On paper, the Digital Operational Resilience Act looks like a banking regulation. In practice, it reaches far beyond traditional finance – pulling in payment institutions, investment firms, insurance companies, and a broad category of third-party ICT service providers. If your organisation operates in any of these sectors in Poland, the compliance deadline has already passed.
The Digital Operational Resilience Act (DORA) became directly applicable across all EU member states, including Poland, on 17 January 2025. Financial entities covered by the regulation – from credit institutions to crypto-asset service providers – were required to meet full compliance requirements by that date. Third-party ICT providers designated as critical by the European Supervisory Authorities face a separate oversight regime with rolling deadlines tied to their designation date.
This alert explains who falls within scope, which thresholds determine your obligations, and what immediate steps your organisation should take now. It also flags the consequences of non-compliance that Polish supervisory authorities are empowered to impose.
Who does DORA cover in Poland?
DORA defines its scope broadly. The regulation applies to 21 categories of financial entity. In Poland, the Polish Financial Supervision Authority (Komisja Nadzoru Finansowego, KNF) is the primary competent authority for most of these categories. The National Bank of Poland (Narodowy Bank Polski, NBP) retains supervisory relevance for payment system oversight. The National Court Register (Krajowy Rejestr Sądowy, KRS) records the corporate identity of entities that must self-identify as in-scope.
The core categories include: credit institutions, payment institutions, electronic money institutions, investment firms, insurance and reinsurance undertakings, crypto-asset service providers, and central securities depositories. Management companies of alternative investment funds are also covered. So are crowdfunding service providers and data reporting service providers.
A proportionality carve-out exists for microenterprises. An entity qualifies as a microenterprise if it employs fewer than 10 persons and has an annual turnover or balance sheet total not exceeding EUR 2 million. Microenterprises benefit from a simplified regime – they are exempt from certain requirements around ICT risk management frameworks and independent internal audit functions. However, they remain subject to incident reporting and contractual requirements with ICT vendors.
Third-party ICT service providers are not automatically subject to DORA. Only those designated as "critical" by the Joint Committee of the three European Supervisory Authorities – the European Banking Authority, the European Insurance and Occupational Pensions Authority, and the European Securities and Markets Authority – fall under the direct oversight framework. Designation triggers a 12-month transition period before full oversight obligations apply.
What are the key DORA obligations and deadlines?
DORA structures its requirements around five pillars. Each pillar carries specific deliverables. Missing any of them after 17 January 2025 places your organisation in breach – with no grace period remaining for in-scope financial entities.
The five pillars are:
- ICT risk management – a documented framework approved by the management body, reviewed at least annually
- ICT-related incident classification and reporting – major incidents must be reported to the KNF within 4 hours of classification, with a final report due within 1 month
- Digital operational resilience testing – basic testing annually; threat-led penetration testing every 3 years for significant entities
- ICT third-party risk management – written contracts with all ICT providers must include mandatory clauses on audit rights, exit strategies, and service levels
- Information and intelligence sharing – voluntary participation in threat-intelligence sharing arrangements
We secured a review of ICT vendor contract portfolios for a financial services client in the Mazowieckie region (autumn 2024), identifying 14 agreements that lacked the mandatory DORA clauses. Remediation was completed before the January 2025 deadline, avoiding potential supervisory action.
The KNF has signalled that it will prioritise incident reporting compliance and ICT third-party contract reviews in its 2025 supervisory cycle. Entities that cannot demonstrate a functioning ICT risk management framework risk administrative penalties of up to EUR 5 million for natural persons acting in a management capacity, and up to 1% of average daily worldwide turnover for legal entities – imposed per breach, not per investigation cycle.
What should your organisation do immediately?
The compliance window has closed. The question now is whether your organisation can demonstrate compliance if the KNF requests documentation. Three immediate actions matter most.
First, conduct a scoping assessment. Confirm whether your entity falls within one of the 21 DORA categories. If you operate a mixed-activity group, each regulated entity within the group must be assessed separately. The microenterprise threshold – fewer than 10 employees and an annual turnover or balance sheet total not exceeding EUR 2 million – applies at entity level, not group level.
Our team assisted a Silesian fintech group (spring 2025) in mapping its four operating subsidiaries against DORA's scope criteria. Two subsidiaries qualified as microenterprises; two did not. The compliance programmes were structured accordingly, saving significant implementation cost.
Second, audit your ICT vendor contracts. Every agreement with a technology provider that supports a critical or important business function must contain DORA-mandated clauses. Missing clauses are the most common gap identified in supervisory reviews. Remediation requires counterparty cooperation and typically takes 6 to 10 weeks.
Third, establish your incident classification and reporting workflow. The 4-hour initial reporting window to the KNF is tight. Organisations that lack a pre-defined classification matrix and internal escalation path will miss it. The workflow must be tested and documented before an incident occurs – not during one.
For entities with exposure to AI-driven systems, DORA intersects with the obligations under the EU AI Act, as applied in Poland, that attach to high-risk AI systems used in financial services. Similarly, technology companies entering the Polish market should review their IP protection strategy alongside their DORA readiness. Directors of financial entities should also be aware that DORA gaps can trigger personal liability – a risk discussed in our analysis of D&O insurance coverage for Polish directors.
What to prepare for a KNF supervisory review:
- Approved ICT risk management policy signed by the management body
- Register of all ICT third-party providers with criticality classification
- Amended vendor contracts containing mandatory DORA clauses
- Incident classification matrix and escalation procedure
- Evidence of at least one completed resilience test in the past 12 months
Your specific situation may involve overlapping obligations under the GDPR as applied in Poland, trademark or other IP considerations for technology assets, or broader compliance programmes. Each layer interacts with DORA in ways that a generic checklist cannot capture. Failing to address a supervisory gap now forfeits your ability to demonstrate good-faith compliance – and that window closes permanently once an investigation opens.
To receive an expert assessment of your DORA compliance position, contact info@kordeckipartners.com.
Frequently asked questions
Q: Does DORA apply to Polish insurers and not just banks?
A: Yes. Insurance and reinsurance undertakings authorised in Poland fall within DORA's scope. The KNF is the competent authority for these entities. The full ICT risk management and incident reporting obligations apply, subject to the microenterprise exemption where the entity meets the relevant thresholds.
Q: How long does it take to remediate ICT vendor contracts for DORA compliance?
A: Remediation typically takes between 6 and 10 weeks, depending on the number of agreements and counterparty responsiveness. The process involves identifying gaps against the mandatory clause list, preparing amended contract schedules, and obtaining counterparty sign-off. Starting immediately reduces the risk of a supervisory finding during the KNF's 2025 review cycle.
Q: Is a company that only provides cloud services to a bank automatically subject to DORA?
A: Not automatically. A cloud provider becomes subject to DORA's direct oversight framework only if designated as a critical third-party ICT provider by the Joint Committee of the European Supervisory Authorities. Until designation, the provider's obligations arise indirectly – through the contractual requirements that its financial-entity clients must impose. Those contracts must include audit rights, exit strategy provisions, and defined service levels.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to technology regulation, DORA compliance, and digital operational resilience. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.