POLAND Law and Practice Contributed by: Wojciech Ługowski, Lawarton Lugowski Kapica Spolka Komandytowa
addition, some industry participants are subject to the EU Data Act, which focuses on data sharing and compensation mechanisms.

Cybersecurity

Cybersecurity regulations, such as the NIS2 Directive and DORA, add further complexity. These laws mandate robust cybersecurity measures, operational resilience and incident reporting requirements for financial entities. Fintechs must demonstrate their ability to withstand and recover from ICT-related disruptions and manage third-party risks, particularly when relying on cloud providers.

This poses a challenge for fintechs, which must prioritise agile development and third-party technologies, which are harder to control. Legacy players, by contrast, often have larger budgets, dedicated compliance teams and established security infrastructures, giving them an advantage in meeting these requirements.

Alongside the institution-level cybersecurity and operational resilience requirements introduced by DORA, the EU Cyber Resilience Act will add a complementary layer of regulation focused on the security of digital products themselves. Unlike DORA, which addresses organisational processes and governance, the Cyber Resilience Act targets the software and hardware used in the delivery of financial services. As a result, fintechs will need to consider not only their internal resilience and third-party risk management, but also the cybersecurity standards applicable to the technological products on which their services are built.

Crypto-Assets Regulation

MiCA recently came into force in Poland to regulate the crypto-assets market. See 10. Blockchain.

Social Media

The Digital Services Act establishes rules for online platforms, including social media, to prevent the spread of illegal content and ensure transparency in advertising. Fintechs must disclose sponsored content and advertising practices, moderate user-generated content and avoid misleading or harmful information.

Fintechs relying heavily on social media marketing face additional compliance costs related to content moderation and transparency. In contrast, traditional banks and financial institutions tend to adopt more conservative marketing practices. They are less reliant on social media, which reduces their exposure to Digital Services Act-related compliance risks.

Consumer Protection

Polish consumer protection legislation, such as the Consumer Credit Act or the Competition and Consumer Protection Act, is also relevant for fintech industry participants who target consumers.

In addition, recent EU-level consumer law reforms will increasingly affect fintech products and customer journeys. Directive (EU) 2023/2673 introduces enhanced transparency and withdrawal requirements for financial services offered through digital channels, while Directive (EU) 2023/2225 (CCD2) updates the consumer credit framework to reflect digital distribution models, including certain short-term and “buy now, pay later” (BNPL)-type products, with practical application expected from 2026.

2.12 Review of Industry Participants by Parties Other Than Regulators

Most fintech companies or regulated operations must provide financial statements reviewed by qualified external auditing firms. Additionally, other entities such as banks, payment institutions or investment firms must prepare dedicated risk management plans, carry out regular due diligence and conduct internal audits.

Most banks, payment institutions and investment firms must develop risk management frameworks, conduct due diligence and perform internal audits to identify financial and operational risks. While audits and risk controls are legally required, many fintechs adopt stricter cybersecurity, fraud detection and compliance monitoring standards, especially for cross-border operations.

Regulatory oversight of the fintech sector is primarily conducted by state supervisory authorities, with internal audits within regulated entities playing a key role in ensuring risk management and regulatory adherence.
The involvement of non-state external organisa -
626 CHAMBERS.COM