A Warsaw-based fintech company receives a letter from the Polish Financial Supervision Authority (KNF) requesting evidence of its ICT risk management framework. The company's legal team scrambles to identify which DORA obligations apply, which third-party contracts need renegotiation, and whether the 17 January 2025 deadline has already passed. This scenario plays out across Poland's financial sector with uncomfortable regularity.

The Digital Operational Resilience Act (DORA) – Regulation (EU) 2022/2554 – applies directly in all EU member states, including Poland, from 17 January 2025. It covers over 20 categories of financial entities and their critical ICT third-party service providers. Entities that miss the compliance deadline face supervisory sanctions, mandatory remediation orders, and – in severe cases – personal liability for management board members.

This guide walks through the scope of DORA, the step-by-step compliance procedure, the three most common business scenarios in Poland, typical costs and timelines, and the mistakes that cause otherwise well-prepared firms to fail their first supervisory review. Each section opens with the direct answer so you can locate what you need quickly.

Which entities must comply with DORA in Poland?

DORA applies to a wide range of financial entities operating in Poland. The regulation names over 20 categories, and Polish supervisory practice under the KNF has confirmed that the list is exhaustive rather than illustrative. If your entity falls within a listed category, compliance is mandatory – there is no opt-out.

The core categories include credit institutions, payment institutions, electronic money institutions, investment firms, insurance and reinsurance undertakings, crypto-asset service providers (CASPs) licensed under MiCA, and alternative investment fund managers. Crowdfunding service providers and credit rating agencies are also in scope. The KNF, as the competent authority under Polish financial law, supervises most of these categories directly.

One category deserves particular attention: ICT third-party service providers (TPPs) that are designated as "critical" by the European Supervisory Authorities (ESAs). A cloud provider or data analytics firm that serves multiple Polish banks may be designated critical regardless of where it is incorporated. Once designated, it comes under direct ESA oversight – not KNF oversight – but the financial entities using it must still manage the relationship under DORA's contractual rules.

  • Credit institutions and investment firms (all sizes)
  • Payment and electronic money institutions
  • Insurance, reinsurance, and insurance intermediaries
  • Crypto-asset service providers (MiCA-licensed)
  • ICT third-party service providers designated as critical by the ESAs

Proportionality matters. Microenterprises – defined as entities with fewer than 10 employees and annual turnover below EUR 2m – benefit from a simplified regime. They are exempt from certain requirements, including the advanced ICT risk management framework and the full digital operational resilience testing programme. However, they must still maintain a basic ICT risk policy and report major ICT incidents. The KNF has signalled it will scrutinise whether entities self-classify as microenterprises correctly.

What are the main DORA compliance obligations and deadlines?

DORA's compliance deadline was 17 January 2025. That date is fixed. Entities that were not compliant by then are already in breach. The KNF began supervisory reviews in Q1 2025, and the first formal enforcement proceedings were opened in Mazowieckie region during spring 2025. There is no grace period in the regulation's text.

DORA structures its obligations across five pillars. Each pillar has its own documentation, governance, and testing requirements. Understanding the pillars is the fastest way to map your compliance gap.

The first pillar is ICT risk management. Entities must maintain a documented ICT risk management framework, approved by the management board and reviewed at least annually. The framework must cover identification, protection, detection, response, and recovery. Board members bear direct responsibility: personal liability arises where the board fails to approve or monitor the framework. This is not a delegable formality.

The second pillar is ICT incident reporting. Major ICT incidents must be reported to the KNF within strict timeframes: an initial notification within 4 hours of classification, an intermediate report within 72 hours, and a final report within one month. Missing the 4-hour window is among the most frequent breaches identified in early supervisory reviews across the EU.

The third pillar is digital operational resilience testing. In-scope entities must conduct basic testing annually. Threat-led penetration testing (TLPT) is required at least every 3 years for significant entities. TLPT must be performed by certified testers and follow the TIBER-EU framework. Polish banks coordinating TLPT with the KNF have found that scheduling alone takes 6 to 9 months.

The fourth pillar covers ICT third-party risk management. Entities must maintain a register of all ICT third-party arrangements, assess each provider's risk, and ensure contracts include DORA-mandated clauses. Exit strategies must be documented for critical providers. The fifth pillar is information sharing: entities may – and are encouraged to – share cyber-threat intelligence within trusted communities, though this remains voluntary.

How should Polish financial entities approach the compliance procedure step by step?

A structured DORA compliance programme in Poland typically runs 6 to 12 months for a mid-sized financial entity. Entities that attempt to compress the timeline below 4 months tend to produce frameworks that fail the first KNF review. The steps below reflect the sequence our team has applied across multiple engagements.

