In 2025, the key developments for the financial sector were the entry into force of the first obligations under the AI Act, the full application of DORA, and the application of the Data Act, which changed the approach to technology, data and operational resilience. That year also brought significant progress on the FiDA and the AML/CFT package, and saw the finalization of amendments to Solvency II and the publication of the IRRD. In addition, the Omnibus I agreement was reached, significantly modifying the CSRD and CSDDD reporting obligations.
New technologies and data management
The AI Act (Regulation (EU) 2024/1689) went into effect on 1 August 2024. In 2025, the first obligations took effect, with bans on certain practices and requirements for advancing AI literacy as of 2 February 2025, and with rules for general-purpose AI models (GPAI), supervisory structures and a penalty regime, among others, as of 2 August 2025. Most of the remaining provisions will apply as of 2 August 2026, and some of the requirements for GPAI models launched before 2 August 2025 will apply as of 2 August 2027.
For financial institutions, it is important to map AI applications in terms of risk classes – in particular, assessing risk as “high” for such applications as creditworthiness evaluations or pricing in the case of insurance – which implies requirements in risk management, data quality, human oversight and documentation. Analyses of the AI Act interface with sector regulations for financial services were published in 2025.
The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) became effective on 17 January 2025; it covers banks, insurance companies and key ICT vendors. In 2025, key elements of the regulatory framework were finalized – notably through the entry into force in July 2025 of the Delegated Regulation on ICT subcontracting – meaning that the structure of DORA requirements became complete.
In practice, 2025 brought a significant increase in operational and supervisory obligations for insurers and banks, as regulators have made the enforcement of DORA one of their priorities. As a result, financial institutions had to:
- strengthen ICT risk management processes, including through the implementation of detailed control rules and continuous monitoring mechanisms;
- maintain and regularly update ICT outsourcing and subcontracting records, identifying critical and essential functions;
- implement uniform processes for classifying and reporting ICT incidents, in line with the DORA methodology and harmonized at the EU level;
- prepare for Threat-Led Penetration Testing (TLPT), which will become mandatory for many entities in the coming years;
- adjust ICT provider contracts to meet requirements in subcontracting, audit rights, reporting and business continuity controls, among others.
Taken together, the changes in 2025 made DORA one of the most challenging regulatory areas for insurers and banks, forcing a significant professionalization of management of technology risk, cyber security and ICT vendor relationships.
The Data Act (Regulation (EU) 2023/2854) went into effect on 12 September 2025. It introduced the right for users to access and make available data generated by products and related services (Internet of Things, IoT), as well as mechanisms to facilitate switching cloud service providers. This has opened up new sources of data (such as vehicle telematics) for insurance and financial services.
The Data Act has significantly changed the way insurers and banks acquire, process and make available data by:
- making IoT data (including telematics data, sensor data, vehicle logs or smart-home data) more available for insurers, enabling them to produce more accurate risk models, engage in dynamic pricing and develop usage-based and parametric products. Insurers get easier access not only to raw data, but also to enriched signals and metadata, which significantly improves underwriting and speeds up claims handling;
- making fraud detection better and enhancing KYC/AML – the Data Act increases the scope of available data streams, making it easier to create advanced tools for identity verification, behavioral analysis or transactional monitoring. Device-generated data can support anti-fraud efforts in both banking and insurance;
- for banks – putting more pressure on interoperability and open cloud services, including the ability to easily switch vendors (reduce vendor lock-in).
As a result, in 2025, the Data Act became one of the strongest impulses to modernize the data infrastructure in both insurance and banking. It has opened access to new data sources, strengthened customer rights, accelerated the development of data-driven models and forced changes in the area of cloud services and data management.
In 2025, work continued on the Financial Data Access Regulation (FiDA) to create a unified European open finance ecosystem. The document was expected to be finalized by the end of the year, and implementation was expected to begin in 2027, with a clear focus on proportionality and cost containment. The regulation will cover data on credit products, investment products, selected insurance, as well as data used in customer risk assessment processes, such as investment preferences and suitability assessments.
Once the regulation is implemented, insurers will gain access to a broader set of customer data, enabling more accurate underwriting and better tailoring of products to the customers’ individual needs. At the same time, there is the opportunity to create hybrid products based on external data, with the obligation to share one’s own data on an interoperable as well as fair, reasonable and non-discriminatory (FRAND) basis. This means adjusting processes for handling consent and for protecting sensitive data to meet new regulatory requirements.
Banks will become both key providers and consumers of data, which can significantly support the development of advanced analytics and scoring services. New interoperability and security requirements will require the API structure to be modernized and data management oversight to be strengthened. The FRAND rule will reduce the extant negotiating advantage of the largest players, leveling the playing field for access to data and making it easier for smaller players in the sector.
The AML/CFT package was published in the Official Journal on 19 June 2024; preparations for its implementation continued in 2025. The new, directly applicable AML Regulation will enter into force on 10 July 2027, while the 6th AML Directive must be transposed into national law by the same date. An important element of the reform is the creation of the European Anti-Money Laundering Authority (AMLA), based in Frankfurt, which will place selected high-risk entities in the EU under direct supervision from 2028.
The AML/CFT package will introduce uniform EU rules against money laundering and terrorist financing, which means tighter KYC/EDD requirements for the entire financial sector, with the need for better transaction monitoring, and higher data quality standards. For insurers, this will involve more frequent updates to customer data and a clarification of AML risk assessment, especially with investment products. Banks will feel the most operational pressure, with the need to revamp AML processes under a single rulebook and to be ready for potential direct AMLA oversight from 2028. For all financial institutions, the package means increased operating costs, more controls and the need to strengthen governance and IT systems responsible for AML compliance.
