A Warsaw-based payment institution had operated smoothly for several years when the Digital Operational Resilience Act (DORA) entered full application in January 2026. Its IT department had documented processes, its contracts with cloud providers were in place, and its board assumed compliance was largely a formality. In practice, the gap between existing documentation and DORA's specific requirements proved wider than expected – and the Polish Financial Supervision Authority (KNF) had already signalled active supervisory interest in ICT risk frameworks across the sector.

DORA establishes a binding ICT risk management framework for financial entities operating in the European Union, including Polish payment institutions, banks, and investment firms supervised by the KNF. The regulation requires entities to implement a documented ICT risk management framework, conduct threat-led penetration testing at least every three years, and register all third-party ICT service providers. Non-compliance exposes firms to supervisory measures and, in serious cases, personal liability of management board members.

This case study traces how one Polish payment institution identified its compliance gaps, restructured its ICT governance arrangements, and reached a defensible position before the KNF's first supervisory review cycle. The lessons apply broadly to any Polish financial entity working through the same transition.

What was the background and what gaps did we find?

The client was a mid-sized payment institution authorised by the KNF under the Payment Services Act (ustawa o usługach płatniczych). It processed several hundred thousand transactions monthly and relied on three external cloud providers for core infrastructure. The management board had approved an IT security policy in 2023, but that document predated DORA and addressed only general cybersecurity hygiene rather than the regulation's specific requirements.

Our initial review identified four material gaps. First, the ICT risk management framework lacked a formal governance structure – there was no designated ICT risk function reporting directly to the board. Second, the existing business continuity plan did not meet DORA's requirement for ICT-specific recovery time objectives (RTOs) and recovery point objectives (RPOs). Third, contracts with all three cloud providers were missing mandatory clauses on audit rights, exit strategies, and sub-outsourcing chains. Fourth, the institution had never conducted a threat-led penetration test; its last vulnerability assessment had been a basic automated scan.

The KNF had issued supervisory expectations in late 2025 indicating that payment institutions should expect framework reviews within twelve months of DORA's application date. That created a concrete deadline. (The institution's management board had not previously been aware that board members could face personal liability for ICT governance failures under Polish financial supervision law.)

What strategy did we recommend?

We structured the remediation work in three parallel workstreams, each with a defined owner and a 90-day completion target. That timeline was chosen deliberately: it allowed the institution to present a substantially complete framework to the KNF before any formal supervisory inquiry arrived, which materially reduces the risk of enforcement measures.

The first workstream addressed governance. We drafted a standalone ICT risk management policy that established a board-level ICT risk committee, defined escalation thresholds, and created a register of critical ICT assets. This gave the board direct oversight – a requirement DORA imposes on management bodies, not just IT teams. Under Polish financial supervision law, board members who cannot demonstrate active engagement with ICT risk governance face personal accountability if a major incident occurs.

The second workstream covered third-party risk. We reviewed all three cloud provider contracts against DORA's mandatory contractual requirements. Two contracts required substantial renegotiation; one provider initially resisted audit-rights clauses. We used the leverage of the institution's multi-year renewal as a negotiating tool. All three contracts were amended within 60 days. We also built a third-party ICT register – a document DORA requires financial entities to maintain and, for critical providers, to report to the KNF and ultimately to the European Banking Authority (EBA).

The third workstream was testing. We helped the institution scope and procure a threat-led penetration test from an accredited provider. DORA requires such tests every three years for in-scope entities; the institution had never conducted one. Results identified two medium-severity vulnerabilities in the payment processing environment, both remediated before the supervisory review.

For context on how ICT and intellectual property considerations interact for technology companies operating across borders, see our analysis of IP protection strategy for Italian tech companies in Poland.

How did the process unfold and what did it cost?

The 90-day programme ran from February to April 2026. Week one was diagnostic: we mapped existing documentation against DORA's requirements chapter by chapter and produced a gap register with RAG (red-amber-green) status for each item. That register became the project management tool for the entire engagement.

Weeks two through eight covered policy drafting, contract renegotiation, and register construction. The most time-intensive element was the third-party contract work. Cloud providers' standard terms rarely satisfy DORA's mandatory clauses out of the box. Negotiating audit rights and exit-strategy provisions with a large hyperscale provider took four weeks and two escalations to the provider's legal team.

