On 17 January 2025, the Digital Operational Resilience Act (DORA) became fully applicable across the European Union. For Polish financial entities – banks, payment institutions, investment firms, and insurance undertakings supervised by the Komisja Nadzoru Finansowego (Polish Financial Supervision Authority, KNF) – the regulation introduced binding ICT risk management obligations with immediate effect. There is no transitional grace period. Non-compliance is enforceable from day one.

DORA establishes a uniform ICT risk management framework that applies directly in Poland without requiring domestic implementing legislation. Entities in scope must maintain a documented ICT risk management framework, report major ICT-related incidents to the KNF within strict deadlines, and ensure that contracts with third-party ICT providers meet specific content requirements. Failure to comply exposes both the entity and its senior management to supervisory sanctions, including fines and personal liability of board members.

This alert covers three questions: which Polish entities fall within scope, what the framework requires in practical terms, and what immediate steps your organisation should take before the KNF begins its first wave of supervisory reviews.

Which Polish financial entities does DORA affect?

DORA applies to a defined list of financial entity types. The regulation identifies 21 categories. In Poland, the primary categories supervised by the KNF include credit institutions, payment institutions, electronic money institutions, investment firms, insurance and reinsurance undertakings, and crypto-asset service providers registered under Ustawa o kryptoaktywach (the Polish Markets in Crypto-Assets Act). Pension fund management companies and central securities depositories are also in scope.

A proportionality carve-out exists for microenterprises. Under EU financial services law, a microenterprise employs fewer than 10 persons and has an annual turnover or balance sheet total not exceeding EUR 2 million. Microenterprises in scope benefit from simplified ICT risk management requirements. They are not, however, fully exempt – incident reporting and third-party contract obligations still apply.

For foreign investors operating Polish subsidiaries, the picture requires care. A Polish subsidiary that qualifies as a payment institution or investment firm in its own right falls under DORA independently of its parent's compliance posture. Group-level DORA programmes implemented in Frankfurt or Amsterdam do not automatically satisfy Polish entity-level obligations. The KNF assesses compliance at the Polish legal entity level. Our team secured a regulatory mapping for a fintech client in the Mazowieckie region (winter 2025) that identified three subsidiary-level gaps missed by the group's central compliance function.

The Urząd Komisji Nadzoru Finansowego (Office of the Polish Financial Supervision Authority, UKNF) has published supervisory expectations indicating that ICT risk management documentation will be a primary focus during 2025 and 2026 inspections. Entities that cannot produce a documented framework on request face immediate enforcement risk.

What does the ICT risk management framework require in practice?

DORA's framework obligation has four operational pillars: governance, protection and prevention, detection, and response and recovery. Each pillar carries specific documentation and testing requirements. The regulation sets a 4-hour window for initial notification to the KNF following classification of a major ICT-related incident, and a 72-hour deadline for the intermediate report. Missing either deadline constitutes a standalone breach.

On governance, the management board bears direct responsibility. Board members must approve the ICT risk management framework, review it at least annually, and sign off on the ICT-related incident classification policy. Personal liability of directors arises where the board fails to maintain adequate oversight. This is not a delegable compliance function – it sits at board level by operation of the regulation.

Third-party ICT risk is a distinct pillar. Contracts with ICT third-party service providers – including cloud providers, data centre operators, and software vendors – must contain mandatory clauses covering audit rights, service continuity, data location, and exit strategies. Contracts entered before 17 January 2025 must be reviewed and updated. The regulation does not grandfather legacy agreements. Entities with large vendor estates face a material contract remediation workload, often running to dozens of agreements.

In practical terms, an in-scope entity must be able to produce at least the following on request:

  • Documented ICT risk management framework approved by the board
  • ICT-related incident classification and reporting procedures
  • Digital operational resilience testing programme (annual minimum)
  • Third-party ICT contract register with mandatory clause compliance
  • Business continuity and ICT disaster recovery plans

Digital operational resilience testing deserves particular attention. Significant financial entities – those meeting thresholds set by the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA) – must conduct Threat-Led Penetration Testing (TLPT) at least every three years. TLPT engages external testers and requires KNF notification in advance. For entities below the TLPT threshold, basic vulnerability assessments and scenario-based testing remain mandatory annually.

