📢 DORA implementation in Poland: Administrative fines for non-compliance

Following the future granting of new powers to the Polish Financial Supervisory Authority (KNF) in connection with the supervision of the activities of financial entities in meeting digital resilience requirements under the DORA Regulation, the draft act implementing the Regulation also grants the KNF the power to impose administrative penalties. 

When can the KNF impose a penalty in connection with violations of the draft regulations implementing DORA? 🚨

The KNF may impose a penalty mainly when the activities of a financial entity are carried out in violation of the provisions of:

• Chapter II (ICT risk management),

• Chapter III (ICT incident management, classification and reporting),

• Chapter IV (Testing operational digital resilience),

• Chapter V (Management of risks from external ICT service providers),

- of DORA Regulation (with exceptions indicated in the proposed Article 18zf of the Financial Market Supervision Law. 

🚫 What penalties will the draft provisions introduce?

If such violations are found, the KNF may mainly: 

1. order an individual, legal entity or an organizational unit without legal personality to cease the behavior in question and to refrain from such behavior in the future;

2. a person in charge of an enterprise, in particular in a managerial position;

3. impose a fine on a natural person in the amount of up to 3,042,410 PLN or on a legal entity in the amount of up to 20,869,500 PLN or in the amount of 10% of net revenues from sales of goods and services and financial operations; 

4. prohibit a person from serving as a member of the board of directors or supervisory board or other managerial function of the entity, for a period of not less than one month and not more than one year, who is in charge of the enterprise, in particular, serves as a manager or is a member of the management body of the enterprise, and who, in the exercise of his function, at the time of the identified violation of these provisions, allowed by his action or omission to commit the violation; 

5. issue a public statement indicating the name of the natural person or the company or name of the legal entity or an organizational unit without legal personality responsible for the violation, and the nature of the violation.