We secured a fully compliant ICT risk framework for this Warsaw-based payment institution within the 90-day window (spring 2026). The total external legal and advisory spend was under EUR 40,000 – a fraction of the potential supervisory fine, which under Polish financial supervision law can reach PLN 21 million for serious ICT governance failures.

The KNF supervisory review took place in late April 2026. The institution presented its framework documentation, third-party register, and penetration test report. The KNF issued no remediation findings – an outcome that, in our experience, is uncommon for first-cycle DORA reviews at institutions that had not previously structured their ICT governance specifically for the regulation.

Financial entities navigating overlapping regulatory obligations – including KSeF invoicing requirements – should note that digital compliance programmes often share governance infrastructure. Our overview of KSeF penalties, calculation, and avoidance strategies addresses the parallel digital compliance track.

What are the transferable lessons for Polish financial entities?

The following lessons stand out from this engagement. Each applies to any Polish financial entity that has not yet completed its DORA ICT risk management framework.

  • Start with governance, not technology. DORA's requirements are primarily organisational. The board must own ICT risk. An IT security policy that sits with the IT department, without board-level oversight, will not satisfy supervisory expectations.
  • Contract renegotiation takes longer than expected. Large cloud providers move slowly. Allow at least 60 days for substantive contract amendments. Starting late precludes a clean supervisory outcome.
  • Threat-led penetration testing is mandatory, not optional. Many Polish entities confuse automated vulnerability scans with DORA-compliant testing. They are not equivalent. Budget and plan for a full test at least six months before any expected supervisory review.
  • The third-party register is a living document. It must be updated whenever a new ICT provider is engaged or an existing relationship changes materially. A static snapshot prepared for a supervisory review will not satisfy ongoing obligations.

DORA's interaction with the AI Act is also relevant for institutions deploying machine-learning models in credit scoring or fraud detection. Polish entities using high-risk AI systems face dual compliance obligations. Our analysis of AI Act high-risk classification, affected sectors, and systems maps those overlapping requirements in detail.

The broader point is this: DORA compliance is not a one-time project. It is an ongoing management function. Institutions that treat it as a documentation exercise – rather than a governance transformation – will face recurring supervisory exposure. The KNF has made clear that ICT risk management is a standing supervisory priority, not a transitional item.

For Polish financial entities that have not yet completed their DORA framework, the window for proactive compliance is narrowing. A supervisory inquiry that arrives before the framework is in place forfeits the institution's ability to present a clean compliance record – an irreversible disadvantage in enforcement proceedings.

To receive an expert assessment of your institution's DORA ICT risk management framework, contact info@kordeckipartners.com.

Frequently asked questions

Q: Does DORA apply to all Polish financial entities, or only to large institutions?

A: DORA applies to a broad range of financial entities supervised in Poland, including banks, payment institutions, investment firms, and insurance companies. Smaller entities benefit from a proportionality principle – the regulation allows simplified ICT risk management frameworks for institutions below certain thresholds. However, the KNF determines which entities qualify for the simplified regime, and institutions should not assume they are exempt without a formal assessment.

Q: How long does it take to implement a compliant ICT risk management framework?

A: For a mid-sized institution starting from a basic IT security policy, a well-structured programme typically takes 90 to 120 days to reach a defensible position. The most time-consuming elements are third-party contract renegotiation and procuring a threat-led penetration test. Institutions that delay until a supervisory inquiry arrives will find both timelines compress uncomfortably.

Q: What is the relationship between DORA and GDPR obligations for financial entities in Poland?

A: DORA and GDPR obligations in Poland overlap significantly in areas such as incident reporting, third-party data processing, and access controls. A DORA-compliant ICT risk management framework will simultaneously address many of the GDPR's requirements for technical and organisational measures. However, the two regimes have different supervisory authorities – the KNF for DORA and the Personal Data Protection Office (UODO) for GDPR – and their incident notification timelines differ. Entities should map both sets of obligations explicitly rather than assuming one framework satisfies the other.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to DORA compliance, AI Act implementation, and ICT risk management frameworks. We work with Polish financial institutions, foreign investors, and in-house legal teams navigating digital regulation. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.