The Evolution of the Fintech Market in Poland in 2025
Over the last 12 months, the Polish fintech market entered a phase of regulatory consolidation and execution. While 2024 was largely characterised by legislative design and policy debate at the EU level, 2025 marked the moment when key regulatory frameworks began to produce tangible operational, organisational and cost-related consequences for market participants.
This shift has been driven primarily by three interrelated regulatory developments: the application of the EU Digital Operational Resilience Act (DORA), the first full year of the EU Markets in Crypto-Assets Regulation (MiCA) in practice, and the gradual entry into force of the EU Artificial Intelligence Act. Together, these regimes are reshaping how fintechs in Poland design products, manage technology risk and structure their internal governance.
Outlook: What Will Shape the Market in the Next 12 Months
Looking ahead, the Polish fintech market is expected to be shaped primarily by the deepening practical application of existing regulatory regimes rather than by new legislative initiatives.
AI governance will become a central compliance topic as firms prepare for the next phases of the AI Act’s application, including more extensive obligations related to high-risk systems and general-purpose AI models.
At the same time, supervisory practice under DORA is likely to intensify, with greater attention paid to incident handling, testing outcomes and third-party risk management.
In the crypto-asset space, much will depend on whether and how the Polish legislature revisits the national framework following the presidential veto. The resolution of this issue will be critical for determining Poland’s long-term position within the EU crypto-asset market.
Overall, if 2024 was the year of regulatory architecture, 2025 can be seen as the year in which regulation began to meaningfully shape fintech operations in Poland, with the next 12 months likely to test the resilience, governance maturity and strategic flexibility of market participants.
Polish fintech companies operate through various models. Payments are the dominant sector, followed by online currency exchange and alternative lending. Banks also integrate fintech solutions, driving innovation.
Poland’s fintech landscape spans digital payments, alternative lending, wealth management, insurtech, regtech and blockchain-based financial services.
Digital Payments
Fintech firms develop infrastructure for seamless payment processing, mobile transactions and banking services. The sector is dominated by digital wallets, contactless payments and online banking.
Lending and Alternative Financing
Alternative lending platforms provide financing for consumers and SMEs using AI-driven risk assessment and alternative credit scoring. Peer-to-peer (P2P) lending, marketplace lending and buy now, pay later models enhance financial flexibility and reduce dependence on traditional banks.
Wealthtech and Investment Solutions
Wealth management platforms utilise automation, robo-advisers and algorithmic trading to optimise investment strategies. Retail investors gain access to diversified portfolios, fractional investing and alternative assets with lower entry barriers.
Insurtech and Digital Insurance Models
AI and data analytics enhance underwriting, claims processing and risk assessment. Insurance models adapt to consumer needs with personalised, usage-based and on-demand solutions, improving efficiency and customer experience.
Regtech and Compliance Automation
Regtech solutions help financial institutions meet changing legal requirements through automation, machine learning and blockchain verification. These tools streamline AML, KYC and risk management, reducing costs and enhancing compliance.
Blockchain-Based Financial Solutions
Blockchain is increasingly used in transaction security, smart contracts and decentralised finance (DeFi). Digital asset platforms support cross-border transactions, asset tokenisation and transparent record-keeping, reducing reliance on intermediaries.
Poland’s fintech industry operates within a regulatory framework shaped by both national legislation and EU regulations. Key regulatory bodies include the Polish Financial Supervision Authority (Komisja Nadzoru Finansowego or KNF), which oversees banking, lending, insurance and investment activities, and the Office of Competition and Consumer Protection (Urząd Ochrony Konkurencji i Konsumentów or UOKiK), which ensures consumer protection in financial services.
A key challenge in Poland remains the balance between EU regulations and local implementation. Additionally, Poland’s implementation of EU directives is often characterised by gold-plating, leading to stricter local requirements compared to minimum EU standards, which can increase compliance burdens for fintech firms.
This is especially true in crypto, where national authorities have yet to fully integrate MiCA into domestic law. This creates regulatory uncertainty for blockchain-based businesses operating in the country. This regulatory uncertainty has been further compounded by the lack of political and institutional consensus on the final shape of the national crypto-assets framework, as evidenced by the presidential veto of the crypto-assets bill adopted by the Polish parliament.
The regulatory regime applicable to the fintech industry varies according to particular verticals.
The compensation models employed by market participants to charge customers differ according to their regulatory status, the services they provide and their customer type. Different verticals must also comply with various regulatory requirements, including disclosure obligations. The two most commonly used compensation models are the commission-based model and the fee-based model.
Generally, regulated participants (eg, banks or payment institutions) are subject to various disclosure regimes, which cover specific pre-contractual and ongoing information requirements. Obligations are stricter if the service recipient is a consumer. This results from EU consumer protection laws (eg, the Consumer Credit Directive or the Distance Marketing of Consumer Financial Services Directive) which have been implemented into the Polish legal framework.
Traditional financial institutions and fintech companies must comply with financial regulations if their activities are within a regulated scope. However, traditional banks face stricter requirements under Basel III and Solvency II, and broader capital and risk rules.
Fintech firms often navigate regulatory uncertainty due to innovative services that may not fit existing frameworks. The Polish authorities address this through the Innovation Hub and sandbox environments, offering guidance and supervised testing with reduced compliance burdens.
Some fintech models exploit regulatory gaps to avoid licensing, particularly in crypto, DeFi and alternative payments. While fostering innovation, this raises consumer-protection and financial-stability concerns. Regulators are assessing these models, with potential future legislation expanding oversight.
