Fintech 2025

Last Updated March 25, 2025

Poland

Law and Practice

Author



Lawarton Lugowski Kapica Spolka Komandytowa is headquartered in Warsaw in Poland and excels in providing strategic guidance adjusted to the needs of fintech companies, particularly in blockchain technology, cryptocurrency regulations, payment services, regulatory compliance, investment structuring and financial sector regulation. It is prominent in the fintech industry, offering services to clients navigating the complex business and regulatory landscape. It combines the personalised service of a boutique law firm with the global reach necessary to handle complex, cross-border cases. Its team comprises seven experts, each with unique experience and a fresh perspective on every challenge. Its experts work closely with clients to ensure the highest quality of service. With an in-depth understanding of fintech and blockchain regulations, the firm provides precise and practical advice to a diverse group of clients, ensuring compliance while fostering innovation. It provides services for clients such as Binance Poland, Golem Factory, Liquidity Systems, Oanda TMS Brokers and InPost.

The Evolution of the Fintech Market in Poland in 2024

Over the last 12 months, the Polish fintech market has experienced dynamic growth driven by technological innovation, increasing users and interesting regulatory developments.

The most notable development is the improvement of the e-resident (mObywatel) application, which is part of developing a digital state in Poland. The new version introduced enhancements and features, like verifying identity using smartphones in offices, banks, post offices or with notaries. The list of features also covers driving licences, prescriptions and many other functions that bring the implementation of financial technologies to a wider audience.

The National Clearing House or KIR (a state-owned company) also introduced the first durable medium technology. Its solution combines blockchain and WORM technology in a straightforward way. The use of this technology is now skyrocketing and has been introduced by most Polish banks.

AI

On 12 July 2024, the EU published the Artificial Intelligence Act (the “AI Act”), establishing a regulatory framework for developing and using AI across the EU. The Polish Ministry of Digital Affairs has started working on a bill to align the Polish legal system with the AI Act. The aim is to ensure the safe and ethical use of AI, considering citizens’ rights while supporting technological innovation. The Polish AI Act will also establish a new special authority, the Commission for AI Safety and Innovation.

DORA

The Digital Operational Resilience Act or DORA came into force at the start of this year. It has already affected the financial sector, but financial market participants such as payment institutions, investment firms or crypto-asset service providers (CASPs) are still looking for proper compliance guidelines. DORA sets out various new obligations for all participants, most of whom find it challenging to comply.

MiCAR

The Market in Crypto Assets Regulation or MiCAR, which fully came into force in December 2024, impacts CASPs and crypto-asset issuers. MiCAR introduces a complex authorisation regime for CASPs and strict transparency requirements for crypto-asset issuers. However, the corresponding Polish legislation is still being prepared. Although the draft Polish Cryptoassets Act contains some required regulations, it can still be changed during drafting.

Polish fintech companies operate through various models. Payments are the dominant sector, followed by online currency exchange and alternative lending. Banks also integrate fintech solutions, driving innovation.

Poland’s fintech landscape spans digital payments, alternative lending, wealth management, insurtech, regtech and blockchain-based financial services, making it highly innovative.

Poland’s fintech sector is eminently innovative.

Digital Payments

Fintech firms develop infrastructure for seamless payment processing, mobile transactions and banking services. The sector is dominated by digital wallets, contactless payments and online banking.

Lending and Alternative Financing

Alternative lending platforms provide financing for consumers and SMEs using AI-driven risk assessment and alternative credit scoring. Peer-to-peer (P2P) lending, marketplace lending and buy now, pay later models enhance financial flexibility and reduce dependence on traditional banks.

Wealthtech and Investment Solutions

Wealth management platforms utilise automation, robo-advisors and algorithmic trading to optimise investment strategies. Retail investors gain access to diversified portfolios, fractional investing and alternative assets with lower entry barriers.

Insurtech and Digital Insurance Models

AI and data analytics enhance underwriting, claims processing and risk assessment. Insurance models adapt to consumer needs with personalised, usage-based and on-demand solutions, improving efficiency and customer experience.

Regtech and Compliance Automation

Regtech solutions help financial institutions meet changing legal requirements through automation, machine learning and blockchain verification. These tools streamline AML, KYC and risk management, reducing costs and enhancing compliance.

Blockchain-Based Financial Solutions

Blockchain is increasingly used in transaction security, smart contracts and decentralised finance (DeFi). Digital asset platforms support cross-border transactions, asset tokenisation and transparent record-keeping, reducing reliance on intermediaries.

Poland’s fintech industry operates within a regulatory framework shaped by both national legislation and EU regulations. Key regulatory bodies include the Polish Financial Supervision Authority (Komisja Nadzoru Finansowego or KNF), which oversees banking, lending, insurance and investment activities and the Office of Competition and Consumer Protection (Urzad Ochrony Konkurencji i Konsumentow or UOKiK), which ensures consumer protection in financial services.

A key challenge in Poland remains the balance between EU regulations and local implementation. Additionally, Poland’s implementation of EU directives is often characterised by gold-plating, leading to stricter local requirements compared to minimum EU standards, which can increase compliance burdens for fintech firms.

This is especially true in crypto, where national authorities have yet to fully integrate MiCAR into domestic law. This creates regulatory uncertainty for blockchain-based businesses operating in the country.

The regulatory regime applicable to the fintech industry varies according to particular verticals.

Different compensation models employed by market participants to charge customers depend on their regulatory status, the services they provide and their customer type. Different verticals must also comply with various regulatory requirements, including disclosure obligations. There are two most commonly used compensation models: the commission-based model and the fee-based model.

Generally, regulated participants (eg, banks or payment institutions) are subject to various disclosure regimes. This applies to specific pre-contractual and ongoing information requirements. Obligations are stricter if the service recipient is a consumer. These result from EU consumer protection laws (eg, the Consumer Credit Directive or the Distance Marketing of Consumer Financial Services Directive) which have been implemented into the Polish legal framework.

Traditional financial institutions and fintech companies must comply with financial regulations if their activities are within a regulated scope. However, traditional banks face stricter requirements under Basel III, Solvency II and broader capital and risk rules.

Fintech firms often navigate regulatory uncertainty due to innovative services that may not fit existing frameworks. Polish authorities address this through the Innovation Hub and sandbox environments, offering guidance and supervised testing with reduced compliance burdens.

Some fintech models exploit regulatory gaps to avoid licensing, particularly in crypto, DeFi and alternative payments. While fostering innovation, this raises consumer protection and financial stability concerns. Regulators are assessing these models, with potential future legislation expanding oversight.

In 2019, KNF developed an Innovation Hub Programme to allow fintech companies to test new solutions in a controlled environment, ensuring compliance with legal standards while fostering innovation. The aim was to promote the introduction of innovative technologies into the Polish financial market and test them in a safe environment. Another aim of the Programme was to improve communication with legacy players and fintech companies.

Poland’s Innovation Hub does not provide exemptions from financial regulations but offers regulatory guidance and support for fintech firms navigating compliance requirements instead. Eligible participants include start-ups, financial institutions and technology providers developing innovative solutions. Applicants must demonstrate that their solutions involve a high degree of innovation and have potential benefits for the financial sector.

A key advantage of the Programme is enhanced communication between fintechs, legacy financial institutions and regulators, allowing for a more flexible regulatory approach while maintaining market stability. Although Poland has not yet introduced a full-scale sandbox that grants temporary regulatory relief, the Innovation Hub serves as a stepping stone toward a more structured fintech-friendly regulatory framework.

KNF is the primary financial regulator, overseeing banks, payment operators, investment firms, AML and CFT compliance. Under the proposed Cryptoassets Act, it will also supervise the crypto-asset market.

The General Inspector of Financial Information (the “GIIF”), operating under the Ministry of Finance, enforces AML/CFT regulations, monitors transactions and co-operates with law enforcement to combat financial crime.

