The Evolution of the Fintech Market in Poland in 2024

Over the last 12 months, the Polish fintech market has experienced dynamic growth driven by technological innovation, increasing users and interesting regulatory developments.

The most notable development is improvements in the e-resident (mObywatel) application, which is part of developing a digital state in Poland. The new version introduced enhancements and features, like verifying identity using smartphones in offices, banks, post offices or with notaries. The list of features also covers driving licences, prescriptions and many other functions that bring the implementation of financial technologies to a wider audience.

The National Clearing House or KIR (a state-owned company) also introduced the first durable medium technology. Its solution combines blockchain and WORM technology in a straightforward solution. The use of this technology is now skyrocketing and has been introduced by most Polish banks.

AI

On 12 July 2024, the EU published the Artificial Intelligence Act (the “AI Act”), establishing a regulatory framework for developing and using AI across the EU. The Polish Ministry of Digital Affairs has started working on a bill to align the Polish legal system with the AI Act. The aim is to ensure the safe and ethical use of AI, considering citizens’ rights while supporting technological innovation. The Polish AI Act will also establish a new special authority, the Commission for AI Safety and Innovation.

DORA

The Digital Operational Resilience Act or DORA came into force at the start of this year. It has already affected the financial sector, but financial market participants such as payment institutions, investment firms or crypto-asset service providers (CASPs) are still looking for proper compliance guidelines. DORA sets out various new obligations for all participants, most of whom find it challenging to comply.

MiCAR

The Market in Crypto Assets Regulation or MiCAR, which fully came into force in December 2024, impacts CASPs and crypto-asset issuers. MiCAR introduces a complex authorisation regime for CASPs and strict transparency requirements for crypto-asset issuers. However, Polish corresponding legislation is still being prepared. Although the draft Polish Cryptoassets Act contains some required regulations, it can still be changed during drafting.

Polish fintech companies operate through various models. Payments are the dominant sector, followed by online currency exchange and alternative lending. Banks also integrate fintech solutions, driving innovation.

Poland’s fintech landscape spans digital payments, alternative lending, wealth management, insurtech, regtech and blockchain-based financial services, making it highly innovative.

Poland’s fintech sector is eminently innovative.

Digital Payments

Fintech firms develop infrastructure for seamless payment processing, mobile transactions and banking services. The sector is dominated by digital wallets, contactless payments and online banking.

Lending and Alternative Financing

Alternative lending platforms provide financing for consumers and SMEs using AI-driven risk assessment and alternative credit scoring. Peer-to-peer (P2P) lending, marketplace lending and buy now, pay later models enhance financial flexibility and reduce dependence on traditional banks.

Wealthtech and Investment Solutions

Wealth management platforms utilise automation, robo-advisors and algorithmic trading to optimise investment strategies. Retail investors gain access to diversified portfolios, fractional investing and alternative assets with lower entry barriers.

Insurtech and Digital Insurance Models

AI and data analytics enhance underwriting, claims processing and risk assessment. Insurance models adapt to consumer needs with personalised, usage-based and on-demand solutions, improving efficiency and customer experience.

Regtech and Compliance Automation

Regtech solutions help financial institutions meet changing legal requirements through automation, machine learning and blockchain verification. These tools streamline AML, KYC and risk management, reducing costs and enhancing compliance.

Blockchain-Based Financial Solutions

Blockchain is increasingly used in transaction security, smart contracts and decentralised finance (DeFi). Digital asset platforms support cross-border transactions, asset tokenisation and transparent record-keeping, reducing reliance on intermediaries.

Poland’s fintech industry operates within a regulatory framework shaped by both national legislation and EU regulations. Key regulatory bodies include the Polish Financial Supervision Authority (Komisja Nadzoru Finansowego or KNF), which oversees banking, lending, insurance and investment activities and the Office of Competition and Consumer Protection (Urzad Ochrony Konkurencji i Konsumentow or UOKiK), which ensures consumer protection in financial services.

A key challenge in Poland remains the balance between EU regulations and local implementation. Additionally, Poland’s implementation of EU directives is often characterised by gold-plating, leading to stricter local requirements compared to minimum EU standards, which can increase compliance burdens for fintech firms.

This is especially true in crypto, where national authorities have yet to fully integrate MiCA into domestic law. This creates regulatory uncertainty for blockchain-based businesses operating in the country.

The regulatory regime applicable to the fintech industry varies according to particular verticals.

Different compensation models employed by market participants to charge customers depend on their regulatory status, the services they provide and their customer type. Different verticals must also comply with various regulatory requirements, including disclosure obligations. There are two most commonly used compensation models: the commission-based model and the fee-based model.

Generally, regulated participants (eg, banks or payment institutions) are subject to various disclosure regimes. This applies to specific pre-contractual and ongoing information requirements. Obligations are stricter if the service recipient is a consumer. These result from EU consumer protection laws (eg, the Consumer Credit Directive or the Distance Marketing of Consumer Financial Services Directive) which have been implemented into the Polish legal framework.

Traditional financial institutions and fintech companies must comply with financial regulations if their activities are within a regulated scope. However, traditional banks face stricter requirements under Basel III, Solvency II and broader capital and risk rules.

Fintech firms often navigate regulatory uncertainty due to innovative services that may not fit existing frameworks. Polish authorities address this through the Innovation Hub and sandbox environments, offering guidance and supervised testing with reduced compliance burdens.

