A Warsaw-based fintech receives a letter from the Polish Financial Supervision Authority (KNF) requesting evidence of its ICT risk management framework. The company's management board had assumed DORA applied only to large banks. That assumption is now proving costly.
The Digital Operational Resilience Act (DORA) – Regulation (EU) 2022/2554 – became directly applicable across all EU member states, including Poland, on 17 January 2025. It applies to a wide range of financial entities and their critical ICT third-party service providers. Firms that have not yet mapped their obligations face regulatory scrutiny, potential supervisory measures, and reputational exposure that cannot easily be reversed.
This alert covers three questions: which entities must comply, what the key obligations are, and what immediate steps management boards should take now that the deadline has passed.
Which financial entities does DORA cover?
DORA's scope is broader than most compliance teams initially expect. The regulation applies to over 20 categories of financial entity, defined by reference to existing EU sectoral legislation. The Polish Financial Supervision Authority (KNF) supervises compliance for the majority of in-scope entities operating in Poland.
The core categories include: credit institutions and payment institutions, investment firms, insurance and reinsurance undertakings, crypto-asset service providers (CASPs) authorised under MiCA, central counterparties, and trade repositories. Electronic money institutions and alternative investment fund managers are also captured. If your firm holds any EU financial services licence, DORA almost certainly applies.
Two threshold-based exemptions deserve attention. Microenterprises – defined as firms with fewer than 10 employees and annual turnover or balance sheet below EUR 2 million – benefit from a simplified ICT risk management framework. Small and non-interconnected investment firms meeting specific capital and activity thresholds face reduced obligations under the proportionality provisions. These exemptions are narrow. They do not eliminate the obligation to comply; they reduce the depth of certain requirements.
ICT third-party service providers that qualify as "critical" are subject to direct EU-level oversight by the European Supervisory Authorities (ESAs) – the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA). Designation as critical triggers a separate oversight regime, distinct from the obligations placed on financial entities themselves.
What are the core compliance obligations and deadlines?
DORA's obligations cluster into five pillars: ICT risk management, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing. Each pillar carries specific procedural and documentation requirements. Missing any one of them exposes the entity to supervisory action.
The ICT risk management framework must be documented, board-approved, and reviewed at least annually. Management bodies bear direct responsibility. Under DORA, board members who fail to oversee ICT risk governance may face personal liability – a consequence that precludes the usual defence of delegating technical matters to IT departments.
Incident reporting operates on tight timelines. Major ICT-related incidents must be reported to the competent authority – in Poland, the KNF – within 4 hours of classification, with a detailed intermediate report within 72 hours and a final report within one month. Firms that lack automated detection and classification systems will struggle to meet these windows.
Digital operational resilience testing requirements vary by entity size. Basic vulnerability assessments apply broadly. Threat-led penetration testing (TLPT) is mandatory for significant entities, with a minimum frequency of once every 3 years. The KNF has indicated it will begin requesting TLPT evidence from larger entities during 2025 supervisory cycles.
Third-party risk management is where many Polish firms are furthest behind. Every ICT contract with a service provider must be reviewed against DORA's mandatory contractual provisions. Contracts that predate 17 January 2025 must be brought into compliance at the next contractual opportunity. National Court Register (KRS) filings and corporate documentation alone will not demonstrate compliance; firms need an updated contract register and concentration risk assessments.
We secured a full contractual compliance review and updated ICT register for a payment institution client in the Mazowieckie region (spring 2025), identifying 14 legacy contracts requiring amendment before the first KNF supervisory cycle.
What immediate action does your board need to take?
The 17 January 2025 deadline has passed. Regulators are not waiting. The KNF has supervisory powers to impose corrective measures, restrict activities, and – for serious breaches – impose financial penalties. For individual board members, failure to implement adequate ICT governance is an irreversible mark on their regulatory record.
Three actions are non-negotiable within the next 30 days. First, conduct a gap analysis against all five DORA pillars. Second, appoint or designate a DORA compliance owner at board level. Third, inventory all ICT third-party contracts and flag those missing mandatory provisions.
What to prepare before your first compliance review:
- Board resolution approving the ICT risk management framework
- Register of all ICT third-party service providers, with criticality assessments
- Incident classification and reporting procedure, with defined 4-hour and 72-hour escalation paths
- Gap analysis against DORA's five pillars, signed off by management
- Updated or renegotiated ICT contracts containing DORA-mandated clauses
For firms with cross-border data flows – for example, those relying on cloud providers outside the EU – DORA intersects with the data transfer rules that govern transfers from Poland to third countries. The contractual safeguards required under DORA and those required under the GDPR as applied in Poland are not identical, but they overlap. Addressing them together is more efficient than treating them as separate workstreams.
Firms in financial difficulty face a compounded risk. A firm simultaneously managing restructuring and DORA compliance must prioritise both. The simplified arrangement proceedings available under Polish restructuring law do not suspend regulatory obligations. DORA compliance cannot be deferred on grounds of financial distress.
For technology companies providing services to financial entities – particularly those with IP assets or software licensing arrangements – DORA's third-party provisions interact directly with contractual IP frameworks. Our work on IP protection strategy for technology companies operating in Poland addresses how software licensing and source code escrow arrangements can be structured to satisfy both commercial and DORA requirements.
Our team assisted a cloud infrastructure provider serving Polish insurance clients in Lower Silesia (autumn 2024) in restructuring its service agreements to meet DORA's mandatory contractual provisions ahead of the January 2025 deadline.
Specific compliance obligations under the EU AI Act, as it applies in Poland, may also arise where financial entities deploy AI-driven ICT systems. The intersection of DORA and AI Act requirements is an emerging area that boards should flag now rather than discover during a supervisory visit.
The compliance window has closed. Supervisory engagement has begun. Boards that cannot demonstrate a documented, functioning ICT risk management framework are exposed – and that exposure grows with each passing month.
Your firm's specific DORA gap cannot be closed with a generic policy template. A targeted review of your entity type, contract register, and incident procedures is the only path to documented compliance. To discuss how DORA applies to your firm and receive a structured gap analysis, contact info@kordeckipartners.com.
Frequently asked questions
Q: Does DORA apply to Polish firms that are not banks or insurers?
A: Yes. DORA applies to over 20 categories of financial entity, including payment institutions, electronic money institutions, crypto-asset service providers, investment firms, and fund managers. If your firm holds any financial services authorisation in Poland or another EU member state, you should assume DORA applies and verify the position against the regulation's full scope provisions. The microenterprise exemption is narrow and does not eliminate compliance obligations entirely.
Q: How long does a DORA compliance project typically take?
A: For a mid-sized payment institution or investment firm, a gap analysis and initial remediation programme typically takes 8 to 12 weeks. Full contractual remediation – reviewing and renegotiating ICT provider agreements – can extend the timeline to 6 months or more, depending on the number of legacy contracts and the responsiveness of counterparties. Firms that have not yet started should treat this as an urgent matter, given that KNF supervisory cycles are already underway.
Q: Is it a misconception that DORA only covers cybersecurity?
A: Yes, and it is a costly one. DORA covers ICT risk broadly – including operational continuity, third-party dependency, incident response, and governance. Cybersecurity is one component, but firms that address only technical security measures while neglecting contractual, governance, and reporting obligations will fail a supervisory review. The regulation explicitly places responsibility on management bodies, not IT departments alone.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to DORA compliance, AI Act Poland obligations, and technology regulatory matters. We work with Polish financial entities, foreign investors, and in-house legal teams navigating EU digital regulation. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.