On 18 April, the Polish government officially commenced work on a law implementing the provisions of the Digital Operational Resilience Act (hereinafter “DORA”) into the national (Polish) legal system. The new regulation is primarily intended to bring the existing legislation in line with the principles introduced by DORA. The so-called sectoral laws relating to individual branches of the financial market, such as payments, banking, or insurance, will be amended.
The Polish legislator decided not to make use of the so-called ‘national option’ provided for in Article 2(4) of DORA, insofar as it allows for the exclusion of the application of the provisions of DORA to cooperative savings and credit unions (SKOK) operating on the Polish market, as referred to in Article 2(5)(18) of Directive 2013/36/EU. At this point, however, the legal status of Bank Gospodarstwa Krajowego (BGK) mentioned in the said provision is not clear. The law transposing DORA into national law also provides for the implementation of provisions relating to the conferral of supervisory powers on competent national authorities with respect to financial entities. Under the provisions of DORA, the Polish Financial Supervision Authority (KNF) will be entitled to apply administrative sanctions and carry out inspections and investigations of financial institutions.
At this point, it is important to point out some legislative errors that the authors of the implementing act made when drafting the legislation. The Act does not distinguish between the concepts of ‘inspections’ and ‘investigations’ as described in Article 50(2) of DORA. As a result, some of its provisions are terminologically unclear and, in certain respects, even contradict the provisions of DORA. The law is currently at the stage of public consultations, so there is hope that the authors will take into consideration the comments made in this regard by the legal community and financial market participants and clarify the above concerns.
The law also needs to be refined in terms of the catalogue of entities to be supervised by the KNF. As a result of legislative omissions, and despite the literal wording of Article 2(1)(b) in this regard, the proposed provisions do not extend KNF supervision to entities exempted from the application of certain provisions under Article 32(1) of PSD2.
In this respect, attention should additionally be drawn to the extension of certain obligations under the NIS2 Directive to financial entities obliged to apply DORA. This results from the implementation of Article 19(1)(6) of DORA in the NIS2 implementing act. As a result, financial institutions deemed important or critical under NIS2 will be required to provide ‘initial notifications’ and ‘individual reports’ of major ICT incidents to Computer Security Incident Response Teams (CSIRTs).
The KNF has become involved in the work to transpose the DORA requirements into Polish law. Recently, financial entities have been asked to complete a so-called ‘self-assessment survey’ to enable the KNF to obtain detailed information on how they apply the ICT security rules introduced by DORA. According to the KNF, the survey is not only intended to provide the supervisory authority with relevant information, but also presents an opportunity for financial institutions to better understand the requirements of DORA.