Data and information security after 5 years of the GDPR

5 June 2023 | Knowledge, News, The Right Focus

The last few years have seen significant changes in the data protection landscape with this year marking the 5th anniversary of the General Data Protection Regulation, commonly referred to as the GDPR. It’s a good time to take stock and analyse what has changed, and what we can expect in the near future.

What has the GDPR brought us

First and foremost, there has been a significant increase in data subjects’ awareness of their rights and the obligations of data processors. This can be seen, for example, in the high number of complaints filed with the supervisory authority.

The need to ensure “GDPR compliance” has also had a significant impact on business operations. Businesses have started to place much greater emphasis on the implementation and practical application of data protection systems, which have become a core area of ensuring business security. This is undoubtedly influenced by the fines for non-compliance with these data protection regulations.

Thanks to the principles of privacy by design and privacy by default, there has been a huge shift in the approach to data protection, which is now taken into account from the very beginning of data processing, especially where modern technology is used.

With the GDPR, data protection has become an ongoing process rather than a single one-off activity. This matters both for improving data security and in the context of changing technology. It can be seen in the recent unprecedented development of artificial intelligence systems, in particular generative artificial intelligence, where data protection is a key element in the development and implementation of AI systems, including the training of algorithms and the building of models that involve the processing of large amounts of data.

The importance of cyber security

With the rapid development of technology, cyber security is a key issue. Digital threats are increasingly affecting businesses and are closely linked to the issue of data protection, making it one of the biggest challenges facing organisations today. As an example, we are seeing a significant increase in the use of malware, particularly ransomware.

This has also not escaped the attention of EU regulators, who have addressed the issue of cyber security in legislation such as DORA, the Regulation on digital operational resilience for the financial sector[1], or NIS II, the Directive on measures for a high common level of cybersecurity across the Union[2].

DORA

The objective of DORA is to upgrade and consolidate the requirements for managing the operational digital resilience of financial services market participants at a pan-European level.

Upgrading is understood as complementing the traditional quantitative approach, which consists of setting capital requirements to cover ICT risks, with a qualitative approach that defines targeted requirements for the protection, detection and containment of security incidents and for building operational resilience testing capabilities.

As regards consolidation, DORA focuses on several issues:

  • Requirements for the management of financial entities in terms of digital resilience and requirements for the management of ICT-related risk
  • Requirements for the management, including monitoring, classification and logging, of ICT-related incidents
  • Requirements for testing the digital resilience of financial entities
  • Requirements for the management of ICT third-party risk

The proposed regulation covers 20 categories of entity. The group of financial entities obliged to comply with it has been expanded to include a new generation of financial market participants, such as crypto-asset and crowdfunding service providers, in addition to traditional financial institutions such as credit institutions, payment institutions and investment firms.

In accordance with the principle of proportionality, the DORA requirements vary depending on a financial entity’s business profile, size and scale of operation. Financial entities identified as microenterprises are therefore exempt from a significant part of the DORA requirements, whilst those identified as significant are required, among other things, to conduct threat-led penetration tests (TLPTs). Importantly, the list of financial entities also includes ICT service providers, which represents another departure from previous sectoral regulations.

Entities covered by DORA must apply the resulting requirements from 18 October 2024.

NIS II

NIS II, which repeals the existing NIS Directive, was adopted by the European Parliament on 10 November 2022.

NIS II introduces a distinction between essential entities and important entities, rather than between operators of essential services and digital service providers, significantly expanding the existing list.

It also clarifies cyber security risk management obligations by making certain measures mandatory, including but not limited to:

  • Risk analysis and IT system security policies
  • Incident management policies
  • Business continuity plans
  • Ensuring supply chain security

In addition, the Directive introduces the possibility of imposing fines on entities failing to comply with their obligations. The amount of these fines will depend on the type of entity and will be up to the greater of EUR 10 million or 2% of the total worldwide annual turnover in the preceding year for essential entities, and EUR 7 million or 1.4% of the total worldwide annual turnover in the preceding year for important entities.

The main objective of NIS II is to further improve digital security in the European Union and the incident response capabilities of both public and private sector entities. In addition, it aims to harmonise across the Union precisely who will be affected by cyber security obligations.

The NIS II regulations must be applied in all EU Member States from 18 October 2024, so we can expect changes to the National Cyber Security System Act in this area as well.

Summary

The above regulations signal that we can expect even more guidelines, recommendations, good practices and opinions to be issued at both European and national levels in the coming years.

These regulations will inevitably relate to practices in specific market sectors and will set out specific, individual requirements that businesses will need to comply with. They will therefore directly require businesses to respond proactively and adapt their practices and procedures, and some of these changes may have implications for business strategies. It is clear that there will be a need to focus on technical safeguards and to assess their adequacy with a view to avoiding possible fines from the supervisory authority.

Monika Maćkowska-Morytz

Maciej Kuranc

[1] Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014

[2] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148