Other key regulators include UOKiK, which ensures fair competition and consumer protection and the National Bank of Poland (the “NBP”), which is responsible for monetary policy and financial stability.

The Ministry of Finance oversees financial legislation and tax policy.

Polish regulators collaborate with EU bodies like the ECB, the EBA, the ESMA and the EIOPA, which oversee major financial institutions and ensure market stability.

KNF does not issue formal “no-action” letters. However, market participants can seek regulatory guidance on the compliance of their planned activities by asking for a written opinion from the regulator. While these opinions are not legally binding, they help reduce regulatory risk by clarifying supervisory expectations.

Unlike “no-action” letters in other jurisdictions, these opinions do not guarantee immunity from enforcement actions, as the regulator retains discretion to intervene if needed. However, this approach supports innovation while ensuring regulatory compliance.

Additionally, the regulator provides informal guidelines to market participants. These so-called “soft laws” provide essential insights into whether a particular activity aligns with regulatory requirements. The participants may expect that fulfilling those guidelines will not result in any negative actions from the regulator.

Outsourcing regulated functions to external service providers is permitted but subject to strict requirements, which vary depending on the nature of the outsourced activity (eg, investment or payment services).

Several general principles apply across nearly all regulated financial services. These principles primarily derive from the Act on Supervision on Securities Market, PSD2 and DORA, as well as EU-level outsourcing guidelines, including the EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02), the ESMA Guidelines on outsourcing to cloud service providers (ESMA50-157-2403) and related domestic laws.

Regulated entities must consider and address all the risks associated with outsourcing arrangements before proceeding. This requires thorough due diligence on potential service providers to ensure they possess the appropriate skills, experience and resources to perform the outsourced services effectively.

Furthermore, regulated entities must have a written outsourcing policy in place and ensure that outsourcing arrangements do not compromise their ability to fulfill legal obligations or hinder the competent authority’s ability to supervise them. Significantly, outsourcing does not relieve the regulated entity of responsibility to clients or third parties to deliver regulated services.

Additionally, a written outsourcing agreement must be established between the regulated entity and the service provider, including specific mandatory provisions covering aspects such as data protection, security, the right of the regulated entity and KNF to monitor and audit the outsourcing provider and termination rights. Stricter requirements apply when outsourcing critical functions like risk management, ICT or AML.

While outsourcing to a regulated entity is not always required, it is often preferable as such providers are already subject to supervisory controls, reducing compliance risks.

Fintech providers are considered “gatekeepers” in certain regulatory areas, particularly under AML/CFT legislation. They are required to conduct customer due diligence (KYC), monitor transactions and report suspicious activities to the relevant authorities. These obligations help ensure the legality, security and integrity of financial activities on fintech platforms.

Additionally, depending on their business model, some fintech companies may have broader consumer protection and market integrity responsibilities, such as preventing fraud or unauthorised financial activities. The Digital Markets Act introduces further obligations for large fintech platforms that could be designated as “gatekeepers” under EU law, potentially subjecting them to stricter compliance and operational transparency requirements.

While fintech providers have significant compliance responsibilities, their liability for user activities depends on the nature of their services and whether they actively facilitate or merely provide access to financial transactions.

National supervisory authorities enforce regulations in the fintech sector to ensure market integrity and consumer protection. The most severe measure is licence revocation or suspension, which can be imposed for serious violations of regulatory requirements. Regulators also impose penalties and fines on non-compliant fintech firms, serving as a deterrent against breaches of financial regulations. Additionally, supervisory authorities can mandate corrective measures, such as improving internal controls, enhancing security protocols or modifying business practices to align with regulatory standards.

For example, in a recent case, the largest online currency exchange group in Poland had its payment institution licence revoked by the regulator due to non-compliance with supervisory requirements. This decision forced the company to cease certain operations, leading to severe financial difficulties and a real threat of insolvency.

Polish regulators focus heavily on AML/CFT procedures, increasing penalties where AML regulations are not properly implemented and handled. One of the fines for AML non-compliance reached approximately PLN22 million (approximately EUR5.2 million) in 2022.

Market observers conclude that obtaining licences from local regulators is consistently becoming more complex, time-consuming and labour-intensive.

Data Protection

The GDPR requires fintechs to apply privacy by design principles to minimise the amount of data processed and properly handle consumers’ personal data. In addition, some industry participants may soon be subject to the newly adopted Data Act, which focuses on data sharing and compensation and will apply for the most part from September 2025.

Cybersecurity

Cybersecurity regulations, such as the NIS2 Directive and DORA, add further complexity. These laws mandate robust cybersecurity measures, operational resilience and incident reporting requirements for financial entities. Fintechs must demonstrate their ability to withstand and recover from ICT-related disruptions and manage third-party risks, particularly when relying on cloud providers.

This poses a challenge for fintechs, which must prioritise agile development and third-party technologies, which are harder to control. Legacy players, by contrast, often have larger budgets, dedicated compliance teams and established security infrastructures, giving them an advantage in meeting these requirements.

Crypto-Assets Regulation

MiCAR recently came into force in Poland to regulate the crypto-assets market. See 10 Blockchain.

Social Media

The Digital Services Act establishes rules for online platforms, including social media, to prevent the spread of illegal content and ensure transparency in advertising. Fintechs must disclose sponsored content and advertising practices, moderate user-generated content and avoid misleading or harmful information. Fintechs relying heavily on social media marketing face additional compliance costs related to content moderation and transparency. In contrast, traditional banks and financial institutions tend to adopt more conservative marketing practices. They are less reliant on social media, which reduces their exposure to Digital Services Act-related compliance risks.

Consumer Protection

Polish consumer protection legislation, such as the Consumer Credit Act or the Competition and Consumer Protection Act, is also relevant for fintech industry participants who target consumers.

Most fintech companies or regulated operations must provide financial statements reviewed by qualified external auditing firms. Additionally, other entities like banks, payment institutions or investment firms must prepare special risk management plans, conduct regular due diligence and carry out internal audits.

Most banks, payment institutions and investment firms must develop risk management frameworks, conduct due diligence and perform internal audits to identify financial and operational risks.

While audits and risk controls are legally required, many fintechs adopt stricter cybersecurity, fraud detection and compliance monitoring standards, especially for cross-border operations.

Regulatory oversight of the fintech sector is primarily conducted by state supervisory authorities, with internal audits within regulated entities playing a key role in ensuring risk management and regulatory adherence. The involvement of non-state external organisations, such as industry associations or self-regulatory bodies, remains minimal in the fintech sector. Formal state supervision and internal governance structures within regulated firms largely shape Poland’s fintech landscape.

Operating regulated and unregulated activities in parallel is generally permitted, provided all legal and regulatory requirements are met. Supervisory authorities accept this model, provided that the unregulated activity does not compromise the regulated business’s integrity, stability or compliance. Firms must ensure clear governance structures, risk management frameworks and regulatory separation where necessary to prevent conflicts and maintain compliance.

The obligation to comply with AML/CFT regulations does not depend on whether a fintech company is regulated or unregulated. Regulatory classification is determined by other legal frameworks, while AML obligations arise from the nature of the activities performed rather than the regulatory status of the entity.

AML and sanctions rules heavily impact fintech companies, requiring them to implement strict customer due diligence, transaction monitoring and reporting mechanisms. Strict compliance measures increase operational costs, requiring investment in compliance teams and automated monitoring systems. Fintech firms must also adapt to evolving regulatory requirements, including expanding lists of sanctioned entities and changes in risk assessment methodologies.

Poland follows the AML and CFT standards set by the Financial Action Task Force (FATF). Polish AML legislation is aligned with FATF recommendations and shaped by EU directives, ensuring compliance with international best practices.

Additionally, Poland is subject to Moneyval evaluations, a Council of Europe mechanism that assesses AML/CFT measures in certain European jurisdictions. Recent evaluations indicate that Poland is progressively strengthening its AML framework, incorporating FATF recommendations to enhance financial security and tackle illicit financial activities.

