What legal challenges does artificial intelligence face?

What legal challenges does artificial intelligence face? 🤖 Then we have something for you! The article ‘Legal guide to AI’ prepared by our experts Advocate Mateusz Borkiewicz and Advocate Grzegorz Leśniewski is a real mine of knowledge 🧠 for everyone who wants to better understand the legal side of AI.

What will you find in the article? 📚

  • For geeks: Section 1 is an in-depth legal analysis of AI
  • For semi-geeks: Section 2 provides substantive information in a more accessible format, ideal for those who want to understand more but without diving into too much specialised detail.
  • For practitioners: Sections 3-5 are substantive practical questions and answers – ideal for those looking for specific guidance on how to legally use AI in their day-to-day business.

Why it’s worth reading. 🌍

In an age of rapidly evolving technology, questions about the legality of AI and accountability for its activities are becoming increasingly pressing. This guide not only answers these questions, but also shows you how to navigate effectively to avoid potential pitfalls.

👉 You will learn, among other things:

  • Is it legal to use AI? 🔍
  • Who is responsible for AI mistakes? ⚖️
  • How to create AI legally? 💻
  • How to use AI tools safely in a company? 🛡️

Click and explore AI in a legal context with LBKP! 📲

https://www.legal500.com/firms/239992-lesniewski-borkiewicz-kostka-partners/c-poland/news-and-developments/legal-guide-to-ai-by-lesniewski-borkiewicz-kostka-partners

DORA on the horizon: key changes for the financial sector 🏦

DORA – new standards for cyber security 🔒

In the digital age, when most financial transactions take place online, the security of our data and funds is becoming a priority. We’ve all seen recently – with the example of Microsoft’s operating systems crashing – what happens when one of the more commonly used online services for business, Office 365, is affected. ✈️🚫

Airline connections were cancelled, the London Stock Exchange did not work, and bank customers also reported problems (in Poland, Santander Bank and PKO BP, among others, were affected). Microsoft estimated that up to 8.5 million Windows devices were affected by the incident. The effects of what turned out to be ‘just’ a crash brought part of the world to a halt for a moment. The scale of the disruption to the operations of entities in many industries makes one wonder what might happen when we are dealing not with a crash, but with a successful cyber-attack. 🤔💻

The European Union, recognising the growing risks in the area of digital security for the financial sector and its customers, in December 2023 enacted the Digital Operational Resilience Act (DORA for short), which sets new standards for the cyber-security of financial entities, aiming to ensure their resilience to all ICT-related disruptions and threats. 🌐📜

The new regulations aim to minimise the risks associated not only with cyber attacks, but more broadly with security incidents. By establishing uniform standards and procedures, DORA is expected to contribute to protecting the integrity, security and continuity of financial services in the European Union. 🛡️🇪🇺

The countdown is on ⏳

Financial entities have until 17 January 2025 to comply with DORA. After this date, there will be no leniency – the FSA, during trainings and meetings with the financial sector, warns that it will not wait for latecomers and plans to verify and enforce the implementation of the new obligations from day one. 📅🔍

Importantly, DORA is not a directive (as is the case with another cyber-security-relevant act such as NIS2), but a regulation. This means that it is binding in its entirety on the entities to which it is addressed and is directly applicable in all countries of the European Union, without the need to implement it into local legal orders by means of laws. 📜⚖️

Who is affected by DORA? 🏦💼

DORA primarily – but not exclusively – covers a broad spectrum of financial institutions and digital finance entities. Among others, banks, insurance companies, investment funds, credit institutions, cryptocurrency providers, e-money institutions and other financial services providers are obliged to comply with the new regulations. 💳🏢

In addition, DORA introduces certain obligations for technology providers, including cloud service providers and other ICT service providers. ☁️💻

What does DORA mean for the financial sector? 📊🔒

DORA imposes obligations on financial sector players, requiring financial institutions not only to respond to incidents, but also to take a number of preventive measures, based on the principle that prevention is better than cure. 💡🔧

In practice, this means taking action primarily in the following key areas:

  1. ICT risk management 🖥️⚠️ Financial institutions should develop and implement a comprehensive ICT risk management strategy. This strategy should include identifying, assessing, monitoring and controlling ICT risks to ensure the security and integrity of IT systems.
  2. ICT incident management 🛡️🚨 Classification and reporting of ICT incidents are key to effective security management, according to DORA. Financial institutions will be required to follow clear guidelines for incident classification, which is expected to lead to appropriate tracking, analysis and response. Responsibilities in this area will include, but are not limited to:
       • Creating and implementing uniform incident classification guidelines to categorise incidents by level of severity and type of threat.
       • Regular reporting of incidents to relevant authorities and stakeholders, in accordance with applicable standards and regulations.
       • Conducting root cause analysis of incidents to identify vulnerabilities and implement corrective actions.
  3. Risk management from external ICT service providers 🤝🔍 Financial institutions should define policies for managing cooperation with external ICT service providers. Responsibilities in this area will include, among other things, developing criteria for the evaluation and selection of ICT service providers to ensure that they meet security and compliance requirements, ensuring that contracts entered into with ICT providers comply with the requirements set by DORA, and regularly monitoring and evaluating the performance of providers.
  4. Operational digital resilience testing 🔄🛠️ Responsibilities in this area will include, among other things, the establishment of a comprehensive operational digital resilience testing programme. Financial entities other than micro-enterprises will be required to test all ICT systems and applications at least once a year. For some obliged entities, DORA also provides for an additional obligation to carry out advanced threat-led penetration testing (TLPT) at least every 3 years.

Where there are obligations, there are also sanctions ⚖️💰

Understanding and adapting to the requirements of DORA are essential from the point of view of financial actors, not only for the need to ensure an adequate level of operational digital resilience, but also to avoid serious legal and financial consequences.

DORA implies that the competent authorities (in Poland this will primarily be the FSA) will be granted broad powers to supervise and enforce DORA. They will be entitled to request access to any documents and data they deem relevant in the context of their investigations. Financial institutions must be prepared for possible audits and inspections. Failure to cooperate or provide the requested information may lead to additional sanctions. 🔍📋

In the event of violations of DORA, various administrative sanctions may be applied by the supervisory authorities. These include, inter alia, cease and desist orders for non-compliant activities, the requirement to terminate practices contrary to the regulations and the application of financial sanctions aimed at enforcing compliance. 💼💸

Summary 📊✍️

Of course, a full assessment of the impact of the new regulations will only be possible after some time, but we already dare to hypothesise that DORA is a milestone towards ensuring digital operational resilience in the EU financial sector. With the introduction of new ICT risk management standards and the requirement for a proactive approach to digital security, DORA should not only help protect financial institutions, but also increase customer confidence in financial services. The move is now on the side of the financial sector – achieving the goal of DORA and the associated benefits will only be possible if the implementation of the new regulations is taken seriously. 🔜🔧

NIS 2 – New requirements

The end of 2024 is not only marked by whistleblowers, but also by ‘Cyber Security’. We owe this to the NIS 2 directive and the DORA regulation. Today, a few words about NIS 2.

By 17 October 2024, Poland must implement the EU NIS 2 Directive, which is intended to ensure the resilience of entities important from a public interest perspective to cyber threats. This requires the implementation of appropriate procedures and training, including: risk analysis and IT system security, incident handling, business continuity, crisis management, supply chain security and others.
NIS 2 will cover a number of entities that have not yet been regulated under NIS 1. According to the draft amendments to the National Cyber Security System Act (UKSC), entities that should be particularly interested in NIS 2 include:
✔️ Energy
✔️ Transport
✔️ Banking
✔️ Financial market infrastructure
✔️ Health care
✔️ Drinking water supply and distribution
✔️ Digital infrastructure
✔️ Wastewater
✔️ IT services management
✔️ Public sector
✔️ Space
✔️ Postal and courier services
✔️ Waste management
✔️ Production, manufacturing and distribution of chemicals
✔️ Production, processing and distribution of food
✔️ Production
✔️ Providers of digital services
✔️ Scientific research

The list is long 😊. What’s more, the UKSC draft requires self-identification of entities that meet the criteria and registration in the relevant register.
The UKSC amendment, according to the draft, will come into force within one month of publication. This will not be sufficient time to fully implement the new obligations. Therefore, we are already proposing to audit and implement NIS 2 for our clients, based on the PN-EN ISO/IEC 27001, PN-EN ISO/IEC 22301 standards and market best practices. Once the legislation has been finalised, fine-tuning the procedures will be sufficient.