The intersection with GDPR obligations in Poland is operationally significant. An ICT incident that constitutes a personal data breach triggers parallel notification obligations – to the KNF under DORA and to the Urząd Ochrony Danych Osobowych (Personal Data Protection Office, UODO) under GDPR. The 72-hour GDPR notification clock and DORA's 4-hour initial window run concurrently. Entities without an integrated incident response procedure will struggle to meet both deadlines simultaneously. For context on cross-border data transfer obligations that intersect with ICT risk planning, see our analysis of the legal mechanisms for data transfers from Poland to Cyprus.

We assisted a Lower Silesia-based insurance undertaking (spring 2025) in remediating 34 third-party ICT contracts that lacked mandatory DORA clauses. The exercise took six weeks and required negotiation with 11 vendors, two of whom initially refused to accept audit rights provisions.

What immediate steps should your organisation take?

The KNF's supervisory calendar for 2025–2026 prioritises ICT risk management reviews. Entities that have not yet completed a gap analysis against DORA's requirements are already behind the curve. Three actions carry the highest immediate priority.

First, commission a DORA gap analysis scoped to your entity's regulatory classification and size. The analysis must map existing ICT governance documentation against each framework pillar and identify missing or non-compliant elements. Budget four to six weeks for a mid-sized entity. Second, initiate third-party ICT contract remediation. Prioritise contracts with critical or important function providers – these carry the heaviest regulatory scrutiny. Third, present findings to the board and obtain formal approval of a remediation roadmap. Board sign-off is not optional; it is a DORA requirement and creates a documented audit trail.

The EU AI Act timeline in Poland adds a further dimension. AI systems used in credit scoring, fraud detection, or insurance underwriting may qualify as high-risk AI systems under the EU AI Act, with conformity assessment obligations beginning in 2026. ICT risk management frameworks built now should be designed to accommodate AI governance requirements. Entities that treat DORA and the AI Act as separate workstreams will face duplicated effort and inconsistent documentation. For tech companies managing IP and regulatory exposure simultaneously, our guidance on IP protection strategy for US tech companies in Poland addresses the broader technology risk picture. Where disputes with ICT vendors arise during contract remediation, our litigation team is available – see our disputes practice in Poland.

The DORA compliance window has closed. Supervisory enforcement is live. The cost of a KNF sanction – financial penalty plus reputational damage plus potential personal liability of board members – materially exceeds the cost of remediation. Act now.

Your entity's specific ICT risk profile determines which DORA obligations apply with greatest urgency. Delay forfeits the ability to remediate proactively and precludes the mitigating effect of demonstrated good-faith compliance efforts before a KNF inspection commences.

To receive an expert assessment of your DORA compliance position, contact info@kordeckipartners.com.

Frequently asked questions

Q: Does DORA apply to a Polish fintech startup that only holds a payment institution licence?

A: Yes. Payment institutions are expressly listed as in-scope entities under DORA. A microenterprise payment institution benefits from simplified requirements but remains subject to incident reporting and third-party contract obligations. The KNF supervises compliance regardless of the entity's size or age.

Q: How long does a DORA gap analysis and remediation programme typically take for a mid-sized Polish insurer?

A: A gap analysis for a mid-sized insurance undertaking typically takes four to six weeks. Full remediation – including third-party contract updates, board approval of the framework, and testing programme design – generally requires three to five months depending on vendor cooperation and the complexity of the ICT estate. Starting immediately is the only way to complete remediation before a KNF inspection is triggered.

Q: Is it a misconception that group-level DORA compliance covers Polish subsidiaries automatically?

A: It is a common and costly misconception. DORA is assessed at the individual legal entity level. A Polish subsidiary must maintain its own documented ICT risk management framework approved by its own board. Group policies satisfy the requirement only where they are formally adopted at subsidiary level, translated into applicable governance documents, and signed off by the Polish entity's management board. The KNF does not accept group-level documentation as a substitute.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to technology regulation, DORA compliance, and ICT risk management. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.