In 2019, KNF developed an Innovation Hub Programme to allow fintech companies to test new solutions in a controlled environment, ensuring compliance with legal standards while fostering innovation. The aim was to promote the introduction of innovative technologies into the Polish financial market and test them in a safe environment. Another aim of the programme was to improve communication with legacy players and fintech companies.
Poland’s Innovation Hub does not provide exemptions from financial regulations, but instead offers regulatory guidance and support for fintech firms navigating compliance requirements. Eligible participants include start-ups, financial institutions and technology providers developing innovative solutions. Applicants must demonstrate that their solutions involve a high degree of innovation and have potential benefits for the financial sector.
A key advantage of the programme is enhanced communication between fintechs, legacy financial institutions and regulators, allowing for a more flexible regulatory approach while maintaining market stability. Although Poland has not yet introduced a full-scale sandbox that grants temporary regulatory relief, the Innovation Hub serves as a stepping stone towards a more structured fintech-friendly regulatory framework.
KNF is the primary financial regulator, overseeing banks, payment operators and investment firms, as well as AML and CFT compliance. Under the proposed Crypto-Assets Act, which was adopted by parliament but subsequently vetoed by the president, KNF was designated as the competent authority for supervising the crypto-asset market.
The General Inspector of Financial Information (the “GIIF”), operating under the Ministry of Finance, enforces AML/CFT regulations, monitors transactions and co-operates with law enforcement to combat financial crime.
Other key regulators include UOKiK, which ensures fair competition and consumer protection, and the National Bank of Poland (NBP), which is responsible for monetary policy and financial stability.
The Ministry of Finance oversees financial legislation and tax policy.
Polish regulators collaborate with EU bodies like the European Central Bank (ECB), the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA), which oversee major financial institutions and ensure market stability.
KNF does not issue formal “no-action” letters. However, market participants can seek regulatory guidance on the compliance of their planned activities by asking for a written opinion from the regulator. While these opinions are not legally binding, they help reduce regulatory risk by clarifying supervisory expectations.
Unlike “no-action” letters in other jurisdictions, these opinions do not guarantee immunity from enforcement actions, as the regulator retains discretion to intervene if needed. However, this approach supports innovation while ensuring regulatory compliance.
Additionally, the regulator provides informal guidelines to market participants. These so-called “soft laws” provide essential insights into whether a particular activity aligns with regulatory requirements. The participants may expect that fulfilling those guidelines will result in no negative actions from the regulator.
Outsourcing regulated functions to external service providers is permitted but subject to strict requirements, which vary depending on the nature of the outsourced activity (eg, investment or payment services).
Several general principles apply across nearly all regulated financial services. These principles primarily derive from the Act on Supervision of the Securities Market, the Revised Payment Services Directive (PSD2) and DORA, as well as EU-level outsourcing guidelines, including the EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02), the ESMA Guidelines on outsourcing to cloud service providers (ESMA50-157-2403) and related domestic laws.
Regulated entities must consider and address all the risks associated with outsourcing arrangements before proceeding. This requires thorough due diligence on potential service providers to ensure they possess the appropriate skills, experience and resources to perform the outsourced services effectively.
Furthermore, regulated entities must have a written outsourcing policy in place and ensure that outsourcing arrangements do not compromise their ability to fulfil legal obligations or hinder the competent authority’s ability to supervise them. Significantly, outsourcing does not relieve the regulated entity of responsibility to clients or third parties to deliver regulated services.
Additionally, a written outsourcing agreement must be established between the regulated entity and the service provider, including specific mandatory provisions covering aspects such as data protection, security, the right of the regulated entity and KNF to monitor and audit the outsourcing provider and termination rights. Stricter requirements apply when outsourcing critical functions like risk management, ICT or AML.
While outsourcing to a regulated entity is not always required, it is often preferable, as such providers are already subject to supervisory controls, reducing compliance risks.
Fintech providers are considered “gatekeepers” in certain regulatory areas, particularly under AML/CFT legislation. They are required to conduct customer due diligence (KYC), monitor transactions and report suspicious activities to the relevant authorities. These obligations help ensure the legality, security and integrity of financial activities on fintech platforms.
Additionally, depending on their business model, some fintech companies may have broader consumer protection and market integrity responsibilities, such as preventing fraud or unauthorised financial activities. The Digital Markets Act introduces further obligations for large fintech platforms that could be designated as “gatekeepers” under EU law, potentially subjecting them to stricter compliance and operational transparency requirements.
While fintech providers have significant compliance responsibilities, their liability for user activities depends on the nature of their services and whether they actively facilitate or merely provide access to financial transactions.
National supervisory authorities enforce regulations in the fintech sector to ensure market integrity and consumer protection. The most severe measure is licence revocation or suspension, which can be imposed for serious violations of regulatory requirements. Regulators also impose penalties and fines on non-compliant fintech firms, serving as a deterrent against breaches of financial regulations. Additionally, supervisory authorities can mandate corrective measures, such as improving internal controls, enhancing security protocols or modifying business practices to align with regulatory standards.
For example, in a recent case, the largest online currency exchange group in Poland had its payment institution licence revoked by the regulator due to non-compliance with supervisory requirements. This decision forced the company to cease certain operations, leading to severe financial difficulties and a real threat of insolvency.
Polish regulators focus heavily on AML/CFT procedures, increasing penalties when AML regulations are not properly implemented or handled. One of the fines for AML non-compliance reached nearly PLN22 million (approximately EUR5.2 million) in 2022.
Market observers conclude that obtaining licences from local regulators is consistently becoming more complex, time consuming and labour intensive.
Data Protection
The GDPR requires fintechs to apply privacy by design principles to minimise the amount of data processed and properly handle consumers’ personal data. In addition, some industry participants are subject to the EU Data Act, which focuses on data sharing and compensation mechanisms.
