DORA in Poland 2025: What You Need to Know

Practical guide to DORA implementation in Poland. Deadlines, regulatory requirements, and key steps for financial institutions.

Since January 17, 2025, DORA (Digital Operational Resilience Act) is fully applicable across the European Union, including Poland. Financial institutions supervised by the Polish Financial Supervision Authority (KNF) must meet the regulation requirements for digital operational resilience.

Which institutions in Poland are subject to DORA?

DORA covers a wide range of entities: banks, credit unions, insurance companies, investment fund companies, brokerage houses, payment institutions, leasing and factoring companies, crypto-asset service providers. In Poland, supervision is exercised by KNF, which has issued implementation guidelines. An estimated over 2,000 entities in Poland are directly subject to DORA requirements.

What are the key DORA requirements for Polish institutions?

Main DORA requirement areas are: ICT risk management (framework, policies, procedures), ICT incident reporting (within 4 hours of classification), digital resilience testing (basic annually, TLPT for selected entities), third-party risk management (contract register, critical provider assessment), threat information sharing.

How will KNF verify DORA compliance?

KNF has announced an active approach to DORA supervision. Planned activities include: self-assessment questionnaires for supervised entities, thematic inspections on selected DORA areas, incident report verification, review of ICT provider contracts. Institutions should be prepared to demonstrate compliance with documentation and implementation evidence.

What penalties apply for DORA non-compliance?

DORA provides severe sanctions: for financial institutions - fines up to EUR 10 million or 5% of annual turnover, for responsible individuals - fines up to EUR 5 million, for critical ICT providers - fines up to 1% of average daily global turnover. KNF may also impose administrative sanctions under Polish law.

Wizards.io supports Polish financial institutions in DORA compliance. **Revelio** automatically detects and maps data in ICT systems, supporting information asset inventory. **Detecto** monitors systems for data-related incidents. **Oblivio** manages retention according to DORA documentation requirements.

DORA is not a one-time project but an ongoing digital resilience management process. Polish financial institutions should treat compliance as part of business strategy, not just a regulatory requirement.