DORA – how quickly is the clock ticking

18 October 2023 | Knowledge, News

The financial sector has now fully embraced technology as a way to offer clients increased security, quality and convenience. Modern financial institutions increasingly rely on digital technology, offering their clients services based on cloud computing, big data, blockchain, and artificial intelligence, often managed by external ICT companies. However, the surge in reliance on ICT systems has gone hand in hand with an exponential increase in cyber-attacks and consumer risk.

CERT Polska, the group set up to monitor and respond to major cyber incidents, reported that in 2022 there were 2944 incidents targeting banks, of which 21 were deemed serious, and a staggering 2813 incidents targeting financial market infrastructure. It seems that the surge in technology has come at the cost of an explosion in online crime, and this pattern is likely to continue unless adequate safeguards are implemented to fight back.

Who is DORA aimed at

DORA, the EU regulation for digital operational resilience of the financial sector, is designed to create a robust, homogeneous EU-wide network by laying down new regulations requiring ICT entities to provide security against cyber risk, whilst managing any cyber incidents in a consistent manner. DORA focuses mainly on players operating in this market, such as:

  • Credit institutions
  • Insurance companies
  • Payment institutions
  • Investment firms
  • Insurance intermediaries

DORA will also cover third-party ICT service providers and apply to the requirements of contracts between financial market entities and these providers. Thus, entities providing services to the financial market and using resources or networks in information systems for this purpose will have to adapt their activities and the terms and conditions of their contracts.

How long will it be before DORA enters into force

DORA is expected to fully enter into force by 17 January 2025, which is closer than it may seem. Financial market participants and external ICT service providers should therefore carefully consider the steps they will need to take to come into line with these new requirements, and should already be considering:

  • Building or reviewing the quality of the governance framework related to ICT risks
  • Developing and implementing policies, procedures, protocols and tools to ensure ICT security
  • Adapting contractual terms and conditions

Given the potential scale of the transition, it is clear that financial market participants should begin to implement DORA as soon as practicable. However, given that regulatory technical standards are still being developed to clarify many issues, it would be wise to plan any changes, seeking experienced advisors to assist along the way. But it seems that finally, the digital future is one step closer to being secured for business.

Source: Contact Online

Date: 5.10.2023

Questions? Contact us

Jan Ziomek