Some fintech models exploit regulatory gaps to avoid licensing, particularly in crypto, DeFi and alternative payments. While fostering innovation, this raises consumer protection and financial stability concerns. Regulators are assessing these models, with potential future legislation expanding oversight.

In 2019, KNF developed an Innovation Hub Programme to allow fintech companies to test new solutions in a controlled environment, ensuring compliance with legal standards while fostering innovation. The aim was to promote the introduction of innovative technologies into the Polish financial market and test them in a safe environment. Another aim of the Programme was to improve communication with legacy players and fintech companies.

Poland’s Innovation Hub does not provide exemptions from financial regulations but offers regulatory guidance and support for fintech firms navigating compliance requirements instead. Eligible participants include start-ups, financial institutions and technology providers developing innovative solutions. Applicants must demonstrate that their solutions involve a high degree of innovation and have potential benefits for the financial sector.

A key advantage of the Programme is enhanced communication between fintechs, legacy financial institutions and regulators, allowing for a more flexible regulatory approach while maintaining market stability. Although Poland has not yet introduced a full-scale sandbox that grants temporary regulatory relief, the Innovation Hub serves as a stepping stone toward a more structured fintech-friendly regulatory framework.

KNF is the primary financial regulator, overseeing banks, payment operators, investment firms, AML and CFT compliance. Under the proposed Cryptoassets Act, it will also supervise the crypto-asset market.

The General Inspector of Financial Information (the “GIIF”), operating under the Ministry of Finance, enforces AML/CFT regulations, monitors transactions and co-operates with law enforcement to combat financial crime.

Other key regulators include UOKiK, which ensures fair competition and consumer protection and the National Bank of Poland (the “NBP”), which is responsible for monetary policy and financial stability.

The Ministry of Finance oversees financial legislation and tax policy.

Polish regulators collaborate with EU bodies like the ECB, the EBA, the ESMA and the EIOPA, which oversee major financial institutions and ensure market stability.

KNF does not issue “no-action” letters. Although the Polish financial regulator does not issue formal “no-action” letters, market participants can seek regulatory guidance on the compliance of their planned activities by asking for a written opinion from the regulator. While these opinions are not legally binding, they help reduce regulatory risk by clarifying supervisory expectations.

Unlike “no-action” letters in other jurisdictions, these opinions do not guarantee immunity from enforcement actions, as the regulator retains discretion to intervene if needed. However, this approach supports innovation while ensuring regulatory compliance.

Additionally, the regulator provides informal guidelines to market participants. These so-called “soft laws” provide essential insights into whether a particular activity aligns with regulatory requirements. The participants may expect that fulfilling those guidelines will not result in any negative actions from the regulator.

Outsourcing regulated functions to external service providers is permitted but subject to strict requirements, which vary depending on the nature of the outsourced activity (eg, investment or payment services).

Several general principles apply across nearly all regulated financial services. These principles primarily derive from the Act on Supervision on Securities Market, PSD2 and DORA, as well as EU-level outsourcing guidelines, including the EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02), the ESMA Guidelines on outsourcing to cloud service providers (ESMA50-157-2403) and related domestic laws.

Regulated entities must consider and address all the risks associated with outsourcing arrangements before proceeding. This requires thorough due diligence on potential service providers to ensure they possess the appropriate skills, experience and resources to perform the outsourced services effectively.

Furthermore, regulated entities must have a written outsourcing policy in place and ensure that outsourcing arrangements do not compromise their ability to fulfill legal obligations or hinder the competent authority’s ability to supervise them. Significantly, outsourcing does not relieve the regulated entity of responsibility to clients or third parties to deliver regulated services.

Additionally, a written outsourcing agreement must be established between the regulated entity and the service provider, including specific mandatory provisions covering aspects such as data protection, security, the right of the regulated entity and KNF to monitor and audit the outsourcing provider and termination rights. Stricter requirements apply when outsourcing critical functions like risk management, ICT or AML.

While outsourcing to a regulated entity is not always required, it is often preferable as such providers are already subject to supervisory controls, reducing compliance risks.

Fintech providers are considered “gatekeepers” in certain regulatory areas, particularly under AML/CFT legislation. They are required to conduct customer due diligence (KYC), monitor transactions and report suspicious activities to the relevant authorities. These obligations help ensure the legality, security and integrity of financial activities on fintech platforms.

Additionally, depending on their business model, some fintech companies may have broader consumer protection and market integrity responsibilities, such as preventing fraud or unauthorised financial activities. The Digital Markets Act introduces further obligations for large fintech platforms that could be designated as “gatekeepers” under EU law, potentially subjecting them to stricter compliance and operational transparency requirements.

While fintech providers have significant compliance responsibilities, their liability for user activities depends on the nature of their services and whether they actively facilitate or merely provide access to financial transactions.

National supervisory authorities enforce regulations in the fintech sector to ensure market integrity and consumer protection. The most severe is licence revocation or suspension, which can be imposed for serious violations of regulatory requirements. Regulators also impose penalties and fines on non-compliant fintech firms, serving as a deterrent against breaches of financial regulations. Additionally, supervisory authorities can mandate corrective measures, such as improving internal controls, enhancing security protocols or modifying business practices to align with regulatory standards.

For example, in a recent case, the largest online currency exchange group in Poland had its payment institution licence revoked by the regulator due to non-compliance with supervisory requirements. This decision forced the company to cease certain operations, leading to severe financial difficulties and a real threat of insolvency.

