
Krzysztof Dąbrowski and Jolanta Gasiewicz attended an IDM conference

Krzysztof Dąbrowski, Managing Director of the Security Division at Urząd Komisji Nadzoru Finansowego (UKNF), and Jolanta Gasiewicz, expert at the UKNF’s Cybersecurity Department, attended a conference titled ‘Legal challenges related to the implementation of DORA as seen by the regulator/legislator’ organised by the Chamber of Brokerage Houses (Polish: Izba Domów Maklerskich – IDM).

Addressing the conference, Krzysztof Dąbrowski presented a strategic take on DORA implementation, showing the conference participants the context for drafting the Regulation and its main assumptions.

He stressed the need for adopting multiple adjustment measures, for which the starting point would be an analysis of how far current practices comply with the new regulatory requirements. Contrary to how it may seem, the eleven months remaining until DORA starts applying is not much time, taking into consideration the extent of work that needs to be done by financial market entities. ‘Today’s conference is a good occasion for the UKNF to meet with entities operating in the capital market. It offers a possibility for us to conduct dialogue, talk about our supervisory approach to preparing for the application of DORA, about the preparations we are making, but also to hear the voices of market participants that are so important for us to hear. In the context of implementation of DORA, Komisja Nadzoru Finansowego sees itself primarily as the supervisor and only secondly as the regulator, since, despite its participation in the DORA consultation process, it is the European institutions who are the actual initiator and author of the Regulation’ – Krzysztof Dąbrowski said.

He stated that DORA is a response to, among other things, the increasing reliance of business processes on technology, the growing threat of cybercrime and its cross-border nature, and the major regulatory differences between countries in terms of cybersecurity. ‘At present, technology is widely used both in internal processes and in relations with the client. Dependence on technology not only creates an opportunity to optimise the processes but also generates vulnerabilities. The activity of cybercriminals increases, in multiple areas. Some of them attack organisations, others focus on defrauding clients directly’ – Dąbrowski said.

Given the current level of technology usage, a serious approach to cyber resilience and security is required: without proper recognition of the importance of ICT risk, and without its appropriate consideration in managing an organisation, such operational risk, when it materialises, can lead to the elimination of a given entity from the market.

The most relevant legal challenges in implementing DORA in an organisation include, to list but a few, recognising changes to existing obligations and identifying new ones, identifying the required ICT resources, and adjusting contracts with third-party providers of ICT services. Such activities should not be delegated to a single unit but should be treated as an interdisciplinary challenge that requires involving many functions in the organisation, particularly IT, compliance and security, with support from the management.

Jolanta Gasiewicz appeared on a panel dedicated to vendor policies and presented selected elements of DORA implementation in the operational context.

Addressing the panel, she highlighted that DORA puts great emphasis on the responsibility of the management body for the oversight of third-party ICT service providers. She also stressed that the responsibility for complying with the regulations rests with the financial entity, so it is important for an organisation to have appropriate resources in its structures, including persons with the appropriate knowledge as well as legal and technical competences.

Contracts with ICT service providers should include a clear and complete description of all ICT functions and services, indicating whether subcontracting of an ICT service supporting a critical or important function is permitted. Before signing the contract, the organisation should identify the ICT functions and services concerned, assess compliance with supervisory requirements, carry out a risk analysis and due diligence, and define the rules for monitoring the service provider, in particular through control and audit. Contracts with ICT service providers should also include exit strategies.

Useful information:

Finalisation of the first package of implementing acts to DORA (until 17 January 2024):
https://www.eba.europa.eu/publications-and-media/press-releases/esas-publish-first-set-rules-under-dora-ict-and-third-party

Information on public consultation of the second package of implementing acts to DORA (until 17 July 2024) running from 8 December 2023 to 4 March 2024:
https://www.eba.europa.eu/publications-and-media/press-releases/esas-launch-joint-consultation-second-batch-policy-mandates