Cybersecurity
Cybersecurity regulations, such as the NIS2 Directive and DORA, add further complexity. These laws mandate robust cybersecurity measures, operational resilience and incident reporting requirements for financial entities. Fintechs must demonstrate their ability to withstand and recover from ICT-related disruptions and manage third-party risks, particularly when relying on cloud providers.
This poses a challenge for fintechs, which must prioritise agile development and third-party technologies that are harder to control. Legacy players, by contrast, often have larger budgets, dedicated compliance teams and established security infrastructures, giving them an advantage in meeting these requirements.
Alongside institution-level cybersecurity and operational resilience requirements introduced by DORA, the EU Cyber Resilience Act will add a complementary layer of regulation focused on the security of digital products themselves. Unlike DORA, which addresses organisational processes and governance, the Cyber Resilience Act targets software and hardware used in the delivery of financial services. As a result, fintechs will need to consider not only their internal resilience and third-party risk management, but also the cybersecurity standards applicable to the technological products on which their services are built.
Crypto-Assets Regulation
MiCA recently came into force in Poland to regulate the crypto-assets market. See 10. Blockchain.
Social Media
The Digital Services Act establishes rules for online platforms, including social media, to prevent the spread of illegal content and ensure transparency in advertising. Fintechs must disclose sponsored content and advertising practices, moderate user-generated content and avoid misleading or harmful information. Fintechs relying heavily on social media marketing face additional compliance costs related to content moderation and transparency. In contrast, traditional banks and financial institutions tend to adopt more conservative marketing practices. They are less reliant on social media, which reduces their exposure to Digital Services Act-related compliance risks.
Consumer Protection
Polish consumer protection legislation, such as the Consumer Credit Act or the Competition and Consumer Protection Act, is also relevant for fintech industry participants who target consumers.
In addition, recent EU-level consumer law reforms will increasingly affect fintech products and customer journeys. Directive (EU) 2023/2673 introduces enhanced transparency and withdrawal requirements for financial services offered through digital channels, while Directive (EU) 2023/2225 (CCD2) updates the consumer credit framework to reflect digital distribution models, including certain short-term and “buy now, pay later” (BNPL)-type products, with practical application expected from 2026.
Most fintech companies or regulated operations must provide financial statements reviewed by qualified external auditing firms. Additionally, other entities like banks, payment institutions or investment firms must prepare proper special risk management plans, conduct regular due diligence and perform internal audits.
Most banks, payment institutions and investment firms must develop risk management frameworks, conduct due diligence and perform internal audits to identify financial and operational risks.
While audits and risk controls are legally required, many fintechs adopt stricter cybersecurity, fraud detection and compliance monitoring standards, especially for cross-border operations.
Regulatory oversight of the fintech sector is primarily conducted by state supervisory authorities, with internal audits within regulated entities playing a key role in ensuring risk management and regulatory adherence. The involvement of non-state external organisations, such as industry associations or self-regulatory bodies, remains minimal in the fintech sector. Formal state supervision and internal governance structures within regulated firms largely shape Poland’s fintech landscape.
Operating regulated and unregulated activities in parallel is generally permitted, provided all legal and regulatory requirements are met. Supervisory authorities accept this model, provided that the unregulated activity does not compromise the regulated business’s integrity, stability or compliance. Firms must ensure clear governance structures, risk management frameworks and regulatory separation where necessary to prevent conflicts and maintain compliance.
The obligation to comply with AML/CFT regulations does not depend on whether a fintech company is regulated or unregulated. Regulatory classification is determined by other legal frameworks, while AML obligations arise from the nature of the activities performed rather than the regulatory status of the entity.
AML and sanctions rules heavily impact fintech companies, requiring them to implement strict customer due diligence, transaction monitoring and reporting mechanisms. Strict compliance measures increase operational costs, requiring investment in compliance teams and automated monitoring systems. Fintech firms must also adapt to evolving regulatory requirements, including expanding lists of sanctioned entities and changes in risk assessment methodologies.
Poland follows the AML and CFT standards set by the Financial Action Task Force (FATF). Polish AML legislation is aligned with FATF recommendations and shaped by EU directives, ensuring compliance with international best practices.
Additionally, Poland is subject to Moneyval evaluations, a Council of Europe mechanism that assesses AML/CFT measures in certain European jurisdictions. Recent evaluations indicate that Poland is progressively strengthening its AML framework, incorporating FATF recommendations to enhance financial security and tackle illicit financial activities.
It is possible to provide regulated fintech products or services from another jurisdiction outside the EU on a reverse solicitation basis, but only under narrow and strictly defined conditions. In essence, domestic regulatory licensing requirements will not be triggered if a Polish client independently initiates contact for a specific service from a service provider in another jurisdiction if the provider has not engaged in any marketing or other solicitations targeting Poland.
However, the relationship must be solely initiated by the Polish client. The fintech company must be able to document and prove that the client contacted them of their own accord, without any prior proactive outreach by the provider. The precise application of reverse solicitation can vary depending on the type of fintech product or service, such as those falling under MiFID II regulations for investment services or other specific regimes (for instance, payment services or crypto-related activities).
Although regulations on reverse solicitation are relatively clear, market practice shows that many foreign entities violate these requirements, operating in ways that contradict regulatory restrictions. This is not just a challenge in Poland but across the whole of the EU, where enforcement remains difficult.
Ensuring compliance is particularly complex due to the digital nature of service offerings, allowing firms to reach Polish clients without a local presence or licence. While EU and Polish regulators actively work to enforce reverse solicitation rules, this remains a high-risk area for regulatory breaches and supervisory challenges.
