A Warsaw-based payment institution discovered, six weeks before the Digital Operational Resilience Act (DORA) application date of 17 January 2025, that its ICT risk management framework existed only on paper. Policies had been drafted. Governance had not been implemented. The gap between documentation and operational reality was wider than the board had anticipated.

DORA applies directly in Poland without domestic transposition, binding financial entities – including payment institutions, investment firms, and credit institutions supervised by the Polish Financial Supervision Authority (Komisja Nadzoru Finansowego, KNF) – from 17 January 2025. The regulation requires a documented, tested, and board-approved ICT risk management framework covering governance, incident classification, resilience testing, and third-party oversight. Entities that fail to meet these requirements face supervisory measures, including fines and, in serious cases, restrictions on activity.

This case study traces how one Polish payment institution addressed a structural compliance gap under time pressure. The background, the strategic choices made, and the transferable lessons apply to any financial entity now facing its first KNF supervisory review under DORA.

What was the compliance gap, and why had it persisted?

The institution had approximately 120 employees and processed domestic and cross-border card transactions. Its ICT risk function sat within the IT department rather than at board level. That structural choice – common in mid-size Polish financial entities – created the core problem. DORA requires the management body to own ICT risk, approve the framework, and receive regular reporting. A framework owned by IT cannot satisfy that requirement.

Three specific gaps emerged during our initial diagnostic. First, no ICT business continuity plan had been tested within the preceding 12 months, as DORA's implementing technical standards require. Second, the institution had not classified its ICT third-party providers into critical and non-critical categories. Third, incident reporting thresholds had not been calibrated against the criteria set by the European Banking Authority (EBA) and the European Securities and Markets Authority (ESMA) in their joint regulatory technical standards.

  • Governance: no board-level ICT risk owner or formal escalation path
  • Testing: business continuity untested; no threat-led penetration testing programme
  • Third-party register: 14 ICT vendors listed but not classified
  • Incident management: internal thresholds misaligned with EBA/ESMA criteria

The gap had persisted for a straightforward reason. DORA's requirements were understood as an IT compliance matter rather than a legal and governance matter. That framing delayed board engagement until external counsel was brought in.

How did the remediation strategy address governance first?

Speed was the binding constraint. With six weeks available, the team prioritised governance restructuring over documentation. A board resolution formally designating an ICT risk owner at management-body level was adopted within the first week. Without that resolution, no downstream remediation would satisfy the regulation's governance pillar.

We structured the remediation in three parallel workstreams. The legal team revised the ICT risk management policy to align with DORA's framework requirements and drafted the incident classification matrix against EBA/ESMA thresholds. The client's internal IT team conducted a rapid audit of the 14 third-party vendors, producing a criticality register within ten days. A specialist testing provider was engaged to design a 90-day business continuity testing schedule.

We secured a workable framework for a financial entity in the Mazowieckie region (winter 2025). The framework passed initial KNF review without a request for further information – an outcome that had seemed unlikely at the outset. For the cross-border data flows underpinning the card-processing infrastructure, we drew on the mechanisms analysed in our guide on data transfer from Poland to the United Kingdom, ensuring that third-country transfer documentation was aligned with both DORA and the GDPR requirements that apply in Poland.

One decision deserves particular attention. The team chose not to rebuild the entire policy suite from scratch. Instead, existing documentation was assessed against a gap matrix and amended where deficient. That approach saved approximately three weeks compared with a full redraft – time the institution could not afford to lose.

What does the process reveal about DORA implementation in practice?

Three process observations carry transferable weight. First, the criticality classification of ICT third-party providers is more demanding than most Polish entities expect. DORA's framework requires assessment of substitutability, concentration risk, and the systemic importance of each provider. For the payment institution, two vendors that had been treated as peripheral were reclassified as critical – triggering enhanced contractual obligations that had to be negotiated within the remediation window.

Second, incident classification is a legal exercise, not only a technical one. The EBA/ESMA joint technical standards set specific thresholds – including client impact numbers and transaction value percentages – that determine whether an incident must be reported to the KNF within four hours of classification. Misclassification creates personal liability exposure for the management body. That risk is irreversible once a reportable incident has been mishandled.

