What is AI regulation in Poland?

AI regulation in Poland is mainly the EU AI Act, which applies directly in Poland as an EU member state. Poland's own task is to build the national enforcement and support machinery around that EU law. As of June 2026, the government has sent a draft Polish AI bill to Parliament. It would create a national AI market-surveillance authority, set complaint and penalty procedures, allocate roles to the Ministry of Digital Affairs and UODO, and support regulatory sandboxes.

What this means

Poland does not have a separate, stand-alone AI rulebook that replaces the EU framework. The main legal duties come from the EU AI Act itself: prohibited practices, transparency rules, high-risk system duties, governance rules and obligations for general-purpose AI models. Those rules apply in Poland because they are EU law.

What Poland still needs is the domestic layer that tells organisations which Polish authorities they deal with, how complaints are filed, how market supervision works, which court hears appeals and how conformity-assessment bodies are notified. That is what the Polish draft Act on AI systems is designed to do.

So the practical answer for most organisations is simple: if you build, buy, deploy or sell AI in Poland, start from the EU AI Act, then track the Polish implementation bill because it will shape supervision, procedures and regulator touchpoints inside Poland.

Why it matters

Poland matters because it combines two things: direct exposure to the EU AI Act and the scale of the largest economy in Central Europe. For founders, operators, buyers and advisers, that means Poland is not a peripheral implementation question. It is a market where regional governance choices can become operational very quickly.

The stakes are practical. If your organisation provides AI systems into Poland, procures them for Polish operations, or deploys them in areas such as employment, education, finance, healthcare, border control or public administration, you may need to classify systems, document intended purpose, manage human oversight, allocate contractual roles, train staff, handle complaints and prepare for regulator requests. Data protection, consumer law, sectoral safety rules and public-law controls can all overlap with the AI Act.

The Polish draft also matters for planning. It points to who may investigate incidents, accept complaints, impose sanctions, run sandboxes, issue individual interpretations and cooperate with EU bodies. For leaders, that changes budgeting, product planning, procurement, audit preparation and incident management, even before the final national text is settled.

How it works

The starting point is EU law, not a separate Polish AI regime

The core legal framework in Poland is Regulation (EU) 2024/1689, the EU AI Act. That means the central architecture is the same as elsewhere in the Union: a risk-based model, direct bans on certain practices, transparency duties for some systems, stricter obligations for high-risk systems, and a distinct regime for general-purpose AI models. Poland cannot rewrite those categories through ordinary domestic legislation. Its national law mainly fills in institutions, procedures and enforcement channels.

For general-purpose AI models, especially the most capable models, supervision remains more centralised at EU level through the European Commission's AI Office than it is for ordinary AI systems sold or used in one member state.

Some duties already apply. The AI Act's prohibitions and AI literacy rules started to apply from 2 February 2025. Governance rules and the obligations for providers of general-purpose AI models started to apply from 2 August 2025. The wider high-risk regime has been the subject of EU-level simplification work, and public Commission material after the May 2026 political agreement points to 2 December 2027 for many stand-alone high-risk systems and 2 August 2028 for AI embedded in regulated products. That means organisations in Poland should watch both the baseline AI Act and the latest EU implementation timetable, not just the Polish bill.

The Polish bill is about institutions, procedures and enforcement

The Polish draft Act on AI systems is designed to make the EU AI Act work on the ground in Poland. Official government material says it covers national supervision, proceedings before the authority, inspections, notification of conformity-assessment bodies, certification, judicial protection for citizens, administrative penalties for breaches of Article 5 of the AI Act, the reporting of serious incidents and support measures such as regulatory sandboxes.

That is an important distinction. The bill does not replace the EU risk taxonomy. Instead, it tells the market who the Polish authorities are, how they interact, and how a person or business can bring a complaint or challenge a decision. In other words, the EU AI Act supplies the substantive duties, while the Polish bill supplies much of the domestic machinery.

The proposed Polish supervisory map

The centrepiece of the Polish design is the proposed Komisja Rozwoju i Bezpieczeństwa Sztucznej Inteligencji, usually shortened in Polish materials to KRiBSI. Government materials say this body would serve as the national market-surveillance authority for AI systems and models, coordinate supervision in Poland, handle administrative cases, issue decisions, impose sanctions and act as Poland's main AI contact point.

The draft also gives the Ministry of Digital Affairs a different role. It is proposed as the notifying authority for conformity-assessment bodies. Accreditation matters would be handled through the Polish Centre for Accreditation, using Poland's wider conformity-assessment system.