Polish regulators focus heavily on AML/CFT procedures, increasing penalties when not properly implementing and handling AML regulations. One of the fines for AML non-compliance reached approximately PLN22 million (approximately EUR5.2 million) in 2022.

Market observers conclude that obtaining licences from local regulators is consistently becoming more complex, time-consuming and labour-intensive.

Data Protection

The GDPR requires fintechs to apply privacy by design principles to minimise the amount of data processed and properly handle consumers’ personal data. In addition, some industry participants may soon be subject to the newly adopted Data Act, which focuses on data sharing and compensation and will apply for the most part from September 2025.

Cybersecurity

Cybersecurity regulations, such as the NIS2 Directive and DORA, add further complexity. These laws mandate robust cybersecurity measures, operational resilience and incident reporting requirements for financial entities. Fintechs must demonstrate their ability to withstand and recover from ICT-related disruptions and manage third-party risks, particularly when relying on cloud providers.

This poses a challenge for fintechs, which must prioritise agile development and third-party technologies, which are harder to control. Legacy players, by contrast, often have larger budgets, dedicated compliance teams and established security infrastructures, giving them an advantage in meeting these requirements.

Crypto-Assets Regulation

MiCAR recently came into force in Poland to regulate the crypto-assets market. See 10 Blockchain.

Social Media

The Digital Services Act establishes rules for online platforms, including social media, to prevent the spread of illegal content and ensure transparency in advertising. Fintechs must disclose sponsored content and advertising practices, moderate user-generated content and avoid misleading or harmful information. Fintechs relying heavily on social media marketing face additional compliance costs related to content moderation and transparency. In contrast, traditional banks and financial institutions tend to adopt more conservative marketing practices. They are less reliant on social media, which reduces their exposure to Digital Services Act-related compliance risks.

Consumer Protection

Polish consumer protection legislation, such as the Consumer Credit Act or the Competition and Consumer Protection Act, is also relevant for fintech industry participants who target consumers.

Most fintech companies or regulated operations must provide financial statements reviewed by qualified external auditing firms. Additionally, other entities like banks, payment institutions or investment firms must prepare proper special risk management plans, conduct regular due diligence and conduct internal audits.

Most banks, payment institutions and investment firms must develop risk management frameworks, conduct due diligence and perform internal audits to identify financial and operational risks.

While audits and risk controls are legally required, many fintechs adopt stricter cybersecurity, fraud detection and compliance monitoring standards, especially for cross-border operations.

Regulatory oversight of the fintech sector is primarily conducted by state supervisory authorities, with internal audits within regulated entities playing a key role in ensuring risk management and regulatory adherence. The involvement of non-state external organisations, such as industry associations or self-regulatory bodies, remains minimal in the fintech sector. Formal state supervision and internal governance structures within regulated firms largely shape Poland’s fintech landscape.

Operating regulated and unregulated activities in parallel is generally permitted, provided all legal and regulatory requirements are met. Supervisory authorities accept this model, provided that the unregulated activity does not compromise the regulated business’s integrity, stability or compliance. Firms must ensure clear governance structures, risk management frameworks and regulatory separation where necessary to prevent conflicts and maintain compliance.

The obligation to comply with AML/CFT regulations does not depend on whether a fintech company is regulated or unregulated. Regulatory classification is determined by other legal frameworks, while AML obligations arise from the nature of the activities performed rather than the regulatory status of the entity.

AML and sanctions rules heavily impact fintech companies, requiring them to implement strict customer due diligence, transaction monitoring and reporting mechanisms. Strict compliance measures increase operational costs, requiring investment in compliance teams and automated monitoring systems. Fintech firms must also adapt to evolving regulatory requirements, including expanding lists of sanctioned entities and changes in risk assessment methodologies.

Poland follows the AML and CFT standards set by the Financial Action Task Force (FATF). Polish AML legislation is aligned with FATF recommendations and shaped by EU directives, ensuring compliance with international best practices.

Additionally, Poland is subject to Moneyval evaluations, a Council of Europe mechanism that assesses AML/CFT measures in certain European jurisdictions. Recent evaluations indicate that Poland is progressively strengthening its AML framework, incorporating FATF recommendations to enhance financial security and tackle illicit financial activities.

It is possible to provide regulated fintech products or services from another jurisdiction on a reverse solicitation basis, but only under narrow and strictly defined conditions. In essence, domestic regulatory licensing requirements may not be triggered if a Polish client independently initiates contact for a specific service and the provider has not engaged in any marketing or other solicitations targeting Poland.

However, the relationship must be solely initiated by the Polish client. The fintech company must be able to document and prove that the client contacted them of their own accord, without any prior proactive outreach by the provider. The precise application of reverse solicitation can vary depending on the type of fintech product or service, such as those falling under MiFID II regulations for investment services or other specific regimes (for instance, payment services or crypto-related activities).

Although regulations on reverse solicitation are relatively clear, market practice shows that many foreign entities violate these requirements, operating in ways that contradict regulatory restrictions. This is not just a challenge in Poland but across the whole of the EU, where enforcement remains difficult.

Ensuring compliance is particularly complex due to the digital nature of service offerings, allowing firms to reach Polish clients without a local presence or licence. While EU and Polish regulators actively work to enforce reverse solicitation rules, this remains a high-risk area for regulatory breaches and supervisory challenges.