Solvency
On 8 January 2025, Directive 2025/2 amending Solvency II was published, which Member States should transpose into national law by 30 January 2027. The amendment strengthens the principle of proportionality, simplifies reporting, stabilizes the valuation of liabilities through changes in long-term guarantees, and lowers capital requirements by reducing the risk margin, among other things. This will make it easier for insurers to increase exposure to long-term investments.
At the same time, the European Commission has proposed amendments to Delegated Regulation 2015/35 (to take effect from 2027), including a spread risk recalibration, LTG updates, modifications in catastrophic risk, and clarified group rules. Together, these changes make capital requirements more aligned with the real risk profile, reduce regulatory conservatism and ease the administrative burden on smaller companies.
Amendments to Solvency II – despite the general trend involving the lowering of capital requirements – will result in an increase in the capital requirement for PZU due to its shareholdings in two banks. The key changes involve the inclusion of the requirements concerning the combined credit institution buffer in the calculation of the PZU Group’s capital requirement.
Directive (EU) 2025/1 established the first EU-harmonized recovery and resolution regime for insurers and reinsurers, modeled on the BRRD logic applied to banks. It is effective from January 2025, and Member States have until 29 January 2027 to transpose it into national law, with full application from 30 January 2027.
Companies will have to prepare recovery plans, while national authorities will have to prepare resolution plans and operational structures to implement them. Work on technical standards and guidelines, led by EIOPA, began in 2025 and will continue to prepare the sector for full application of the framework as of 30 January 2027.
Green finance
On 16 December 2025, the EU institutions finalized the agreement on the Omnibus I package, which aims to significantly simplify corporate sustainability reporting (CSRD) and due diligence (CSDDD) requirements. Key changes include raising the CSRD application thresholds to >1,000 employees and >€450 million in net revenue, exempting financial holding companies, and reducing the trickle-down effect on smaller players in the value chain. The CSDDD has thresholds increased to 5,000 employees and €1.5 billion in turnover, limiting due diligence obligations to only the largest companies. In practice, the package significantly eases the burden on the financial sector, with most insurers, banks and financial institutions falling out of the framework of mandatory reporting and due diligence; this reduces compliance costs and simplifies ESG processes. Reducing the trickle-down effect protects smaller players from excessive reporting demands, and the ability to consolidate obligations at the group level increases the proportionality and predictability of regulation, allowing resources to be focused on real sustainability-oriented activities.
Other national changes and implementations relevant to insurers
The Regulation of the Minister of Finance of 10 February 2025 on specific rules related to the investment by the insurance company of assets from life insurance contracts came into force. The Regulation sets specific rules related to the investment by an insurance company of assets from life insurance contracts in which the investment risk is borne by a policyholder who is a natural person or a policyholder who is not a natural person, if, under the contract, the policyholder who is a natural person bears the cost of the insurance premium.
The Act on Ensuring that Business Entities Meet Accessibility Requirements for Certain Products and Services came into effect on 28 June 2025. The purpose of the statute is that the products and services designated therein have characteristics that allow them to be used, as intended, by people with special needs, on an equal basis with other users. When offering insurance remotely, electronically via websites and mobile devices, it has to be ensured, among other things, that the communication function is available through more than one sensory channel and includes alternatives to visual, audio, speech, and tactile elements. At the same time, the statute also regulates that the message should be clear and comprehensible (font size and shape, line spacing, etc.). The solutions adopted in the statute require insurance companies to adapt their remote acquisition systems, in particular by ensuring multi-channel communication.
The Regulation of the Minister of Finance and Economy of 24 October 2025 on compulsory third-party liability insurance for operators of an unmanned aircraft system came into force. It specifies the detailed scope of compulsory insurance coverage for the operators of unmanned aircraft systems using unmanned aircraft with a takeoff weight from 0.25 kg to 20 kg, against damage caused by operations involving the aircraft during the insurance period.
The Act of 5 August 2025 Amending the Mandatory Insurance, Insurance Guarantee Fund and Polish Motor Insurers’ Bureau and the Act on the Population Register came into force. The purpose of the law is to enable insurance companies to verify whether the PESEL number of the policyholder or the person for whom the mandatory insurance contract is to be concluded is restricted. If so, the insurance company may refuse to conclude the contract.
In 2025, insurance companies also focused on operational implementations resulting from earlier regulatory changes; this included adjusting IT systems to meet new reporting and tariff obligations, updating customer service documentation and processes, and modifying sales and claims systems to ensure full compliance. These changes followed the entry into force in 2024 of the revised regulations on motor third-party liability insurance, with increased coverage amounts and a clarified scope of coverage which remained in effect.
On 1 January 2026, the Act of 12 September 2025 Amending the Act on the Municipal Local Government and the Act on the Village Fund came into force, which introduced the obligation to take out insurance against third-party liability and accidents occurring in connection with the performance of tasks related to the duties of collection agents and tax collection.
On 19 March 2026, the Act of 7 November 2025 Amending the Mandatory Insurance, Insurance Guarantee Fund and Polish Motor Insurers’ Bureau and the Act will come into force. Its purpose is to expand the list of data processed by the Insurance Guarantee Fund, so as to include the name of the insured, their registered office, the PESEL number and the REGON number, if any. The Fund makes these data available to insurance companies for insurance risk assessment, within the framework of which it will be possible to account for events that occurred both while a person was driving a company car and while they were driving their private car.