UODO, Poland's data protection authority, is not the general AI regulator, but it is clearly important. Government materials on the bill say the proposed national authority must cooperate with UODO. The draft also gives UODO an additional market-surveillance role for certain sensitive use cases, especially some biometric, law-enforcement, border, justice and democracy-related high-risk uses. UODO itself has publicly welcomed the recognition of its exclusive competence in some of those areas, while also arguing that the draft still needs clearer statutory rules on how UODO and the new AI authority would exchange information and coordinate when personal data issues are central.

What organisations in Poland actually need to operationalise

For most companies, the first operational task is role-mapping. Are you the provider, deployer, importer, distributor or authorised representative? Polish law will not change those EU categories, but the Polish authorities you deal with may differ depending on the use case. A provider of a high-risk recruitment tool, a deployer of a biometric system and a company fine-tuning a general-purpose model are not exposed in the same way.

The second task is system-mapping. Many organisations still ask whether "AI" is regulated as a general idea. In practice, the important question is whether a specific tool falls inside the AI Act, and if so under which bucket: prohibited, transparency-only, high-risk, general-purpose model, or lower-risk use with no dedicated AI Act controls beyond general law. That classification then drives documentation, governance, contract drafting, supplier diligence and escalation paths.

The third task is evidence-building. In Poland, as elsewhere in the EU, compliance is not mainly about having an AI policy on paper. It is about maintaining evidence that the system has been classified correctly, that staff have the right level of AI literacy, that human oversight is real, that data and testing practices are defensible, that incidents can be reported, and that the organisation knows when to involve privacy, product, employment, procurement or safety specialists.

Complaints, intervention powers and appeals

A notable feature of the Polish model is the emphasis on complaint-handling for people affected by AI. Official Polish materials describe a route for individuals to complain when they believe an AI system acted improperly, and the draft provides a specific complaint procedure for alleged breaches of the AI Act's prohibited-practice rules. Government explanations also describe powers to investigate, inspect and issue accelerated orders, including the withdrawal of a system from use where there is a direct risk.

The draft also points to a more formal judicial route than many businesses expect. Government material says appeals from decisions of the competent national authority would go to the Regional Court in Warsaw, specifically the Court of Competition and Consumer Protection. That matters because it signals that AI supervision in Poland is being built as an administrative and market-surveillance system, not just a policy forum.

The same public materials also point to transparency on the regulator side. The proposed authority would publish decisions, maintain a list of AI systems for which penalties were imposed, and publish annual examples of good practice. If enacted, that would make Polish AI supervision more visible to the market and would create a growing body of practical signals for compliance teams.

Support measures, sandboxes and the policy direction behind the law

Poland's approach is not only restrictive. The government has paired supervision with ecosystem-building. The proposed authority would help create and run AI regulatory sandboxes, and official materials describe a route for organisations to request individual opinions on how the rules apply in a specific case. The Ministry of Digital Affairs has framed this as a way to support trustworthy AI development without leaving users unprotected.

That matches the broader Polish policy direction, which links AI regulation with competitiveness, research capacity, public-sector capability and trustworthy deployment. For business, the signal is that Poland is trying to build both control and enablement: formal supervision for risky use, plus structured support for testing and lawful deployment.

What is confirmed, and what is still moving

A few points are clear. The EU AI Act already applies in Poland because it is directly applicable EU law. Poland needs designated national authorities and domestic procedures under that framework. The Council of Ministers adopted a draft national bill in March 2026 and sent it into the parliamentary process. The institutional direction is therefore visible.

But important details remain in motion. The Polish bill was still going through Parliament in June 2026, so its final institutional design could still change. At EU level, the implementation calendar for many high-risk rules has also been affected by a simplification package and a May 2026 political agreement. For organisations operating in Poland, the safe reading is that the architecture is settled, but some timing and supervisory details still need close monitoring.

Examples

A bank uses an AI system to assess a customer's application and rejects it. The Polish Ministry has used this kind of example to explain the draft system. Under the proposed Polish model, the affected person could submit a complaint to the new AI authority if they believed the system had acted unlawfully or in a discriminatory way. In practice, that could pull in both AI Act supervision and data protection analysis if personal data were central to the decision.

A healthcare app based on AI is placed on the market and later appears to create a direct safety risk. Polish government material says the proposed authority should be able to act quickly and order the system's withdrawal from use, rather than waiting for a long court process before risk controls begin. For providers and deployers, that points to the importance of post-market monitoring, incident escalation and a clear owner for product withdrawal decisions.

A company developing a high-risk AI system wants early certainty before scaling in Poland. The current Polish design points to two routes. First, the organisation may be able to use a regulatory sandbox to test the system in a controlled environment. Second, it may request an individual opinion from the proposed authority on how the rules apply to its case. If a conformity-assessment body wants to operate in this area, the draft assigns notification to the Ministry of Digital Affairs, with accreditation handled through the Polish Centre for Accreditation.

