Digital Law Monitor 1/2026

EU legal acts

Regulations (incl. drafts)

•    Proposal for a Digital Networks Act (DNA)

•    Proposal for an EU Cybersecurity Act 2

Directives

•    Directive (EU) 2025/2647 on alternative dispute resolution for consumer disputes

Commission Guidelines

•    Draft Commission guidance on the Cyber Resilience Act

European Data Protection Board

•    Procedure for the adoption of standard contractual clauses

•    EDPB-EDPS Joint Opinion 3/2026 on the Proposal for a European Biotech Act

•    EDPB-EDPS Joint Opinion 4/2026 on the Proposal for a Cybersecurity Act 2 and amendments to the NIS 2 Directive

Commission Delegated and Implementing Regulations (incl. drafts)

•    Adequacy Decision (Brazil)

•    Draft Implementing Regulation regarding general-purpose AI

Austrian legal acts

•    Crypto-MPfG Implementing Ordinance

•    Styrian Digitalisation Act 2025

•    Amendment to the ICT-School Ordinance

•    Amendment to the Education Documentation Ordinance 2021

•    MyHealth@EU Role Distribution Ordinance

•    Amendment to the Data-Governance Designation Ordinance

•    Draft Act amending the AVG and VStG

Bulgarian legal acts

•    Amending and Supplementing the Rules of Procedure on the Activities of the Commission for Personal Data Protection and its Administration

•    Law Amending and Supplementing the Cybersecurity Act

•    Law on the Ratification of the Multilateral Competent Authority Agreement on the Automatic Exchange of Information pursuant to the Crypto-Asset Reporting Framework

•    Law Amending and Supplementing the Public Offering of Securities Act 

•    Ordinance No. 77 of 12 March 2026 on the conditions and procedure for licensing and carrying out activities by issuers of asset-referenced tokens and by crypto-asset service providers

Croatian legal acts

•    Amendments to the Ordinance on Data Related to Corporate Governance

•    Ordinance on eInvoices

•    The Credit Institutions Act

•    Act on the Implementation of Regulation (EU) 2024/900 on Transparency and Targeting of Political Advertising

•    Act on the Implementation of Regulation (EU) 2024/1083 (European Media Freedom Act)

•    Amendments to the Ordinance on Additional Organisational Requirements for Alternative Investment Fund Managers

•    Decision on IT Solutions for the Submission of Reports for the Purposes of Resolution Planning of Credit Institutions

Czech legal acts

•    Decree on the submission of data to the unified list of blocked websites

Hungarian legal acts

•    NMHH Decree on the placement of electronic communications structures

•    Amendment to the NMHH Decree on the detailed rules for the survey of high-speed electronic communications networks  

•    Amendment to the NMHH Decree on national frequency allocation and the use of frequency bands

•    NMHH Decree on the transmission of decisions related to action against illegal content and information requests 

•    Amendment to the NMHH Decree on the detailed rules governing alternative dispute resolution bodies

•    Amendment to the NMHH Decree on the national frequency allocation and the rules on the use of frequency bands

Polish legal acts

•    Amendment to the Act on the National Cybersecurity System

•    Mandatory National e-Invoicing System

•    Draft Bill on the Protection of Minors from Access to Harmful Content Online

•    Draft Bill Amending the Act on Trust Services and Electronic Identification

•    Draft Polish Media Act

Romanian legal acts

•    The Government Emergency Ordinance on implementing measures under DORA

•    The Government's Memorandum on designation of national competent authorities under the EU AI Act

•    Law 29/2026 supplementing the Romanian Audiovisual Law

Slovenian legal acts

•    Banking Act (ZBan-4)

•    Act Amending Certain Acts Regarding the Establishment and Functioning of the European Single Access Point

•    Rules on Electronic Filing of Applications in Industrial Property Rights Procedures

•    Decision on the Use of Guidelines on Information Requirements Accompanying Transfers of Funds and Certain Crypto-Assets

•    Rules on Publication of Sales in the Online Search Engine and Online Public Auctions in Enforcement and Insolvency Proceedings

Turkish legal acts

•    Principle Decision on Loyalty Programme Authentication (2026/266)

EU legal acts

Regulations (incl. drafts)

Proposal for a Digital Networks Act (DNA)

·       On 21 January 2026, the proposal for a Digital Networks Act (DNA), COM(2026) 16 final, was published. The DNA further harmonises the legal framework for European telecommunications law. It will amend the Net Neutrality Regulation (Regulation (EU) 2015/2120), the ePrivacy Directive (Directive 2002/58/EC) and the Radio Spectrum Decision (Decision No 676/2002/EC). In addition, it will repeal, among other things, the European Electronic Communications Code (EECC, Directive (EU) 2018/1972). The EECC has already consolidated several EU legal acts in the field of telecommunications law, and the DNA continues on this path. Notably, the DNA will be adopted as a Regulation and will therefore be directly applicable in the Member States. The Commission proposal comprises 416 recitals and 210 articles. The period provided for the application of the DNA after its entry into force is only six months. For further information, please see here.

