Data and information security after 5 years of the GDPR

5 June 2023 | Knowledge, News, The Right Focus

The last few years have seen significant changes in the data protection landscape with this year marking the 5th anniversary of the General Data Protection Regulation, commonly referred to as the GDPR. It’s a good time to take stock and analyse what has changed, and what we can expect in the near future.

What has the GDPR brought us

First and foremost, there has been a significant increase in data subjects’ awareness of their rights and the obligations of data processors. This can be seen, for example, in the high number of complaints filed with the supervisory authority.

The need to ensure “GDPR compliance” has also had a significant impact on business operations. Businesses have started to place much greater emphasis on the implementation and practical application of data protection systems, which have become a core area of ensuring business security. This is undoubtedly influenced by the fines for non-compliance with these data protection regulations.

Thanks to the principles of privacy by design and privacy by default, there has been a huge shift in the approach to data protection, which is now taken into account from the very beginning of data processing, especially where modern technology is used.

With the GDPR, data protection has become a process rather than a single one-off activity, which is very important for improving data security, and also in the context of changing technology. This can be seen in the recent unprecedented development of artificial intelligence systems, in particular generative AI, where data protection is a key element in the development and implementation of AI systems, including the training of algorithms and the building of models that process large amounts of data.

The importance of cyber security

With the rapid development of technology, cyber security is a key issue. Digital threats are increasingly affecting businesses and are closely linked to the issue of data protection, making it one of the biggest challenges facing organisations today. As an example, we are seeing a significant increase in the use of malware, particularly ransomware.

This has also not escaped the attention of EU regulators, who have addressed the issue of cyber security in legislation such as DORA, the Regulation on digital operational resilience for the financial sector[1], or NIS II, the Directive on measures for a high common level of cybersecurity across the Union[2].

DORA

The objective of DORA is to upgrade and consolidate the requirements for managing the operational digital resilience of financial services market participants at a pan-European level.

Upgrading is understood as complementing the traditional quantitative approach, which consists of setting capital requirements to cover ICT risks, with a qualitative approach that defines targeted requirements for the protection, detection and containment of security incidents and for building operational resilience testing capabilities.

As regards consolidation, DORA focuses on several issues:

  • Requirements for the management of financial entities in terms of digital resilience and requirements for the management of ICT-related risk
  • Requirements for the management, including monitoring, classification and logging, of ICT-related incidents
  • Requirements for testing the digital resilience of financial entities
  • Requirements for the management of ICT third-party risk

The proposed regulation covers 20 categories of entity. The financial entities obliged to comply with it have been expanded to include a new generation of financial market participants, such as crypto-asset and crowdfunding service providers, in addition to traditional financial institutions such as credit institutions, payment institutions and investment firms.

In accordance with the principle of proportionality, the DORA requirements vary depending on a financial entity’s business profile, size and scale of operation. Financial entities identified as microenterprises are therefore exempt from a significant part of the DORA requirements, whilst those identified as significant are required, among other things, to conduct TLPTs (threat-led penetration tests). Importantly, the list of financial entities also includes ICT service providers, which represents another departure from previous sectoral regulations.

Entities covered by DORA must apply the resulting requirements from 18 October 2024.

NIS II

NIS II, which repeals the existing NIS Directive, was adopted by the European Parliament on 10 November 2022.

NIS II introduces a distinction between essential entities and important entities, rather than between operators of essential services and digital service providers, significantly expanding the existing list.

It also clarifies cyber security risk management obligations by making certain solutions mandatory, including but not limited to:

  • Risk analysis and IT system security policies
  • Incident management policies
  • Business continuity plans
  • Ensuring supply chain security

In addition, the Directive introduces the possibility of imposing fines on entities failing to comply with their obligations. The amount of these fines will depend on the type of entity and will be up to the greater of EUR 10 million or 2% of the total worldwide annual turnover in the preceding year for essential entities, and EUR 7 million or 1.4% of the total worldwide annual turnover in the preceding year for important entities.

The main objective of NIS II is to further improve digital security in the European Union and the incident response capabilities of both public and private sector entities. In addition, it aims to harmonise across the Union precisely who will be affected by cyber security obligations.

The NIS II regulations must be applied in all EU Member States from 18 October 2024, so we can expect changes to the National Cyber Security System Act in this area as well.

Summary

The above regulations signal that we can expect even more guidelines, recommendations, good practices and opinions to be issued at both European and national levels in the coming years.

These regulations will inevitably relate to practices in specific market sectors and will provide specific, individual solutions that businesses will need to comply with. They will therefore directly require businesses to respond proactively and adapt their practices and procedures, and some of these changes may have implications for business strategies. It is clear that businesses will need to focus on technical safeguards and assess their adequacy with a view to avoiding possible fines from the supervisory authority.

Any questions? Contact us

Monika Maćkowska-Morytz

Maciej Kuranc

[1] Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014

[2] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148