Fintech companies utilising robo-advisers must adapt their business models based on the asset class they support. Traditional financial instruments, such as stocks and bonds, fall under MiFID II regulations, requiring strict risk profiling and investor suitability checks. Security tokens, classified as financial instruments, impose additional licensing and transparency obligations. Cryptocurrencies and utility tokens, regulated under MiCAR, require compliance with AML/CFT rules and enhanced risk disclosures.

Integrating digital assets into robo-advisory services presents challenges such as price volatility, liquidity management and secure custody, requiring fintechs to align their models with evolving regulations.

Legacy financial institutions are integrating robo-advisory solutions through hybrid models, where AI-driven recommendations complement human advisors. Many are launching in-house robo-advisors or partnering with fintechs for automated portfolio management and AI-driven customer engagement.

Best execution ensures trades occur under the most favourable conditions, considering price, speed, costs and market factors.

A major challenge is order routing transparency, requiring robo-advisors to avoid conflicts of interest and ensure client-focused execution. Liquidity fragmentation across exchanges can lead to price discrepancies, complicating best execution.

Market impact and slippage can affect execution quality, especially in volatile or illiquid markets. Robo-advisors must optimise execution algorithms to minimise delays and adapt to market shifts. Compliance with MiFID II regulations requires transparent execution policies, monitoring and reporting to ensure regulatory adherence.

Poland’s commercial lending regulation varies significantly depending on the type of borrower.

Consumers and SMEs

Consumer lending is subject to strict regulations to protect individual borrowers from abusive and unfair practices. The primary legal framework governing these loans is the Consumer Credit Act, which mandates transparency in loan agreements, ensuring consumers receive clear and comprehensive information before signing any contract. This includes pre-contractual disclosures, standardised contract requirements and cost limitations such as interest rates and fees. Additionally, consumer protection laws impose restrictions on collateral, preventing lenders from demanding excessive or disproportionate security, particularly in personal loans. These measures ensure that consumers are not exposed to excessive financial risk when obtaining credit.

SMEs run by natural persons may also be considered consumers under consumer legislation. If the lease is not a part of the central business activity of the enterprise, the trader falls under the consumer category. However, if an SME does not qualify for consumer protection, the lending relationship is treated as B2B, and the regulatory framework for commercial lending (B2B) applies.

Commercial Lending (B2B)

In contrast, commercial lending operates under a more flexible regulatory framework. Unlike consumer loans, B2B lending allows larger companies and lenders to negotiate terms more freely, as commercial entities are generally expected to have more significant financial expertise and bargaining power. Despite this flexibility, lenders must still comply with applicable financial laws, particularly regarding contractual fairness, transparency and enforcement of obligations. Unlike consumer loans, commercial loans have fewer restrictions on collateral requirements, allowing lenders to secure financing through a broader range of assets.

The underwriting process varies based on loan type (consumer, SME or commercial) and follows regulatory requirements.

KYC Protocols

The underwriting process typically begins with identity verification and fraud prevention. Online lenders employ electronic identity verification systems, multifactor authentication and KYC protocols to confirm a borrower’s identity.

AML/CFT

AML and CFT laws require robust monitoring and reporting mechanisms to detect suspicious financial activities.

Creditworthiness Assessment

Poland has a centralised credit system, including BIK (Credit Bureau) and BIGs (Economic Information Bureaus). BIK compiles credit data from financial institutions, while BIGs track negative credit histories from utilities and telecom providers. Lenders rely on both sources to assess risk.

Consumer Lending

As outlined in 4.1 Differences in the Business or Regulation of Fiat Currency Loans Provided to Different Entities, consumer lending is subject to stricter underwriting requirements. Lenders must provide detailed pre-contractual disclosures, ensure loan affordability assessments and comply with interest rate caps and fee limitations. These measures are designed to protect individual borrowers from excessive debt burdens.

Commercial Lending (B2B)

For business loans, the underwriting process is more flexible and allows for negotiation of terms between the lender and borrower. While large enterprises may be assessed based on financial statements, cash flow projections and collateral, SMEs are often subject to hybrid models that blend consumer and business lending criteria.

Online lenders finance their loan portfolios through several key sources, including P2P lending, lender-raised capital, deposit-taking and securitisation. Each funding method has distinct legal and regulatory considerations shaping these entities’ operations.

P2P Lending

P2P lending platforms facilitate direct lending between individual investors and borrowers and are regulated under the European Crowdfunding Service Providers Regulation (the “ECSP Regulation”). These platforms must comply with investor protection rules, risk transparency requirements and AML/CFT regulations. However, P2P lenders cannot accept deposits or offer deposit insurance, making clear risk disclosure is essential to maintaining investor confidence.

Lender-Raised Capital

Many online lenders finance their operations through venture capital, private equity or institutional funding. Securities laws regulate this model, requiring full compliance with Polish and EU financial regulations, including disclosure obligations and transparency standards. If funds are raised through bond issuance or share offerings, additional capital market regulations apply, requiring oversight by financial regulators.

Deposit-Taking

Only licensed financial institutions, such as banks and certain regulated credit institutions, can legally accept deposits from the public. Deposit-taking lenders are subject to strict regulatory oversight, including compliance with capital adequacy requirements, consumer protection laws and deposit guarantee schemes. Online lenders without a banking licence cannot accept deposits, limiting their funding options.