Proposal for an EU Cybersecurity Act 2

·       On 20 January 2026, the proposal for an EU Cybersecurity Act 2 (ECA 2), COM(2026) 11 final, was published. With the ECA 2, the Cybersecurity Act (EU) 2019/881 will be repealed and the organisational capacities of the EU will be restructured in view of the rapidly evolving threats posed by cybercrime.

Directives

Directive (EU) 2025/2647 on alternative dispute resolution for consumer disputes

·       On 30 December 2025, "Directive (EU) 2025/2647 of the European Parliament and of the Council of 16 December 2025 amending Directive 2013/11/EU on alternative dispute resolution for consumer disputes and amending Directives (EU) 2015/2302, (EU) 2019/2161 and (EU) 2020/1828 following the discontinuation of the European Online Dispute Resolution Platform", OJ L 2025/2647, was published. With this Directive, Directive 2013/11/EU on alternative dispute resolution for consumer disputes is extended to also cover disputes involving third-country traders and to apply where the supply of digital content or the provision of digital services is exchanged for the provision of personal data. The objective of the Directive is to strengthen alternative dispute resolution for consumer disputes.

Commission Guidelines

Draft Commission guidance on the Cyber Resilience Act

·       On 3 March 2026, the European Commission published the "Draft Commission guidance on the Cyber Resilience Act", Ares(2026)2319816. These guidelines are intended to facilitate the implementation of the Cyber Resilience Act (EU) 2024/2847 for economic operators. In doing so, the Commission fulfils its obligation pursuant to Art. 26 CRA.

European Data Protection Board

Description of the procedure for the adoption of standard contractual clauses

·       On 15 January 2026, the EDPB adopted a document laying down cooperation and procedural rules for the adoption and approval of standard contractual clauses. Pursuant to Art. 46(2)(d) and Art. 46(3)(a) GDPR, transfers of personal data to third countries may be based on standard data protection contractual clauses adopted or approved by supervisory authorities. This document sets out a procedure for the adoption and approval of such standard contractual clauses.

EDPB-EDPS Joint Opinion 3/2026 on the Proposal for a European Biotech Act

·       On 12 March 2026, the "Joint Opinion 3/2026 on the Proposal for a European Biotech Act" of the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) was published. On 16 December 2025, the European Commission adopted a proposal for a European Biotech Act (EBA), COM(2025) 1022. The EBA aims to strengthen the competitiveness of the EU in the field of biotechnology. It also seeks, among other things, to promote the use of artificial intelligence in biotechnology. In their joint opinion, the EDPB and the EDPS address the protection of the rights and freedoms of data subjects whose personal data are processed for these purposes. For further information, please see here.

EDPB-EDPS Joint Opinion 4/2026 on the Proposal for a Cybersecurity Act 2 and amendments to the NIS 2 Directive

·       On 19 March 2026, the EDPB and the EDPS adopted a "Joint Opinion on the Proposal for a Cybersecurity Act 2 and the Proposal on amendments to the NIS 2 Directive". The EDPB and the EDPS welcome the envisaged cooperation with ENISA and support the establishment of a single-entry point for the notification of personal data breaches. However, they emphasise that cybersecurity measures may interfere with privacy and data protection. Cybersecurity measures must therefore be effective, but also necessary and proportionate. With regard to the European Cybersecurity Skills Framework (ECSF), the EDPB and the EDPS propose to include a profile for "Cybersecurity for generalists", which should set out minimum requirements aimed at equipping all persons residing in the EU who are of working age with the skills necessary to protect themselves, their organisation and others against cyber risks, such as AI-assisted phishing, deepfakes, impersonation and social engineering.

Commission Delegated and Implementing Regulations (incl. drafts)

Adequacy Decision

·       On 28 January 2026, "Commission Implementing Decision (EU) 2026/179 of 26 January 2026 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data by Brazil", OJ L 2026/179, was published. On the basis of this Adequacy Decision, personal data falling within the scope of the GDPR may be transferred to controllers and processors in Brazil. Brazil adopted a reciprocal Adequacy Decision.

