MACURA | Unique expert knowledge

Kancelaria MACURA.
ul. Odyńca 7/13
02-606 Warszawa

T: (+48) 696-011-713
M: monika.macura@kancelariamacura.pl


Position of the Polish Financial Supervision Authority (UKNF) on DORA

On 31 December 2024, the Polish Financial Supervision Authority (UKNF) published its position on the application of the DORA Regulation by financial entities. Although no provisions ensuring the application of the DORA Regulation have been adopted, it should not be assumed that the obligation of financial entities to comply with the requirements of that Regulation – which becomes applicable as of 17 January 2025 – is suspended.

The DORA Regulation entered into force on 16 January 2023, granting financial entities two years to adjust to its requirements. This period will end on 16 January 2025. As indicated in the aforementioned position, “UKNF expects that starting from the date the DORA Regulation becomes applicable, financial entities will comply with the method and manner of performing specific information and reporting obligations in accordance with this position.” In this article, we discuss the new obligations for financial entities.

Obligation to possess a LEI identifier as a necessary element of reporting

Under the DORA Regulation, financial entities are required to hold a so-called LEI identifier (Legal Entity Identifier) from 17 January 2025. Financial entities that do not yet hold one should apply for and obtain it before 17 January 2025, i.e. before the date on which the DORA Regulation becomes applicable.

Failure to possess a LEI identifier will prevent the submission of reporting forms to the KNF as the competent authority, and consequently the submission of some of them by the KNF to the European Supervisory Authorities.

The absence of a LEI identifier should be treated as a failure to fulfil a reporting obligation, which constitutes non-compliance with the DORA Regulation. As a consequence, sanctions may be imposed on the financial entity – ranging from the least severe in the form of a public reprimand, to a financial penalty, and in extreme cases, withdrawal of the licence for supervised activity.

In Poland, a LEI code can be obtained through the National Depository for Securities (KDPW).

Reporting obligations from 17 January 2025

First and foremost, financial entities should be prepared to fulfil specific reporting obligations, including: prior notification of and reports on major ICT-related incidents (SPR-PF-07), notification of significant cyber threats (SPR-PF-10), and maintenance of the full information register, or of another scope of information as requested (SPR-PF-18). More on this topic can be found in the UKNF’s position on the application of the DORA Regulation by financial entities.

Furthermore, as UKNF indicates, reporting obligations should be fulfilled in electronic form, using communication channels, including ICT systems and ICT tools made available by UKNF, such as:

  • DORA Reporting System;
  • System for reporting major ICT-related incidents;
  • Communication and information exchange channel regarding TLPT tests, agreed with the financial entity conducting the test.

There is a clear trend towards the use of appropriate systems and automation of reporting processes.

Reporting of major ICT-related incidents and significant cyber threats

According to the DORA Regulation, an “ICT-related incident” is defined as: “(…) a single event or a series of linked events, not planned by the given financial entity, that threatens the security of network and information systems and has a negative impact on the availability, authenticity, integrity, or confidentiality of data or on the services provided by that financial entity.”

A “major ICT-related incident” is defined as “an ICT-related incident with a major negative impact on the network and information systems supporting critical or important functions of a financial entity.” Following the DORA Regulation, the UKNF position also lists several criteria for classifying major ICT-related incidents, including, inter alia:

  • the number or significance of financial clients or counterparties affected, and (if applicable) the amount or number of transactions involved, and whether the incident caused reputational damage;
  • the duration of the ICT-related incident, including service interruption;
  • the geographical scope of the ICT-related incident, in particular if it affects more than two Member States.

More on this topic can be found in the content of UKNF’s position on the application of the DORA Regulation by financial entities.

The classification of ICT-related incidents, including the assessment of whether a major incident has occurred, should be based on the definition of a “major ICT-related incident” and on the classification criteria and materiality thresholds specified in the regulatory technical standards. This follows from the need to ensure the greatest possible effectiveness of EU law.

The DORA Regulation excludes payment service providers falling within its scope from the incident reporting obligation under the PSD2 directive.

Supervised entities subject to the PSD2 directive’s incident reporting requirement will instead be obliged to report major operational incidents or major payment security incidents in accordance with the DORA Regulation.

In addition, operators of essential services should, until provisions implementing the NIS2 directive are adopted, continue to report serious incidents in the manner provided for in the Act of 5 July 2018 on the National Cybersecurity System, independently of reporting major ICT-related incidents under DORA.

Maintenance and submission of an information register regarding contracts with external ICT service providers

According to the UKNF position, competent authorities will be obliged to obtain the information registers from financial entities within a timeframe that allows the collected data to be submitted to the European Banking Authority, the European Securities and Markets Authority and the European Insurance and Occupational Pensions Authority (the ESAs) before 30 April 2025. To this end, the KNF plans to approach financial entities at the beginning of April 2025 with a request to submit their information registers, so that the KNF can fulfil its obligation to pass the collected registers to the ESAs in good time.

It was emphasized that the registers submitted in 2025 to the competent authorities should contain data current as of 31 March 2025.

Also of key importance is Commission Implementing Regulation (EU) 2024/2956 of 29 November 2024, which lays down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to standard templates for the information register. It specifies what data the register must contain and, consequently, what information will be submitted to the competent authority.

Withdrawal of existing guidelines

According to the position, it is also planned to repeal:

  • Recommendation D on the management of IT areas and the security of the ICT environment in banks;
  • Recommendation D-SKOK on the management of IT areas and the security of the ICT environment in credit unions;

and guidelines on the management of IT areas and the security of the ICT environment in:

  • insurance and reinsurance undertakings;
  • investment fund management companies;
  • investment firms;
  • capital market infrastructure entities.

Furthermore, it is also planned to repeal the UKNF communication regarding the processing by supervised entities of information in the public or hybrid cloud – the so-called Cloud Communication.
