For a long time, the EU AI Act sounded to many companies like something distant: an EU regulation, future obligations, a topic for lawyers, technologists and large corporations.

That stage is coming to an end.

Poland's draft Act on artificial intelligence systems has reached the Sejm. It's an important moment, because the AI Act stops being purely a European regulation "from somewhere in Brussels" and starts being translated into a national system of oversight, procedures and accountability.

For companies, this means one thing: the era of general declarations is slowly ending. The era of concrete questions is beginning.

  • Do we know where artificial intelligence is used across our organisation?
  • Do employees understand the rules of safe AI use?
  • Do we have an AI policy?
  • Do we know which tools are officially approved and which operate beyond the organisation's knowledge?
  • Can we show evidence that the company has actually addressed this topic?

What does the Polish act actually change?

As an EU regulation, the AI Act applies directly, but part of how it is applied needs to be supplemented at the national level. That is exactly what Poland's draft Act on artificial intelligence systems is for.

The draft does not recreate the AI Act from scratch. Rather, it is meant to build Poland's oversight infrastructure: to designate the authority responsible for supervising the AI market, define procedures, the conduct of proceedings, rules for reporting infringements, and mechanisms that support innovation.

According to government information, the central role is to be played by the Commission for the Development and Security of Artificial Intelligence. It is to be responsible for checking whether AI systems meet safety and legal requirements. The draft also provides for the possibility of restricting the use of AI systems or withdrawing them from the market if they fail to meet requirements.

This is an important shift in how we think about AI.

Artificial intelligence stops being treated solely as a productivity tool. Increasingly, it becomes an area of risk management, much like cybersecurity, personal data protection or compliance.

Why companies shouldn't wait for the first inspection

Many business owners react to new regulations only when there is a real threat of sanctions, an audit or a question from a client. With AI, that may be too late.

The problem is that preparing for the AI Act cannot be done in a single day.

It isn't enough to write a short set of rules and email it to employees. Nor is it enough for the board to declare that the company uses AI responsibly.

If an organisation wants to be credibly prepared, it has to know how AI is actually used in its day-to-day work. And that is often not obvious.

AI can appear in marketing, sales, HR, customer service, administration, document analysis, proposal writing, translations, meeting notes, reports, presentations - and even in tools the company already had, but which only now gained AI features.

Some of these uses are low risk. Some may require clear rules. Some should be restricted. And some may be unacceptable in a given process.

None of that can be assessed without a first round of order.

The biggest risk: the company doesn't know it uses AI

In practice, many organisations don't start with the problem "we have too much documentation." They start with a much simpler and much more dangerous one: they don't know where AI is already running.

Employees use generative tools because they are fast and convenient. They polish text, summarise documents, draft proposals, analyse data, prepare client communications.

They often do it in good faith. They want to work better and faster.

But from the organisation's perspective, questions arise: did personal data go into the tool? Did confidential information appear? Was the AI output checked? Did the use of AI influence a decision about a client, an employee or a candidate? Can the company identify who is responsible for that use?

This is exactly where real preparation for the AI Act begins.

Not with a grand strategy. With establishing the facts.

What should a company have ready?

The first level of readiness does not have to mean a complex compliance system. It should, however, answer a few basic questions.

First: which AI tools are used in the organisation. Both those officially purchased and those tested, informal or embedded in other systems.

Second: in which processes AI appears. A tool says little without context. Using AI to proofread text carries different risk than using it to screen CVs, handle complaints, assess a client or work on documents containing personal data.

Third: what rules apply to employees. They need to know what must not be entered into AI tools, when output must be verified, when to raise doubts and which tools may be used.

Fourth: whether the company has evidence of its actions. Who was trained? Who accepted the rules? When did the training take place? Which risk areas were identified? Is there a readiness report?

That last point will matter more and more. In regulation, it isn't enough that "we did something." What counts is also whether we can demonstrate it.

AI literacy is not an add-on. It's the first obligation

One of the most underestimated elements of the AI Act is AI literacy, that is, AI competence.

This does not mean every employee must become an expert on language models. It's about something more practical: an employee should understand how to use AI safely in their role.

They should know that they must not thoughtlessly paste client data, contracts, recruitment documents or confidential information into AI tools. They should know that AI can generate errors. They should be able to recognise a situation in which output needs verifying. They should understand that responsibility for using AI does not disappear just because "the tool suggested it."

It is the cheapest and simplest step toward putting the topic in order. And at the same time one of the most practical.

The Polish act will accelerate the conversation about accountability

As long as the AI Act functioned mainly as a slogan, it was easy to put the topic off. Poland's draft act changes that perspective. It shows that a national system of oversight, procedures and accountability is taking shape.

For companies, this does not mean every organisation immediately becomes a high-risk entity. It does mean that questions about AI will become increasingly concrete.

Clients may ask whether the company has rules for using AI. Business partners may ask whether data is secure. The board may expect a report. An audit may check whether employees were trained. And a supervisory authority, in certain cases, may expect evidence of compliance.

That is why preparing for the AI Act should not be treated as a legal project detached from the business.

It is a management project.

It concerns the way a company uses technology, data, employees' knowledge and external tools.

Where does AI TrustCERT help?

AI TrustCERT was created precisely to help companies move from general interest in AI to an orderly, documented process.

It isn't only about training. It's about building the organisation's basic readiness: employee awareness, rules for using AI, a register of tools, acceptances, risk identification and a readiness report.

As a result, the company can stop operating on guesswork.

Instead of saying "we think we have it under control," it can show what has been done: who completed training, which rules were adopted, which tools were identified and which areas need further action.

This matters, because the AI Act will not only be a question about technology. It will be a question about accountability.

Summary

Poland's Act on artificial intelligence systems is a signal that the "wait and see" stage is slowly ending.

Companies don't need to panic. Nor do they need to build elaborate compliance structures right away. But they should start with the basics: check where they use AI, train employees, set rules, organise tools and gather evidence of their actions.

Because the biggest problem with the AI Act will not be the question itself: "do you use AI?"

The hardest question may be the next one:

"Show us how you keep it under control."

AI TrustCERT helps you prepare for exactly that moment - before anyone asks for evidence.

Sources

  1. The Council of Ministers adopted the draft Act on artificial intelligence systems on 31 March 2026; the draft is intended to establish an AI oversight system in Poland, including the Commission for the Development and Security of Artificial Intelligence.
  2. The draft act was submitted to the Sejm on 8 April 2026; the draft documents were published on the KPRM website.
  3. The Ministry of Digital Affairs stated that the draft is intended to ensure the application of the AI Act in Poland and to establish procedures for oversight, security and support for innovation.
  4. On 29 April 2026 the Sejm held the first reading of the government draft Act on artificial intelligence systems, print no. 2443.