It is possible to provide regulated fintech products or services from another jurisdiction on a reverse solicitation basis, but only under narrow and strictly defined conditions. In essence, domestic regulatory licensing requirements may not be triggered if a Polish client independently initiates contact for a specific service and the provider has not engaged in any marketing or other solicitations targeting Poland.

However, the relationship must be solely initiated by the Polish client. The fintech company must be able to document and prove that the client contacted them of their own accord, without any prior proactive outreach by the provider. The precise application of reverse solicitation can vary depending on the type of fintech product or service, such as those falling under MiFID II regulations for investment services or other specific regimes (for instance, payment services or crypto-related activities).

Although regulations on reverse solicitation are relatively clear, market practice shows that many foreign entities violate these requirements, operating in ways that contradict regulatory restrictions. This is not just a challenge in Poland but across the whole of the EU, where enforcement remains difficult.

Ensuring compliance is particularly complex due to the digital nature of service offerings, allowing firms to reach Polish clients without a local presence or licence. While EU and Polish regulators actively work to enforce reverse solicitation rules, this remains a high-risk area for regulatory breaches and supervisory challenges.

Fintech companies utilising robo-advisers must adapt their business models based on the asset class they support. Traditional financial instruments, such as stocks and bonds, fall under MiFID II regulations, requiring strict risk profiling and investor suitability checks. Security tokens, classified as financial instruments, impose additional licensing and transparency obligations. Cryptocurrencies and utility tokens, regulated under MiCAR, require compliance with AML/CFT rules and enhanced risk disclosures.

Integrating digital assets into robo-advisory services presents challenges such as price volatility, liquidity management and secure custody, requiring fintechs to align their models with evolving regulations.

Legacy financial institutions are integrating robo-advisory solutions through hybrid models, where AI-driven recommendations complement human advisors. Many are launching in-house robo-advisors or partnering with fintechs for automated portfolio management and AI-driven customer engagement.

Best execution ensures trades occur under the most favourable conditions, considering price, speed, costs and market factors.

A major challenge is order routing transparency, requiring robo-advisors to avoid conflicts of interest and ensure client-focused execution. Liquidity fragmentation across exchanges can lead to price discrepancies, complicating best execution.

Market impact and slippage can affect execution quality, especially in volatile or illiquid markets. Robo-advisors must optimise execution algorithms to minimise delays and adapt to market shifts. Compliance with MiFID II regulations requires transparent execution policies, monitoring and reporting to ensure regulatory adherence.

Poland’s commercial lending regulation varies significantly depending on the type of borrower.

Consumers and SMEs

Consumer lending is subject to strict regulations to protect individual borrowers from abusive and unfair practices. The primary legal framework governing these loans is the Consumer Credit Act, which mandates transparency in loan agreements, ensuring consumers receive clear and comprehensive information before signing any contract. This includes pre-contractual disclosures, standardised contract requirements and cost limitations such as interest rates and fees. Additionally, consumer protection laws impose restrictions on collateral, preventing lenders from demanding excessive or disproportionate security, particularly in personal loans. These measures ensure that consumers are not exposed to excessive financial risk when obtaining credit.

SMEs run by natural persons may also be considered consumers under consumer legislation. If the lease is not a part of the central business activity of the enterprise, the trader falls under the consumer category. However, if an SME does not qualify for consumer protection, the lending relationship is treated as B2B, and the regulatory framework for commercial lending (B2B) applies.

Commercial Lending (B2B)

In contrast, commercial lending operates under a more flexible regulatory framework. Unlike consumer loans, B2B lending allows larger companies and lenders to negotiate terms more freely, as commercial entities are generally expected to have more significant financial expertise and bargaining power. Despite this flexibility, lenders must still comply with applicable financial laws, particularly regarding contractual fairness, transparency and enforcement of obligations. Unlike consumer loans, commercial loans have fewer restrictions on collateral requirements, allowing lenders to secure financing through a broader range of assets.

The underwriting process varies based on loan type (consumer, SME or commercial) and follows regulatory requirements.

KYC Protocols

The underwriting process typically begins with identity verification and fraud prevention. Online lenders employ electronic identity verification systems, multifactor authentication and KYC protocols to confirm a borrower’s identity.

AML/CFT

AML and CFT laws require robust monitoring and reporting mechanisms to detect suspicious financial activities.

Creditworthiness Assessment

Poland has a centralised credit system, including BIK (Credit Bureau) and BIGs (Economic Information Bureaus). BIK compiles credit data from financial institutions, while BIGs track negative credit histories from utilities and telecom providers. Lenders rely on both sources to assess risk.

Consumer Lending

As outlined in 4.1 Differences in the Business or Regulation of Fiat Currency Loans Provided to Different Entities, consumer lending is subject to stricter underwriting requirements. Lenders must provide detailed pre-contractual disclosures, ensure loan affordability assessments and comply with interest rate caps and fee limitations. These measures are designed to protect individual borrowers from excessive debt burdens.

Commercial Lending (B2B)

For business loans, the underwriting process is more flexible and allows for negotiation of terms between the lender and borrower. While large enterprises may be assessed based on financial statements, cash flow projections and collateral, SMEs are often subject to hybrid models that blend consumer and business lending criteria.

Online lenders finance their loan portfolios through several key sources, including P2P lending, lender-raised capital, deposit-taking and securitisation. Each funding method has distinct legal and regulatory considerations shaping these entities’ operations.

P2P Lending

P2P lending platforms facilitate direct lending between individual investors and borrowers and are regulated under the European Crowdfunding Service Providers Regulation (the “ECSP Regulation”). These platforms must comply with investor protection rules, risk transparency requirements and AML/CFT regulations. However, P2P lenders cannot accept deposits or offer deposit insurance, making clear risk disclosure essential to maintaining investor confidence.

Lender-Raised Capital

Many online lenders finance their operations through venture capital, private equity or institutional funding. Securities laws regulate this model, requiring full compliance with Polish and EU financial regulations, including disclosure obligations and transparency standards. If funds are raised through bond issuance or share offerings, additional capital market regulations apply, requiring oversight by financial regulators.

Deposit-Taking

Only licensed financial institutions, such as banks and certain regulated credit institutions, can legally accept deposits from the public. Deposit-taking lenders are subject to strict regulatory oversight, including compliance with capital adequacy requirements, consumer protection laws and deposit guarantee schemes. Online lenders without a banking licence cannot accept deposits, limiting their funding options.

Securitisation

Some lenders package their loan portfolios into securitised financial instruments that are sold to institutional investors or asset-backed securities (ABS) markets. Securitisation must comply with the EU Securitisation Regulation, ensuring risk retention, investor disclosures and transparency in structured finance transactions. While securitisation allows lenders to expand their loan capacity, it requires strict risk management and reporting mechanisms.

Loan syndication is legally permissible and is primarily used for large corporate or infrastructure loans. It allows multiple lenders to share risk and expand lending capacity, typically involving major banks rather than fintech lenders or online platforms.

Although syndication occurs, it remains relatively uncommon in the Polish market, where bilateral lending structures and direct institutional financing are more prevalent.

The process is regulated by the Polish Civil Code and the Banking Law Act, ensuring contractual transparency and a structured framework for multi-lender agreements.

General

Payment processors are free to use existing payment rails or develop new ones, provided they comply with financial regulations. Any new payment infrastructure must receive authorisation from KNF to ensure compliance with PSD2, AML and CFT requirements.

While integrating with established payment systems is often more efficient and widely accepted, innovative solutions such as blockchain-based payment systems or alternative clearing mechanisms can be introduced, provided they meet regulatory standards and obtain the necessary approvals.

BLIK

BLIK is a notable example of a locally developed payment rail in Poland. It is a domestic mobile payment system that transforms cashless transactions, operating independently of global payment networks (legacy card systems operators). It provides an alternative infrastructure for real-time digital payments and offers seamless integration with the Polish banking system.