And you, are you ‘catching on’ to NIS2 and are you NIS-ready?

What must an employer bear in mind when employing minors?

🚨 What does an employer have to bear in mind when employing minors?

On the business portal Puls Biznesu you can already read an article by Justyna Klupa discussing the legal aspects of employing minors. In general, the employment of minors is forbidden unless the exceptions set out in the legislation are met. The first exception concerns the employment of minors on the basis of a vocational training contract. The second allows them to work under an ‘ordinary’ employment contract if they are qualified. In both cases, however, the regulations introduce certain restrictions. 📚

Our labour law expert, legal advisor Paweł Kempa-Dymiński, emphasises in his commentary that, according to the law, a juvenile may be employed in this way only to perform light work and with many other restrictions on the manner in which it is performed.

What are the basic conditions for the employment of juveniles?

This question was answered by our labour law expert, legal counsel Natalia Wojciechowska-Chałupińska, who pointed out in her commentary that the employer should be aware of certain limitations; in practice, he will only be able to employ such juveniles who have completed eight years of primary school and have a medical certificate stating that the work of a given type does not endanger their health. In addition, both conditions must be met together (with some exceptions for juveniles who have not completed primary school, subject to additional conditions specified by law).

Ms Wojciechowska-Chałupińska also explained the rules of employing such persons for the purpose of professional preparation, which are regulated by the Regulation of the Council of Ministers, indicating in the commentary that the preparation may include learning a profession or apprenticeship and may be conducted only by a person with the relevant qualifications, most often the employer, but also another employee of the company, if he or she also has these qualifications.

Enrolment is now open for the postgraduate course ‘Law of new technologies’

🚀 Enrolment for postgraduate studies ‘Law of new technologies’!
Enrolment is now open for the postgraduate course ‘New Technology Law – Serving Business and the Public Sector’ at the Faculty of Law and Administration of the University of Łódź, headed by Dr Marlena Sakowska-Baryła, Prof. UŁ PhD.

We are pleased to announce that our new technology law expert Dr. Wojciech Lamik will be a lecturer on this course!

🌟 Why join?
Imagine being at the forefront of legal professionals serving cutting-edge businesses that use artificial intelligence, e-commerce, digital marketing and electronic services. Or you’re working in the public sector, in IT implementations and e-government, shaping the future of digital government. This degree programme is the ideal opportunity to gain the necessary knowledge and skills!

👩‍🏫 Why are these studies unique?

🔹 Over 200 hours of classes taught by experienced experts – get knowledge from the best in the industry!
🔹 Learn about LegalTech, cyber security and artificial intelligence – stay on top of the latest trends.
🔹 Comprehensive compendium of legal technology support – be ready for the challenges of the future.
🔹 Practical analysis of legal issues and IT implementations – get the skills that are really in demand in the job market.

🎓 Classes exclusively online!

So you can study from anywhere in the world and adapt the learning to your schedule. 🚀

🗓 Recruitment continues until 15 October 2024.

And the group of lecturers is a real showcase for these studies: Marlena Sakowska-Baryła, prof. UŁ dr hab, Zbigniew Okoń, Rafał Prabucki, PhD, Mariola Więckowska, Artur Prasal, Mirosław Gumularz, Ph.D., UŚ Prof. Dariusz Szostek, PhD, Beata Konieczna-Drzewiecka, Marcin Górski, Anna Kruszewska, Jakub Wyczik, Maciej Szmigiero, Arleta Nerka, Jan Wosiura, Kamil Szpyt, Dominika Kuźnicka-Błaszkowska, Milena Wilkowska, Tomasz S, Dr. Piotr Siemieniak, Magdalena Czaplińska, PhD, Damian Karwala, Ph.D., Izabela Kowalczuk-Pakuła, Dominika Prabucka, Agnieszka G., Adrian Kapczyński, CISA, CISM, Ph.D., Mateusz Jakubik, Michał Nowakowski, PhD, Gabriela Bar, Damian Flisak, Tomasz Izydorczyk, Krzysztof Stefański, Magdalena Piech, PhD, Iga Małobęcka-Szwast, LL.M., Mateusz Franke.