We obtained board-approved incident procedures for a fintech client in Lower Silesia (spring 2025), reducing its classification error rate to zero in the first quarter of live operation. The engagement also required review of internal investigation protocols – a process that intersected with questions addressed in our analysis of GDPR fines in Poland and UODO enforcement trends, since several incident categories triggered simultaneous GDPR notification obligations.

Third, the interaction between DORA and existing Polish financial regulation – including KNF guidelines on operational risk – creates layering complexity. Entities that treat DORA as a standalone exercise, separate from their existing KNF compliance programme, will find themselves maintaining two parallel frameworks. Integration from the outset is the more efficient approach, even if it requires more legal input at the design stage.

What are the transferable lessons for Polish financial entities?

The case produces four lessons with direct application to any Polish financial entity now preparing for supervisory review. Each addresses a structural error that recurs across engagements.

  • Governance before documentation: Board-level ownership must be established before policy drafts are finalised. A policy signed by an IT director does not satisfy DORA's management-body requirement.
  • Classify before you contract: Third-party criticality classification must precede contract review. Without classification, enhanced contractual obligations cannot be identified or negotiated.
  • Test on a fixed schedule: Business continuity testing must be documented, dated, and board-reported. A plan that has never been tested is not a plan for DORA purposes.
  • Integrate, do not duplicate: DORA requirements should be mapped against existing KNF operational risk obligations. Duplication wastes resources and creates inconsistency risk.

For entities with restructuring considerations alongside DORA compliance – for example, where ICT outsourcing arrangements are being unwound as part of a broader operational change – the procedural analysis in our guide on pre-pack sale in Poland is relevant to understanding how asset and contract transfers interact with ongoing regulatory obligations.

The implementation timeline of the AI Act in Poland will add a further layer of technology-governance obligation for entities using AI-based decisioning in financial services. Firms that build sound DORA governance structures now will be better placed to absorb that additional framework when it becomes applicable. The management disciplines – board ownership, documented testing, third-party oversight – are shared across both regimes.

A practical checklist for entities beginning their DORA review:

  • Confirm board-level ICT risk ownership by formal resolution
  • Complete third-party criticality classification across all ICT vendors
  • Calibrate incident thresholds against EBA/ESMA joint technical standards
  • Schedule and document business continuity testing within the next 90 days
  • Map DORA obligations against existing KNF operational risk framework

DORA compliance is not a one-time project. The regulation requires annual review of the ICT risk management framework and ongoing testing. Entities that treat the initial implementation as a permanent solution will face escalating supervisory risk as the KNF develops its examination programme through 2025 and 2026.

Your institution's specific ICT risk profile – its vendor mix, transaction volumes, and existing KNF relationship – determines which remediation sequence will be most effective. A generic approach risks missing the classification or governance gap that matters most for your entity.

To discuss how DORA's ICT risk management framework applies to your institution, contact info@kordeckipartners.com.

Frequently asked questions

Q: Does DORA apply to all Polish financial entities, including smaller payment institutions?

A: DORA applies to a broad range of financial entities supervised by the KNF, including payment institutions, electronic money institutions, investment firms, and credit institutions. The regulation includes a proportionality principle: microenterprises may apply simplified arrangements for certain requirements, including the ICT risk management framework. However, the core governance, incident reporting, and third-party oversight obligations apply regardless of size. Entities should not assume that a proportionality carve-out eliminates the framework requirement entirely.

Q: How long does a DORA ICT risk management framework implementation typically take?

A: For a mid-size Polish financial entity with existing operational risk documentation, a focused implementation covering governance, third-party classification, incident thresholds, and testing schedules can be completed in six to ten weeks. Entities starting from a lower baseline – no existing ICT risk policy, no vendor register – should allow twelve to sixteen weeks. The binding constraint is usually board scheduling for governance resolutions and vendor negotiation timelines, not the legal drafting itself.

Q: Is DORA separate from GDPR obligations in Poland, or do they overlap?

A: The two regimes are legally distinct but operationally overlapping. A single ICT incident may trigger both a DORA major incident report to the KNF and a personal data breach notification to the Personal Data Protection Office (Urząd Ochrony Danych Osobowych, UODO). The classification criteria differ between the two frameworks. Entities should maintain a dual-trigger classification matrix so that a single incident can be assessed against both the DORA and the GDPR thresholds simultaneously, avoiding missed notification deadlines under either regime.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to technology regulation, DORA compliance, intellectual property matters in Warsaw (including trademarks), and AI Act readiness in Poland. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.