Poland's Draft Act on Artificial Intelligence Systems: Key Changes and Implications for Businesses in 2026

Poland is actively shaping its national response to the transformative power of artificial intelligence (AI) by implementing the landmark EU Artificial Intelligence Act (Regulation (EU) 2024/1689) at the domestic level. The Draft Act on Artificial Intelligence Systems (in Polish: Projekt ustawy o systemach sztucznej inteligencji), often referred to as the Polish AI Act implementation law, represents Poland's key legislative effort to adapt EU rules while fostering innovation, supporting SMEs, and ensuring safety and transparency. First published by the Ministry of Digital Affairs in October 2024, the draft underwent public consultations ending in November 2024. A revised version incorporating feedback was released on February 11, 2025, with further updates and consultations continuing into early 2026. The law is expected to be finalized and enacted in the first half of 2026, aligning with the EU AI Act's major compliance deadlines starting August 2, 2026. This comprehensive, easy-to-understand guide (based on authentic sources including official government publications, legal analyses from firms like Clifford Chance, Crowe Poland, CMS Law, and the Ministry of Digital Affairs) explains the draft's key changes, how it differs from the original EU framework, practical implications for Polish and international businesses operating in Poland, sector-specific impacts, compliance steps, opportunities (especially for innovation), challenges, and what companies should do now to prepare for 2026 and beyond. Why Poland Needs Its Own AI Act Implementation Law The EU AI Act is directly applicable across all Member States, meaning no full transposition is required. However, national laws are needed to: Designate competent authorities (market surveillance, notifying bodies, single point of contact). Establish procedures for oversight, complaints, penalties, and enforcement. Introduce supporting measures (e.g., regulatory sandboxes, innovation funds) tailored to national needs. Ensure alignment with existing Polish laws on data protection, consumer rights, and administrative procedures. Poland's draft focuses on these gaps while aiming to make the country more attractive for AI development compared to stricter or slower-moving EU peers. It emphasizes innovation-friendly rules, lighter burdens for SMEs, and flexible oversight—positioning Poland as a potential EU leader in balanced AI regulation. Timeline of the Draft Act and EU AI Act Application in Poland Date/MilestoneDescriptionBusiness Impact LevelAugust 1, 2024EU AI Act enters into forceLow (mostly governance prep)February 2, 2025Prohibitions on unacceptable-risk AI applyMedium (ban certain uses)August 2, 2025GPAI model obligations, governance, penalties startMedium-HighAugust 2, 2026Main obligations for high-risk AI systems applyHigh (core compliance deadline)October 16, 2024First draft of Polish Act publishedPreparation phaseNovember 15, 2024Public consultations close on first draftFeedback incorporatedFebruary 11, 2025Revised draft (version 2.0) published by Ministry of Digital AffairsCurrent active stageQ1–Q2 2026 (expected)Final adoption, inter-ministerial approval, parliamentary processHigh (law becomes binding)Ongoing 2026Regulatory sandboxes launch, KRiBSI becomes operationalHigh (testing & enforcement) The phased EU rollout gives businesses time, but 2026 is the critical year—especially August 2, when high-risk AI rules fully kick in. Key Changes in the Revised Draft (February 2025 Version) The updated draft addresses business concerns from the initial version by introducing simplifications, innovation support, and more practical oversight. Establishment of the Commission for the Development and Security of Artificial Intelligence (KRiBSI) This new body acts as the primary market surveillance authority and single point of contact under the EU AI Act. It oversees compliance, handles complaints, conducts inspections (including remote ones), and issues decisions. Business benefit: Centralized, specialized authority reduces fragmentation compared to multiple scattered bodies. Regulatory Sandboxes – A Major Win for Innovation and SMEs Poland introduces regulatory sandboxes (controlled testing environments) where companies can develop and test AI systems under relaxed rules and regulatory guidance. Free