Who falls under DORA?

Types of entities covered in the financial sector:

• Financial institutions (banks, credit institutions, investment firms, investment funds)
• Insurance institutions (insurers and reinsurers, intermediaries, occupational pension institutions)
• Financial market infrastructure (exchanges, trading venues, CSDs, trade repositories, CCPs)
• Payments and fintech (payment institutions, e-money institutions, account information service providers, crypto-asset firms)
• Other entities (rating agencies, benchmark administrators)
• Technology & ICT providers* (external ICT service providers, data and information providers, crowdfunding service providers)

*In this context, an ICT service provider is a technology company whose services are critical to the stability and continuity of financial institutions under DORA.

Penalties for non-compliance with DORA

Breaches can lead to administrative and financial sanctions. The supervisory authority in Poland (KNF) may:

• hold management personally liable
• order cessation of the breach
• impose fines up to PLN 20,869,500 or 10% of annual revenue
• fine an ICT provider up to 1% of average daily turnover per day
• publish a statement naming the offender and describing the breach
• suspend use of a critical ICT provider
• order partial or full termination of ICT provider contracts

Does your client require DORA compliance?

The financial sector is responsible not only for its own security but also for protecting customer funds and data. Under strong regulatory pressure, institutions increasingly classify their partners as critical ICT providers – even if those partners don't see themselves that way.

For many firms this means meeting stringent cybersecurity requirements and being ready to prove controls are adequate and effective. Otherwise, despite good business relations, they may still be excluded from serving the financial sector.