The Polish Financial Supervisory Authority plans to repeal some recommendations and guidelines in connection with DORA | In Principle


On its website, the Polish Financial Supervisory Authority (KNF) has announced that it plans to repeal the current recommendations and guidance for financial institutions on managing IT and cybersecurity, covered by the EU’s DORA regulation.

It is also planned to repeal the “cloud communiqué” of the KNF Office regarding processing of information by supervised entities in a public or hybrid computing cloud. The affected institutions include banks, insurance companies, and investment firms.

Reason for repeal

KNF indicates that the planned repeal of selected acts results from their overlap with obligations under the Digital Operational Resilience Act (DORA—Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector) and related implementing acts. Additionally, KNF points out that the instruments it is repealing are “soft law” and not sources of mandatorily applicable law, unlike the DORA regulation. The repeal should avoid interpretive doubts that could arise between mandatory provisions and existing acts of soft law. It should also reduce the regulatory burden on entities supervised by KNF in the area of digital operational resilience.

Acts to be repealed:

  • Recommendation D on management of information technology and security of the ICT environment in banks
  • Recommendation D-SKOK on management of information technology and security of the ICT environment in cooperative savings and loan institutions
  • Guidance on management of information technology and security of the ICT environment in insurance and reinsurance companies
  • Guidance on management of information technology and security of the ICT environment in financial funds
  • Guidance on management of information technology and security of the ICT environment in investment companies
  • Guidance on management of information technology and security of the ICT environment in capital market infrastructure entities
  • Communiqué of the KNF Office of 23 January 2020 on processing of information by supervised entities in public or hybrid cloud computing.

The exact date of repeal of these acts will be announced by the KNF Office separately.

A consistent EU approach

The Polish regulator also stresses that the European supervisory authorities are conducting similar analyses of the convergence of the DORA regulation with the EBA’s Guidelines on ICT and Security Risk Management and ESMA’s Guidelines on Outsourcing to Cloud Service Providers. The planned repeal of the recommendations, guidelines and cloud communiqué responds to the need for action at the national level that is consistent with the approach to defining ICT risk management requirements taken in European legislation, in connection with DORA.

DORA is coming soon

The DORA regulation, which aims to increase the digital operational resilience of financial entities and regulates the provision of ICT services in the financial market, will apply from 17 January 2025.

Mateusz Kosiorowski, adwokat, Klaudiusz Mikołajczyk, Insurance practice, Wardyński & Partners