BLIK supports in-store and e-commerce payments, where customers authenticate transactions using a one-time code. It also allows ATM withdrawals and cash deposits without a physical card. Users can make P2P transfers using just a phone number and process instant bank transfers between accounts. The system enables recurring payments for subscriptions, bills and transactions via QR codes, facilitating seamless integration with online and offline merchants. It recently introduced a contactless payment feature using NFC technology, enabling mobile payments without a traditional payment card.

BLIK functions exclusively within Poland. Since its launch, it has become one of the country’s most widely used payment methods, surpassing card transactions in mobile banking apps. While currently limited to the domestic market, discussions about its potential expansion to other European countries or integration with international payment networks are ongoing.

National and EU financial laws regulate Poland’s cross-border payments and remittances. Since Poland is a part of the Single Euro Payments Area (SEPA), the SEPA Regulation also applies. This Regulation allows relevant cross-border cashless payments in euros to be made similarly to domestic ones. The SEPA Regulation applies to all payments across the EU and several non-EU countries.

Strict AML measures require customer due diligence and the use of KYC protocols.

The execution and settlement of cross-border payments do not raise significant regulatory concerns, as the existing framework remains stable and well-defined. The primary focus of regulatory oversight is on AML and CFT compliance, ensuring transparency, risk mitigation and the prevention of illicit financial activities.

Poland’s fintech market allows various types of marketplaces and trading platforms, each subject to specific regulatory frameworks.

Traditional Stock Exchanges

Traditional stock exchanges, such as the Warsaw Stock Exchange (the “WSE”), operate under the supervision of KNF and must comply with MiFID II regulations and the Act on Trading in Financial Instruments, ensuring transparency, investor protection and fair market practices.

In addition to the main stock exchange, Poland has NewConnect, an alternative trading system designed for small and medium-sized enterprises seeking capital with fewer regulatory requirements than the WSE’s main market. Meanwhile, Catalyst serves as Poland’s regulated market for corporate and municipal bonds, facilitating both retail and wholesale bond trading while ensuring compliance with MiFID II regulations and national securities laws.

Cryptocurrency Exchanges

See 10 Blockchain.

Forex and CFD Trading/Platforms

Forex and CFD trading platforms operate under MiFID II regulations, offering leveraged financial instruments such as contracts for difference (CFDs) and currency trading (Forex). These platforms must be licensed by KNF or another EU regulator under the passporting regime. Many retail trading platforms in this segment operate under foreign licences, although they remain subject to Polish consumer protection and financial market regulations.

Crowdfunding Platforms

Crowdfunding platforms, while facilitating investments, differ from traditional trading platforms as they do not provide active secondary market trading. They operate under the European Crowdfunding Service Providers Regulation and allow investors to participate in equity crowdfunding (acquiring shares in start-ups and SMEs) or debt/lending crowdfunding (financing businesses through loans). Unlike stock exchanges, these platforms lack liquidity and secondary market mechanisms, meaning investors hold assets until a liquidity event, such as an acquisition or buyback.

Others

Other trading platforms, such as multilateral trading facilities (MTFs) and organised trading facilities (OTFs), are also permitted. They operate under MiFID II regulations and require appropriate licensing and compliance with the best execution and market integrity standards.

The regulatory frameworks for traditional securities and crypto-assets differ significantly, reflecting the distinct nature of these financial instruments.

Traditional Securities

Traditional securities, such as stocks and bonds, are primarily governed by the Polish Act on Trading in Financial Instruments. This Act aligns with MiFID II regulations, ensuring standardised regulation across EU member states. KNF oversees activities related to these financial instruments, enforcing compliance with established financial market laws.

Crypto-Assets

Crypto-assets were not regulated until recently: at the start of this year, the EU’s MiCAR came fully into force. This Regulation establishes a comprehensive EU-wide framework for crypto-assets and related services. MiCAR separates crypto-assets into three classes: asset-referenced tokens, e-money tokens and other tokens (including utility tokens).

Poland has yet to prepare national implementation of the Cryptoassets Act.

See 10 Blockchain.

The emergence of cryptocurrency exchanges, both centralised and decentralised, has led to significant regulatory developments in Poland and the EU more broadly.

As mentioned in 6.2 Regulation of Different Asset Classes, the EU introduced MiCAR to regulate emerging cryptocurrency exchanges, both centralised and decentralised. However, Poland is still working on the legislation to implement national rules and procedures.

See 10 Blockchain.

Listing standards for shares, bonds and crypto-assets differ significantly. Listing financial instruments on trading venues is highly regulated, mainly by the Act on Public Offering, Conditions Governing the Introduction of Financial Instruments to Organised Trading and on Public Companies, the Act on Trading in Financial Instruments and the Act on Supervision on Securities Market.

Polish legislation requires trading venue operators to have transparent rules for trading, admission of financial instruments to trading and access to the trading venue. The criteria used on their systems must be objective. Furthermore, the trading rules must ensure fair and orderly trading.

While traditional financial instruments are subject to well-established regulatory frameworks, crypto-assets are governed under the EU’s MiCAR, which introduces a new set of listing requirements. As Poland has yet to finalise the national implementation of MiCAR, crypto-asset listing standards remain in transition, with further details expected upon full regulatory adoption.

Order handling rules apply to regulated financial markets, including securities and derivatives trading under MiFID II regulations. These rules ensure execution at the best terms, transparency and fair client treatment. Brokers must prioritise price, speed and cost while avoiding conflicts of interest.

KNF also sets specific order-handling rules for regulated markets, MTFs and OTFs.

P2P trading platforms are growing but remain smaller than traditional exchanges. They are mainly used by individual traders and offer privacy and diverse payment methods but have lower liquidity.

P2P trading reduces intermediaries, prompting fintechs to adopt hybrid models. Regulators face AML/CFT and investor protection challenges, as many P2P platforms lack KYC oversight, increasing risks. While P2P crypto trading influenced DeFi regulations, its market impact remains limited. As regulations evolve, its remit may expand.

Payment for order flow (PFOF) is restricted under MiFID II regulations, as it conflicts with best execution principles. Recent amendments introduce a complete phase-out by 30 June 2026.

PFOF has never been widely adopted in Poland, as KNF strictly enforces best execution rules. Polish brokers generally avoid PFOF, meaning the 2026 ban will have little impact on the domestic market.

Market integrity and market abuse regulations fall under the European Market Abuse Regulation (the “MAR”), which is enforced alongside the Act on Trading in Financial Instruments and the Penal Code. KNF oversees compliance and sanctions.

Prohibited practices include insider trading and market manipulation, such as inflating volumes or spreading misleading price signals. UOKiK also monitors abuses affecting retail investors.

The Regulation ensures fair competition, investor protection and market stability. KNF actively supervises trading and issues public warnings about suspected market abuse.

High-frequency (HFT) and algorithmic trading are regulated under MiFID II regulations, requiring firms to register with KNF and meet market-making obligations for transparent trading.

Firms must implement risk controls, trading thresholds and continuity plans to ensure compliance. Trading venues must provide fair access and monitor market abuses linked to HFT strategies.

Regulations apply across equities, bonds and derivatives, although risk controls vary by market structure and liquidity, with bond markets requiring different safeguards than equities.

Under the Act on Trading in Financial Instruments, investment firms acting as market makers must obtain a broker licence from KNF. Their role is to provide continuous liquidity by regularly offering buy and sell prices at competitive levels on one or more trading venues.

Market makers must comply with best execution principles, risk management requirements and transparency obligations. They are also subject to transaction reporting and state supervision to prevent market manipulation. Failure to meet market-making obligations can result in regulatory sanctions, including fines or loss of licence.

Under MiFID II regulations, algorithmic trading regulations apply uniformly to investment firms, regardless of whether they are dealers or investment funds. Both must implement risk controls to prevent disorderly trading.