Fintech companies utilising robo-advisers must adapt their business models based on the asset class they support. Traditional financial instruments, such as stocks and bonds, fall under MiFID II regulations, requiring strict risk profiling and investor suitability checks. Security tokens, classified as financial instruments, impose additional licensing and transparency obligations. Cryptocurrencies and utility tokens, regulated under MiCA, require compliance with AML/CFT rules and enhanced risk disclosures.
Integrating digital assets into robo-advisory services presents challenges such as price volatility, liquidity management and secure custody, requiring fintechs to align their models with evolving regulations.
Legacy financial institutions are integrating robo-advisory solutions through hybrid models, where AI-driven recommendations complement human advisers. Many are launching in-house robo-advisers or partnering with fintechs for automated portfolio management and AI-driven customer engagement.
Best execution ensures trades occur under the most favourable conditions, considering price, speed, costs and market factors.
A major challenge is order routing transparency, requiring robo-advisers to avoid conflicts of interest and ensure client-focused execution. Liquidity fragmentation across exchanges can lead to price discrepancies, complicating best execution.
Market impact and slippage can affect execution quality, especially in volatile or illiquid markets. Robo-advisers must optimise execution algorithms to minimise delays and adapt to market shifts. Compliance with MiFID II regulations requires transparent execution policies, monitoring and reporting to ensure regulatory adherence.
Poland’s commercial lending regulation varies significantly depending on the type of borrower.
Consumers and SMEs
Consumer lending is subject to strict regulations to protect individual borrowers from abusive and unfair practices. The primary legal framework governing these loans is the Consumer Credit Act, which mandates transparency in loan agreements, ensuring consumers receive clear and comprehensive information before signing any contract. This includes pre-contractual disclosures, standardised contract requirements and cost limitations such as interest rates and fees. Additionally, consumer protection laws impose restrictions on collateral, preventing lenders from demanding excessive or disproportionate security, particularly in personal loans. These measures ensure that consumers are not exposed to excessive financial risk when obtaining credit.
SMEs run by natural persons may also be considered consumers under consumer legislation. If the lease is not a part of the central business activity of the enterprise, the trader falls under the consumer category. However, if an SME does not qualify for consumer protection, the lending relationship is treated as B2B, and the regulatory framework for commercial lending (B2B) applies.
Poland is in the process of updating its consumer lending regime to implement CCD2 (Directive (EU) 2023/2225) and the revised EU rules on the distance marketing of financial services (Directive (EU) 2023/2673). A draft new Consumer Credit Act published in July 2025 is intended to replace the current 2011 Act, with the new rules to be applied in line with EU timelines. These reforms are expected to expand the scope of regulated consumer lending, strengthen affordability assessments and information requirements, and increase scrutiny of digital distribution models, including short-term and BNPL-type products.
Commercial Lending (B2B)
In contrast, commercial lending operates under a more flexible regulatory framework. Unlike consumer loans, B2B lending allows larger companies and lenders to negotiate terms more freely, as commercial entities are generally expected to have more significant financial expertise and bargaining power. Despite this flexibility, lenders must still comply with applicable financial laws, particularly regarding contractual fairness, transparency and enforcement of obligations. Unlike consumer loans, commercial loans have fewer restrictions on collateral requirements, allowing lenders to secure financing through a broader range of assets.
The underwriting process varies based on loan type (consumer, SME or commercial) and follows regulatory requirements.
KYC Protocols
The underwriting process typically begins with identity verification and fraud prevention. Online lenders employ electronic identity verification systems, multifactor authentication and KYC protocols to confirm a borrower’s identity.
AML/CFT
AML and CFT laws require robust monitoring and reporting mechanisms to detect suspicious financial activities.
Creditworthiness Assessment
Poland has a centralised credit system, including BIK (Credit Bureau) and BIGs (Economic Information Bureaus). BIK compiles credit data from financial institutions, while BIGs track negative credit histories from utilities and telecom providers. Lenders rely on both sources to assess risk.
Consumer Lending
As outlined in 4.1 Differences in the Business or Regulation of Fiat Currency Loans Provided to Different Entities, consumer lending is subject to stricter underwriting requirements. Lenders must provide detailed pre-contractual disclosures, ensure loan affordability assessments and comply with interest rate caps and fee limitations. These measures are designed to protect individual borrowers from excessive debt burdens.
Commercial Lending (B2B)
For business loans, the underwriting process is more flexible and allows for negotiation of terms between the lender and borrower. While large enterprises may be assessed based on financial statements, cash flow projections and collateral, SMEs are often subject to hybrid models that blend consumer and business lending criteria.
Online lenders finance their loan portfolios through several key sources, including P2P lending, lender-raised capital, deposit-taking and securitisation. Each funding method has distinct legal and regulatory considerations shaping these entities’ operations.
P2P Lending
P2P lending platforms facilitate direct lending between individual investors and borrowers and are regulated under the European Crowdfunding Service Providers Regulation (the “ECSP Regulation”). These platforms must comply with investor protection rules, risk transparency requirements and AML/CFT regulations. However, P2P lenders cannot accept deposits or offer deposit insurance, making it clear that risk disclosure is essential to maintaining investor confidence.
Lender-Raised Capital
Many online lenders finance their operations through venture capital, private equity or institutional funding. Securities laws regulate this model, requiring full compliance with Polish and EU financial regulations, including disclosure obligations and transparency standards. If funds are raised through bond issuance or share offerings, additional capital market regulations apply, requiring oversight by financial regulators.
Deposit-Taking
Only licensed financial institutions, such as banks and certain regulated credit institutions, can legally accept deposits from the public. Deposit-taking lenders are subject to strict regulatory oversight, including compliance with capital adequacy requirements, consumer protection laws and deposit guarantee schemes. Online lenders without a banking licence cannot accept deposits, limiting their funding options.