Draft Implementing Regulation regarding general-purpose AI

·       On 12 March 2026, the "Draft Implementing Regulation on detailed arrangements for the conduct of certain proceedings by the Commission pursuant to Regulation (EU) 2024/1689 of the European Parliament and of the Council", Ares(2026)2709234, was published. Pursuant to Art. 92 of the AI Act, the Commission is empowered to evaluate general-purpose AI models, such as ChatGPT, and to designate independent experts to carry out evaluations on its behalf. Furthermore, the Commission is empowered to impose fines on providers of general-purpose AI models. This Implementing Regulation lays down rules for the evaluation of such AI models, as well as for the designation of experts. It also sets out procedural provisions for proceedings related to the imposition of fines. These include, among other things, access to the file, the protection of confidential information and limitation periods.

Austrian legal acts

Crypto-MPfG Implementing Ordinance

·       On 30 December 2025, the Crypto-MPfG Implementing Ordinance, Federal Law Gazette II 2025/331, was published. Through this Ordinance, the Federal Minister of Finance establishes procedures for fulfilling verification obligations related to the exemption from reporting obligations for providers of crypto-asset services, as well as procedures for the registration of crypto-asset operators.

Styrian Digitalisation Act 2025

·       On 30 December 2025, the Styrian Digitalisation Act 2025 (StDigG 2025), Provincial Law Gazette 2025/125, was published. This Act is intended, among other things, to enable and promote electronic communications within the scope of the provincial administration, as well as the fully electronic conduct of proceedings in administrative procedures governed by provincial law.

Amendment to the ICT-School Ordinance

·       On 20 January 2026, the "Ordinance of the Federal Minister for Education amending the ICT-School Ordinance, the Certificate Forms Ordinance and the Externists' Examination Ordinance", Federal Law Gazette II 2026/14, was published. Among other things, this Ordinance amends the legal basis for the data processing systems of schools. In addition, the requirements for end-device management (Mobile Device Management) are expanded to require the integration of child protection functionality into digital end-devices issued to pupils.

Amendment to the Education Documentation Ordinance 2021

·       On 18 February 2026, the "Ordinance of the Federal Minister of Education and the Federal Minister of Agriculture and Forestry, Climate and Environmental Protection, Regions and Water Management amending the Education Documentation Ordinance 2021", Federal Law Gazette II 2026/26, was published. This Ordinance governs the processing of pupils' personal data by educational institutions.

MyHealth@EU Role Distribution Ordinance

·       On 24 February 2026, the "MyHealth@EU Role Distribution Ordinance", Federal Law Gazette II 2026/32, was published. MyHealth@EU is the cross-border infrastructure for the processing of personal data in cross-border healthcare applications. The "EU prescription" and the "EU patient summaries" have been established as cross-border applications. The Federation of Social Insurances, the federal minister responsible for healthcare, and the respective healthcare providers involved, act as data processors. The published Ordinance constitutes an agreement on joint processing within the meaning of Art. 26 GDPR, issued as an ordinance by the responsible federal minister.

Amendment to the Data-Governance Designation Ordinance

·       On 17 March 2026, the "Amendment to the Data-Governance Designation Ordinance", Federal Law Gazette II 2026/56, was published. This Ordinance designates Statistics Austria for research micro data and official statistics datasets and the Austrian National Public Health Institute (Gesundheit Österreich GmbH) as competent authorities within the meaning of Section 5 of the Data Access Act (DZG).

Draft Bill amending the AVG and VStG

·       On 17 March 2026, a draft amending the General Administrative Procedure Act (AVG) and the Administrative Penal Act (VStG), 89/ME XXVIII, was published. This amendment aims to drive forward digitalisation in the administration. Artificial intelligence is increasingly being integrated into communication between citizens and public authorities. In the future, applications submitted via chatbot will be able to lead to a decision in a fully automated manner if this is stipulated for a specific matter. Under the new so-called "no-stop procedure", decisions will be issued without the intervention of a natural person. Even the initiation of proceedings will be automated. The amendments to the VStG concern, in particular, the payment of fines imposed by anonymous penalty notice or summary penalty notice via online banking.