However, dealers and funds may operate under different regimes. Dealers trade on their own account, often as market makers, and usually require an investment firm licence. Investment funds manage client assets under UCITS or AIFMD, focusing on portfolio management rather than liquidity provision.

Despite structural differences, regulations focus on trading activities rather than entity type, ensuring market integrity across both models.

Regulations focus on firms, not individual programmers, developing trading algorithms. However, investment firms, particularly those engaged in HFT and algorithmic trading, must ensure compliance with MiFID II regulations and DORA, even when outsourcing software development.

Firms remain liable for the risk controls, security and compliance of their trading systems. While not directly regulated, programmers may face scrutiny if their algorithms facilitate market manipulation or system failures. Additionally, firms must assess service providers’ reliability and ensure adherence to regulatory and cybersecurity standards.

Insurtech companies mostly follow the same regulations as traditional insurers, operating under the Insurance and Reinsurance Activity Act and KNF supervision, with Solvency II ensuring capital adequacy and risk management.

Insurers must act in the customer’s best interest, comply with pre-contractual and contractual obligations and maintain transparent underwriting standards. Online underwriting for consumer insurance requires clear disclosures, explicit consent and strict compliance with consumer protection laws.

This framework allows insurtech firms to innovate, but within strict regulatory boundaries, ensuring fairness and risk transparency in underwriting.

All insurers operate under the Insurance and Reinsurance Activity Act, supervised by KNF. Life insurance requires stricter capital reserves and consumer protections, while property and casualty insurance follow different risk models. Solvency II and the Insurance Distribution Directive further differentiate capital requirements and distribution rules across insurance types.

Regtech providers are not directly regulated unless they engage in regulated financial activities such as AML monitoring or regulatory reporting. In these cases, they may require licensing or registration. Financial institutions using regtech solutions must comply with regulated outsourcing laws, which impose strict oversight on third-party providers (TPPs) handling critical functions. Firms remain fully responsible for compliance, ensuring service providers meet regulatory and operational standards.

DORA further strengthens cybersecurity and resilience requirements for ICT providers working with financial institutions. Outsourcing agreements must meet detailed legal requirements, covering audit rights, risk management, reporting obligations and termination conditions. These contractual terms ensure that financial firms maintain control over outsourced services, linking directly to performance and accuracy requirements.

Regulated outsourcing agreements in financial services must include detailed contractual provisions to ensure compliance, security and service reliability. Contracts define service levels, regulatory obligations and liability for breaches. Financial institutions must ensure that outsourced services meet legal requirements under MiFID II regulations, PSD2 and national financial laws.

DORA sets overarching cybersecurity and resilience requirements, but outsourcing regulations dictate specific contractual obligations. These requirements make compliance legally binding rather than a matter of market practice. Financial firms impose strict controls on regtech providers to mitigate risks and maintain regulatory oversight.

Traditional financial institutions in Poland are increasingly exploring blockchain to enhance security, efficiency and transparency. Many banks are testing blockchain-based solutions for digital documentation, compliance and settlement processes. The tokenisation of assets is gaining traction, allowing for fractional ownership and improved liquidity in capital markets.

A notable blockchain-based initiative is the durable medium technology developed by the KIR. This system integrates blockchain and WORM solutions to ensure secure and immutable storage of documents in online banking. Many banks and financial institutions have adopted this system to meet regulatory requirements.

Several legacy financial players are also members of the Blockchain and New Technologies Chamber, a non-governmental organisation supporting the adoption of blockchain. Meanwhile, the NBP is analysing blockchain’s potential in central bank digital currencies (CBDC).

Polish legislation is still adapting to MiCAR, with KNF set to oversee the crypto-asset market. A unified regulatory approach could strengthen blockchain adoption in the financial industry, fostering greater integration of DLT and compliance standards.

Polish regulators are actively shaping the legal framework for blockchain and cryptocurrency, with KNF preparing to oversee the crypto-assets market under MiCAR. However, Poland has not yet passed a national law implementing MiCAR, meaning that no entity currently holds CASP status in Poland and no one has been able to apply for a CASP licence either.

Work on implementing MiCAR is still ongoing and the proposed bill includes a complete ban on staking and crypto lending, although this provision is still being debated by the industry.

KNF supports blockchain-based innovation through its Innovation Hub, helping fintechs navigate compliance challenges. However, it does not function as a regulatory sandbox, meaning companies must still adhere to existing financial laws.

The NBP remains highly sceptical of cryptocurrencies, frequently warning about their volatility and speculative nature. Meanwhile, KNF’s 2020 guidelines on crypto-asset trading continue to emphasise high investment risks and the need for investor caution.

In Poland, the classification of blockchain assets follows MiCAR, which directly defines three classes of tokens: e-money tokens, asset-referenced tokens and other tokens (including utility tokens). Since MiCAR is directly applicable across the EU, Poland has not introduced additional classification rules.

Before MiCAR, there were no specific Polish regulations defining blockchain asset classifications and crypto-assets were generally assessed under existing financial and consumer protection laws. To date, there are no comprehensive official statements from Polish regulators regarding how tokens should be classified beyond the MiCAR framework.

In terms of security v non-security classification, Poland applies EU-wide regulations without national modifications, relying on MiFID II and ESMA guidelines.

Due to the limited number of token issuances in Poland before MiCAR, there is no well-established regulatory practice in this area. As a result, assessments are made on a case-by-case basis.

Under MiCAR, “issuers” of crypto-assets must publish a white paper outlining key details about the asset, issuer and risks. It must be submitted to KNF, although formal approval is only required for asset-referenced tokens and e-money tokens, which also face additional capital and governance requirements.

In Poland, regulations for “issuers” derive directly from MiCAR, with no significant national modifications. KNF will oversee compliance, but no issuer has been able to submit a white paper yet, as Poland has not passed the MiCAR implementation law.

Non-compliance with MiCAR can result in severe administrative sanctions, including fines, operational bans and restrictions on business activities. Additionally, CASPs such as exchanges and wallet providers must obtain authorisation and comply with AML/CFT regulations.

Under MiCAR, blockchain asset trading platforms are classified as CASPs and must obtain authorisation. They must comply with AML/CFT regulations, security standards and transparency requirements.

Cryptocurrency exchanges fall under MiCAR, requiring CASP registration and adherence to AML, transparency and consumer protection rules. However, Poland has not yet implemented MiCAR, meaning that no entity currently holds CASP status and no one has been able to apply for a CASP licence.

Poland follows MiCAR without significant national modifications. The upcoming Cryptoassets Act focuses on CASP registration rather than adding new obligations for trading platforms.

Secondary market trading, including intermediaries and P2P transactions, is subject to MiCAR. While P2P transactions remain decentralised, high-volume traders may need to register and comply with financial rules. KNF will oversee compliance, enforce regulations and impose sanctions to maintain market integrity.

Under MiCAR, EU member states have the authority to regulate staking services at the national level (Recital 94). Poland’s draft Cryptoassets Act proposes significant restrictions on staking, although the exact scope remains legally uncertain.

The wording of the draft law suggests that staking services provided by CASPs will generally be prohibited, with limited exceptions arising from the diversity of staking models.

The proposed ban has faced criticism from the market, with industry representatives arguing that MiCAR allows for regulation rather than prohibition. The legislative process is still ongoing, meaning that the final version of the law could maintain the ban, modify its scope or abandon it entirely.

Under MiCAR, EU member states have the authority to regulate crypto lending at the national level (Recital 94). Poland’s draft Cryptoassets Act explicitly bans crypto lending, making it one of the strictest regulatory approaches in the EU.

The prohibition is clearly stated in the draft law, leaving no room for interpretation.

The ban applies specifically to CASPs, meaning that regulated entities will not be allowed to grant crypto loans or facilitate lending transactions in any form.

The proposed ban has faced criticism from the market, with industry representatives arguing that MiCAR allows for regulation rather than prohibition. The legislative process is still ongoing, meaning that the final version of the law could maintain the ban, modify its scope or abandon it entirely.