Securitisation
Some lenders package their loan portfolios into securitised financial instruments that are sold to institutional investors or on asset-backed securities (ABS) markets. Securitisation must comply with the EU Securitisation Regulation, ensuring risk retention, investor disclosures and transparency in structured finance transactions. While securitisation allows lenders to expand their loan capacity, it requires strict risk management and reporting mechanisms.
Loan syndication is legally permissible and is primarily used for large corporate or infrastructure loans. It allows multiple lenders to share risk and expand lending capacity, typically involving major banks rather than fintech lenders or online platforms.
Although syndication occurs, it remains relatively uncommon in the Polish market, where bilateral lending structures and direct institutional financing are more prevalent.
The process is regulated by the Polish Civil Code and the Banking Law Act, ensuring contractual transparency and a structured framework for multi-lender agreements.
General
Payment processors are free to use existing payment rails or develop new ones, provided they comply with financial regulations. Any new payment infrastructure must receive authorisation from KNF to ensure compliance with PSD2, AML and CFT requirements.
While integrating with established payment systems is often more efficient and widely accepted, innovative solutions such as blockchain-based payment systems or alternative clearing mechanisms can be introduced, provided they meet regulatory standards and obtain the necessary approvals.
BLIK
BLIK is a notable example of a locally developed payment rail in Poland. It is a domestic mobile payment system that transforms cashless transactions, operating independently of global payment networks (legacy card systems operators). It provides an alternative infrastructure for real-time digital payments and offers seamless integration with the Polish banking system.
BLIK supports in-store and e-commerce payments, where customers authenticate transactions using a one-time code. It also allows ATM withdrawals and cash deposits without a physical card. Users can make P2P transfers using just a phone number and process instant bank transfers between accounts. The system enables recurring payments for subscriptions, bills and transactions via QR codes, facilitating seamless integration with online and offline merchants. It recently introduced a contactless payment feature using near-field communication (NFC) technology, enabling mobile payments without a traditional payment card.
BLIK originated as a domestic Polish payment system and remains primarily focused on the local market, although initial cross-border expansion (notably to Slovakia) has already begun. Since its launch, it has become one of the country’s most widely used payment methods, surpassing card transactions in mobile banking apps. While currently limited to the domestic market, discussions about its potential expansion to other European countries or integration with international payment networks are ongoing.
National and EU financial laws regulate Poland’s cross-border payments and remittances. Since Poland is a part of the Single Euro Payments Area (SEPA), the SEPA Regulation also applies. This regulation allows relevant cross-border cashless payments in euros to be made similarly to domestic ones. The SEPA Regulation applies to all payments across the EU and several non-EU countries.
Strict AML measures require customer due diligence and the use of KYC protocols.
The execution and settlement of cross-border payments do not raise significant regulatory concerns, as the existing framework remains stable and well defined. The primary focus of regulatory oversight is on AML and CFT compliance, ensuring transparency, risk mitigation and the prevention of illicit financial activities.
Poland’s fintech market allows various types of marketplaces and trading platforms, each subject to specific regulatory frameworks.
Traditional Stock Exchanges
Traditional stock exchanges, such as the Warsaw Stock Exchange (WSE), operate under the supervision of KNF and must comply with MiFID II regulations and the Act on Trading in Financial Instruments, ensuring transparency, investor protection and fair market practices.
In addition to the main stock exchange, Poland has NewConnect, an alternative trading system designed for small and medium-sized enterprises seeking capital that has fewer regulatory requirements than the WSE’s main market. Meanwhile, Catalyst serves as Poland’s regulated market for corporate and municipal bonds, facilitating both retail and wholesale bond trading while ensuring compliance with MiFID II regulations and national securities laws.
Cryptocurrency Exchanges
See 10. Blockchain.
Forex and CFD Trading/Platforms
Forex and CFD trading platforms operate under MiFID II regulations, offering leveraged financial instruments such as contracts for difference (CFDs) and currency trading (Forex). These platforms must be licensed by KNF or another EU regulator under the passporting regime. Many retail trading platforms in this segment operate under foreign licences, although they remain subject to Polish consumer protection and financial market regulations.
Crowdfunding Platforms
Crowdfunding platforms, while facilitating investments, differ from traditional trading platforms as they do not provide active secondary market trading. They operate under the ECSP Regulation and allow investors to participate in equity crowdfunding (acquiring shares in start-ups and SMEs) or debt/lending crowdfunding (financing businesses through loans). Unlike stock exchanges, these platforms lack liquidity and secondary market mechanisms, meaning investors hold assets until a liquidity event, such as an acquisition or buyback.
Others
Other trading platforms, such as multilateral trading facilities (MTFs) and organised trading facilities (OTFs), are also permitted. They operate under MiFID II regulations and require appropriate licensing and compliance with the best execution and market integrity standards.
The regulatory frameworks for traditional securities and crypto-assets differ significantly, reflecting the distinct nature of these financial instruments.
Traditional Securities
Traditional securities, such as stocks and bonds, are primarily governed by the Polish Act on Trading in Financial Instruments. This Act aligns with MiFID II regulations, ensuring standardised regulation across EU member states. KNF oversees activities related to these financial instruments, enforcing compliance with established financial market laws.
Crypto-Assets
A harmonised EU regulatory framework for crypto-assets was introduced with the full application of MiCA in 2024. This regulation establishes a comprehensive EU-wide framework for crypto-assets and related services. MiCA separates crypto-assets into three classes: asset-referenced tokens, e-money tokens and other tokens (including utility tokens).
