Access of PL NCA to the data and systems of financial institutions in Polish Act accompanying DORA
A draft law accompanying the DORA regulation is currently being processed in Poland (as of 09.2024) (see the Government Legislation Centre's website, in Polish only).
The draft gives the PL NCA authority to inspect not only data and documents, but also the systems, networks and equipment of financial entities.
The draft introduces the following provision to the Law on Financial Market Supervision:
“Chapter 2c
Supervision of Financial Entities in Ensuring Operational Digital Resilience of the Financial Sector
Article 18za. (1) The Commission may inspect the compliance of activities with the provisions of Regulation 2022/2554 on ensuring operational digital resilience of the financial sector:
[…]
4. In the course of the inspection, the employees referred to in paragraph (3) shall have the right:
[…]
6) to inspect ICT systems and networks, equipment, information and data related to ICT, and data contained in the information system, related to the subject of the inspection, to the extent necessary to carry out and complete the inspection.”
Broadly speaking, DORA and the current Polish sectoral laws grant the PL NCA access to data in the information system. If the draft remains unchanged and becomes law, the PL NCA will have the right to see not only the data, but also the software and hardware. This raises a number of questions. First of all, how will this access be provided technically, and what will the FSC expect in this regard? If the inspection involved the systems and networks of subcontractors (third-party ICT service providers within the meaning of DORA/the Act) providing services to multiple financial entities, it would be difficult or unfeasible to provide access to hardware and software as well, because it may not be possible to limit insight to a single financial entity's resources. However, the current draft of the Polish DORA Act does not include third-party ICT service providers among the entities that the FSC may inspect.
In preparing for DORA, financial entities should take this issue into account and plan for the case in which the PL NCA obtains the authority to also inspect the financial entity's systems, networks and equipment.