
EU AI Act in Poland: Authorities, Obligations, and the Pending National Framework

Guide · 3 June 2026 · 16 min read · 3,335 words

Poland's EU AI Act enforcer KRiBSI is proposed but not yet enacted. Covers obligations, GDPR overlap, penalties, and the Dec 2027 high-risk deadline.

Poland is building its EU AI Act enforcement architecture from scratch — and doing so openly. Unlike member states that could retrofit an existing cross-sectoral regulator, Poland's draft implementing law proposes an entirely new collegial body with no predecessor. Regulation (EU) 2024/1689 is directly applicable in Poland regardless of whether that national framework has been enacted. Article 5's prohibited practices have applied since 2 February 2025; GPAI obligations under Chapter V have applied since 2 August 2025. What Poland has not yet completed is designating the authority that will investigate and fine.

This article sets out where Poland stands: the proposed regulatory body, which existing regulators are already relevant, how the GDPR interacts with the Act, the corrected timeline following the Digital Omnibus, and what companies operating in Poland should be doing now.


A Regulation, Not a Directive: No Polish Transposition Required

The EU AI Act is a Regulation under Article 288 TFEU. It entered into force on 1 August 2024 and applies directly in every Member State without being transposed into national law. Companies in Poland do not wait for a Polish statute before obligations apply — the Regulation itself is the source of law. Any suggestion that you can defer compliance until Poland passes its implementing Act is wrong.

What Poland does need to provide — and what member states were expected to deliver by 2 August 2025 — is the national enforcement infrastructure: designated competent authorities, domestic procedures for enforcement and penalties, and the institutional arrangements that make the Regulation operational. Poland missed that deadline; so did several other member states. The practical effect is that enforcement powers have not yet been formally conferred on a Polish authority. That is a temporary gap in national infrastructure, not a suspension of substantive obligations.

Article 70 of the Regulation requires each Member State to designate at least one national competent authority, which must also serve as market surveillance authority (MSA) and notify the Commission accordingly. Article 70 also requires designation of a single point of contact (SPoC) for the EU AI Office. Poland has completed neither designation. The draft Act on Artificial Intelligence Systems addresses both — but the draft has not been enacted.


Poland's Draft Act and the Proposed AI Commission (KRiBSI)

The Polish Ministry for Digital Affairs (Ministerstwo Cyfryzacji) is leading work on a national implementing law: the Act on Artificial Intelligence Systems (Ustawa o systemach sztucznej inteligencji). A working draft circulated in February 2026 and was still progressing toward adoption by the Council of Ministers and then Parliament as of mid-2026. It has not been enacted. Treat the following as pending and subject to change.

The draft proposes a new body: the Commission for the Development and Security of Artificial Intelligence — in Polish, Komisja Rozwoju i Bezpieczeństwa Sztucznej Inteligencji, abbreviated KRiBSI — as Poland's national market surveillance authority and single point of contact for the EU AI Office. KRiBSI does not exist yet. It is proposed.

KRiBSI is designed as a collegial body rather than a single-commissioner model. Under the draft it would be composed of a chairperson, two deputy chairpersons, and permanent members seconded from four existing regulatory bodies: the Office of Competition and Consumer Protection (UOKiK), the Polish Financial Supervision Authority (KNF), the Office of Electronic Communications (UKE), and the National Broadcasting Council (KRRiT). That composition reflects the cross-sectoral reach of the Act: consumer protection, financial services, telecoms, and media are the sectors where AI deployment is already densest.

The Minister for Digital Affairs (Ministerstwo Cyfryzacji) would be designated as Poland's notifying authority under the Regulation — the body responsible for assessing and notifying conformity assessment bodies to the Commission under Article 28.

Until KRiBSI is formally established, there is no Polish authority with powers to investigate, issue corrective orders, or impose Article 99 fines. That will change when the Act passes. Companies that wait will find an undocumented AI inventory far harder to explain to a new regulator eager to demonstrate activity than one assembled in advance.


Who Will Enforce the EU AI Act in Poland?

KRiBSI: The Proposed Primary Authority

If enacted broadly as drafted, KRiBSI would serve as Poland's MSA for high-risk AI systems, notifying authority, and SPoC for the EU AI Office. As MSA it would have powers to audit technical documentation and conformity assessments under Article 43, review Article 72 post-market monitoring records, issue corrective orders, restrict market access, and impose Article 99 fines.

The collegial structure is meant to provide built-in sectoral expertise from day one. In practice, KRiBSI will be a genuinely new institution — with no institutional memory specific to AI regulation. Early enforcement is unlikely to follow a settled playbook. Companies that engage constructively, with clear documentation of their AI classifications and technical files, are more likely to shape that developing practice in a reasonable direction than those that treat compliance as a future problem.

