
New Draft Bill implementing the DORA Regulation

Since the beginning of 2024, intensive efforts have been underway to implement the DORA Regulation, aimed at strengthening the operational digital resilience of the financial sector. On 17 October 2024, the Government Legislative Centre presented a new draft bill, introducing significant expansions compared to previous proposals.

DORA in a New Version – Key Changes in the Draft Bill

The latest draft bill implementing the DORA Regulation extends the scope of implementation compared to the version from 18 April 2024. The broader regulatory scope is reflected in the title of the draft bill, which reads: “An Act Amending Certain Acts in Connection with Ensuring the Operational Digital Resilience of the Financial Sector and Issuing European Green Bonds.”

Expansion of the Scope – How Will It Affect the Financial Sector?

The new draft bill introduces a range of significant changes that substantially expand the scope of DORA’s implementation:

  • Reference to EU Regulations: The full national regulation of entities supervised by the PFSA has been replaced with a reference to Article 2 of the DORA Regulation. This simplifies the regulatory process by applying the European regulation directly, instead of detailed national provisions.
  • New Powers for the PFSA: The PFSA has been granted the right to access data contained in the ICT systems of supervised institutions. These new powers allow for more effective oversight of the digital operational resilience of the financial sector.
  • Outsourcing of Key Operations: National Payment Institutions will be allowed to outsource essential operational functions, including those related to ICT, to external providers, provided they comply with DORA and other security regulations.
  • Reporting and Testing Obligations for External ICT Providers: Institutions will be required to report to supervisory authorities on their cooperation with external ICT providers and to regularly test those providers' services for digital resilience in the face of potential disruptions.
  • Supervision Over External ICT Providers: The PFSA has been granted the right to control both natural and legal persons to whom banks have outsourced functions, including external ICT service providers. These providers will be required to supply any information necessary to achieve the supervisory objectives.
  • Mandatory Emergency and Business Continuity Plans: The bill introduces the requirement for institutions to have detailed strategies, emergency plans, and business continuity plans, including ICT recovery and response plans, which will be regularly tested and updated.
  • Precise Rules for Reporting ICT Incidents: The new regulations provide detailed guidelines for reporting significant ICT incidents and for notifications of cyber threats, specifying deadlines and procedures for these reports.

The legislative process is still ongoing

According to information published on the government website, the legislative process is still in its early stages. Therefore, further amendments to the proposed regulations can be expected in the future.


Author: Mateusz Bałuta, team leader, DKP Legal