COMMUNICATION
Krzysztof Dąbrowski, Managing Director of the Security Division at the UKNF, took part in a panel titled ‘Cyber Defence Meets Finance: National Capabilities, Sector Resilience’ during Future Finance Summit 2025.
‘From the perspective of the UKNF, ICT risk management is one of the top priorities for ensuring digital operational resilience of each institution,’ Krzysztof Dąbrowski said.
Why is it so important? Because financial institutions tend to rely more and more on ICT third-party service providers, which increases the exposure to concentration risk and the dependence on third parties.
‘We expect financial entities to pay special attention to fully adapt their practices to the requirements imposed in this respect under DORA. The ICT risk management framework constitutes the foundation for building digital resilience based on that key Regulation,’ Krzysztof Dąbrowski emphasised.
If we look at cyber security incidents observed in the course of supervision activities, it is disruptions originating from third-party providers that affect financial entities the most. This is why ‘we expect financial entities to pay special attention to fully adapt their practices to DORA requirements, including to maintain and update registers of contractual arrangements with ICT third-party service providers,’ Krzysztof Dąbrowski stressed.
Reporting is another important aspect of DORA compliance; therefore, the UKNF will continue close supervision over the quality and timeliness of reporting by financial institutions.
We pay special attention to:
(1) timely and proper reporting of major ICT-related incidents, which allows financial institutions to identify weaknesses and manage ICT risk,
(2) maintaining an updated register of outsourcing arrangements, which directly affects the effectiveness of the management of risk arising from cooperation with ICT service providers.
‘Digital resilience testing is a very important area,’ Krzysztof Dąbrowski noted, ‘including threat-led penetration testing (TLPT). It is a new type of testing, to be implemented next year. It’s quite a challenge for a financial entity, since TLPT is a multi-stage process, strictly regulated and executed on live production systems. For this reason, it requires very careful planning and coordination, both on the part of the financial institution, and on the part of the supervision authority,’ Krzysztof Dąbrowski said.