PL · EU AI Act series · Poland implementation · Updated April 2026

The EU AI Act in Poland: KRiBSI under construction.

Poland has chosen a single-authority model. The Commission for AI Development and Security (KRiBSI) is being stood up as the national market-surveillance authority, with operational support nested inside the Ministry of Digital Affairs (Ministerstwo Cyfryzacji). The data-protection authority, UODO, has publicly criticised its advisory-only role given how often AI systems and personal data overlap.

Jul 2025: UODO publishes critique of advisory-only role
Aug 2025: GPAI obligations live; Polish authority designation slips
Feb 2026: Draft confirms KRiBSI operational support inside MC
Aug 2026: High-risk obligations scheduled; under Digital Omnibus review

What changed in April 2026 — Poland

The February 2026 draft of the implementing legislation confirmed that operational support for KRiBSI will sit inside the Ministry of Digital Affairs while KRiBSI itself is established as the single national market-surveillance authority. The build-out continues; KRiBSI is not yet fully resourced, and Poland’s "enforcement gap" remains a recognised issue.

UODO’s July 2025 position paper — that an advisory-only role is inadequate where AI and data-protection materially overlap — has not been resolved in the draft. UODO continues to argue for meaningful participation in decision-making on prohibited practices and on Article 10 data-governance assessments.

Who supervises what in Poland

Poland’s single-authority choice consolidates EU AI Act competences in KRiBSI, with the Ministry of Digital Affairs (MC) acting as notifying authority and providing operational support during the build-out. Sectoral regulators retain their existing domains. UODO and the Ombudsperson sit on the Article 77 fundamental-rights side.

| Authority | Mandate | EU AI Act role (April 2026) |
| --- | --- | --- |
| KRiBSI | Komisja Rozwoju i Bezpieczeństwa Sztucznej Inteligencji | National market-surveillance authority and single point of contact (under construction). Operational support from MC during the build-out. |
| Ministry of Digital Affairs (MC) | Ministerstwo Cyfryzacji | Notifying authority for conformity-assessment bodies; provides operational support to KRiBSI; coordinates national AI policy. |
| UODO | Urząd Ochrony Danych Osobowych (data protection authority) | Advisory role under draft (contested). GDPR enforcement on AI systems processing personal data; Article 77 fundamental-rights body. |
| KNF | Komisja Nadzoru Finansowego (financial supervision authority) | Sector-specific high-risk AI in financial services: credit scoring, insurance underwriting, anti-fraud, market-conduct AI. |
| URPL | Urząd Rejestracji Produktów Leczniczych (medicines, devices, biocidal products office) | Healthcare AI sectoral regulator; medical-device conformity overlap (MDR/IVDR). |
| PIP | Państwowa Inspekcja Pracy (national labour inspectorate) | Workplace AI: emotion-recognition prohibition, worker monitoring; Article 77 fundamental-rights body. |
| RPO | Rzecznik Praw Obywatelskich (Ombudsperson) | Article 77 fundamental-rights body; non-discrimination supervision on AI-affected decisions. |
| RPP | Rzecznik Praw Pacjenta (Patient Rights Ombudsperson) | Article 77 fundamental-rights body in healthcare; clinical-AI patient-impact supervision. |

Open dispute: UODO advisory role

UODO has argued, since July 2025, that an advisory-only role is inadequate where AI Act provisions materially overlap with GDPR — especially in prohibited-practice supervision, Article 10 data-governance, and Article 13–14 transparency. The dispute is unresolved in the February 2026 draft. Operators with high data-protection exposure should expect parallel UODO inspections under GDPR while KRiBSI builds out.

Polish sector overlays

The substantive Articles 9–15 obligations apply EU-wide. Poland’s differentiator is the single-authority model — once KRiBSI is operational, deployers benefit from a single point of contact for cross-sector matters, with sectoral regulators handling specialist conformity. The most common combinations:

| Sector | Polish regulators on top of the AI Act |
| --- | --- |
| Healthcare AI | URPL on medical-device conformity (MDR/IVDR); NFZ on reimbursement of AI-aided services; UODO on patient-data lawful basis; RPP on patient-rights impact. e-zdrowie programme defines national interoperability for clinical AI. |
| Financial services | KNF on conduct, prudential, and AML; UODO on customer-data lawful basis. Anti-fraud models continue under existing CRR/MiFID frameworks. |
| IT services and outsourcing | Poland’s strong IT outsourcing sector means many domestic providers face provider obligations under Article 16 even when the deployer sits in another member state. Cross-border conformity-assessment coordination is the main complexity. |
| Manufacturing | Annex III(2) safety-component AI in industrial systems falls within KRiBSI’s scope; existing product-safety regimes (Machinery, LVD, EMC) continue to apply. |
| Public administration | UODO holds horizontal supervision; the Ombudsperson and RPP cover Article 77 fundamental-rights aspects. Voivodeship-level deployers should expect review where systems affect citizens directly. |
| Workplace AI | PIP holds the prohibited-practice line on emotion recognition and biometric categorisation in workplaces; works-council co-determination under the Labour Code applies in parallel. |

Regulatory sandbox

Article 57 sandbox arrangements are addressed in the February 2026 draft and will sit under KRiBSI once the authority is fully resourced. Healthcare deployers can use URPL pilot-monitoring routes; KNF runs a financial-innovation hub that operates as a parallel route for AI-aided financial-services products. The existing GovTech Polska programme provides interim sandbox-style arrangements for public-sector pilots.

Articles 9–15, conformity assessment, GPAI, penalties

These obligations apply EU-wide and are not Poland-specific. To keep this page focused on locality, the in-depth treatment of Articles 9–15, the conformity-assessment workflow, GPAI provider duties, and the Article 99 penalty structure is maintained on the main guide.

↑ For all-EU material, see the main guide

| Topic | Anchor on the main guide |
| --- | --- |
| Articles 9–15 explainer | guide-eu-ai-act#articles-9-15 |
| Article 12 logging requirements | guide-eu-ai-act#article-12 |
| Conformity-assessment workflow | guide-eu-ai-act#conformity |
| GPAI obligations and Code of Practice | guide-eu-ai-act#gpai |
| Article 99 penalty structure | guide-eu-ai-act#penalties |
| Member-state implementation table | guide-eu-ai-act#member-states |

References

  1. European Union. Regulation (EU) 2024/1689 (EU AI Act). EUR-Lex 32024R1689.
  2. Blavatnik School of Government, Oxford. AI Act’s enforcement gap: what Poland’s new regulator reveals about Europe’s challenge. bsg.ox.ac.uk.
  3. UODO. Position on the Polish draft AI implementing law, July 2025. uodo.gov.pl.
  4. Ministerstwo Cyfryzacji. Draft Ustawa o systemach SI, February 2026. gov.pl/web/cyfryzacja.
  5. Technology’s Legal Edge. State of the Act: EU AI Act implementation in key Member States, November 2025. technologyslegaledge.com.
  6. European Parliament. AI Act delayed application; ban on nudifier apps, March 2026. europarl.europa.eu.

Build the evidence trail

Polish operators: Article 12 logs on demand, before KRiBSI is fully resourced.

The Glacis Agent Runtime Security & Evidence Sprint produces signed evidence receipts and a tamper-evident Article 12 log from your AI’s actual runtime behaviour — runtime controls run inside your infrastructure with zero sensitive-data egress. KRiBSI inspectors, KNF supervisors, and UODO investigators receive verifiable evidence packs in place of written assertions — including for the parallel GDPR inspections you should expect in the meantime.


10 business days. One named workflow. Signed evidence pack on day ten.