Poland has not yet adopted national implementing legislation for MiCA, as the crypto-assets bill passed by parliament was vetoed by the president.
See 10. Blockchain.
The emergence of cryptocurrency exchanges, both centralised and decentralised, has led to significant regulatory developments in Poland and the EU more broadly.
As mentioned in 6.2 Regulation of Different Asset Classes, the EU introduced MiCA to regulate emerging cryptocurrency exchanges, both centralised and decentralised. However, Poland is still working on the legislation to implement national rules and procedures.
See 10. Blockchain.
Listing standards for shares, bonds and crypto-assets differ significantly. Listing financial instruments on trading venues is highly regulated, mainly by the Act on Public Offering, Conditions Governing the Introduction of Financial Instruments to Organised Trading and on Public Companies, the Act on Trading in Financial Instruments and the Act on Supervision of the Securities Market.
Polish legislation requires trading venue operators to have transparent rules for trading, admission of financial instruments to trading and access to the trading venue. The criteria used on their systems must be objective. Furthermore, the trading rules must ensure fair and orderly trading.
While traditional financial instruments are subject to well-established regulatory frameworks, crypto-assets are governed under the EU’s MiCA, which introduces a new set of listing requirements. As Poland has yet to finalise the national implementation of MiCA, crypto-asset listing standards remain in transition, with further details expected upon full regulatory adoption.
Order handling rules apply to regulated financial markets, including securities and derivatives trading under MiFID II regulations. These rules ensure execution under the best terms, transparency and fair client treatment. Brokers must prioritise price, speed and cost while avoiding conflicts of interest.
KNF also sets specific order-handling rules for regulated markets, MTFs and OTFs.
P2P trading platforms are growing but remain smaller than traditional exchanges. They are mainly used by individual traders and offer privacy and diverse payment methods but have lower liquidity.
P2P trading reduces intermediaries, prompting fintechs to adopt hybrid models. Regulators face AML/CFT and investor protection challenges, as many P2P platforms lack KYC oversight, increasing risks. While P2P crypto-trading influenced DeFi regulations, its market impact remains limited. As regulations evolve, its remit may expand.
Payment for order flow (PFOF) is restricted under MiFID II regulations, as it conflicts with best execution principles. Recent amendments introduce a complete phase-out by 30 June 2026.
PFOF has never been widely adopted in Poland, as KNF strictly enforces best execution rules. Polish brokers generally avoid PFOF, meaning the 2026 ban will have little impact on the domestic market.
Market integrity and market abuse regulations fall under the European Market Abuse Regulation (MAR), which is enforced alongside the Act on Trading in Financial Instruments and the Penal Code. KNF oversees compliance and sanctions.
Prohibited practices include insider trading and market manipulation, such as inflating volumes or spreading misleading price signals. UOKiK also monitors abuses affecting retail investors.
The regulation ensures fair competition, investor protection and market stability. KNF actively supervises trading and issues public warnings about suspected market abuse.
High-frequency trading (HFT) and algorithmic trading are regulated under MiFID II regulations, requiring firms to register with KNF and meet market-making obligations for transparent trading.
Firms must implement risk controls, trading thresholds and continuity plans to ensure compliance. Trading venues must provide fair access and monitor market abuses linked to HFT strategies.
Regulations apply across equities, bonds and derivatives, although risk controls vary by market structure and liquidity, with bond markets requiring different safeguards than equities.
Under the Act on Trading in Financial Instruments, investment firms acting as market makers must obtain a broker’s licence from KNF. Their role is to provide continuous liquidity by regularly offering buy and sell prices at competitive levels on one or more trading venues.
Market makers must comply with best execution principles, risk management requirements and transparency obligations. They are also subject to transaction reporting and state supervision to prevent market manipulation. Failure to meet market-making obligations can result in regulatory sanctions, including fines or loss of licence.
Under MiFID II regulations, algorithmic trading regulations apply uniformly to investment firms, regardless of whether they are dealers or investment funds. Both must implement risk controls to prevent disorderly trading.
However, dealers and funds may operate under different regimes. Dealers trade on their own account, often as market makers, and usually require an investment firm licence. Investment funds manage client assets under Undertakings for Collective Investment in Transferable Securities (UCITS) or the Alternative Investment Fund Managers Directive (AIFMD), focusing on portfolio management rather than liquidity provision.
Despite structural differences, regulations focus on trading activities rather than entity type, ensuring market integrity across both models.
Regulations focus on firms developing trading algorithms, and not individual programmers. However, investment firms, particularly those engaged in HFT and algorithmic trading, must ensure compliance with MiFID II regulations and DORA, even when outsourcing software development.
Firms remain liable for the risk controls, security and compliance of their trading systems. While not directly regulated, programmers may face scrutiny if their algorithms facilitate market manipulation or system failures. Additionally, firms must assess service providers’ reliability and ensure adherence to regulatory and cybersecurity standards.
Insurtech companies mostly follow the same regulations as traditional insurers, operating under the Insurance and Reinsurance Activity Act and KNF supervision, with Solvency II ensuring capital adequacy and risk management.
Insurers must act in the customer’s best interest, comply with pre-contractual and contractual obligations, and maintain transparent underwriting standards. Online underwriting for consumer insurance requires clear disclosures, explicit consent and strict compliance with consumer protection laws.
This framework allows insurtech firms to innovate, but within strict regulatory boundaries, ensuring fairness and risk transparency in underwriting.
All insurers operate under the Insurance and Reinsurance Activity Act, supervised by KNF. Life insurance requires stricter capital reserves and consumer protections, while property and casualty insurance follow different risk models. Solvency II and the Insurance Distribution Directive further differentiate capital requirements and distribution rules across insurance types.