More information can be found here: 🔗https://lnkd.in/diPetjum

Premiere of the next episode of the podcast ‘Law and new technologies’

🎙️ Premiere of the next episode of the podcast ‘Law and new technologies’ 🎙️

On 17 July this year, another episode of the OIRP Wrocław Commission for New Technologies and Digital Transformation podcast ‘Law and New Technologies’ was premiered, co-hosted by Dr Wojciech Lamik, an expert in new technologies law at our law firm and chairman of the OIRP Wrocław Commission for New Technologies and Digital Transformation and mec. Łukasz Otfinowski.

The guests of the podcast were mec. Paweł Kempa-Dymiński, senior manager and employment law expert at the law firm of Leśniewski Borkiewicz Kostka & Partners, and mec. Salvador Milczanowski, a specialist in business criminal law and compliance.

The topic of the episode is the protection of whistleblowers.

During the interview, the following issues were raised, among others:

🔹 Who can become a whistleblower under the new law and are there exemptions?
🔹 Employers’ key obligations under the Act and procedures for protecting whistleblowers.
🔹 Ways in which whistleblowers can report wrongdoing and the criteria for selecting them.
🔹 Protection of whistleblowers from retaliation.
🔹 Risk of abuse of whistleblower status and false reporting.
🔹 Legal risks and sanctions for non-compliance with the Act.
🔹 Biggest challenges in implementing whistleblower protection and guidance in this regard.

🔗 We encourage you to learn more about whistleblowers at the following link: https://lnkd.in/djvJUCEB

Other episodes of the podcast can be found here: https://lnkd.in/dnF28bsR

What should the Policy on the use of AI systems contain?

Why does your company need a policy on the use of AI?

Artificial intelligence (AI) systems are becoming an integral part of our daily work. They are increasingly being used to edit texts, generate images, correct code and create handouts, for example for presentations. This technology supports not only the IT, economic, legal or financial industries, but also other fields that are not at first glance related.

Furthermore, in an era of rapid development of artificial intelligence systems technology, it is becoming necessary to use their capabilities for profit and business purposes in order to remain competitive in the market. However, this needs to be done thoughtfully, as the use of AI systems can lead to plagiarism, infringement of intellectual property rights or problems related to data security incidents.

In order to avoid hefty fines and reputational damage, it is essential to implement artificial intelligence responsibly within the company, especially by applying an ‘AI Systems Use Policy’.

What can be gained by implementing such a policy?

  • benefits for the company’s employees and customers (clear procedures result in increased awareness, which translates into reduced time for certain tasks, increased competitiveness and cost optimisation)
  • security of data and company confidentiality
  • support for the company’s mission and values
  • reinforcement of the image of a responsible and innovative organisation

What should an ‘AI systems use policy’ contain?

In this type of document, it is worth noting the following elements in particular:

The objectives of the policy and the company’s mission

Showing the broader context for the introduction of the policy – for what purposes AI systems are to be used and how this can contribute to the development of the company and its employees, in line with the organisation’s values

Addressees

To whom the policy is addressed – whether to all employees, a specific department, etc.

Conditions for allowing AI systems

Any AI system must be released for use in the company according to a specific procedure before it can be used. The policy should include a description of this procedure and a list of authorised systems, plug-ins or overlays (in the form of an annex or by referring to a specific company resource)

Rules for the use of AI systems

A detailed description of which behaviours are safe and which ones generate risks (ways of formulating queries, entering content into the system, approach to the protection of personal data and company secrets)

System outputs

Which system outputs can be used and under what conditions (attention in particular to copyright)

Incidents

A description of actions to be taken in the event of an anomaly being detected in the operation of the AI system.

AI ambassador

It is a good idea to appoint an AI Ambassador within the company to oversee compliance with the policy and to raise awareness of the policy among employees.

Do you need a ‘Policy on the use of AI systems in the company’?

