to ‘simplify’ the complex digital regulations the EU has adopted over the past two years. Central to this is the so-called ‘Digital Omnibus’, a simplification package to be unveiled by the EU’s new executive vice-president for digital, Henna Virkkunen, on 19 November.

    According to a draft document accessed by Reuters, the Commission is proposing “targeted simplification measures” to ensure proportionate implementation of the rules.

    What does this mean in practice? First of all, companies can be exempted from registering their AI systems in the EU database for high-risk systems if the tools are only used for ‘narrow or procedural tasks’. This is a significant reduction in the bureaucratic burden that the industry has been calling for.

    Moreover, the industry may gain additional time to comply. The document introduces a one-year grace period for the imposition of financial penalties, which would not be enforced until 2 August 2027. The transitional grace period would also cover a key requirement to flag AI-generated content – a mechanism to combat deepfakes and misinformation.

    This change of course is not isolated. Brussels also recently relaxed its ambitious environmental rules after strong opposition from industry and farmers. For technology companies, which had criticised the AI Act for potentially stifling innovation, this is a clear signal that their voice (and pressure from Washington) has been at least partially heard. The document is still subject to change before the official presentation.

  • The EU AI Act enters a new phase. More obligations await Poland and Europe

    In August 2025, further provisions of the EU’s Artificial Intelligence Act (AI Act) came into force, introducing significant new requirements for technology providers and member state administrations. The regulations focus on general purpose AI (GPAI) models and the creation of supervisory structures. Poland, like other EU countries, is working to adapt its national law, although work on a key law is still ongoing.

    A new phase in the implementation of the AI Act, a landmark regulation for the technology sector, focuses on ensuring the transparency and security of the most advanced AI systems. Providers of general-purpose models, such as those underpinning popular chatbots or image generators, have been required to assess their impact on fundamental rights in detail. They must also publish concise summaries of the data used to train the algorithms and provide oversight of their further use.

    This is the regulator’s response to growing concerns about the potential risks associated with the non-transparent operation of powerful language and generative models. The European Commission has also published a specific code of conduct to help companies implement these complex requirements in practice.

    Another pillar of the August amendments is the establishment of a formal governance and oversight framework for the AI market. The legislation establishes EU administrative structures which, in cooperation with national authorities, will monitor compliance with the law. A system of financial penalties for violations has also been introduced to ensure real enforcement of the regulations.

    Meanwhile, in Poland, government work is underway on a draft Artificial Intelligence Systems Act (U71) to implement the EU law. The draft, which has received a positive opinion from the Committee for European Affairs, envisages the establishment of a new supervisory body, the Commission for the Development and Security of Artificial Intelligence. The Ministry of Digitalisation has a key role in coordinating the implementation.

    An important element of the Polish strategy is to be the promotion of innovation through the creation of so-called regulatory sandboxes. These controlled test environments will allow companies and startups to experiment with new AI technologies without the risk of violating complex regulations, which is supposed to be a compromise between security and development. However, the lack of finalisation of national regulations remains a challenge for the Polish AI sector, which is waiting for clear implementation guidelines.