Regtech providers are not directly regulated unless they engage in regulated financial activities such as AML monitoring or regulatory reporting. In these cases, they may require licensing or registration. Financial institutions using regtech solutions must comply with regulated outsourcing laws, which impose strict oversight on third-party providers (TPPs) handling critical functions. Firms remain fully responsible for compliance, ensuring service providers meet regulatory and operational standards.
DORA further strengthens cybersecurity and resilience requirements for ICT providers working with financial institutions. Outsourcing agreements must meet detailed legal requirements, covering audit rights, risk management, reporting obligations and termination conditions. These contractual terms ensure that financial firms maintain control over outsourced services, linking directly to performance and accuracy requirements.
Regulated outsourcing agreements in financial services must include detailed contractual provisions to ensure compliance, security and service reliability. Contracts define service levels, regulatory obligations and liability for breaches. Financial institutions must ensure that outsourced services meet legal requirements under MiFID II regulations, PSD2 and national financial laws.
DORA sets overarching cybersecurity and resilience requirements, but outsourcing regulations dictate specific contractual obligations. These requirements make compliance legally binding rather than a matter of market practice. Financial firms impose strict controls on regtech providers to mitigate risks and maintain regulatory oversight.
Traditional financial institutions in Poland are increasingly exploring blockchain to enhance security, efficiency and transparency. Many banks are testing blockchain-based solutions for digital documentation, compliance and settlement processes. The tokenisation of assets is gaining traction, allowing for fractional ownership and improved liquidity in capital markets.
A notable blockchain-based initiative is the durable medium technology developed by the National Clearing House or KIR (a state-owned company). This system integrates blockchain and “write once, read many” (WORM) solutions to ensure secure and immutable storage of documents in online banking. Many banks and financial institutions have adopted this system to meet regulatory requirements.
Several legacy financial players are also members of the Blockchain and New Technologies Chamber, a non-government organisation supporting the adoption of blockchain. Meanwhile, the NBP is analysing blockchain’s potential in central bank digital currencies (CBDC).
Polish legislation still needs to adapt to MiCA (since the crypto-assets act adopted by parliament was subsequently vetoed by the president). KNF is presently designated as the competent authority responsible for supervision of the crypto-asset market. A unified regulatory approach could strengthen blockchain adoption in the financial industry, fostering greater integration of DLT and compliance standards.
Polish regulators are actively shaping the legal framework for blockchain and cryptocurrency, with KNF preparing to oversee the crypto-assets market under MiCA. However, Poland has not yet passed a national law implementing MiCA, meaning that no entity currently holds crypto-asset service provider (CASP) status in Poland and no one has been able to apply for a CASP licence either.
The crypto-assets act, adopted by parliament but vetoed by the president, proposed extensive restrictions, including a ban on staking and crypto-lending, reflecting ongoing regulatory uncertainty around MiCA implementation in Poland.
KNF supports blockchain-based innovation through its Innovation Hub, helping fintechs navigate compliance challenges. However, it does not function as a regulatory sandbox, meaning companies must still adhere to existing financial laws.
The NBP remains highly sceptical of cryptocurrencies, frequently warning about their volatility and speculative nature. Meanwhile, KNF’s 2020 guidelines on crypto-asset trading continue to emphasise high investment risks and the need for investor caution.
In Poland, the classification of blockchain assets follows MiCA, which directly defines three classes of tokens: e-money tokens, asset-referenced tokens and other tokens (including utility tokens). Since MiCA is directly applicable across the EU, Poland has not introduced additional classification rules.
Before MiCA, there were no specific Polish regulations defining blockchain asset classifications, and crypto-assets were generally assessed under existing financial and consumer protection laws. To date, there have been no comprehensive official statements from Polish regulators regarding how tokens should be classified beyond the MiCA framework.
In terms of security versus non-security classification, Poland applies EU-wide regulations without national modifications, relying on MiFID II and ESMA guidelines.
Due to the limited number of token issuances in Poland before MiCA, there is no well-established regulatory practice in this area. As a result, assessments are made on a case-by-case basis.
Under MiCA, “issuers” of crypto-assets must publish a white paper outlining key details about the asset, issuer and risks. It must be submitted to KNF, although formal approval is only required for asset-referenced tokens and e-money tokens, which also face additional capital and governance requirements.
In Poland, the regulatory regime for crypto-asset issuers derives directly from MiCA, which is fully applicable at the EU level. However, the absence of adopted national implementing legislation – following the presidential veto of the crypto-assets act passed by parliament – has created practical uncertainty as to supervisory procedures and local enforcement, including the role of KNF in the formal review of white papers.
Non-compliance with MiCA can result in severe administrative sanctions, including fines, operational bans and restrictions on business activities. Additionally, CASPs such as exchanges and wallet providers must obtain authorisation and comply with AML/CFT regulations.
Tokenisation of real-world assets (RWA) is an emerging area of the Polish fintech market, driven by interest in fractionalisation and broader investor access to traditionally illiquid assets. In practice, however, many RWA structures face legal constraints linked to formal transfer requirements under Polish law and the legal character of the tokenised rights; where tokens represent transferable securities or other financial instruments (eg, tokenised shares or bonds), such projects typically fall within the scope of MiFID II. Additional uncertainty stems from the absence of adopted national MiCA-related legislation.
Under MiCA, blockchain asset trading platforms are classified as CASPs and must obtain authorisation. They must comply with AML/CFT regulations, security standards and transparency requirements.
Cryptocurrency exchanges fall under MiCA, requiring CASP registration and adherence to AML, transparency and consumer protection rules. However, Poland has not yet implemented MiCA, meaning that no entity currently holds CASP status and no one has been able to apply for a CASP licence.