Existing Regulators in the Interim

Even before KRiBSI exists, the constituent regulators matter through their existing mandates. UOKiK enforces consumer protection and investigates digital market practices — its interest in AI systems affecting consumer decisions predates the EU AI Act. KNF supervises banks, insurers, and investment firms; for a Polish bank or insurer using an AI creditworthiness model under Annex III point 5(b) or 5(c), KNF is the relevant operational supervisor now. KRRiT's media-content jurisdiction makes it a natural counterpart for Article 50 synthetic-media and deepfake-labelling obligations that apply from 2 August 2026.

UODO — Poland's GDPR supervisory authority — retains full jurisdiction over personal-data processing in AI systems and operates independently of KRiBSI. For AI deployments triggering both GDPR and EU AI Act obligations, UODO is active today.

EU AI Office: GPAI Providers

Companies in Poland that develop and place general-purpose AI models on the market are supervised directly by the EU AI Office in Brussels, not by Polish authorities. The AI Office has competence over Chapter V obligations (Articles 53 and 55). KRiBSI, once established, would coordinate as SPoC but would not exercise substantive GPAI enforcement.


How Poland's Framework Interacts with the GDPR

The GDPR and the EU AI Act run in parallel for AI systems that process personal data — which covers nearly all Annex III high-risk categories. The obligations stack; neither displaces the other.

The most practically significant interaction is between the GDPR's Article 35 Data Protection Impact Assessment (DPIA) and the EU AI Act's Article 27 Fundamental Rights Impact Assessment (FRIA). Both are mandatory prior-to-deployment assessments; both examine risks to individuals' rights; both require documented findings available to supervisors. Article 27(4) explicitly allows the FRIA to build on an existing DPIA, and the two assessments share substantial factual ground. For a Polish public institution deploying an AI tool to assess social-benefit eligibility — an Annex III point 5 use case — running a coordinated DPIA + FRIA is both more efficient and more defensible than treating them as entirely separate exercises. UODO's published DPIA methodology provides a reasonable starting framework; the FRIA layers on the fundamental-rights analysis the EU AI Act specifically requires.

A second interaction concerns records and automated decisions. EU AI Act Article 12 requires record-keeping systems for high-risk AI; GDPR Article 22 governs automated decisions with significant effects on individuals and requires meaningful information about the logic involved. A Polish company running an AI recruitment screening tool has simultaneous obligations under both instruments on documentation, transparency, and human review — the records built for one inform the other, but compliance with both must be confirmed independently.

Where a high-risk AI system involves personal data at scale, the combined exposure is at the top of both penalty scales. UODO can impose fines under GDPR Article 83; KRiBSI will eventually be able to impose EU AI Act Article 99 fines. A single deployment failure could attract attention from both.


The EU AI Act Timeline as It Applies in Poland

Date | What applies
2 February 2025 | Article 5 prohibited practices and Article 4 AI literacy — in force and enforceable now
2 August 2025 | GPAI obligations (Chapter V, Articles 51–56), governance, AI Office, Article 99 penalties
2 August 2026 | General application including Article 50 limited-risk transparency (chatbots, deepfakes, synthetic-content marking)
2 December 2027 | Stand-alone high-risk AI systems (Annex III list) — deferred under the Digital Omnibus
2 August 2028 | High-risk AI as safety components of Annex I regulated products — deferred under the Digital Omnibus

Two points deserve particular emphasis for companies in Poland.

First, Article 5 is already live. Prohibited practices — biometric categorisation by sensitive characteristics, social scoring, manipulation exploiting personal vulnerabilities, emotion recognition in workplaces and educational settings, real-time remote biometric identification in publicly accessible spaces — have been enforceable since 2 February 2025. The absence of a formally designated Polish authority does not suspend them.

Second, the high-risk deadline is not August 2026. Under the Digital Omnibus — political agreement between Parliament and Council reached 7 May 2026, with formal adoption expected before 2 August 2026 — stand-alone high-risk Annex III systems have until 2 December 2027, and high-risk AI embedded in Annex I regulated products until 2 August 2028. That deferral is not a reprieve: assembling a full Article 9 risk management system, Annex IV technical documentation pack, Article 14 human oversight controls, and passing a conformity assessment under Article 43 takes most well-resourced organisations six to twelve months. Starting in 2026 is the right pace.