Securitisation

Some lenders package their loan portfolios into securitised financial instruments that are sold to institutional investors or asset-backed securities (ABS) markets. Securitisation must comply with the EU Securitisation Regulation, ensuring risk retention, investor disclosures and transparency in structured finance transactions. While securitisation allows lenders to expand their loan capacity, it requires strict risk management and reporting mechanisms.

Loan syndication is legally permissible and is primarily used for large corporate or infrastructure loans. It allows multiple lenders to share risk and expand lending capacity, typically involving major banks rather than fintech lenders or online platforms.

Although syndication occurs, it remains relatively uncommon in the Polish market, where bilateral lending structures and direct institutional financing are more prevalent.

The process is regulated by the Polish Civil Code and the Banking Law Act, ensuring contractual transparency and a structured framework for multi-lender agreements.

General

Payment processors are free to use existing payment rails or develop new ones, provided they comply with financial regulations. Any new payment infrastructure must receive authorisation from KNF to ensure compliance with PSD2, AML and CFT requirements.

While integrating with established payment systems is often more efficient and widely accepted, innovative solutions such as blockchain-based payment systems or alternative clearing mechanisms can be introduced, provided they meet regulatory standards and obtain the necessary approvals.

BLIK

BLIK is a notable example of a locally developed payment rail in Poland. It is a domestic mobile payment system that transforms cashless transactions, operating independently of global payment networks (legacy card systems operators). It provides an alternative infrastructure for real-time digital payments and offers seamless integration with the Polish banking system.

BLIK supports in-store and e-commerce payments, where customers authenticate transactions using a one-time code. It also allows ATM withdrawals and cash deposits without a physical card. Users can make P2P transfers using just a phone number and process instant bank transfers between accounts. The system enables recurring payments for subscriptions, bills and transactions via QR codes, facilitating seamless integration with online and offline merchants. It recently introduced a contactless payment feature using NFC technology, enabling mobile payments without a traditional payment card.

BLIK functions exclusively within Poland. Since its launch, it has become one of the country’s most widely used payment methods, surpassing card transactions in mobile banking apps. While currently limited to the domestic market, discussions about its potential expansion to other European countries or integration with international payment networks are ongoing.

National and EU financial laws regulate Poland’s cross-border payments and remittances. Since Poland is a part of the Single Euro Payments Area (SEPA), the SEPA Regulation also applies. This Regulation allows relevant cross-border cashless payments in euros to be made similarly to domestic ones. The SEPA Regulation applies to all payments across the EU and several non-EU countries.

Strict AML measures require customer due diligence and usage of KYC protocols.

The execution and settlement of cross-border payments do not raise significant regulatory concerns, as the existing framework remains stable and well-defined. The primary focus of regulatory oversight is on AML and CFT compliance, ensuring transparency, risk mitigation and the prevention of illicit financial activities.

Poland’s fintech market allows various types of marketplaces and trading platforms, each subject to specific regulatory frameworks.

Traditional Stock Exchanges

Traditional stock exchanges, such as the Warsaw Stock Exchange (the “WSE”), operate under the supervision of KNF and must comply with MiFID II regulations and the Act on Trading in Financial Instruments, ensuring transparency, investor protection and fair market practices.

In addition to the main stock exchange, Poland has NewConnect, an alternative trading system designed for small and medium-sized enterprises seeking capital with fewer regulatory requirements than the WSE’s main market. Meanwhile, Catalyst serves as Poland’s regulated market for corporate and municipal bonds, facilitating both retail and wholesale bond trading while ensuring compliance with MiFID II regulations and national securities laws.

Cryptocurrency Exchanges

See 10 Blockchain.

Forex and CFD Trading/Platforms

Forex and CFD Trading Platforms operate under MiFID II regulations, offering leveraged financial instruments such as contracts for difference (CFDs) and currency trading (Forex). These platforms must be licensed by KNF or another EU regulator under the passporting regime. Many retail trading platforms in this segment operate under foreign licences, although they remain subject to Polish consumer protection and financial market regulations.

Crowdfunding Platforms

Crowdfunding platforms, while facilitating investments, differ from traditional trading platforms as they do not provide active secondary market trading. They operate under the European Crowdfunding Service Providers Regulation and allow investors to participate in equity crowdfunding (acquiring shares in start-ups and SMEs) or debt/lending crowdfunding (financing businesses through loans). Unlike stock exchanges, these platforms lack liquidity and secondary market mechanisms, meaning investors hold assets until a liquidity event, such as an acquisition or buyback.

Others

Other trading platforms, such as multilateral trading facilities (MTFs) and organised trading facilities (OTFs), are also permitted. They operate under MiFID II regulations and require appropriate licensing and compliance with the best execution and market integrity standards.

The regulatory frameworks for traditional securities and crypto-assets differ significantly, reflecting the distinct nature of these financial instruments.

Traditional Securities

Traditional securities, such as stocks and bonds, are primarily governed by the Polish Act on Trading in Financial Instruments. This Act aligns with MiFID II regulations, ensuring standardised regulation across EU member states. KNF oversees activities related to these financial instruments, enforcing compliance with established financial market laws.

Crypto-Assets

The regulatory landscape for crypto-assets wasn’t regulated until recently, when at the start of this year, the EU’s MiCAR came fully into force. This Regulation establishes a comprehensive EU-wide framework for crypto-assets and related services. MiCAR separates crypto-assets into three classes: asset-referenced tokens, e-money tokens and other tokens (including utility tokens).