Cryptocurrency derivatives fall under MiFID II regulations if they qualify as financial instruments. On 17 December 2024, ESMA’s Final Report (Annex III) outlined criteria for classifying crypto-assets as financial instruments.

If a derivative is based on a crypto-asset meeting these criteria, it is regulated under MiFID II regulations, requiring authorisation and compliance with investor protection rules. Otherwise, it may remain outside financial regulations, subject only to consumer protection laws.

Poland follows EU regulations without national modifications, assessing crypto-asset derivatives on a case-by-case basis.

DeFi is not currently explicitly regulated under EU or Polish law. ESMA’s October 2023 report highlights challenges in applying existing rules to decentralised systems that lack intermediaries. MiCAR and the DLT Pilot regime do not directly cover DeFi, leaving a regulatory gap.

In Poland, there are no dedicated regulations for DeFi and no established supervisory practice has yet developed. A DeFi service facilitating security token or crypto trading is not automatically exempt from regulation. If its activities fall under MiFID II regulations or AML laws, it may still have to comply.

There are currently no specific rules regarding investing in crypto-assets. Therefore, the general rules applied to investing funds apply.

Virtual currencies are legally defined under AML regulations, distinguishing them from other blockchain assets. The definition follows EU AML directives, recognising virtual currencies as a digital representation of value that is not issued or guaranteed by a central authority and does not have the status of legal tender.

The key difference between virtual currencies and other blockchain assets lies in their intended use. Virtual currencies are mainly used as a means of exchange or store of value, whereas blockchain assets can include security tokens, utility tokens or other financial instruments with broader applications.

NFTs are not explicitly regulated under Polish or EU financial laws. They are unique digital assets stored on a blockchain, typically representing ownership of digital or physical items.

However, only “true” NFTs, genuinely unique and non-interchangeable, fall outside financial regulations. If an NFT is not “truly unique”, it may be classified as a regular crypto-asset under MiCAR (potentially subjecting it to financial regulations).

PSD2 defines the regulatory framework for open banking in Poland, requiring banks to provide TPPs access to customer accounts via secure application programming interfaces (APIs). KNF enforces compliance and most banks use Berlin Group API standards. Poland has also introduced PolishAPI, a national standard developed by the Polish Bank Association to improve API integration and compliance.

Despite a strong fintech sector, challenges persist. Strict authentication rules complicate user experience, while API inconsistencies remain a barrier. Some banks have delayed or limited API functionality, treating open banking as a compliance obligation rather than an opportunity. Regulatory interventions have been necessary to enforce compliance.

PSD3 is expected to address these issues, introducing stricter oversight and standardised interfaces to improve API interoperability.

Banks and technology providers use encryption, tokenisation and strong customer authentication (SCA) to protect data in open banking. AI-driven fraud detection and transaction monitoring help ensure compliance with PSD2 and the GDPR. However, fintechs face barriers to accessing banking APIs and strict SCA rules impact user experience. Regulatory audits and industry collaboration seek to balance security and seamless transactions.

Fraud in fintechs includes identity theft, where criminals steal personal data to access bank accounts or secure loans. Phishing scams also pose a threat, with fraudsters impersonating banks or authorities to extract sensitive information through fake emails or calls.

Investment fraud remains a major risk, luring victims with promises of high returns on fictitious ventures, such as real estate or foreign markets, often leading to severe financial losses.

Polish regulators are focused on authorised push payment fraud, investment scams, crypto fraud and identity theft. Payment providers must detect suspicious transactions and warn users. Banks and fintechs face growing pressure to enhance AML measures, fraud detection and transaction monitoring to improve customer protection.

A fintech provider’s liability depends on its services and regulations. Under PSD2, fintechs offering payment services must use SCA, report breaches and compensate for unauthorised transactions unless proven otherwise.

Polish consumer protection laws favour refunds, ensuring strong customer rights. For unregulated services, liability is based on contracts and consumer laws. Fintechs may still be responsible for fraud, negligence or security failures, with regulators imposing sanctions for non-compliance.

Lawarton Lugowski Kapica Spolka Komandytowa

Mokotowska 1/floor 8
00-640 Warsaw
Poland

+48 880 311 784

office@lawarton.com www.lawarton.com/

Trends and Developments


Authors



Deloitte Legal, Gizicki i Wspólnicy sp.k. has been operating for 18 years and has approximately 100 lawyers. It specialises in providing regulatory advisory services to the financial, fintech and newtech sectors. These regulatory advisory services cover financial and fintech regulations, AI governance, cybersecurity regulations, consumer protection, data privacy and IP/IT. The dedicated fintech team contributes to the firm’s strong market recognition. Its strategy integrates a multidisciplinary approach, harnessing the firm’s capabilities to provide tailored solutions. It addresses business challenges comprehensively, offering a one-stop shop for clients. Synchronisation across legal, business strategy, technology, risk, data governance, AI, cybersecurity, tax and accounting teams gives it a competitive edge. Its services cover legal and regulatory advisory matters across various sectors, handling regulations such as banking and insurance laws, PSD2, AML, DORA, outsourcing, consumer protection, the GDPR and MiFID. It also tackles issues like cloud computing, e/m-commerce, digital transformation, biometrics, cybersecurity and AI. Its client portfolio includes banks, providers of financial infrastructure, payment institutions and technology companies.

Overview of the Polish Market

Poland is expected to be the fastest-growing economy in Europe in the years 2025-26. GDP growth is predicted to be 3% to 3.5% per annum (depending on the source), which is significantly more than any other EU member state. Additionally:

  • in 2024, inflation dropped significantly, reaching around 4.7%, and the price level in 2025 is predicted to be much more stable than in previous years;
  • high immigration numbers remain an important factor supporting economic growth, impacting the consumer market and facilitating the development of cross-border financial services (such as money remittance or online foreign exchange); and
  • the favourable economic situation is also accompanied by a relative limitation of changes in the tax system, which slightly improves legal certainty for businesses.

Regardless of the local market’s attractiveness, major Polish cities (including Kraków, Warsaw and Wrocław) remain popular nearshore destinations for BPO/SSC operations of global financial institutions. This popularity is mainly driven by a highly skilled workforce, economic stability, cost-effectiveness of investments and the relatively short distance to major European financial centres such as London, Paris and Frankfurt.

Payment Services

Poland has been one of the leaders in Europe in implementing cashless payments for many years. The number of payment cards has been steadily increasing, reaching an all-time high in mid-2024 (over 46 million cards, with a Polish population of 36 million). The number of payment transactions and their value are also rising, exceeding PLN336 billion (approximately EUR78 billion) in the third quarter of 2024 alone. Only one out of 40 transactions (2.5%) was not contactless.

The payment card acceptance network is also expanding. By the end of September 2024, Poland had approximately 1.4 million point of sale (POS) terminals, while the number of ATMs slightly declined. These efforts are strongly amplified by the Cashless Poland Foundation (Fundacja Polska Bezgotówkowa), which is committed to expanding the payment acceptance network in Poland by reimbursing costs incurred by entrepreneurs who consider offering their customers the option to pay with cards or other payment instruments for the first time.

A unique local flavour of the payment market in Poland is the growing popularity of BLIK, which is a native mobile payment system created through the co-operation of six major Polish banks. BLIK continues to be a leading payment method in Polish e-commerce. It also enjoys market prominence as a popular method for cashless settlements between consumers (peer-to-peer transfers) and has a growing share in the buy now, pay later market. The BLIK service is entirely embedded into banks’ mobile applications (notably also adopted by Revolut in its app), and customers do not have to install any dedicated software or register any additional accounts to use it.

In 2024, four new payment institutions were registered by the Polish Financial Supervision Authority (the “KNF”). Interestingly, three of them had already been active lenders providing consumer financing services and are currently offering credit cards. On the other hand, the KNF decided to withdraw the licence from one of the entities.