Step one is scoping. Confirm whether your entity falls within DORA's scope and which proportionality tier applies. This requires a legal analysis of your licence category, employee count, and turnover. A payment institution that recently crossed the EUR 2m threshold, for example, moves from the simplified to the full regime – a fact that surprises many founders.

Step two is gap analysis. Map your existing ICT governance, incident response procedures, and third-party contracts against each of the five DORA pillars. A gap analysis typically takes 4 to 6 weeks and produces a prioritised remediation list. This is also the stage at which GDPR compliance in Poland intersects with DORA: data breach reporting obligations under the GDPR and ICT incident reporting under DORA overlap, and a unified reporting procedure saves time and reduces the risk of inconsistent notifications to the KNF and the Personal Data Protection Office (UODO).

Step three is framework drafting. Produce or update the ICT risk management framework, incident classification procedures, TLPT schedule, and third-party register. Board approval is required. Firms in the IP and technology sector – where obligations under the AI Act are also emerging in Poland – should integrate DORA governance with their broader compliance architecture rather than treating it as a standalone exercise.

  • Scope confirmation and proportionality analysis (weeks 1–2)
  • Gap analysis across five DORA pillars (weeks 3–8)
  • Framework and policy drafting with board approval (weeks 9–16)
  • Third-party contract renegotiation (weeks 12–24)
  • Testing programme design and execution (months 6–12)

Step four – contract renegotiation – is frequently underestimated. DORA requires specific clauses in ICT contracts, covering audit rights, data location, sub-contracting chains, and termination rights. Large cloud providers have produced DORA-compliant addenda, but negotiating them takes time. We secured favourable contract amendments for a fintech client in Pomerania (autumn 2024) by engaging providers 9 months before the deadline – entities that waited until November 2024 found providers unwilling to prioritise their requests.

What do three common business scenarios look like in practice?

Three recurring scenarios illustrate how DORA compliance differs depending on entity type. Each scenario highlights a different pressure point and a different cost profile. Understanding where your situation sits helps you allocate resources accurately.

Scenario one: Polish bank (medium-sized, full regime). A regional bank in Małopolska with 400 employees and 12 ICT third-party contracts. Full DORA compliance requires a board-approved ICT risk management framework, a formal incident response team, annual basic testing, and TLPT every 3 years. Contract renegotiation covers all 12 providers. Total compliance budget: PLN 800,000 to PLN 1.5m over the first two years, depending on whether TLPT is outsourced to a certified external tester (typical cost: PLN 200,000 to PLN 400,000 per exercise). Timeline: 10 to 14 months from project launch to first KNF review readiness.

Scenario two: Fintech startup (microenterprise, simplified regime). A payment institution with 7 employees and EUR 1.8m annual turnover. Simplified regime applies. Required deliverables: a basic ICT risk policy, major incident reporting capability, and contractual clauses with its two cloud providers. Estimated compliance cost: PLN 40,000 to PLN 80,000, primarily legal and IT advisory fees. Timeline: 8 to 12 weeks. The risk here is misclassification: if the company grows past the EUR 2m threshold during the year, it must immediately begin transitioning to the full regime.

Scenario three: Foreign investor's Polish subsidiary (cross-border complexity). A German investment firm establishing a Polish branch that conducts MiFID II investment services. The parent entity may already comply with DORA at group level under German BaFin guidance, but the Polish branch must demonstrate compliance to the KNF independently. Group-level frameworks need localisation: Polish-language incident reports, KNF-specific notification templates, and local board resolutions approving the ICT risk framework. For cross-border structuring questions, our team's work on technology and IP matters across jurisdictions illustrates the complexity of aligning group-level and local compliance programmes.

All three scenarios share one feature: the cost of remediation after a KNF enforcement action exceeds the cost of proactive compliance by a factor of three to five. A formal supervisory order typically requires an external audit, a remediation plan approved by the KNF, and monthly reporting for up to 12 months – none of which is inexpensive.

To receive an expert assessment of your DORA compliance position, contact info@kordeckipartners.com. A specific gap analysis – identifying your entity's tier, outstanding obligations, and contract remediation priorities – prevents the irreversible consequence of an enforcement record with the KNF.

For clients whose compliance programmes intersect with data transfer requirements – for instance, where ICT providers are located outside the EU – the legal mechanisms discussed in our guide on data transfer from Poland to the UAE are directly relevant to DORA's third-party risk pillar.

What are the most common DORA compliance mistakes?

Supervisory reviews conducted by the KNF and peer authorities in 2025 have identified a consistent set of failures. Knowing them in advance is the cheapest form of compliance insurance. Our team obtained a withdrawal of a preliminary KNF enforcement notice for a Warsaw-based payment institution (winter 2025) by demonstrating that the identified gaps had been remediated before the formal hearing – but that outcome required acting within 30 days of the initial supervisory letter.