Contact our specialists who can help you create a ‘tailor-made’ document, an implementation strategy and discuss any doubts you may have regarding AI law.

Whistleblowers – how to prepare for the coming changes?

HOW MUCH TIME DO YOU HAVE?

After months of work, the Law on whistleblowers of 14 June 2024 was published in the Official Gazette on 24 June 2024. Most of the provisions of this Act – including those relating to whistleblower protection and internal reporting obligations – will come into force on 25 September 2024. You therefore have less than three months left to prepare for your new obligations!

WHO IS AFFECTED BY THE PROVISIONS OF THE ACT?

The provisions of the Whistleblowers Act will apply to almost all private entities regardless of the forms of employment used.

The level of employment (i.e. the number of employees and co-workers – persons providing work for remuneration on a basis other than the employment relationship, if they do not employ other persons for this type of work) will only be relevant for determining the scope of obligations incumbent on a given entity.

WHO IS A WHISTLEBLOWER?

A whistleblower will be any individual who reports or publicly discloses information about a breach of the law obtained in a work-related context. Therefore, if you use other people’s work on any basis, you may have a whistleblower!

The law directly indicates examples of the roles that a whistleblower can play in your company. It can certainly be: an employee, temporary employee, proxy, shareholder or partner, member of a body (management board or supervisory board), intern, volunteer, trainee. Remember, however, that a whistleblower can also be someone working for your contractor, subcontractor or supplier (e.g. in one of the roles identified above), as well as someone who has ended their relationship with your company or merely participated in the recruitment process for any position in your organisation.

WHAT CAN A WHISTLEBLOWER REPORT BE ABOUT?

Under the Act, whistleblowers can report a violation of the law (an act or omission that is unlawful or intended to circumvent the law) in 17 areas.

In your internal reporting procedure, you may additionally provide for the possibility of reporting violations relating to your internal regulations or ethical standards that have been established pursuant to and remain consistent with generally applicable law.

The most important areas that may be reported on are:

1) corruption;

2) public procurement;

3) financial services, products and markets;

4) anti-money laundering and countering the financing of terrorism;

5) product safety and compliance;

7) environmental protection;

8) public health;

9) consumer protection;

10) protection of privacy and personal data;

11) security of ICT networks and systems;

12) financial interests of the State Treasury of the Republic of Poland, local government unit and the European Union;

13) the EU internal market (inter alia, competition rules and state aid and corporate taxation).

WHAT DOES THE WHISTLEBLOWER STATUS ENTAIL?

A whistleblower is subject to the protection set out in the Act from the moment of filing a notification or public disclosure, provided that the whistleblower had reasonable grounds to believe that the information that was the subject of the notification or public disclosure was true at the time of filing the notification or public disclosure and that it constituted information about an infringement of the law.

For example, if a person providing work for you makes a report and becomes a whistleblower you have a number of obligations, including:

– you must protect the whistleblower’s personal data from disclosure,

– you must not retaliate against them (in simple terms – actions that have a negative impact on the whistleblower’s existing rights/situation),

– you must exercise extra diligence if, for reasons other than the reporting (e.g. lack of demand for work), you want to terminate cooperation with the whistleblower (the onus will be on the company to demonstrate that this is not related to the reporting),

– in case of retaliation – you will be obliged to pay compensation (not less than the average monthly salary in the national economy in the previous year announced by the Central Statistical Office),

– you have limited possibilities of exercising your rights aimed at prosecuting the whistleblower, e.g. to disciplinary liability or liability in the case of defamation, violation of personal rights, copyrights, etc.

The person assisting the whistleblower in making the report is similarly protected.

WHAT IS THE THRESHOLD OF 50 “EMPLOYEES” ABOUT?

Pursuant to the Act, the obligation to deal with internal reporting and to have an internal reporting procedure applies – in principle – to entities for which at least 50 persons perform gainful employment.

This group does not only include employees! When determining the state of employment, we also take into account persons providing paid work on a basis other than an employment relationship, if they do not employ other persons for this type of work (i.e. all so-called ‘self-employed’ – on commission or B2B contracts).

The law describes in detail how to count this employment status and as of what date.

There are important exceptions to the employment threshold rule! A number of entities will be obliged to have an internal notification procedure regardless of the level of employment (and thus already with one employee or contractor)!

