Poland: DORA Compliance Deadline Approaches

The Digital Operational Resilience Act (DORA), along with the NIS2 directive, is a crucial piece of European legislation aimed at strengthening cybersecurity within the EU. While NIS2 focuses on a broader range of critical sectors, DORA specifically targets the financial sector, establishing a robust framework to ensure that regulated financial entities can withstand, respond to and recover from disruptions and threats related to information and communications technology (ICT). DORA complements other EU regulatory frameworks by introducing standardised requirements for digital operational resilience, which financial entities must incorporate into their risk management strategies by its effective date of 17 January 2025.

NIS2 Directive

In contrast to DORA, the second Network and Information Security Directive (NIS2) provides a harmonised framework for overseeing and supervising ICT risk management across various critical sectors.

Who must comply?

To enhance cybersecurity within the EU's financial system, European legislators have mandated that a wide range of financial institutions fall under DORA's scope. These institutions are required to implement the rules and standards set forth by the regulation, with varying levels of obligation. Entities subject to DORA include:

  • credit institutions;
  • investment firms;
  • insurance and reinsurance undertakings;
  • payment and electronic money institutions;
  • alternative investment fund managers;
  • crypto-asset service providers;
  • crowdfunding service providers; and
  • ICT third-party service providers.

These entities are considered vital to the infrastructure and security of the EU's financial system and are thus expected to maintain a high level of digital operational resilience to protect financial markets and their participants.

DORA compliance requirements

Entities subject to DORA must adhere to a range of technical, organisational and legal requirements, including:

  • ICT risk management;
  • reporting cybersecurity incidents to competent authorities and establishing communication channels;
  • regular testing of digital operational resilience;
  • ongoing training for employees and managers; and
  • managing risks associated with third-party service providers, including establishing key contractual provisions.

In certain cases, financial institutions may also engage in information-sharing arrangements related to cyberthreat intelligence. These arrangements aim to enhance security and cyberthreat awareness across the EU by sharing experiences and practical solutions.

Next steps

As the DORA compliance deadline approaches, all potentially affected institutions should evaluate whether they are subject to the new rules and to what extent. The regulation imposes significant obligations, requiring considerable time and resources to achieve compliance. It is advisable to allocate adequate resources and seek both technical and legal advisory support in a timely manner.

Reference

Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector.

By Katarzyna Szczudlik, Partner, and Pawel Baran, Senior Attorney at Law, Schoenherr