Penalties: What Companies in Poland Face

The penalty framework is Article 99 of Regulation (EU) 2024/1689. Three tiers, each expressed as whichever is higher of a fixed sum or a percentage of total worldwide annual turnover for the preceding financial year:

  • €35,000,000 or 7% — for violations of the Article 5 prohibitions. Enforceable since 2 August 2025.
  • €15,000,000 or 3% — for non-compliance with high-risk AI requirements (Articles 9–15), provider obligations (Article 16), deployer obligations (Article 26), and Article 50 transparency duties.
  • €7,500,000 or 1% — for supplying incorrect, incomplete, or misleading information to notified bodies or competent authorities.

For smaller companies and start-ups, Article 99(6) provides a proportionality protection: the fine is capped at the lower of the fixed amount or the applicable percentage. A Polish company with €5 million in annual worldwide turnover faces a ceiling of €150,000 (3% of €5M) for a high-risk obligation breach — not €15 million. That cap is real and worth knowing; it is not a licence to delay. Even a €150,000 fine is material to a company of that size, and reputational consequences observe no such cap.

The procedures for imposing penalties will be set by the national Act when enacted. Until that framework is in place, the enforcement process in Poland remains unsettled. GPAI-specific fines — up to €15 million or 3% — are a separate instrument under Article 101, imposed by the Commission directly on GPAI model providers.


Poland-Specific Compliance Considerations

Document Your Classification Now

The Article 6(3) filter means that many systems falling within an Annex III area are not automatically high-risk — if the system poses no significant risk to health, safety, or fundamental rights, and meets one of the four filter conditions (narrow procedural task; improves a previously completed human activity; detects decision patterns without replacing human judgment; or preparatory work), the provider can claim the exemption. But Article 6(3) still requires the provider to document that assessment and register the system under Article 49. Doing that classification work now, before KRiBSI exists, is not wasted effort. The analysis is the same regardless of whether a Polish authority is watching.

Regulatory Sandbox

Article 57 requires member states to establish at least one AI regulatory sandbox by 2 August 2026, with priority and free access for smaller companies under Article 58. Which Polish body will host that sandbox pending KRiBSI's establishment has not been confirmed. Companies developing AI applications in uncertain or high-risk categories should monitor announcements from the Ministry for Digital Affairs.

Public Bodies and the Mandatory FRIA

Polish public bodies — ministries, agencies, local government, courts, law enforcement — deploy AI across Annex III categories with the most significant fundamental-rights consequences. Article 27 requires deployers who are public bodies, or who deploy creditworthiness (Annex III point 5(b)) or life-and-health-insurance AI (Annex III point 5(c)), to complete a FRIA before putting the system into service. That obligation applies regardless of whether KRiBSI exists. Public bodies should treat FRIA preparation as a current task.

The Article 25 Role-Shift Risk

Most Polish companies deploying third-party AI tools sit in the deployer role under Article 26. But companies that fine-tune a model on proprietary data, substantially reconfigure it, integrate it into a product sold under their own name, or repurpose it for a new use face the Article 25 analysis. Any of those steps can convert a deployer into a provider, triggering the full Article 16 provider stack: Annex IV technical documentation, Article 43 conformity assessment, Article 47 Declaration of Conformity, Article 49 registration. Polish technology companies customising AI tools for clients should assess Article 25 exposure carefully.


How Confir Helps Companies in Poland

The EU AI Act's documentation requirements are the same in Poland as anywhere else in the EU: an AI inventory, Article 6 + Annex III classification for every system, Annex IV technical documentation for high-risk ones, an Article 47 / Annex V Declaration of Conformity, an Article 27 FRIA for applicable deployers, and an immutable audit log. Assembling that from scratch is the work — and it is time-consuming regardless of whether a Polish enforcement authority is currently active.

Confir is an EU-hosted compliance tool built for exactly this documentation stack. Its classification engine is rule-based and deterministic — it encodes Articles 5 and 6 with Annex III logic in explicit rules, so the same intake always produces the same finding, with a human-readable explanation of which rule fired. No black box, no hallucination. The output is audit-defensible by design.

Confir generates the full Annex IV technical documentation pack, the Article 47 / Annex V Declaration of Conformity, and runs the Article 27 FRIA for deployers that need it. The compliance assessment spans four structured areas: risk classification and compliance (AIRC), data and technical robustness (AITR), transparency and human oversight (AITO), and governance and post-market monitoring (AIGM). Self-serve from €600 per year, no consulting engagement required.

For companies preparing for a regulator that does not yet exist but will, having a documented compliance programme in a structured tool with an immutable audit log is precisely the kind of evidence that demonstrates good faith when enforcement does arrive.