We are talking about entities carrying out activities in the fields of financial services, products and markets and anti-money laundering and terrorist financing, transport safety and environmental protection covered by the European Union acts listed in Parts I.B and II of the Annex to Directive 2019/1937.

Who, for example, will be required to have an internal notification procedure regardless of the number of employees? Among others, these are:

– credit providers, including consumer credit, real estate credit, factoring or forfeiting,

– parabanking institutions,

– leasing providers,

– entities distributing insurance,

– entities providing advice to businesses on capital structure, industrial strategy and related issues, as well as advice and services relating to mergers and the acquisition of businesses,

– accountants and accounting firms,

– real estate agents,

– lawyers: solicitors, barristers, notaries,

– currency and cryptocurrency exchange offices,

– all entities accepting payments in cash with a value equal to or greater than EUR 10 000.

Entities employing less than 50 persons and not covered by the exceptions (inter alia, not belonging to the above-mentioned groups), may introduce the internal notification procedure on a voluntary basis. This is worth considering and is recommended by us for the following reasons. Whistleblower status is granted irrespective of the employment status of the legal entity in question – this means that legitimate whistleblowers can make external notifications and public disclosures (and obtain protection therefrom) bypassing the internal notification channel. Its absence may therefore be a direct reason for the whistleblower to use external channels (which may potentially be undesirable for the entity concerned).

A voluntary internal reporting procedure may provide an incentive for the whistleblower to report possible irregularities internally. This gives the legal entity in question a chance to manage a crisis situation resulting from a possible violation more efficiently, also in terms of image.

HOW TO PREPARE FOR THE NEW RESPONSIBILITIES?

Preparation for the new obligations should include the following:

  1. determining whether we are subject to the obligation to introduce an internal reporting procedure (if not – deciding whether we are introducing a voluntary procedure),
  2. identifying the key elements of internal reporting:

– whether we stay with the statutory catalogue of legal violations or expand it to include additional areas,

– what channels and forms will be used to receive reports (including whether anonymous reports are allowed),

– who will accept reports and who will implement follow-up measures (whether this will be done internally or, where possible, outsourced to a specialised entity – e.g. a law firm),

  3. drafting the necessary documents on whistleblowers – list below,
  4. verification and adaptation of the labour law documents already in place in the company (NDAs, confidentiality clauses, termination templates, GDPR documents),
  5. consulting the procedure with employee representatives,
  6. formally introducing the procedure,
  7. training of responsible persons to receive and handle notifications,
  8. training HR/People&Culture departments and managers on the rights of whistleblowers and their impact on recruitment and dismissal procedures for employees/co-workers.

WHAT DOCUMENTS NEED TO BE PREPARED?

Whistleblower documentation is not only an internal reporting procedure! The documents to be developed and implemented will include:

  1. an internal notification procedure,
  2. information for job/co-worker advertisements with information on the whistleblowing procedure (provided at the start of recruitment or pre-contract negotiations),
  3. template for acknowledgement of receipt of an internal application,
  4. template (framework) for feedback to the whistleblower,
  5. authorization and NDA for persons accepting and processing reports,
  6. alternatively, an agreement with the Firm as an external entity involved in the acceptance or recognition of notifications,
  7. register of reports (structure),
  8. separate procedure for investigation and follow-up (recommended).

IF I DO NOT HAVE TO AND DO NOT WANT TO VOLUNTARILY ADOPT THE PROCEDURE, DO I HAVE ANY OBLIGATIONS?

Of course yes! This is because you are still subject to the provisions of the Act. People working for you can still be whistleblowers – they can make external and public reports, or they can, for example, make an internal report at your contractor (if they discover a breach there).

If this is the case, the scope of your preparation for the implementation of the Whistleblower Protection Act should include, at the very least, the verification and adaptation of the company’s existing employment law documents (NDAs, confidentiality clauses, model termination notices, GDPR documents) and the training of HR / managerial staff.

HOW CAN WE HELP YOUR COMPANY?