Common misunderstandings

"Poland has its own AI Act." Not really. The main binding framework is the EU AI Act. Poland's draft law is the domestic implementation and enforcement layer around it.

"Nothing applies until Poland passes its bill." Incorrect. Core EU AI Act rules already apply in Poland, even while the Polish institutional bill is still moving through Parliament.

"AI in Poland is mainly a GDPR issue." GDPR remains important, especially where training data, profiling or automated decisions involve personal data, but the AI Act also brings market-surveillance, safety, transparency and conformity-assessment issues that go beyond privacy law.

"Only AI developers need to care." No. Deployers, importers, distributors, employers, buyers and public bodies can all acquire duties under the AI Act depending on their role and the system type.

"UODO will regulate all AI in Poland." Not on the current design. UODO is important, especially for data protection and certain sensitive high-risk uses, but the proposed general market-surveillance role sits with the new AI authority.

Risks and boundaries

AI regulation in Poland is not a single checklist. Even where the AI Act applies, organisations may also need to follow GDPR, consumer law, product safety law, sector-specific rules, employment law, public procurement rules and constitutional or administrative-law controls. The Polish bill does not remove those layers.

It is also a mistake to treat every automated or statistical tool as regulated AI. The first question is whether the tool falls within the AI Act at all. The second is which category applies. Plenty of governance failures happen because organisations skip that threshold analysis and either over-classify everything or assume nothing is covered.

The biggest current boundary is legal timing. In mid-2026, the domestic Polish institutional framework was not yet final, and the EU timetable for many high-risk obligations had been politically reshaped but was still part of an evolving implementation picture. That means teams should separate three things: what is already binding now, what is likely to come next, and what still depends on final legislative text.

Lastly, Poland's draft is not a substitute for implementation design inside a company. The law can tell you who the authorities are and what they can do. It does not tell you how to allocate product ownership, assure training data, structure human review, log interventions, or divide responsibility across legal, technical and operational teams.

What to do next

Start with an inventory of AI systems used or supplied in Poland, then assign the EU AI Act role for each system: provider, deployer, importer, distributor or another relevant actor. Without that step, nearly every later control becomes unreliable.

Prioritise what already bites. Review prohibited-practice risk, put AI literacy measures in place for relevant staff, and identify any transparency duties that may apply to synthetic content, emotion recognition, biometric categorisation or other in-scope tools.

For any system that may be high-risk, prepare an evidence pack now. That should cover intended purpose, data and testing controls, human oversight, logging, accountability lines, supplier documentation, incident reporting and the route to conformity assessment where needed. Do not wait for the final Polish act before doing this work.

Track the Polish institutional map closely. If the current draft is enacted in roughly its present form, organisations will need to understand when to engage the new AI authority, when UODO may have a parallel or primary role, and when the Ministry of Digital Affairs or the Polish Centre for Accreditation enters the picture.

Finally, build Poland into your regional governance model rather than treating it as a local exception. For many businesses serving Central and Eastern Europe, Poland is large enough that its compliance process can influence contracts, product release sequencing, procurement standards and escalation design across the wider region.

FAQs

Is AI regulation in Poland mainly EU law or Polish law?

Mainly EU law. The AI Act is directly applicable in Poland. The Polish bill is mainly about authorities, procedures, sanctions, complaints and support mechanisms.

Has Poland already passed its national AI implementation act?

As of June 2026, no final Polish act had yet replaced the draft stage. The Council of Ministers had adopted a bill and sent it into Parliament, but the final enacted text was still pending.

Who is expected to supervise AI in Poland?

The current draft centres supervision on a new authority called the Komisja Rozwoju i Bezpieczeństwa Sztucznej Inteligencji. The Ministry of Digital Affairs would act as notifying authority, and UODO would keep an important role, especially for data protection and certain sensitive high-risk uses.

Does UODO regulate AI in Poland?

UODO regulates personal data issues and, on the current draft, would also have a specific market-surveillance role for some sensitive AI use cases. But it is not presented as the single regulator for all AI activity.

Do any AI Act duties already apply in Poland?

Yes. The AI Act's prohibited-practice rules and AI literacy duties already apply, and the governance and general-purpose model regime has also started to apply at EU level.

Are general-purpose AI models mainly supervised in Poland?

Not mainly. The EU framework gives the European Commission's AI Office a central role for general-purpose AI models, especially the most capable models and their systemic-risk obligations.

Will Poland have AI regulatory sandboxes?

The draft Polish design clearly points that way. Official materials say the proposed authority would create and run regulatory sandboxes and offer individual opinions to help organisations test and assess compliance.

Does Polish AI regulation replace sector-specific rules?

No. AI Act duties sit alongside sector rules, privacy law, product law, consumer law, employment law and other applicable requirements.

Sources