Poland’s private sector is juggling overlapping EU digital frameworks while investors and counterparties raise the bar in transactions. Traple Konarski Podrecki & Partners Co-Managing Partner Agnieszka Wachowska, SSW Partner Jakub Kubalski, Schoenherr Partner Katarzyna Szczudlik, Woloszanski & Partners Head of Crypto Practice Lukasz Kudela, and Addleshaw Goddard Head of TMT/IP Szymon Sieniewicz break down where companies stand now, what’s coming next, how internal compliance is changing, where deals are feeling it, and the risks many still underestimate.
Navigating a Moving Rulebook
Across industries, the immediate challenge is less about any single statute and more about staying coherent across many. “Companies are facing a real challenge in adapting to EU tech regulations such as DORA, NIS2, the GDPR, the Data Act, the AI Act, the Digital Services Act, and the Accessibility Act,” Wachowska begins. “Many of these frameworks overlap in scope and timing, and several are still pending national implementation, such as NIS2, the Data Act, and the AI Act. This creates difficulties for Polish businesses operating in online services and the financial sector, where multiple regimes apply simultaneously.” According to her, organizations often struggle to identify which rules concern them, and then to design compliance processes that do not create contradictions between different frameworks. “The scale and pace of these developments make compliance management increasingly complex and require organization-wide coordination and constant monitoring. For many Polish companies, maintaining clarity amid this regulatory overlap has become a genuine concern.”
Echoing this, Kubalski says that “in the area of cybersecurity, the implementation of the DORA Regulation is already generating significant preparatory and compliance work, including classification of ICT service providers. Furthermore, although NIS2 and the CER Directive have not yet been implemented in Poland, entities are already preparing internally and partially implementing the directives by introducing more rigorous incident reporting procedures and adapting contracts to the new requirements.” Additionally, Kubalski says that the legislative process to adopt a national framework supporting the MiCA Regulation has “only recently gained momentum, with the draft crypto-assets law being recently forwarded to the Sejm, facing widespread criticism from market participants. Rather than engaging in preparatory compliance efforts, many crypto businesses are reportedly relocating their operations, citing the content of the proposed national regime.”
Furthermore, Kubalski reports that “e-commerce companies have largely adapted to the provisions of the Digital Content Directive and the Omnibus Directive, which together have strengthened consumer protection in the digital environment. In turn, the DSA has brought about significant changes, particularly for online platforms and marketplaces, in terms of content moderation policies, reporting and removal mechanisms, and reporting obligations.”
“Polish companies are in the midst of adapting to a rapidly expanding set of EU tech regulations,” Sieniewicz chimes in. “Many international clients are already rolling out EU-wide compliance programs, anticipating upcoming obligations and aiming for harmonized implementation across jurisdictions. In contrast, local firms tend to wait for the Polish transposition acts, which are expected to bring greater clarity on enforcement and supervision.”
Sieniewicz notes that larger and more regulated players, particularly in the “financial and technology sectors, are ahead of the curve: they are conducting internal audits, mapping gaps, and adjusting contractual frameworks to reflect the new rules.”
The Next Big Obligations
“In my view, the NIS2 Directive will be one of the most important regulatory developments for the Polish market in the coming years,” Wachowska continues. “Its significance lies in the fact that it substantially expands the range of sectors covered by cybersecurity obligations, beyond traditional operators of essential services. Under NIS2, many new industries such as waste and water management, postal and courier services, digital infrastructure providers, managed service providers, and manufacturers of critical products (including medical devices and chemicals) will now fall under cybersecurity supervision for the first time,” she explains. “The directive also tightens requirements on risk management, incident reporting, and supply-chain security, which will directly influence internal governance and procurement processes across these sectors. Even smaller entities, though not formally covered by the directive, will feel its effects indirectly through stricter cybersecurity expectations imposed by their business partners within the supply chain.”
Still, the implementation of NIS2 is pending. “Work on the amendment to the Act on the National Cybersecurity System has been ongoing for over one and a half years, with the delay of implementation already exceeding twelve months. The final legislation is likely to be adopted at the end of 2025 or even 2026,” Wachowska says.
On the other hand, Kubalski feels that the three pieces of legislation that will have the greatest impact are “the Digital Services Act, the AI Act, and the Data Act.” Crucially, he believes that “the DSA fundamentally changes the rules of the game for online platforms, imposing broad obligations on them in terms of content moderation, algorithm transparency and systemic risk management. For many Polish e-commerce companies and online service providers, this means having to rebuild key internal processes.” Moreover, the AI Act “will force companies to classify, document, and monitor every AI system they use. This challenge goes far beyond legal issues, as it touches on strategy and data management. This will require companies not only to comply with the law, but often also to undergo technological and organizational restructuring.” And, as for the Data Act, Kubalski feels that it will “revolutionize contractual and technical relationships in the cloud services market by introducing minimum service provision conditions as well as interoperability requirements.”
Sieniewicz agrees that the Data Act will “fundamentally reshape how businesses manage access to and sharing of data generated by connected devices and cloud services. It affects not only compliance frameworks but also business models, as companies will need to redesign products and contracts to ensure secure and fair data access for customers and partners.” And, as for NIS2, he too believes it will “dramatically expand the cybersecurity perimeter in Poland. According to government estimates, the new rules will cover around 38,000 additional entities that were not previously subject to NIS1 obligations. The directive also introduces a self-identification duty, meaning organizations must determine for themselves whether they fall within the scope of NIS2 and register accordingly.”
