What happened
On 11 June 2026 the Sejm passed the act on artificial-intelligence systems — the national act that anchors the EU AI Act (Regulation 2024/1689) in the Polish legal order. 421 deputies voted in favor, three against, eighteen abstained. This isn't binding law yet: the act now goes to the Senate, and after it to the President's signature. So we're talking about an act on the legislative path, not a provision that binds anyone today.
The heart of the act is the resolution the market waited on longest: who supervises AI in Poland. The Commission for the Development and Safety of Artificial Intelligence (KRiBSI) is being created — a single national market-surveillance authority and a single point of contact with EU institutions. Poland chose a centralized model: instead of dispersing competencies among several existing offices, it sets up a separate commission whose chair is appointed by the Sejm with the Senate's consent for a five-year term. KRiBSI gets hard powers — it can inspect companies and institutions using AI, examine systems' compliance with the AI Act, impose administrative fines and withdraw non-compliant systems from the market. The act also introduces regulatory sandboxes, in which companies test solutions under the supervisor's eye before they bring them to market.
The context of the dates matters here. The deadline for designating national supervisory authorities under the AI Act passed on 2 August 2025 — Poland is closing this with a delay. The broad applicability of the regulation itself falls in August 2026, and full implementation of the national provisions is planned for 2027. So the authority is being created roughly at the moment the AI Act obligations begin to genuinely apply.
Our thesis
The most important thing in this act isn't that Poland is implementing the AI Act — that was settled back in 2024. What matters is that there's now an address: a specific authority with the right to enter a company, assess a system and impose a fine. Until now "AI Act compliance" was, for boards, often a line on a slide — an obligation without an enforcer. The moment KRiBSI starts operating, someone who can ask for evidence sits down on the other side of the table.
That shifts the operator's question. It's no longer "does the AI Act apply to us" — it does, regardless of when the act leaves the Senate — but "can we show what AI is doing in our organization, who approved it and on what basis." One thing I flag as speculation: the exact date the commission goes live and its first inspections depends on the pace of work in the Senate and the appointment of the chair, so we don't know it today. The direction, however, is certain, and getting ready doesn't require waiting for the final signature.
Why it matters
Private Equity
For a fund, this is a new item in diligence and in portfolio oversight. With a national regulator that has the right to inspect and to fine, the question "does the portfolio company use AI" stops being a technical curiosity and becomes a regulatory risk that already has its addressee. Before the next transaction it's worth knowing which AI systems in the company fall under high risk in the AI Act, whether a register of them exists and who is responsible for compliance — because those are exactly the things the new authority can ask about after the fact. How we set up that review on the fund's side is described under working with private equity.
Enterprise
For a large organization, the act turns AI governance from a document into something you have to be able to produce. Centralized supervision means one mode of inspection and one set of expectations — easier to prepare for than with dispersed regulators, but harder to hide behind "that's not our authority." It's worth having three things ready before the commission gets going: an AI systems register with their risk classification, a clear boundary of human decision-making where the system operates in a high-risk area, and a decision log that can be presented. That's the same work we described under a year of the AI Act in boardrooms — now a regulator who can ask for it is added.
SMB / mid-market
Here the concern returns that national supervision is a problem only for the big players — and it's misleading. The AI Act doesn't exempt smaller companies, and the regulatory sandboxes are in fact designed as an entry point for entities that want to test a solution without the risk of tripping over a provision. The owner of a mid-sized company who put customer service or document flow on AI doesn't need a compliance department — they need three artifacts they can produce: what the system does with the data, where its decision ends and a human's begins, and a simple record of what it decided.
One step you can take this week
Make a list of the AI systems already running in your organization — including those bought as a feature inside another tool, because they count just the same. Next to each, add one sentence: what it's for and whether it makes or supports a decision concerning a person — a client, a candidate, an employee. That single page is the seed of the register the new authority will ask about, and at the same time the fastest way to see where your real risk lies. Don't leave it until the President's signature — the obligation stems from the AI Act, not from the date the act leaves the Senate.
Describe your case
If you want to know which of your AI systems fall under high risk in the AI Act and what a minimum register that withstands an inspection looks like, bring the list of what's already running. We start from something concrete, not from a policy. Describe your case: mailto:[email protected]?subject=Rozmowa%20z%20Aurora%20AI.