MiCA applies directly in Poland without material national deviations. The vetoed Polish crypto-assets act was intended mainly to establish supervisory procedures and CASP registration, rather than to introduce additional substantive obligations for trading platforms.
Secondary market trading, including intermediary and P2P transactions, is subject to MiCA. While P2P transactions remain decentralised, high-volume traders may need to register and comply with financial rules. KNF oversees compliance, enforces regulations and imposes sanctions to maintain market integrity.
Under MiCA, EU member states have the authority to regulate staking services at the national level (Recital 94). The Polish crypto-assets act vetoed by the president contained far-reaching restrictions on staking services provided by CASPs. As the bill did not come into force, these restrictions are not currently applicable, and the future approach to staking under Polish law remains open.
Under MiCA, EU member states have the authority to regulate crypto-lending at the national level (Recital 94). The Polish crypto-assets act vetoed by the president contained an explicit ban on crypto-lending activities provided by CASPs. As the bill did not come into force, this prohibition is not currently applicable, and the future regulatory approach to crypto-related lending under Polish law remains open.
Cryptocurrency derivatives fall under MiFID II regulations if they qualify as financial instruments. On 17 December 2024, ESMA’s Final Report (Annex III) outlined criteria for classifying crypto-assets as financial instruments.
If a derivative is based on a crypto-asset meeting these criteria, it is regulated under MiFID II regulations, requiring authorisation and compliance with investor protection rules. Otherwise, it may remain outside financial regulations, subject only to consumer protection laws.
Poland follows EU regulations without national modifications, assessing crypto-asset derivatives on a case-by-case basis.
DeFi is not currently explicitly regulated under EU or Polish law. ESMA’s October 2023 report highlights challenges in applying existing rules to decentralised systems that lack intermediaries. MiCA and the DLT Pilot regime do not directly cover DeFi, leaving a regulatory gap, which was reaffirmed by a joint ESMA–EBA report in January 2025 identifying DeFi as a niche segment associated with heightened ICT and AML/CFT risks, rather than an area subject to imminent dedicated regulation.
In Poland, there are no dedicated regulations for DeFi and no established supervisory practice has as yet been developed. A DeFi service facilitating security token or crypto-trading is not automatically exempt from regulation. If its activities fall under MiFID II regulations or AML laws, it may still have to comply.
There are currently no specific rules in Poland regarding investing in crypto-assets. Therefore, the general rules for investing funds apply.
Virtual currencies are legally defined under AML regulations, distinguishing them from other blockchain assets. The definition follows EU AML directives, recognising virtual currencies as a digital representation of value that is not issued or guaranteed by a central authority and does not have the status of legal tender.
The key difference between virtual currencies and other blockchain assets lies in their intended use. Virtual currencies are mainly used as a means of exchange or store of value, whereas blockchain assets can include security tokens, utility tokens or other financial instruments with broader applications.
Non-fungible tokens (NFTs) are not explicitly regulated under Polish or EU financial laws. They are unique digital assets stored on a blockchain, typically representing ownership of digital or physical items.
However, only “true” NFTs, genuinely unique and non-interchangeable, fall outside financial regulations. If an NFT is not “truly unique”, it may be classified as a regular crypto-asset under MiCA (potentially subjecting it to financial regulations).
Stablecoins are regulated in Poland primarily through directly applicable EU law (MiCA), rather than through a standalone national regime. At the national level, as mentioned previously, Poland has not yet adopted the complementary crypto-assets act. As a result, while the substantive stablecoin rulebook applies directly under MiCA, certain local supervisory procedures and enforcement mechanisms remain dependent on further domestic legislative action.
PSD2 defines the regulatory framework for open banking in Poland, requiring banks to provide TPPs access to customer accounts via secure application programming interfaces (APIs). KNF enforces compliance and most banks use Berlin Group API standards. Poland has also introduced PolishAPI, a national standard developed by the Polish Bank Association to improve API integration and compliance.
Despite a strong fintech sector, challenges persist. Strict authentication rules complicate user experience, while API inconsistencies remain a barrier. Some banks have delayed or limited API functionality, treating open banking as a compliance obligation rather than an opportunity. Regulatory interventions have been necessary to enforce compliance.
PSD3 is expected to address these issues, introducing stricter oversight and standardised interfaces to improve API interoperability.
Banks and technology providers use encryption, tokenisation and strong customer authentication (SCA) to protect data in open banking. AI-driven fraud detection and transaction monitoring help ensure compliance with PSD2 and the GDPR. However, fintechs face barriers to accessing banking APIs and strict SCA rules impact user experience. Regulatory audits and industry collaboration seek to balance security and seamless transactions.
Fraud in fintechs includes identity theft, where criminals steal personal data to access bank accounts or secure loans. Phishing scams also pose a threat, with fraudsters impersonating banks or authorities to extract sensitive information through fake emails or calls.
Investment fraud remains a major risk, luring victims with promises of high returns on fictitious ventures, such as real estate or foreign markets, often leading to severe financial losses.
Polish regulators are focused on authorised push payment fraud, investment scams, crypto-fraud and identity theft. Payment providers must detect suspicious transactions and warn users. Banks and fintechs face growing pressure to enhance AML measures, fraud detection and transaction monitoring to improve customer protection.
A fintech provider’s liability depends on its services and regulations. Under PSD2, fintechs offering payment services must use SCA, report breaches and compensate for unauthorised transactions, unless proven otherwise.
Polish consumer protection laws favour refunds, ensuring strong customer rights. For unregulated services, liability is based on contracts and consumer laws. Fintechs may still be responsible for fraud, negligence or security failures, with regulators imposing sanctions for non-compliance.