The Polish financial industry is closely monitoring EU efforts to adopt a payment services package (particularly the PSR Regulation). Considering that a significant part of the legislative work is expected to take place during the Polish presidency of the EU in the first half of 2025, banks hope for their voices to be heard and for a reasonable balance to be struck between the interests of the industry and the interests of consumers.

The main concerns stem from the plans to significantly increase banks’ liability for fraud, including authorised transactions resulting from “spoofing”. The current practice of Polish courts in cases of unauthorised transactions remains favourable to consumers. Additionally, since 2022, the Polish Office of Competition and Consumer Protection (the “UOKIK”) has initiated proceedings against 15 banks for alleged infringements of collective consumer interests and PSD2 rules on liability for unauthorised payment transactions. According to the banking community, increased standards of liability may result in a disproportionate burden on banks, even in cases where the bank cannot possibly prevent the fraud (for instance, where a third party impersonates a bank employee and the consumer fails to verify their identity using tools made available by the bank).

Poland has started implementing EU rules allowing non-bank payment service providers (PSPs) to directly access all payment systems and offer accounts with an assigned IBAN. One of the primary challenges is ensuring that non-bank providers can secure bank accounts at the National Bank of Poland (the “NBP”). A recent decision by the European Central Bank to allow non-bank PSPs meeting certain requirements to access TARGET starting in April 2025 has increased the expectations of Polish fintech companies.

However, the more common issues in the sector continue to be derisking and difficult access to regular bank accounts, rather than direct access to payment systems. Non-bank providers have been advocating for a level playing field with banks, particularly for clearer rules on when banks can refuse to open payment accounts for other PSPs. On the other hand, stringent regulatory policies in the AML area require banks to apply demanding KYC and due diligence measures also to non-bank financial institutions, such as payment institutions, online currency exchanges and entities operating in the crypto industry.

Consumer Finance and Buy Now, Pay Later

2024 was a period of relative stability in the Polish consumer finance market. The number of lending institutions remained steady, with 103 entities registered with the KNF at the end of 2024, compared to 107 at the start of the year. According to BIK (the Credit Information Bureau), the total value of loans granted increased significantly, by approximately 30% year-on-year in the banking sector and up to 50% among non-bank lenders. Non-bank lending institutions continued to dominate the low-value loan segment. At the same time, buy now, pay later services maintained strong and growing popularity, with transactions totalling PLN8.5 billion in the first ten months of 2024.

A key regulatory shift that took effect at the start of 2024 was the introduction of supervision over all lending institutions by the KNF, following legislative changes finalised in late 2023. This regulatory overhaul brought stricter capital, organisational and business requirements, fundamentally reshaping the consumer finance landscape. The number of registered lending institutions declined significantly by the end of 2023 as a result of these new regulations. While key market players assert their financial stability and preparedness for the regulatory environment, ongoing discussions suggest that further consolidation within the sector is likely in the coming years.

The impact of supervision by the KNF is becoming increasingly apparent across the industry, particularly through rising costs driven by compliance with new regulatory requirements. In November 2024, a representative of the KNF suggested that replacing the current registration system with a licensing or quasi-licensing requirement for lending institutions in coming years is possible. However, these plans have not been officially confirmed.

The implementation of the Non-Performing Loans Directive in Poland imposed additional formal requirements on lenders regarding the restructuring of borrower debt. In practice, lending institutions have had to adjust or introduce debt restructuring processes, develop internal regulatory frameworks and prepare the necessary product documentation to comply with these new obligations.

The market is also preparing for the implementation of the revised Consumer Credit Directive (the “CCD2”). In January 2025, Poland’s legislative agenda included a draft Consumer Credit Act, along with amendments to consumer protection laws, aimed at transposing the CCD2 into Polish law. The proposed regulations introduce significant changes designed to enhance consumer protection and align Polish law with EU standards. Key modifications include:

  • the removal of the upper credit limit;
  • the extension of regulatory oversight to all buy now, pay later providers (including those who operate beyond a consumer credit regime);
  • stricter creditworthiness assessment requirements; and
  • new rules governing the advertising of credit products.

Artificial Intelligence in Financial Institutions

The pursuit of maximising artificial intelligence or AI adoption in organisations is one of the most prominent trends observed not only in the fintech industry but across the entire economy. The Polish government has also announced the creation of an AI Fund, which will invest approximately EUR1 billion in the digitalisation of key areas for the state. However, most businesses reasonably evaluate the opportunities and risks associated with AI, viewing technological transformation as a gradual evolution rather than a sudden revolution.

AI is predominantly used for automating and enhancing internal, back-office processes, with its application in customer-facing processes being much less common. However, simple tools such as chatbots on websites, in banking apps and AI in phone channels are becoming increasingly popular. The use of generative AI tools on the Polish market is also quite common. However, according to Deloitte’s “Trust in Generative AI” study, only 18% of respondents use generative AI for professional purposes. They do so mainly to generate ideas (45%), create or edit content (37%) and analyse data (36%).

On the other hand, Deloitte’s “Trust in Generative AI” study shows that the use of generative AI tools often occurs outside the organisation’s control, generating additional legal and reputational risks. 56% of employees use generative AI for work purposes without the explicit approval of their employer and only 19% of respondents have access to solutions developed by their organisation or officially acquired from third-party providers. Respondents often attribute the use of non-approved tools to either the absence of officially adopted solutions or their inferiority compared to market alternatives.

A lack of trust remains a significant hurdle in the adoption of AI, affecting both regulatory frameworks and the technology itself. Only half of respondents to the study believe that AI will be used ethically and 53% indicate that this technology would be adopted more widely if it were regulated. According to respondents, key factors for building trust include data security (68%), human oversight (62%), confidence in received results and understanding of algorithms (60%).

Representatives of the financial sector increasingly see building AI governance frameworks (mostly on the basis of compliance with the AI Act) as an opportunity to gain control over the use of cutting-edge technology rather than solely a regulatory burden. The industry’s efforts were also accelerated by the KNF, which sent a detailed questionnaire on the use of AI to supervised entities.

Some efforts have already been made to incorporate the AI Act into Polish law. Notably, the current draft law proposes the establishment of a new supervisory body, the Commission for AI Safety and Development (the “KRIBSI”) designed as a single collegial supervisory authority for the entire economy, including the financial sector. While the decision seems definitive, the legislative process is still in its early phases, leaving room for potential changes.

Cybersecurity

The Digital Operational Resilience Act or DORA marks a key milestone in the cybersecurity of the Polish financial industry, even though the existing regulatory framework in this area was already relatively extensive and included several recommendations issued by Polish and European supervisory authorities. The implementation of DORA was also one of the top priorities for the KNF.

Most projects carried out in the Polish market were completed on time (at least to a large extent). However, the legal qualification of key services (including financial market infrastructure providers) and the contract amendment process remain the main challenges for the financial industry. For many institutions, contractual requirements resulted in the need to process thousands of annexes to already binding commercial agreements. The market also had to face the lack of regulatory clarity throughout the implementation processes due to the late adoption of crucial secondary legislation by the European Commission and the European supervisory authorities.

Following changes in the regulatory environment at the EU level, the KNF decided to withdraw key soft law regulations in the area of cybersecurity. The changes included the repeal of the Cloud Communication and numerous recommendations on the management of risks associated with ICT systems for various branches of the financial market. Although the reduction in the number of regulations was well received by the financial industry, it has led to unexpected consequences.

In many aspects the scope of these regulations went beyond the requirements of DORA, providing, for example, the basis for implementing formalised data governance regulations by many financial institutions. It also affected cloud computing adoption projects, as the repealed soft law issued by the KNF outlined some requirements in a more detailed manner.

Banks are continuously making efforts to implement behavioural biometrics tools as security features of payment transactions. The lack of legislative solutions providing a clear legal basis for the processing of sensitive data means that the use of these tools depends on client consent. This results in the limited coverage of customer portfolios with behavioural biometric solutions, thereby slowing down the entire process.