We assist both in comprehensive implementations (including offering standard implementation packages for obliged entities subject to AML), as well as in selected areas including:

– preparation and implementation of an internal reporting procedure,

– audit of a previously operating whistleblowing procedure (implemented e.g. under good practice, certification or sectoral legislation) – and its adaptation to the requirements of the Whistleblower Protection Act,

– preparation of other required documents,

– a full whistleblowing intake service and handling of internal whistleblowing (to the extent permitted by the Act) or support in the intake and handling of whistleblowing by an internal unit – depending on the model adopted,

– training for HR/People&Culture and managers on whistleblower rights, receipt and handling of reports, follow-up, etc.,

– audit and adaptation of hiring and termination procedures to address risks arising from whistleblower legislation,

– awareness training for employees.

If you have questions, we are happy to answer them!

Figma vs. artificial intelligence

Are you up to date with the latest trends in the technology industry?❗️

Figma recently announced revolutionary features at the ‘Config’ conference that could turn the AI and UX/UI industries upside down in the future. Additionally, they have sparked an intense legal debate about the commercial use of AI-generated creations.

🚀 One of Figma’s latest features is its advanced AI generative tools, which aim to accelerate the design of mobile app and web interfaces by automatically creating design sketches from simple text instructions. UX/UI designers can now design more efficiently, exploring a variety of design concepts faster.

But what are the legal issues surrounding these changes? Here is key information for creative and IT professionals:

➡️ Does Figma train AI on user work? Figma’s AI generative tools have so far relied on third-party databases, rather than files and programme user data, ensuring that your work does not end up in the AI training database, provided you tick the option in the programme settings before 15 August that you do not consent to your work being used to train AI.

➡️ Does AI own the copyright to the generated interfaces? AI does not hold a copyright to its generated creations and its creations are not protected by law. The person using AI does not control the final result of the AI’s work because it is the random result of an algorithm and not the result of his or her own creativity, which means that he or she cannot be considered the author of the generated work, and the result itself is not a work in the legal sense. It is also not subject to legal protection.

➡️ Can you commercially exploit AI-generated interfaces that will later be sold to a customer? Yes, provided that you comply with AI’s licensing terms and that you do not infringe another person’s intellectual property rights.

➡️ Can you modify creations generated by AI? A modified AI creation cannot be considered a ‘dependent work’, as only a human being can be its creator. This issue is not yet completely regulated or resolved by the Polish court, which causes different interpretations. In general, alterations are not covered by copyright protection, just like other AI-generated works.

📚 Interesting topic? Read our articles on AI: https://lnkd.in/duAdCdtA

Contact us if you need support with implementing AI systems or policies in your business. 🤝

Article synopsis: “Chat GPT vs personal data”.

The article ‘Chat GPT vs personal data’ by Wojciech Kostka and Marek Czwojdzinski, published in ODO magazine, discusses in detail the impact of generative artificial intelligence, such as ChatGPT, on the processing of personal data and the challenges and risks involved.

The key issues addressed in the article are:

1. The functioning of ChatGPT:

How ChatGPT works and how it processes user data during interactions.

2. Collection and processing of personal data:

What types of personal data can be collected by ChatGPT.
The ways in which OpenAI processes this data.

3. Compliance with GDPR regulations:

Analysis of the compliance of ChatGPT’s activities with European data protection legislation (GDPR).
OpenAI’s obligations in the context of the GDPR, such as informing users of the processing of their data, consent to data processing and users’ rights to access, rectification and erasure.

4. The data protection measures put in place by OpenAI:

OpenAI’s specific measures to protect personal data, such as anonymisation, minimisation of collected data and the use of advanced security technologies.

5. Challenges and risks:

Potential risks associated with ChatGPT’s data processing, including the risk of privacy breaches, inadvertent collection of sensitive information and use of data in ways that are inconsistent with users’ intentions.
Challenges related to transparency and accountability in the context of the use of generative AI.

6. Actions to minimise risks:

Initiatives and procedures put in place by OpenAI to minimise risks, including audits, compliance testing and collaboration with data protection experts.

 

The article offers an insightful analysis of today’s data protection challenges in the context of rapidly evolving artificial intelligence technology, highlighting the importance of regulatory compliance and the ethical aspects of using such technologies.

 

A link to the article can be found here.