access for micro, small, and medium-sized enterprises (SMEs)—a big advantage over paid or limited sandboxes in other countries. Implication: Polish startups and SMEs can experiment faster, gain early compliance feedback, and potentially launch products ahead of competitors in stricter markets. Flexible and Lighter Oversight Mechanisms Remote inspections allowed (less disruptive than on-site visits). Graduated sanctions: lighter penalties for first-time or minor breaches, especially for SMEs. Transparent complaint process: Complainants get updates at every stage, ending with a formal decision. Support for Innovation and SMEs Dedicated chapter on "Measures Supporting Innovation." Potential funding mechanisms (linked to national AI strategies and EU funds). Simplified rules for notifying authorities and conformity assessment. Alignment with EU AI Act Risk Categories Prohibited AI (e.g., social scoring, real-time remote biometric ID in public spaces) banned from early 2025. High-risk AI (Annex III & I systems: biometrics, critical infrastructure, employment, education, law enforcement) face strict requirements from August 2026: risk management, data quality, transparency, human oversight, conformity assessment. General-purpose AI (GPAI) models (e.g., large language models) have transparency and evaluation duties from 2025/2026. Limited/minimal-risk AI mostly transparency obligations (e.g., labeling deepfakes). Implications for Businesses Operating in Poland in 2026 The draft creates a balanced environment: strict safety where needed, but supportive of growth. Positive Implications Innovation Boost: Free SME sandboxes + flexible oversight = faster testing and market entry. Competitive Edge: Early sandbox access could make Poland attractive for AI startups relocating from stricter EU countries. Clearer Rules: Centralized KRiBSI reduces confusion over who enforces what. Funding Opportunities: Links to national AI Fund (announced 2024) and EU InvestAI initiatives. Challenges and Risks Compliance Costs: High-risk AI providers/deployers face documentation, audits, CE marking—expensive for non-tech firms using AI (e.g., HR tools, credit scoring). Uncertainty During Transition: Draft still under consultation; final law may change slightly. Penalties: Up to €35 million or 7% global turnover for serious breaches (EU level). Supply Chain Pressure: Providers must ensure upstream/downstream compliance. Sector-Specific Impacts Tech Startups & AI Developers: Huge opportunity via sandboxes; focus on GPAI transparency. Finance/Banking: High-risk credit scoring AI needs full compliance by 2026. Healthcare: Medical AI devices classified high-risk; strict data & oversight rules. HR/Recruitment: AI in hiring/promotion = high-risk; ban on emotion recognition in workplaces. Manufacturing/Critical Infrastructure: AI safety components = high-risk. Marketing/Advertising: Deepfake/transparency rules for generative AI. What Businesses Should Do Now to Prepare for 2026 AI Inventory & Risk Mapping (Immediate): List all AI systems; classify risk level per EU AI Act Annexes. Gap Analysis (Q1 2026): Compare current practices against high-risk obligations (risk management system, technical documentation, etc.). Sandbox Application (When Open): SMEs should prepare to test in Poland's sandbox. Governance Setup: Appoint AI compliance officer; update contracts with AI vendors. Training & Documentation: Train staff; build transparency records. Monitor Updates: Follow Ministry of Digital Affairs site (legislacja.gov.pl) and EU AI Office. Conclusion: Poland's Balanced Path in the AI Era Poland's Draft Act on Artificial Intelligence Systems is evolving into a pragmatic, business-friendly implementation of the EU AI Act. By prioritizing innovation through free sandboxes, lighter SME rules, and centralized oversight via KRiBSI, Poland aims to become an attractive hub for responsible AI development in Europe. For businesses, 2026 is the year of action—especially August 2, when high-risk obligations hit full force. Early preparation, leveraging sandboxes, and staying informed will turn compliance into a competitive advantage. This article draws from official sources including the Ministry of Digital Affairs draft publications (February 2025 revision), analyses by Crowe Poland, Clifford Chance, CMS Law, and EU implementation trackers. For the latest, check legislacja.gov.pl or gov.pl/cyfryzacja.