Poland has yet to prepare national implementation of the Cryptoassets Act.

See 10 Blockchain.

The emergence of cryptocurrency exchanges, both centralised and decentralised, has led to significant regulatory developments in Poland and the EU more broadly.

As mentioned in 6.2 Regulation of Different Asset Classes, the EU introduced MiCAR to regulate emerging cryptocurrency exchanges, both centralised and decentralised. However, Poland is still working on the legislation to implement national rules and procedures.

See 10 Blockchain.

Listing standards for shares, bonds and crypto-assets differ significantly. Listing financial instruments on trading venues is highly regulated mainly by the Act on Public Offering, Conditions Governing the Introduction of Financial Instruments to Organised Trading and on Public Companies, the Act on Trading in Financial Instruments and the Act on Supervision on Securities Market.

Polish legislation requires trading venue operators to have transparent rules for trading, admission of financial instruments to trading and access to the trading venue. The criteria used on their systems must be objective. Furthermore, the trading rules must ensure fair and orderly trading.

While traditional financial instruments are subject to well-established regulatory frameworks, crypto-assets are governed under the EU’s MiCAR, which introduce a new set of listing requirements. As Poland has yet to finalise the national implementation of MiCAR, crypto-asset listing standards remain in transition, with further details expected upon full regulatory adoption.

Order handling rules apply to regulated financial markets, including securities and derivatives trading under MiFID II regulations. These rules ensure execution at the best terms, transparency and fair client treatment. Brokers must prioritise price, speed and cost while avoiding conflicts of interest.

KNF also sets specific order-handling rules for regulated markets, MTFs and OTFs.

P2P trading platforms are growing but remain smaller than traditional exchanges. They are mainly used by individual traders and offer privacy and diverse payment methods but have lower liquidity.

P2P trading reduces intermediaries, prompting fintechs to adopt hybrid models. Regulators face AML/CFT and investor protection challenges, as many P2P platforms lack KYC oversight, increasing risks. While P2P crypto trading influenced DeFi regulations, its market impact remains limited. As regulations evolve, its remit may expand.

Payment for order flow (PFOF) is restricted under MiFID II regulations, as it conflicts with best execution principles. Recent amendments introduce a complete phase-out by 30 June 2026.

PFOF has never been widely adopted in Poland, as KNF strictly enforces best execution rules. Polish brokers generally avoid PFOF, meaning the 2026 ban will have little impact on the domestic market.

Market integrity and market abuse regulations fall under the European Market Abuse Regulation (the “MAR”), which is enforced alongside the Act on Trading in Financial Instruments and the Penal Code. KNF oversees compliance and sanctions.

Prohibited practices include insider trading and market manipulation, such as inflating volumes or spreading misleading price signals. UOKiK also monitors abuses affecting retail investors.

The Regulation ensures fair competition, investor protection and market stability. KNF actively supervises trading and issues public warnings about suspected market abuse.

High-frequency (HFT) and algorithmic trading are regulated under MiFID II regulations, requiring firms to register with KNF and meet market-making obligations for transparent trading.

Firms must implement risk controls, trading thresholds and continuity plans to ensure compliance. Trading venues must provide fair access and monitor market abuses linked to HFT strategies.

Regulations apply across equities, bonds and derivatives, although risk controls vary by market structure and liquidity, with bond markets requiring different safeguards than equities.

Under the Act on Trading in Financial Instruments, investment firms acting as market makers must obtain a broker licence from KNF. Their role is to provide continuous liquidity by regularly offering buy and sell prices at competitive levels on one or more trading venues.

Market makers must comply with best execution principles, risk management requirements and transparency obligations. They are also subject to transaction reporting and state supervision to prevent market manipulation. Failure to meet market-making obligations can result in regulatory sanctions, including fines or loss of licence.

Under MiFID II regulations, algorithmic trading regulations apply uniformly to investment firms, regardless of whether they are dealers or investment funds. Both must implement risk controls to prevent disorderly trading.

However, dealers and funds may operate under different regimes. Dealers trade on their own account, often as market makers, and usually require an investment firm licence. Investment funds manage client assets under UCITS or AIFMD, focusing on portfolio management rather than liquidity provision.

Despite structural differences, regulations focus on trading activities rather than entity type, ensuring market integrity across both models.

Regulations focus on firms, not individual programmers, developing trading algorithms. However, investment firms, particularly those engaged in HFT and algorithmic trading, must ensure compliance with MiFID II regulations and DORA, even when outsourcing software development.

Firms remain liable for the risk controls, security and compliance of their trading systems. While not directly regulated, programmers may face scrutiny if their algorithms facilitate market manipulation or system failures. Additionally, firms must assess service providers’ reliability and ensure adherence to regulatory and cybersecurity standards.

Insurtech companies mostly follow the same regulations as traditional insurers, operating under the Insurance and Reinsurance Activity Act and KNF supervision, with Solvency II ensuring capital adequacy and risk management.

Insurers must act in the customer’s best interest, comply with pre-contractual and contractual obligations and maintain transparent underwriting standards. Online underwriting for consumer insurance requires clear disclosures, explicit consent and strict compliance with consumer protection laws.

This framework allows insurtech firms to innovate, but within strict regulatory boundaries, ensuring fairness and risk transparency in underwriting.