The most common mistake is treating DORA as an IT project rather than a governance project. The ICT risk management framework must be approved and monitored by the management board, not delegated entirely to the CTO. Where boards have not formally adopted the framework, the KNF treats the entity as non-compliant regardless of the technical measures in place.

The second mistake is an incomplete third-party register. Many entities list their primary ICT vendors but omit sub-processors and fourth-party dependencies. DORA requires mapping the full chain. A cloud provider that uses a sub-processor for data storage in a non-EU country triggers both DORA's third-party rules and the GDPR's data transfer restrictions as applied in Poland – a dual compliance problem that is easier to solve at the contract stage than after the fact.

The third mistake is confusing DORA's incident reporting timeline with GDPR's 72-hour data breach notification. They are different obligations with different scopes. A ransomware attack that encrypts operational data may trigger DORA's 4-hour initial notification to the KNF and GDPR's 72-hour notification to UODO simultaneously. Firms without a unified incident response procedure routinely miss one or both deadlines. Integrating readiness for the AI Act in Poland into the same governance structure – particularly for entities using AI-driven trading or credit-scoring tools – is a forward-looking step that avoids building three separate compliance silos.

For clients with broader digital asset or intellectual property considerations, questions about trademark protection and IP legal services in Warsaw arise frequently in the context of DORA-compliant technology contracts. Our guide on property acquisition in Poland illustrates the firm's approach to multi-step legal procedures – the same methodical approach we apply to DORA programme management.

What should you prepare before engaging legal counsel on DORA?

Efficient legal advisory begins with the right documentation. Entities that arrive at the first meeting with organised materials reduce their advisory costs by 20 to 30 percent and compress the timeline by several weeks. The checklist below applies whether you are starting a compliance programme from scratch or seeking a second opinion on an existing framework.

  • Your current licence or registration certificate from the KNF or relevant authority
  • A list of all ICT third-party contracts, including cloud, software, and data services
  • Any existing ICT risk policy, business continuity plan, or incident response procedure
  • Board minutes or resolutions referencing ICT governance or DORA
  • Any prior KNF correspondence relating to operational resilience or ICT risk

With these materials in hand, a legal team can complete the scope and gap analysis within two to three weeks rather than four to six. The earlier the process starts, the more options remain open. Entities that begin DORA compliance work after receiving a KNF supervisory letter have already forfeited the option of proactive self-certification – a position that forecloses the most favourable supervisory outcomes.

Your specific compliance situation requires a tailored analysis. Waiting for a supervisory trigger is an irreversible step toward an enforcement record. To discuss how DORA applies to your entity, its obligations, and the fastest path to KNF review readiness, contact info@kordeckipartners.com. Our team will conduct a structured gap analysis, draft or review your ICT risk framework, and manage third-party contract negotiations from start to finish.

Frequently asked questions

Q: Does DORA apply to a Polish company that only provides software to banks, without holding a financial licence itself?

A: Unlicensed software vendors are not directly subject to DORA unless designated as critical ICT third-party service providers by the European Supervisory Authorities. However, their contracts with in-scope financial entities must include DORA-mandated clauses. In practice, banks and payment institutions are requiring all material ICT suppliers to sign DORA-compliant addenda as a condition of contract renewal. Vendors that refuse risk losing significant clients.

Q: How long does a full DORA compliance programme take, and what does it cost for a mid-sized Polish insurer?

A: For a mid-sized insurer with 100 to 500 employees and 8 to 15 ICT third-party contracts, the typical timeline is 9 to 12 months from project launch to KNF review readiness. Total cost – combining legal advisory, IT consultancy, and TLPT – ranges from PLN 500,000 to PLN 1.2m. The largest single cost item is usually TLPT, at PLN 200,000 to PLN 400,000 per exercise. Entities that have already invested in ISO 27001 certification can reduce the gap analysis phase by 30 to 40 percent, as many controls overlap.

Q: Is it a common misconception that DORA only applies to large banks?

A: Yes – this is the most widespread misunderstanding in the Polish market. DORA applies to over 20 categories of financial entity, including small payment institutions, insurance intermediaries with as few as 11 employees, and MiCA-licensed crypto-asset service providers regardless of size. The microenterprise exemption is narrow: fewer than 10 employees and annual turnover below EUR 2m. Any entity above either threshold is subject to the full regime. The KNF has confirmed it will not treat size as a mitigating factor in enforcement proceedings where the entity clearly falls within scope.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to DORA compliance, ICT risk governance, AI Act readiness in Poland, and technology contract management. We work with Polish financial institutions, foreign investors, and in-house legal teams navigating EU digital regulation. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.