
DORA Regulation – How is Poland preparing for the digital revolution in finance?

The Regulation on Operational Digital Resilience of the Financial Sector (DORA Regulation) will take effect as early as January 17, 2025. The primary goal of the act is to increase the operational digital resilience of financial entities and regulate the provision of ICT (information and communication technology) services in the financial market.

In Poland, on April 18, 2024, a new bill on amending certain laws in connection with ensuring operational digital resilience of the financial sector was published. This bill is intended to bring the legislation in line with European standards in accordance with the DORA Regulation.

“The Polish government has released a new draft law, which is part of the country's preparations for implementing the DORA Regulation in the financial sector.”

Operational digital resilience. What is it?

In the digital age, where every financial transaction is carried out through information and communications technology (ICT), cyber security is becoming a key element of financial stability.

Operational digital resilience is an effort to strengthen the security of ICTs used by financial sector entities.

The DORA regulation introduces a framework that aims to minimize the risk of outages and ensure continuity of financial services. These regulations have also proven necessary to ensure the digital security of the ever-expanding digital economy.

Draft law implementing DORA in Poland

The draft law implementing the DORA regulations into the Polish legal system is necessary, among other things, to equip the relevant authorities with the specific supervisory powers they need.

Until now, the provisions on operational digital resilience have been scattered across various laws, e.g. those governing banking, payment services, investment funds, pensions or insurance.

The new law aims to bring them under a single, unified supervision of operational digital resilience.

What will be the new obligations for financial entities?

The regulation imposes a number of obligations on financial entities. The most important of these include such issues as:

  • managing risks associated with the use of information and communication technologies (ICT),
  • reporting of major ICT incidents to competent authorities and informing them of significant cyber risks,
  • reporting of major operational incidents or major security incidents related to payments by financial entities to the competent authorities,
  • testing operational digital resilience,
  • sharing information and analysis in relation to cyber threats.

Who is affected by the new DORA regulations?

The entities affected by the draft bill are listed below:

  • Financial Supervisory Authority
  • Occupational pension companies
  • Commercial and state-owned banks
  • Foreign banks
  • Cooperative and associative banks
  • SKOKs and National Credit Unions
  • Investment Fund Companies
  • Managers of alternative investment companies
  • Investment companies
  • National Payment Institutions
  • Electronic money institutions
  • Cryptocurrency service providers
  • Central securities depositories
  • Bank Guarantee Fund
  • Entities operating a financial instruments trading venue
  • Securitisation repositories
  • Trade repositories
  • Providers offering only the account information service
  • Credit institutions
  • Crowdfunding providers
  • External ICT service providers
  • Insurance undertakings
  • Reinsurance undertakings
  • Insurance intermediaries
  • Credit rating agencies

Payment service providers with new responsibilities

Payment service providers will have to act faster and more transparently. Under the new regulations, they will be obliged to promptly report serious operational incidents or IT security incidents to the Polish Financial Supervision Authority (PFSA).

National Payment Institutions will also have to make significant changes to their management and internal control systems. Each application for authorization to provide payment services will have to include a detailed description of these systems.

Moreover, this description will have to include:

  • Effective contingency plans
  • Procedures for ICT business continuity
  • ICT incident response and recovery plans

These changes are designed to ensure that payment institutions are well prepared for any unexpected events.

The Polish Financial Supervision Authority with new powers

New expanded powers for the PFSA

The Polish Financial Supervision Authority (PFSA) will gain new powers to supervise the operational digital resilience of financial entities, according to a draft law implementing the DORA Regulation.

The PFSA (KNF) will be responsible for monitoring whether financial institutions comply with the DORA regulations, which is key to maintaining stability and security in the financial sector.

What steps can the PFSA take?

Under the new regulations, the PFSA will have the right to initiate inspections of financial entities’ compliance with DORA regulations. If violations are found, the PFSA will be able to take the following steps by decision:

  • order the entity to cease the behavior in question and to refrain from it in the future,
  • prohibit the person responsible for the violation from serving as a member of the entity’s management board or supervisory board, or from holding any other management function,
  • impose a fine.

In addition, the PFSA will have the authority to issue public statements naming the person or the company responsible for the violation.

How high will the fine be?

In the case of a legal entity, the monetary penalty will be a maximum of PLN 20,869,500, or 10% of net revenues or twice the benefits gained, or losses avoided, as a result of the violation.

“Fines for companies: Up to PLN 20,869,500 or 10% of net revenues or twice the benefits gained or losses avoided for DORA violations.”

Entrepreneur, what should be your next step?

The DORA regulation and the draft Polish law aim to achieve a high level of digital resilience for financial entities. This comes with a number of new obligations, often procedural, that these entities must comply with or face consequences such as fines.

Compliance with DORA requires careful planning and implementation of appropriate digital risk management systems. Companies must develop effective contingency plans, procedures for business continuity and incident response strategies. It’s a complex process that requires expert knowledge and experience.

If your company needs help complying with the new regulations, contact our law firm. We will help you through the process to ensure compliance with the new regulations and protect your interests.

Authors: Mateusz Bałuta (team leader, DKP Legal) and Piotr Glapiński (team leader, DKP Legal)
