Group financial institution
Application of DORA and the NIS2 Directive
We advised a financial institution from a corporate group on:
Legal qualification of an entity under the provisions of DORA and the bill to amend the law on the national cyber security system
For our client, a financial institution, we performed a comprehensive analysis of its legal qualification under Regulation (EU) 2022/2554 of the European Parliament and of the Council of December 14, 2022 on digital operational resilience for the financial sector (DORA) and under the Draft Law on Amendments to the Law on the National Cyber Security System and Certain Other Laws (list number: UC32) (Draft UKSC), which aims to implement Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (NIS2 Directive). The analysis took into account the specifics of the institution’s group operations.
Both DORA and the NIS2 Directive are EU acts aimed at strengthening the digital resilience and security of networks and information systems of entities operating in the European Union. DORA is applicable to the enumerated financial entities and third-party providers that provide ICT services to these institutions (ICT TPSPs).
If an entity is a financial entity within the meaning of DORA, the regulation will apply to it, provided that the entity does not benefit from the strict exemptions provided for in the act (e.g., an insurance intermediary meeting the definition of a microenterprise). Separately, DORA provides simplifications for selected categories of financial entities (e.g., for exempt payment institutions – which in Poland includes small payment institutions), or for micro-enterprises. DORA is applicable as of January 17, 2024, and as of that date financial entities within the meaning of DORA are required to ensure compliance of their activities with the regulation.
Work is currently under way on the Draft Law on Amendments to Certain Laws in Connection with Ensuring Operational Digital Resilience of the Financial Sector (list number: UC11), which aims to bring Polish regulations in line with DORA. In particular, it defines the competencies of the Financial Supervision Commission to enforce DORA.
In turn, the NIS2 Directive, followed by the Draft UKSC, makes a distinction between key and important entities, on which it imposes certain obligations.
According to the current version of the Draft UKSC (draft dated April 23, 2024):
1. a key entity is, among others:
1.1. a natural person, a legal person or an unincorporated organizational unit indicated in Annexes No. 1 and No. 2 to the Draft UKSC, which exceeds the requirements for a medium-sized enterprise set forth in Article 2(1) of Annex I to Commission Regulation (EU) No. 651/2014 of 17 June 2014 declaring certain types of aid compatible with the internal market in application of Article 107 and 108 of the Treaty (Regulation 651/2014),
1.2. regardless of the size of the entity:
1.2.1. DNS service provider,
1.2.2. provider of managed services for cyber security,
1.2.3. qualified trust service provider as defined in Article 3(20) of Regulation 910/2014,
1.2.4. registry of top-level domain names (TLDs),
2. an important entity is, among others, a natural person, a legal person or an unincorporated organizational unit indicated in Annex No. 1 or No. 2 to the Draft UKSC, which meets the requirements for a medium-sized enterprise as specified in Regulation 651/2014 and which is not a key entity.
Annex No. 1 to the Draft UKSC indicates, among others, the Digital Infrastructure sector, which is divided into:
1. sub-sector: digital infrastructure excluding electronic communications, to which the following types of entities are assigned:
1.1. Internet traffic exchange point provider.
1.2. DNS service provider, excluding primary name server operators.
1.3. Top-level domain name registry (TLD).
1.4. Cloud service provider.
1.5. Data center service provider.
1.6. Content delivery network provider.
1.7. Trust service provider.
1.8. The National Clearing House S.A.
1.9. Domain name registration service provider.
2. sub-sector: electronic communications, to which the following types of entities are assigned:
2.1. Telecommunications entrepreneur.
2.2. Entity providing interpersonal communication service not using numbers.
Annex No. 1 to the Draft UKSC also indicates, among others, the sector: managed ICT services, to which the following types of entities are assigned:
1. managed service provider.
2. cyber security managed service provider.
In turn, Annex No. 2 to the Draft UKSC indicates, among others, the sector: digital service providers, to which the following types of entities are assigned:
1. provider of an online shopping platform.
2. provider of an online search engine.
3. provider of a social networking services platform.
Separately, the Draft UKSC distinguishes and defines a hardware or software provider. In the current version of the draft, merely holding this status does not cause an entity to qualify as a key or important entity under the Draft UKSC (although in practice it may often also meet the definition of a key or important entity).
The current wording of the Draft UKSC provides for the law to enter into force one month after the date of promulgation. As of that moment, key and important entities will be required to bring their activities into compliance with the law adopted under this draft.
DLK’s advisory included:
- making a legal qualification of a financial institution under the provisions of DORA and the Draft UKSC
- determining whether and in what arrangement a financial institution may meet the definition of a financial entity or ICT TPSP under DORA, or of a key entity, important entity, or hardware or software provider under the Draft UKSC
- analyzing the financial institution’s obligations under its assumed legal status under DORA and the Draft UKSC
Lawyers involved in the project:
Bartosz Wyżykowski, attorney-at-law, partner
Kamil Mosoń, trainee attorney-at-law, lawyer