For years, corporate environments in Central and Eastern Europe treated compliance departments mainly as cost centres and a necessary, bureaucratic burden. Compliance was seen as a task to be quickly ‘ticked off’ in order to get back to innovation and sales. 2026 brings this phase to a definitive end. We are witnessing an unprecedented confluence of two powerful forces: a wave of restrictive EU regulation and rapid technological and geopolitical upheavals.
According to PwC’s Global Digital Trust Insights 2026 report, as many as 60% of business and technology leaders today rank investment in cyber security as one of their top three strategic priorities in response to macroeconomic uncertainty. It is no longer a matter of avoiding administrative penalties, but a foundation that conditions the ability to operate in the market and build a competitive advantage.
From cyber warfare to the artificial intelligence race
Recent months have brutally proven that digital resilience is a matter of survival. In December 2025, Polish critical infrastructure fell victim to an advanced attack (the so-called Electrum incident) targeting distributed energy resources, including wind farms and photovoltaic installations. Successful defence against such vectors shows that hard technical competence wins out over theoretical procedures.
At the same time, fundamental changes are taking place in the cutting-edge technology market that are redefining the tools available to businesses and cybercriminals. In May 2026, according to data from leading financial platform Ramp, Anthropic overtook OpenAI for the first time ever in terms of paid adoption of its AI solutions in the US B2B market (34.4% for Anthropic vs. 32.3% for OpenAI). The introduction of the powerful Claude Opus 4.7 in April 2026 has significantly raised the bar for software engineering automation.
However, the potential of artificial intelligence raises unprecedented security challenges. A huge stir in global technology and government circles has been caused by news of Anthropic’s latest model, not made available to the general public, called ‘Mythos’, which has extremely advanced offensive capabilities in finding zero-day vulnerabilities in IT systems.
The case reverberated so much that in May 2026, the G20-appointed Financial Stability Board (FSB) demanded an official explanation of the Mythos model’s impact on the stability of the global cyber system. What’s more, attention to ethical frameworks and a refusal to adapt models to the needs of mass surveillance or autonomous weapons led to a high-profile legal dispute between Anthropic and the US Pentagon in spring 2026, resulting in the supplier being temporarily deemed a ‘supply chain risk’. This sends a clear message to boards in Europe: technology is becoming a powerful weapon, and its auditability and control of the digital supply chain are an absolute priority.
DORA: Scaling up resilience in the shadow of technological debt
The EU legislator’s response to these threats is the DORA (Digital Operational Resilience Act) regulation, which imposes extremely stringent obligations on financial sector players. The years 2025 and 2026 will see the absolute application of this legislation. DORA enforces full ICT risk mapping and makes institutions fully responsible for their subcontractors.
For Poland’s highly digitalised banking sector, this means massive investments. The main challenge lies in integrating modern, cloud-based interfaces (front-end) with outdated, monolithic core systems (legacy systems). The Union of Polish Banks (ZBP) has intervened, issuing standardised recommendations and model annexes to ICT contracts that force hundreds of software companies to undergo deep audits and advanced penetration tests at the request of banks. Compliance has become the currency here, without which small and medium-sized IT providers will simply be cut off from the lucrative financial market.
Trust as a service: The eIDAS 2.0 revolution and the EUDI
In a connected Europe, digital resilience must go hand in hand with undeniable identification. The eIDAS 2.0 framework and the construction of the European Digital Identity Wallet (EUDI) definitively end the era of compromises between security and user experience (UX). Thanks to new communication protocols, it becomes possible to offer, for example, qualified electronic signatures or remote opening of bank accounts on a large scale, almost in real time.
This environment is conducive to B2B innovation. Technology providers in the Polish market are abandoning the model of offering single solutions in favour of comprehensive Trust-as-a-Service (TaaS) platforms. An excellent example from the domestic market is the transformation of Autenti, which has evolved from a simple e-signature tool into a full-fledged European Trust Services Platform. By integrating advanced signatures (eSign), remote identity verification (eID) and electronic delivery (eDelivery) while respecting the requirements of DORA or NIS2, these platforms take the huge burden of handling compliance debt off the shoulders of corporations.
The end of regulatory arbitrage and the time of automated surveillance
Digital identity merges seamlessly with transparency in financial operations. In July 2027, the ultimate AML revolution – the AMLR – will come into force. Replacing the model of EU directives with a directly binding Single Rulebook, the AMLR will finally destroy legal loopholes resulting from uneven implementation across member states. From 2028, a powerful new Frankfurt-based authority (AMLA) will gain the power to directly supervise and audit the largest cross-border institutions.
For compliance, this means an earthquake. CDD (Customer Due Diligence) and UBO (Ultimate Beneficial Owner) verification processes must rely fully on automated and continuous monitoring, as acknowledged by RegTech providers, who are being forced to upgrade validation systems and introduce sophisticated OCR engines integrated with sanctions databases. However, legal harmonisation in the EU is drastically reducing the legal costs of entering new markets. This is clearly demonstrated by the expansion of Poland’s BLIK, which has successfully and with the full approval of the Slovak National Bank finalised the acquisition of the Slovak payment platform VIAMO and is opening an operating company in Romania.
CCD2 and local realities: the spectre of overregulation and the grey market
Although European harmonisation sounds promising, the practice of local implementations can shake the stability of markets. The best example is the Polish implementation process of the CCD2 directive (with a deadline of 20 November 2026), which includes under its umbrella a broad consumer credit market and ‘Buy now, pay later’ (BNPL) models.
The draft implementing law (print UC82), pushed through at the beginning of 2026 by the Polish legislature, has provoked massive opposition and accusations of so-called gold-plating, i.e. overzealous overriding of the EU directive with its own drastically stricter prohibitions. As the Polish Association of Loan Institutions (PZIP) warned in April 2026, with rising operating costs and as much as a 55 per cent increase in the minimum wage, maintaining the old, frozen limits on non-interest costs (MPKK) combined with absurd technical requirements (e.g. the compulsion to report in seven days to absolutely all credit information bureaus) could lead the legitimate sector to collapse.
What’s more, hard bans on optimised hyperlinks in SMS communication (replaced by a compulsion to cram a huge amount of information into a small message) are in opposition to the spirit of agile digital business. The consequence of this ‘tightening of the screw’ will be the systemic exclusion of lower-earning consumers and pushing them into an unregulated market (the so-called ‘usury grey market’) – which completely contradicts the EU’s intentions to build transparency.
According to the report ‘The State and Future of Compliance – Poland 2025’, the compliance function is maturing. It is no longer just an area dominated by 77% specialised leaders looking after documentation – it is now a key strategic arm building culture, profitability and resilience against cyber threats. In the face of relentless and powerful external attacks (such as the one at the end of 2025) and the frenetic pace of AI deployment, secure identification, verification of transacting parties and rigorous operational governance are no longer the domain of the law – they have become a key infrastructure ‘to be or not to be’.