Compliance Goes Cross-Functional
“In my view, recent and upcoming EU tech regulations are forcing Polish companies to rethink the way they manage compliance internally,” Wachowska says. “Compliance can no longer be handled as a purely legal or documentation-driven function. Nowadays, it requires active cooperation between legal, IT, cybersecurity, and business teams. This shift is also driving the creation of new roles, such as compliance coordinators or data governance officers, and a stronger involvement of management boards in oversight.”
However, Wachowska also feels that companies are struggling with a shortage of qualified cybersecurity and data protection specialists, “which makes it difficult to build the necessary internal expertise. As new frameworks such as the AI Act or NIS2 introduce further obligations, many rely on external advisors or ad-hoc solutions, which are not always sustainable.”
Agreeing, Szczudlik adds that this complexity is “also driving adoption of legaltech tools designed to help organizations navigate these regulations. However, internal compliance teams often overestimate the capabilities of legaltech, including AI-based tools. They may overlook the fact that such tools require extensive training and, for the time being, struggle with newly introduced regulations due to a lack of available data for effective training.” Interestingly, Szczudlik points out that “smaller companies sometimes choose not to comply with certain regulations because of the high cost of compliance, lack of in-house expertise, or the time needed to meet technical legal requirements. This approach carries significant risks, especially in the event of audits by supervisory authorities.”
Focusing on the crypto-asset market, Kudela says that “service providers have so far focused mainly on AML policies, leaving many other operational processes unaddressed. Today, AML is only one of many required elements. Newly required documents, such as order execution policies aimed at preventing the misuse of client order information, and procedures for segregating clients’ crypto-assets and funds, which must accompany the permit application, are now mandatory. Consequently, firms will need to rethink their internal structures and design operating models that genuinely ensure compliance rather than merely satisfy formal requirements.”
Deals Feel the New Rules
“In my view, new EU tech regulations are already having a clear impact on all three areas: deals, due diligence, and contract negotiations,” Wachowska says. “Regulatory compliance has become an increasingly important aspect of transactional risk assessment, with buyers and investors paying more attention to data protection, cybersecurity, and digital governance frameworks.” According to her, in IT and technology-related contracts in particular, “cybersecurity clauses now occupy significantly more space and time in negotiations. Parties are carefully defining responsibilities for preventing and responding to cyber incidents, as well as allocating potential liability for data breaches or regulatory fines imposed by supervisory authorities.”
In tech-heavy M&A, Sieniewicz reports that buyers and investors are “paying much closer attention to cybersecurity and data governance compliance, particularly in light of the AI Act, NIS2, and DORA frameworks. These changes are also starting to influence transaction documentation, with more detailed representations and warranties relating to data-related obligations.” From a contractual perspective, he says that the Data Act is “already prompting a rethink of the contractual framework for cloud and IoT services. Parties are renegotiating clauses on data access, portability, interoperability, and liability allocation to reflect the new rules and ensure business continuity.”
Agreeing, Szczudlik adds that “standard due diligence questionnaires increasingly include questions related to newer regulations, such as the AI Act. Many entities are unaware of their obligations under these laws and may incorrectly claim they are not subject to them, despite, for example, already being required to provide AI literacy training to employees.” As she outlines it, during contract negotiations, financial institutions “often demand high levels of cybersecurity compliance, even from companies not directly covered by regulations like DORA. This is particularly relevant for IT firms serving financial clients.”
Blind Spots and Late Surprises
“Many Polish companies still underestimate the depth and complexity of upcoming EU regulations,” Kubalski says. “Smaller entities in particular often assume that they will not be subject to the obligations arising from, for example, the AI Act or NIS2. Others focus exclusively on superficial compliance measures, overlooking issues related to technical infrastructure.”
Moreover, he feels that the “obligations under the DSA regarding content, especially for platforms hosting user-generated content, are proving to be much more demanding than originally assumed, both when pursuing protection under the DSA and when being subject to extensive reporting obligations.”
Focusing on the crypto space, Kudela says he noticed that “many companies operating in the crypto-asset market continue to underestimate the regulatory impact of MiCA on the distribution of popular stablecoins. ESMA had clearly stated that CASPs should cease offering or facilitating trading in ARTs and EMTs whose issuers lack EU authorization. Despite this, some platforms continue to provide access to such tokens, exposing themselves to potential supervisory action.” According to him, by early 2025, “CASPs were expected to implement restrictions and maintain only a ‘sell-only’ option for investors to liquidate existing positions. As of now, firms that have not fully aligned their operations with MiCA face significant legal and operational risks within the EU market.”
Finally, Sieniewicz posits that “many companies underestimate the coordination effort required to comply with multiple overlapping regulations. It’s not enough to treat the Data Act, NIS2, DORA, and the AI Act as separate projects; compliance must be integrated across business functions.” Another blind spot he sees is timing. “Organizations often delay preparations until national transposition is complete, but by then, the compliance window may be too short,” Sieniewicz concludes.
This article was originally published in Issue 12.9 of the CEE Legal Matters Magazine.