All insurers operate under the Insurance and Reinsurance Activity Act, supervised by KNF. Life insurance requires stricter capital reserves and consumer protections, while property and casualty insurance follow different risk models. Solvency II and the Insurance Distribution Directive further differentiate capital requirements and distribution rules across insurance types.

Regtech providers are not directly regulated unless they engage in regulated financial activities such as AML monitoring or regulatory reporting. In these cases, they may require licensing or registration. Financial institutions using regtech solutions must comply with regulated outsourcing laws, which impose strict oversight on third-party providers (TPPs) handling critical functions. Firms remain fully responsible for compliance, ensuring service providers meet regulatory and operational standards.

DORA further strengthens cybersecurity and resilience requirements for ICT providers working with financial institutions. Outsourcing agreements must meet detailed legal requirements, covering audit rights, risk management, reporting obligations and termination conditions. These contractual terms ensure that financial firms maintain control over outsourced services, linking directly to performance and accuracy requirements.

Regulated outsourcing agreements in financial services must include detailed contractual provisions to ensure compliance, security and service reliability. Contracts define service levels, regulatory obligations and liability for breaches. Financial institutions must ensure that outsourced services meet legal requirements under MiFID II regulations, PSD2 and national financial laws.

DORA sets overarching cybersecurity and resilience requirements, but outsourcing regulations dictate specific contractual obligations. These requirements make compliance legally binding rather than a matter of market practice. Financial firms impose strict controls on regtech providers to mitigate risks and maintain regulatory oversight.

Traditional financial institutions in Poland are increasingly exploring blockchain to enhance security, efficiency and transparency. Many banks are testing blockchain-based solutions for digital documentation, compliance and settlement processes. The tokenisation of assets is gaining traction, allowing for fractional ownership and improved liquidity in capital markets.

A notable blockchain-based initiative is the durable medium technology developed by the KIR. This system integrates blockchain and WORM solutions to ensure secure and immutable storage of documents in online banking. Many banks and financial institutions have adopted this system to meet regulatory requirements.

Several legacy financial players are also members of the Blockchain and New Technologies Chamber, a non-governmental organisation supporting the adoption of blockchain. Meanwhile, the NBP is analysing blockchain’s potential in central bank digital currencies (CBDC).

Polish legislation is still adapting to MiCAR, with KNF set to oversee the crypto-asset market. A unified regulatory approach could strengthen blockchain adoption in the financial industry, fostering greater integration of DLT and compliance standards.

Polish regulators are actively shaping the legal framework for blockchain and cryptocurrency, with KNF preparing to oversee the crypto-assets market under MiCAR. However, Poland has not yet passed a national law implementing MiCAR, meaning that no entity currently holds CASP status in Poland and no one has been able to apply for a CASP licence either.

Work on implementing MiCAR is still ongoing and the proposed bill includes a complete ban on staking and crypto lending, although this provision is still being debated by the industry.

KNF supports blockchain-based innovation through its Innovation Hub, helping fintechs navigate compliance challenges. However, it does not function as a regulatory sandbox, meaning companies must still adhere to existing financial laws.

The NBP remains highly sceptical of cryptocurrencies, frequently warning about their volatility and speculative nature. Meanwhile, KNF’s 2020 guidelines on crypto-asset trading continue to emphasise high investment risks and the need for investor caution.

In Poland, the classification of blockchain assets follows MiCAR, which directly defines three classes of tokens: e-money tokens, asset-referenced tokens and other tokens (including utility tokens). Since MiCAR is directly applicable across the EU, Poland has not introduced additional classification rules.

Before MiCAR, there were no specific Polish regulations defining blockchain asset classifications and crypto-assets were generally assessed under existing financial and consumer protection laws. To date, there are no comprehensive official statements from Polish regulators regarding how tokens should be classified beyond the MiCAR framework.

In terms of security v non-security classification, Poland applies EU-wide regulations without national modifications, relying on MiFID II and ESMA guidelines.

Due to the limited number of token issuances in Poland before MiCAR, there is no well-established regulatory practice in this area. As a result, assessments are made on a case-by-case basis.

Under MiCAR, “issuers” of crypto-assets must publish a white paper outlining key details about the asset, issuer and risks. It must be submitted to KNF, although formal approval is only required for asset-referenced tokens and e-money tokens, which also face additional capital and governance requirements.

In Poland, regulations for “issuers” derive directly from MiCAR, with no significant national modifications. KNF will oversee compliance, but no issuer has been able to submit a white paper yet, as Poland has not passed the MiCAR implementation law.

Non-compliance with MiCAR can result in severe administrative sanctions, including fines, operational bans and restrictions on business activities. Additionally, CASPs such as exchanges and wallet providers must obtain authorisation and comply with AML/CFT regulations.

Under MiCAR, blockchain asset trading platforms are classified as CASPs and must obtain authorisation. They must comply with AML/CFT regulations, security standards and transparency requirements.

Cryptocurrency exchanges fall under MiCAR, requiring CASP registration and adherence to AML, transparency and consumer protection rules. However, Poland has not yet implemented MiCAR, meaning that no entity currently holds CASP status and no one has been able to apply for a CASP licence.

Poland follows MiCAR without significant national modifications. The upcoming Cryptoassets Act focuses on CASP registration rather than adding new obligations for trading platforms.

