DORA in Central and Eastern Europe: How Polish, Czech, and Hungarian Banks Are Adapting

The Parent-Subsidiary Dynamic
The Central and Eastern European (CEE) financial sector has a distinctive characteristic that shapes every aspect of DORA implementation: a high proportion of foreign-owned banks. In Poland, the Czech Republic, and Hungary, subsidiaries of Western European banking groups — UniCredit, Raiffeisen, Societe Generale, BNP Paribas, ING, KBC, Erste, OTP — represent a substantial share of the banking market.
This ownership structure creates a specific DORA compliance dynamic. Parent groups based in Western Europe are implementing DORA at the group level, with compliance frameworks, policies, and tooling designed primarily for the parent's home NCA. CEE subsidiaries inherit these frameworks — but they must also satisfy their local NCA's supervisory expectations, which may differ in emphasis, interpretation, and enforcement posture.
DORA applies identically across all EU member states — there is no "CEE version" of the regulation. But the way supervisors interpret proportionality, the rigor of their examinations, the resources they dedicate to DORA enforcement, and the specific risks they prioritize all vary by jurisdiction. Understanding these variations is essential for institutions operating in the region.
Market Structure and DORA Exposure
| Country | Banking sector structure | Major foreign-owned banks | DORA supervisor | Key domestic risk |
|---|---|---|---|---|
| Poland | Largest CEE market, mix of foreign-owned and state-influenced | Santander, BNP Paribas, ING, mBank (Commerzbank) | KNF (Komisja Nadzoru Finansowego) | Fintech growth, payment innovation, large retail base |
| Czech Republic | Concentrated, mostly foreign-owned | CSOB (KBC), Ceska sporitelna (Erste), Komercni banka (SocGen) | CNB (Czech National Bank) | High digitization, concentrated market |
| Hungary | Dominated by domestic player OTP, plus foreign-owned banks | OTP (domestic champion), UniCredit, Raiffeisen | MNB (Magyar Nemzeti Bank) | OTP's regional expansion, government influence |
The CEE financial markets collectively serve over 60 million banking customers. The technology infrastructure ranges from modern digital platforms (particularly in Poland's fintech ecosystem) to legacy systems in smaller institutions that have not undergone full modernization.
Poland: KNF and the Largest CEE Market
Poland's financial market is the largest in Central and Eastern Europe, with a banking sector that includes both major international subsidiaries and significant domestically controlled institutions. The Polish Financial Supervision Authority (KNF) is one of the region's most active supervisors.
KNF's approach:
Technology and innovation focus. Poland has one of Europe's most dynamic fintech ecosystems, with BLIK (the Polish mobile payment system) handling billions of transactions annually. KNF's DORA supervision will likely focus on the operational resilience of digital payment infrastructure and the third-party dependencies that Polish fintechs create.
Cooperative banking sector. Poland has a significant cooperative banking sector — hundreds of small institutions with limited ICT budgets. KNF's application of proportionality under Art. 4 to these institutions is a critical question. Full DORA compliance for a cooperative bank with 50 employees and a single core banking system looks very different from compliance for a major international subsidiary.
Supervisory capacity building. KNF is expanding its supervisory capacity for operational resilience. The authority has indicated that initial DORA enforcement will focus on the largest institutions — those with the highest systemic impact and the most complex ICT environments — before extending to smaller entities.
Polish-language guidance. KNF has been publishing guidance in Polish, helping domestic institutions that may not have the resources for English-language regulatory analysis. However, the volume of KNF-specific DORA guidance has been more limited than that of larger NCAs like BaFin or the ACPR.
Czech Republic: CNB's Measured Approach
The Czech National Bank (CNB) serves as both the central bank and the financial supervisor — a dual mandate that shapes its approach to DORA. The Czech banking sector is highly concentrated, with three major foreign-owned banks (CSOB/KBC, Ceska sporitelna/Erste, Komercni banka/SocGen) accounting for a dominant market share.
CNB's approach:
Leveraging existing frameworks. The CNB has existing operational risk and ICT requirements that overlap significantly with DORA. The CNB's approach emphasizes mapping DORA requirements against existing Czech requirements and focusing supervisory attention on the gaps.
Foreign-owned bank coordination. Given that the three largest Czech banks are subsidiaries of European groups, the CNB's DORA supervision requires coordination with the home NCAs (NBB/Belgium for KBC, FMA/Austria for Erste, ACPR/France for SocGen). The practical challenge is ensuring that group-level DORA frameworks adequately address Czech-specific risks and that the CNB has sufficient visibility into the subsidiary's operational resilience posture.
| Czech DORA priority | CNB expectation | Impact on institutions |
|---|---|---|
| ICT asset register completeness | Register must reflect Czech operations specifically, not just group-level aggregation | Subsidiaries need local register detail |
| Incident reporting to CNB | Timely notification to CNB as home NCA for Czech-licensed entities | Parallel reporting to CNB and parent group NCA if cross-border |
| Third-party dependency on parent group | Documented assessment of intra-group ICT service provision | Art. 28-30 applies to parent-as-provider arrangements |
| Board reporting (Art. 14) | Czech subsidiary board must receive DORA reporting, not just parent board | Local management body accountability |
Hungary: MNB and the OTP Dynamic
Hungary's financial market is dominated by OTP Bank, a domestically controlled institution that has expanded aggressively across Central and Eastern Europe, with subsidiaries in Bulgaria, Croatia, Romania, Serbia, Montenegro, Albania, Moldova, Slovenia, and Ukraine. This makes OTP not just a Hungarian DORA compliance story but a regional one.