On the other hand, the implementation of behavioural biometrics remains one of the key recommendations issued to PSPs by the UOKIK at the end of 2024. These recommendations are part of the ongoing dialogue between the UOKIK and the banking industry, related to proceedings conducted by the UOKIK regarding alleged infringement of unauthorised payment transaction regulations.

The Polish government is also setting high ambitions in the area of cyber-resilience, demonstrated by its investment in the Polish Cyber Command, established in 2022, which employs over 6,500 specialists. This move is essential for Polish society, the economy and public services, considering that Poland is the second most targeted country in cyberspace. The government’s efforts are in line with the financial industry’s growing focus on cybersecurity.

Digital Identity, Open Finance and Data Protection

Digital identity services in Poland must be viewed in the context of the continuous advancement in the digitalisation of public services in recent years. Government efforts have led, for instance, to the implementation of the mObywatel app (a government superapp that includes electronic ID among other features) and extensive digital correspondence through the ePUAP platform. Additionally, Poland is working on a project to implement a robust electronic delivery system to replace the ePUAP platform. The system has been in operation since 1 January 2025, but it still faces a considerable number of limitations.

An important milestone in terms of digital identity services is the eIDAS 2.0 Regulation. It requires each EU member state to establish at least one European Digital Identity Wallet (EDIW) by 2026, designed to enable users to securely authenticate their identity when accessing both public and private services. In Poland, the mObywatel app is likely to be designated as the national EDIW.

Although Polish financial institutions are already advanced in implementing e-identity and remote onboarding solutions (as a result of a statutory obligation to accept the mObywatel app in KYC processes since 2023), the changes will have a significant impact on the market. Concerns are increasingly being raised that the relationship between EDIW and the regulations concerning unauthorised payment transactions and strong customer authentication (SCA) under PSD2 remains unclear and may pose significant challenges for the industry.

The Polish financial market is also closely monitoring regulatory developments in the area of open finance and open banking, including the new FIDA regulation. Despite temporary uncertainty about the continuation of legislative work at the start of 2025, work on FIDA is still expected to continue during Poland’s Presidency of the EU. Although market interest is noticeable, it is too early for new business initiatives.

It is also important to highlight the increasing activity of the Polish Data Protection Authority in areas critical to the ongoing operations of financial institutions. These include detailed examinations of the accuracy of personal data protection principles in creditworthiness assessments, as well as strict expectations regarding the independence of data protection officers (which are difficult to reconcile with the “three lines of defence” principle), among other things.

Crypto-Assets Regulations

2024 was marked by legislative uncertainty for the cryptocurrency sector due to the lack of a national law aligning Polish regulations with the EU’s Markets in Crypto-Assets Regulation or MiCA. At the time of writing, the legislative process is ongoing, despite an initial draft of the law being published in February 2024. Until the law comes into force, Polish law does not provide a legal basis to process applications for crypto-asset service provider (CASP) licences, which impacts the competitiveness of the Polish industry.

The absence of a national law transposing MiCA into the Polish regulatory framework also means that the 18-month transitional period prescribed under MiCA remains unchanged. During this period, MiCA’s licensing requirements do not apply to entities registered as virtual asset service providers (VASPs) before the end of 2024. Although the current draft of the law proposes shortening the transition period to 30 June 2025, there is ongoing debate over whether this period can be reduced after 30 December 2024 (ie, after MiCA became fully applicable). It is worth noting that approximately 1,700 entities are currently registered as VASPs in Poland.

It is also important to note that as of 30 December 2024, the EU Regulation on information accompanying transfers of funds and certain crypto-assets comes into effect. The Regulation implements the “travel rule” for cryptocurrency transactions, requiring CASPs to collect, verify and share information about the sender and recipient of crypto-assets to enhance transparency and combat illicit activities. According to the Polish supervisory authorities, the “travel rule” applies to all businesses engaged in virtual currency activities, although this view is contested by some market representatives, as the Regulation explicitly refers to PSPs and CASPs.

Impact of the Omnibus Simplification Package and a Clean Industrial Deal on Polish Fintechs

The main driving force for a change in the ESG compliance of Polish fintechs (and, perhaps even more importantly, that of their business partners) is the adjustment of the approach by legislators in the EU. This adjusted approach promises to reduce overall administrative burdens for EU companies by 25% and for SMEs by 35%, as well as ensure access to affordable energy, enabling EU industry (including energy-intensive sectors) to stay competitive, while maintaining the overall commitment to decarbonisation and utilising it as a factor for economic growth.

This ambitious approach requires a major overhaul of the legislation. To this end, the European Commission has already published proposed drafts of the Taxonomy Disclosures Delegated Act, the Taxonomy Climate Delegated Act and the Taxonomy Environmental Delegated Act. The aim is to reduce the number of reported data points. There are also draft Directives amending the CSRD and the CSDDD, which are aimed at postponing the application of all reporting requirements in the CSRD for companies that are due to report in 2026 and 2027, and to postpone the transposition deadline and the first wave of application of the CSDDD by one year to 2028.

The changes are encompassing in nature, need to be agreed upon and (in many cases) transposed into national law, and are accompanied by additional works in the pipeline (ie, those included in the European Commission Work Programme for 2025). As a result, while the overall direction of the changes has been met with cautious approval from parts of the market, the general sentiment remains one of increased awareness about the inherent uncertainty of the processes ahead.

Notwithstanding the above, it seems that the EU continues its transformation programme (although adjusted), finding new ways to tackle greenwashing and foster changes.

Non-Obvious Interplay of Digital Transformation, ESG Reporting and Carbon Footprint

Managing a carbon footprint, understood as the total greenhouse gases emitted, is an overarching concept of the ESG Regulations. How it affects the digital economy has previously been tackled from different angles, both looking at the possible impact of the overall “sustainable digital footprint” (that is, including environmental, social and business aspects and trying to quantify them) and the carbon footprint in particular, focusing on the “digital carbon footprint” (the carbon footprint of the digital services and the hardware necessary to sustain them across the value chain).

A recent development, and an increasing concern for Polish fintechs (which by definition are reliant on digital services), is the possible redundancy or inefficiency introduced in the process of achieving compliance with the ESG Regulations, mainly in the area of data gathering and processing. As the regulatory ESG landscape and reporting obligations in particular are rapidly evolving, this issue needs careful monitoring both in terms of assessment of the existing framework and the potential impact of the changes introduced during ongoing and future alignment processes.

Deloitte Legal, Gizicki i Wspólnicy sp.k.

Al. Jana Pawła II 22
00-133 Warsaw
Poland

+48 22 511 08 11

+48 22 511 08 13

deloittekancelaria@deloitte.com www.deloitte.com/pl/kancelaria

Trends and Developments

Authors



Deloitte Legal, Gizicki i Wspólnicy sp.k. has been operating for 18 years and has approximately 100 lawyers. It specialises in providing regulatory advisory services to the financial, fintech and newtech sectors. These regulatory advisory services cover financial and fintech regulations, AI governance, cybersecurity regulations, consumer protection, data privacy and IP/IT. The dedicated fintech team contributes to the firm’s strong market recognition. Its strategy integrates a multidisciplinary approach, harnessing the firm’s capabilities to provide tailored solutions. It addresses business challenges comprehensively, offering a one-stop shop for clients. Synchronisation across legal, business strategy, technology, risk, data governance, AI, cybersecurity, tax and accounting teams gives it a competitive edge. Its services cover legal and regulatory advisory matters across various sectors, handling regulations such as banking and insurance laws, PSD2, AML, DORA, outsourcing, consumer protection, the GDPR and MiFID. It also tackles issues like cloud computing, e/m-commerce, digital transformation, biometrics, cybersecurity and AI. Its client portfolio includes banks, providers of financial infrastructure, payment institutions and technology companies.