Secondary market trading, including intermediaries and P2P transactions, is subject to MiCAR. While P2P transactions remain decentralised, high-volume traders may need to register and comply with financial rules. KNF will oversee compliance, enforce regulations and impose sanctions to maintain market integrity.

Under MiCAR, EU member states have the authority to regulate staking services at the national level (Recital 94). Poland’s draft Cryptoassets Act proposes significant restrictions on staking, although the exact scope remains legally uncertain.

The wording of the draft law suggests that staking services provided by CASPs will generally be prohibited, with limited exceptions arising from the diversity of staking models.

The proposed ban has faced criticism from the market, with industry representatives arguing that MiCAR allows for regulation rather than prohibition. The legislative process is still ongoing, meaning that the final version of the law could maintain the ban, modify its scope or abandon it entirely.

Under MiCAR, EU member states have the authority to regulate crypto lending at the national level (Recital 94). Poland’s draft Cryptoassets Act explicitly bans crypto lending, making it one of the strictest regulatory approaches in the EU.

The prohibition is clearly stated in the draft law, leaving no room for interpretation.

The ban applies specifically to CASPs, meaning that regulated entities will not be allowed to grant crypto loans or facilitate lending transactions in any form.

The proposed ban has faced criticism from the market, with industry representatives arguing that MiCAR allows for regulation rather than prohibition. The legislative process is still ongoing, meaning that the final version of the law could maintain the ban, modify its scope or abandon it entirely.

Cryptocurrency derivatives fall under MiFID II regulations if they qualify as financial instruments. On 17 December 2024, ESMA’s Final Report (Annex III) outlined criteria for classifying crypto-assets as financial instruments.

If a derivative is based on a crypto-asset meeting these criteria, it is regulated under MiFID II regulations, requiring authorisation and compliance with investor protection rules. Otherwise, it may remain outside financial regulations, subject only to consumer protection laws.

Poland follows EU regulations without national modifications, assessing crypto-asset derivatives on a case-by-case basis.

DeFi is not currently explicitly regulated under EU or Polish law. ESMA’s October 2023 report highlights challenges in applying existing rules to decentralised systems that lack intermediaries. MiCAR and the DLT Pilot regime do not directly cover DeFi, leaving a regulatory gap.

In Poland, there are no dedicated regulations for DeFi and no established supervisory practice has yet developed. A DeFi service facilitating security token or crypto trading is not automatically exempt from regulation. If its activities fall under MiFID II regulations or AML laws, it may still have to comply.

There are currently no specific rules regarding investing in crypto-assets. Therefore, the general rules applied to investing funds apply.

Virtual currencies are legally defined under AML regulations, distinguishing them from other blockchain assets. The definition follows EU AML directives, recognising virtual currencies as a digital representation of value that is not issued or guaranteed by a central authority and does not have the status of legal tender.

The key difference between virtual currencies and other blockchain assets lies in their intended use. Virtual currencies are mainly used as a means of exchange or store of value, whereas blockchain assets can include security tokens, utility tokens or other financial instruments with broader applications.

NFTs are not explicitly regulated under Polish or EU financial laws. They are unique digital assets stored on a blockchain, typically representing ownership of digital or physical items.

However, only “true” NFTs, genuinely unique and non-interchangeable, fall outside financial regulations. If an NFT is not “truly unique”, it may be classified as a regular crypto-asset under MiCAR (potentially subjecting it to financial regulations).

PSD2 defines the regulatory framework for open banking in Poland, requiring banks to provide TPPs access to customer accounts via secure application programming interfaces (APIs). KNF enforces compliance and most banks use Berlin Group API standards. Poland has also introduced PolishAPI, a national standard developed by the Polish Bank Association to improve API integration and compliance.

Despite a strong fintech sector, challenges persist. Strict authentication rules complicate user experience, while API inconsistencies remain a barrier. Some banks have delayed or limited API functionality, treating open banking as a compliance obligation rather than an opportunity. Regulatory interventions have been necessary to enforce compliance.

PSD3 is expected to address these issues, introducing stricter oversight and standardised interfaces to improve API interoperability.

Banks and technology providers use encryption, tokenisation and strong customer authentication (SCA) to protect data in open banking. AI-driven fraud detection and transaction monitoring help ensure compliance with PSD2 and the GDPR. However, fintechs face barriers to accessing banking APIs and strict SCA rules impact user experience. Regulatory audits and industry collaboration seek to balance security and seamless transactions.

Fraud in fintechs includes identity theft, where criminals steal personal data to access bank accounts or secure loans. Phishing scams also pose a threat, with fraudsters impersonating banks or authorities to extract sensitive information through fake emails or calls.

Investment fraud remains a major risk, luring victims with promises of high returns on fictitious ventures, such as real estate or foreign markets, often leading to severe financial losses.

Polish regulators are focused on authorised push payment fraud, investment scams, crypto fraud and identity theft. Payment providers must detect suspicious transactions and warn users. Banks and fintechs face growing pressure to enhance AML measures, fraud detection and transaction monitoring to improve customer protection.

A fintech provider’s liability depends on its services and regulations. Under PSD2, fintechs offering payment services must use SCA, report breaches and compensate for unauthorised transactions unless proven otherwise.

Polish consumer protection laws favour refunds, ensuring strong customer rights. For unregulated services, liability is based on contracts and consumer laws. Fintechs may still be responsible for fraud, negligence or security failures, with regulators imposing sanctions for non-compliance.