The Magyar Nemzeti Bank (MNB) serves as both the central bank and the integrated financial supervisor.
MNB's approach:
OTP as a regional systemic institution. OTP's pan-CEE presence means that its DORA compliance must be coordinated across multiple NCAs, with the MNB as the home supervisor. The MNB's approach to OTP's group-wide operational resilience framework will be closely watched across the region.
Digital HUF and financial innovation. Hungary has been actively exploring central bank digital currency (CBDC) and digital financial innovation. The MNB's DORA supervision will address the intersection of innovation and operational resilience — ensuring that new digital services are built on resilient foundations.
Proportionality for smaller institutions. Hungary has a significant number of smaller financial institutions — savings cooperatives, building societies, and specialized financial companies — that fall within DORA's scope but require proportionate treatment. The MNB's interpretation of Art. 4 proportionality for these institutions is pending.
Cross-CEE Themes
1. The Group Framework vs. Local Compliance Tension
Foreign-owned subsidiaries receive DORA compliance frameworks from their parent groups. These frameworks are typically designed for the parent's home jurisdiction and may not adequately address:
- Local regulatory interpretations specific to the CEE NCA
- Local technology infrastructure that differs from the parent's standard platform
- Local third-party providers not covered by the group's vendor management
- Local language requirements for board reporting and documentation
- Local incident reporting obligations to the CEE NCA
The practical recommendation is to adopt the group framework as a baseline and supplement it with a local adaptation layer that addresses NCA-specific requirements.
2. ICT Budget Constraints
CEE institutions generally operate with lower ICT budgets than their Western European counterparts. The cost of DORA compliance is not trivial, and smaller CEE institutions may struggle to fund the necessary investments in tooling, staffing, and testing programmes.
This creates a proportionality challenge. Art. 4 provides the legal basis for proportionate application, but the practical question is where the line falls between "proportionate simplification" and "inadequate compliance."
| Institution size | Estimated DORA compliance investment | Key cost drivers |
|---|---|---|
| Large CEE subsidiary (>5,000 employees) | EUR 2-5M initial, EUR 1-2M annual | Testing programme, GRC tooling, staffing |
| Medium CEE institution (500-5,000 employees) | EUR 500K-2M initial, EUR 300K-800K annual | Third-party management, incident reporting |
| Small CEE institution (<500 employees) | EUR 100K-500K initial, EUR 50K-200K annual | Basic compliance, simplified testing |
3. Supervisory Capacity
CEE supervisors are building DORA enforcement capacity in parallel with their supervised entities. The EBA and ESMA provide guidance and coordination, but the depth of supervisory examination capability varies across CEE NCAs. Institutions should expect that supervisory scrutiny will increase progressively as NCAs build their operational resilience examination teams.
4. Cross-Border Incident Reporting
A major ICT incident at a foreign-owned CEE subsidiary triggers reporting obligations to the local NCA (as the home supervisor for the subsidiary) and potentially to the parent's NCA (through the group's internal reporting). The practical challenge is ensuring that reporting is timely to both NCAs and that the reports are consistent.
Recommendations for CEE Institutions
Engage with your NCA proactively. CEE NCAs are still developing their DORA enforcement approaches. Early engagement — through industry associations, bilateral meetings, or supervisory sandbox programmes — provides insight into supervisory expectations and positions the institution as a cooperative partner.
Build on group frameworks, adapt locally. For foreign-owned subsidiaries, the group DORA framework is the starting point, not the endpoint. Identify where local NCA expectations differ and supplement the group framework accordingly.
Invest in the asset register first. The ICT asset register is the foundation for every other DORA obligation. For CEE institutions with limited budgets, this is the highest-return investment.
Address intra-group ICT service provision. Where the parent group provides ICT services to the CEE subsidiary (shared core banking, centralized infrastructure), document this as an ICT third-party arrangement under Art. 28-30. This is a frequent supervisory focus for foreign-owned subsidiaries.
Use the DORA readiness assessment to baseline your compliance maturity, review the pillars overview for a complete requirements map, and consult the RTS/ITS reference for technical standards.
Conclusion
DORA's application in Central and Eastern Europe is shaped by the region's distinctive market structure: foreign-owned banking sectors, ICT budget constraints, and supervisors building enforcement capacity in real time. The institutions that navigate this landscape successfully are those that balance group-level compliance frameworks with local adaptation, invest proportionately in the foundational elements (asset register, third-party management, incident reporting), and engage proactively with NCAs that are themselves learning how to supervise operational resilience.
Summary
The financial markets of Central and Eastern Europe (Poland, the Czech Republic, Hungary) present distinct dynamics for DORA implementation: banking sectors majority-owned by foreign groups, smaller domestic institutions with limited ICT budgets, and national supervisors still building their enforcement capacity. This article analyzes each supervisor's approach: Poland's KNF, with its focus on fintech and the cooperative sector; the Czech CNB, with its measured approach and coordination with the parent groups' NCAs; and Hungary's MNB, with the specific dynamic of the OTP group and its regional expansion. Cross-cutting themes include the tension between group frameworks and local compliance, ICT budget constraints, the build-out of supervisory capacity, and cross-border incident reporting. The key recommendations are to engage NCAs proactively, to build on group frameworks with local adaptation, and to invest first in the ICT asset register.