POLAND Law and Practice Contributed by: Marcin Olechowski, Wojciech Iwański, Tytus Brzezicki and Piotr Orłowski, Sołtysiński Kawecki & Szlęzak
Responsibilities for Management Bodies DORA introduces a number of new obligations for the governing bodies of financial entities. These include: • bearing the ultimate responsibility for manag - ing the financial entity’s ICT risk; • putting in place policies that aim to ensure the maintenance of high standards of avail - ability, authenticity, integrity and confidential - ity of data; • setting clear roles and responsibilities for all ICT-related functions and establishing appropriate governance arrangements to ensure effective and timely communication, co-operation and co-ordination among those functions; • bearing the overall responsibility for setting and approving the digital operational resil - ience strategy; and • approving and periodically reviewing the financial entity’s ICT internal audit plans, ICT audits and the material modifications to them. Recovery and Back-Up Obligations DORA provides for numerous duties related to ensuring business continuity in financial entities. Primarily, financial entities must put in place a comprehensive ICT business continuity policy, which may be adopted as a dedicated specific policy forming an integral part of the overall busi - ness continuity policy of the financial entity. ICT business continuity policy shall be imple - mented through dedicated, appropriate and documented arrangements, plans, procedures and mechanisms aiming to, inter alia: • ensure the continuity of the financial entity’s critical or important functions; • quickly, appropriately and effectively respond to and resolve all ICT-related incidents in a
way that limits damage and prioritises the resumption of activities and recovery actions; and • set out communication and crisis manage - ment actions that ensure that updated infor - mation is transmitted to all relevant internal staff and external stakeholders. Incident Management and Reporting DORA introduces comprehensive rules on the identification, management and reporting of ICT incidents. With regard to credit institutions, pay - ment institutions, account information service providers, and electronic money institutions, these rules also concern operational or secu - rity payment-related incidents concerning credit institutions, as DORA unifies reporting obliga - tions currently deriving from PSD2. DORA and Commission Delegated Regulation (EU) 2024/1772 establish specific criteria for incidents (and cyberthreats) classification to be used primarily for the purpose of reporting to the relevant authorities. Management of ICT Third-Party Risk DORA places a strong emphasis on third-party supplier risk management. It requires financial institutions to carry out rigorous assessments and audits of ICT third-party service providers, as well as ensure that relevant contracts contain appropriate clauses. Polish Legislation Related to DORA In April 2024, the Polish government started work on an Act amending certain laws related to ensuring the operational digital resilience of the financial sector. The purpose of the new regulation is to implement the provisions set by DORA into the national legal order and to adapt existing regulations to the principles introduced by DORA.
477 CHAMBERS.COM
Powered by FlippingBook