Bulgarian legal acts

Amending and Supplementing the Rules of Procedure on the Activities of the Commission for Personal Data Protection and its Administration

·       On 20 January 2026, the Rules of Procedure Amending and Supplementing the Rules of Procedure on the Activities of the Commission for Personal Data Protection and its Administration were published in the State Gazette No. 7/2026. The amendments aim to improve the operational efficiency and organisation of the administration, optimise its supervisory and control activities, and align its internal rules with the latest legislative changes.

Law Amending and Supplementing the Cybersecurity Act

·       On 13 February 2026, the Law Amending and Supplementing the Cybersecurity Act was published in the State Gazette No. 17/2026. The amendments transpose Directive (EU) 2022/2555 (NIS2) and address gaps and inconsistencies in the existing legislation, with a view to achieving a higher overall level of cybersecurity and full harmonisation with EU law. For further information, please see here.

Law on the Ratification of the Multilateral Competent Authority Agreement on the Automatic Exchange of Information pursuant to the Crypto-Asset Reporting Framework and of the Addendum to the Multilateral Competent Authority Agreement on the Automatic Exchange of Financial Account Information

·       On 27 February 2026, the Law on the Ratification of the Multilateral Competent Authority Agreement on the Automatic Exchange of Information pursuant to the Crypto-Asset Reporting Framework and of the Addendum to the Multilateral Competent Authority Agreement on the Automatic Exchange of Financial Account Information was published in the State Gazette No. 23/2026.

Law Amending and Supplementing the Public Offering of Securities Act

·       By the Transitional and Final Provisions of the Law Amending and Supplementing the Public Offering of Securities Act, published in the State Gazette No. 25/2026 on 10 March 2026, the Crypto-Assets Markets Act was supplemented to require all crypto-asset issuers and service providers to maintain a profile in the Secure Electronic Delivery System and to notify the Financial Supervision Commission within seven days, with a three-month transitional period for registration. The amendments further designate the Commission as a data-collection body for the purposes of ESAP and clarify the rules on service of notices, including deemed delivery after seven days and, where necessary, service by way of publication on the Commission's website.

Ordinance No. 77 of 12 March 2026 on the conditions and procedure for licensing and carrying out activities by issuers of asset-referenced tokens and by crypto-asset service providers

·       On 27 March 2026, Ordinance No. 77 of 12 March 2026 on the conditions and procedure for licensing and carrying out activities by issuers of asset-referenced tokens and by crypto-asset service providers was published in the State Gazette No. 30/2026. By this Ordinance, the Financial Supervision Commission establishes the conditions and procedure for licensing issuers of asset-referenced tokens and crypto-asset service providers in accordance with MiCAR (Regulation (EU) 2023/1114), including the requirements for their internal organisation and disclosure of information.

Croatian legal acts

Ordinance on Amendments to the Ordinance on Data Related to Corporate Governance to be Submitted by Issuers to the Croatian Financial Services Supervisory Agency, and on the Form, Deadlines and Manner of Their Submission

·       The Ordinance on Amendments to the Ordinance on Data Related to Corporate Governance to be Submitted by Issuers to the Croatian Financial Services Supervisory Agency (HANFA), and on the Form, Deadlines and Manner of Their Submission, adopted by HANFA and published in the Official Gazette No. 6/2026, entered into force on 24 January 2026. The Ordinance updates corporate governance reporting requirements, including sustainability, cybersecurity and digital resilience aspects, and introduces electronic data submission via a web interface.

Ordinance on eInvoices

·       The Ordinance on eInvoices, published in the Official Gazette No. 11/2026, entered into force on 31 January 2026. The Ordinance regulates the exchange and fiscalisation of eInvoices, including technical standards, security requirements and the operation of the fiscalisation system, as well as rules on data storage and access.

The Credit Institutions Act

·       The Credit Institutions Act, published in the Official Gazette No. 22/2026, entered into force on 13 March 2026. The Act aligns the Croatian banking regulatory framework with recent EU legislation, including provisions related to digital finance, in particular the issuance of electronic money and tokens, as well as services related to crypto-assets.

Act on the Implementation of Regulation (EU) 2024/900 on Transparency and Targeting of Political Advertising

·       The Act on the Implementation of Regulation (EU) 2024/900 on Transparency and Targeting of Political Advertising, published in the Official Gazette No. 22/2026, entered into force on 13 March 2026. The Act designates competent national authorities and establishes rules for the supervision and enforcement of obligations related to online political advertising, including transparency requirements, targeting techniques and the operation of electronic databases of political advertisements.