What Companies in Poland Should Do Now

Immediately (Article 5 obligations already apply): Audit any AI system that might involve biometric categorisation by sensitive characteristics, social scoring, subliminal manipulation, exploitation of personal vulnerabilities, emotion recognition in workplaces or educational settings, or real-time remote biometric identification in public spaces. If the system fits an Article 5 category with no applicable exemption, stop or restructure. These prohibitions have been in force since 2 February 2025.

Before 2 August 2026 (Article 50 transparency): Any customer-facing AI system — chatbots, voice assistants, AI-generated content, synthetic media — must meet Article 50's disclosure and labelling requirements from 2 August 2026. This is a separate, nearer obligation from the high-risk deadline.

2026–2027 (high-risk preparation): Companies with stand-alone Annex III systems have until 2 December 2027 under the Digital Omnibus deferral. Use 2026 to build the AI inventory, complete Article 6 + Annex III classification (including Article 6(3) filter assessment), assign provider and deployer roles, and begin Annex IV documentation for high-risk systems. For public bodies and deployers of creditworthiness or health-insurance AI, coordinate GDPR Article 35 DPIA and Article 27 FRIA preparation in parallel.

Monitor KRiBSI progress: Follow the Act on Artificial Intelligence Systems through the Council of Ministers and Sejm. Watch for Ministry for Digital Affairs announcements on the regulatory sandbox and KRiBSI's establishment. When the authority is formed, its first enforcement signals will indicate which sectors and obligation types it prioritises.


Frequently Asked Questions

Has Poland designated an EU AI Act enforcement authority?

Not as of mid-2026. Poland missed the 2 August 2025 designation deadline. The draft Act on Artificial Intelligence Systems proposes KRiBSI as the market surveillance authority and single point of contact for the EU AI Office. As of mid-2026, the Act had not been enacted and KRiBSI had not been formally established. Companies cannot wait for designation: Regulation (EU) 2024/1689 applies directly under Article 288 TFEU regardless.

What is KRiBSI and what would it do?

KRiBSI (Komisja Rozwoju i Bezpieczeństwa Sztucznej Inteligencji) is Poland's proposed AI regulator under the draft Act on Artificial Intelligence Systems. If enacted, it would serve as the national market surveillance authority with powers to audit, issue orders, and impose Article 99 fines, and as single point of contact for the EU AI Office. It would be collegial: a chairperson, two deputies, and permanent members from UOKiK, KNF, UKE, and KRRiT. It does not yet exist; treat it as proposed, not established.

Do EU AI Act obligations apply in Poland right now, even without a designated authority?

Yes. Regulation (EU) 2024/1689 is directly applicable in Poland under Article 288 TFEU. Article 5 prohibitions have applied since 2 February 2025; GPAI and penalty provisions since 2 August 2025. The absence of a formally designated Polish enforcement authority is a gap in national enforcement infrastructure, not a suspension of substantive obligations.

Which Polish regulator is relevant for AI in financial services?

KNF (Komisja Nadzoru Finansowego) supervises banks, insurers, and investment firms. AI systems used for creditworthiness assessment (Annex III point 5(b)) or life and health insurance risk classification (Annex III point 5(c)) in those entities are within KNF's supervisory perimeter now. KNF is also a proposed permanent member of KRiBSI, which reinforces its continuing relevance for financial-sector AI compliance.

How does GDPR interact with the EU AI Act for companies in Poland?

The two instruments stack. UODO (Poland's GDPR supervisory authority) retains full jurisdiction over personal-data processing in AI systems. The most practically important overlap is between the GDPR Article 35 DPIA and the EU AI Act Article 27 FRIA — both mandatory prior-to-deployment assessments for high-risk systems involving personal data. Article 27(4) allows the FRIA to build on an existing DPIA. Running them in a coordinated sequence is more efficient and more defensible than two entirely separate exercises.

When is the high-risk AI compliance deadline for companies in Poland?

Under the Digital Omnibus (political agreement 7 May 2026), stand-alone high-risk AI systems listed in Annex III have until 2 December 2027, and high-risk AI embedded in Annex I regulated products until 2 August 2028. The original August 2026 deadline for high-risk systems was deferred. Article 5 prohibitions have applied since 2 February 2025 and are enforceable now.

Where does the EU AI Office fit in for Polish companies?

The EU AI Office in Brussels directly supervises GPAI model providers under Chapter V (Articles 53 and 55) regardless of where they are based. For Polish companies building or distributing general-purpose AI models, the AI Office is the relevant supervisory body. KRiBSI, once established, would coordinate with the AI Office as Poland's SPoC but would not exercise substantive GPAI enforcement authority.