Act on the Implementation of Regulation (EU) 2024/1083 establishing a Common Framework for Media Services in the Internal Market (European Media Freedom Act)

·       The Act on the Implementation of Regulation (EU) 2024/1083 establishing a Common Framework for Media Services in the Internal Market (European Media Freedom Act), published in the Official Gazette No. 27/2026, entered into force on 26 March 2026. The Act designates the competent national authority and sets out rules for the supervision and regulation of media services, including electronic publications and online audiovisual services, as well as obligations related to transparency of media ownership and the labelling of content generated by artificial intelligence.

Ordinance on Amendments to the Ordinance on Additional Organisational Requirements for Alternative Investment Fund Managers

·       The Ordinance on Amendments to the Ordinance on Additional Organisational Requirements for Alternative Investment Fund Managers, adopted by the Croatian Financial Services Supervisory Agency (HANFA) and published in the Official Gazette No. 27/2026, entered into force on 26 March 2026. The Ordinance introduces enhanced requirements relating to the management and security of network and information systems, including obligations to implement ICT risk management frameworks, data protection measures and business continuity and recovery plans.

Decision on IT Solutions for the Submission of Reports for the Purposes of Resolution Planning of Credit Institutions

·       The Decision on IT Solutions for the Submission of Reports for the Purposes of Resolution Planning of Credit Institutions, adopted by the Croatian National Bank (HNB) and published in the Official Gazette No. 27/2026, entered into force on 26 March 2026. The Decision regulates the format and method for submitting regulatory reports to the HNB, including the use of standardised electronic formats (XBRL-CSV), data validation rules and technical requirements for reporting systems in line with applicable EU implementing regulations.

Czech legal acts

Decree on the submission of data to the unified list of blocked websites and the data published therein

·       The Decree on the submission of data to the unified list of blocked websites and the data published therein, published on 19 December 2025 in the Official Gazette No. 569/2025, entered into force on 1 January 2026. This Decree responds to the amendment to the Electronic Communications Act enacted by Act No. 23/2025, which entrusted the Office with responsibility for collecting data and publishing a list of all websites blocked under other legal regulations. The new decree specifies the scope, method, form and conditions for the transfer of data for the purpose of maintaining a unified list of blocked websites, as well as the scope of the data published therein.

Hungarian legal acts

NMHH Decree on the placement of electronic communications structures and the related administrative procedures

·       On 30 January 2026, Decree No. 1/2026 (I. 30.) of the President of the National Media and Infocommunications Authority on the placement of electronic communications structures and on administrative procedures related to electronic communications structures was published in the Hungarian Gazette No. 2026/12 and entered into force on 7 February 2026. At the same time, NMHH Decree No. 20/2020 (XII. 18.) ceased to be in force. The new regulation aligns with EU rules and sets procedural rules for authorisation, registration, control and supervision of construction and demolition of electronic communications structures. It also details cooperation requirements for establishing short-range wireless access points. Key changes include the introduction of the unified communications object model (EHO) and the joint public utility plan, supporting digitisation and simplifying procedures.

Amendment to the NMHH Decree on the detailed rules for the survey of high-speed electronic communications networks

·       On 12 February 2026, Decree No. 2/2026 (II. 12.) of the President of the National Media and Infocommunications Authority on the amendment of NMHH Decree No. 9/2020 (XII. 10.) on the detailed rules for the survey of high-speed electronic communications networks was published in the Hungarian Gazette No. 2026/16. The amendment, taking into account the market developments that have occurred since the entry into force of the NMHH Decree, clarifies the definition of the data provider, specifying which service providers are required to submit data, and simplifies the rules governing data provision and the verification procedures applicable to the submitted data, in order to ensure an efficient and comprehensive assessment of electronic communications networks.

Amendment to the NMHH Decree on national frequency allocation and the use of frequency bands

·       On 12 February 2026, Decree No. 3/2026 (II. 12.) of the President of the National Media and Infocommunications Authority amending NMHH Decree No. 7/2015 (XI. 13.) on the national frequency allocation and the rules on the use of frequency bands, as well as NMHH Decree No. 5/2024 (IV. 23.) amending NMHH Decree No. 7/2015 (XI. 13.) was published in the Hungarian Gazette No. 2026/16. The amendment revises the national frequency allocation and the rules on the use of frequency bands, with particular regard to obligations arising from international agreements, including those related to decisions of the International Telecommunication Union, as well as to the implementation of changes in EU regulations, the introduction of new applications, and the development and clarification of rules in response to evolving user needs.

NMHH Decree on the transmission of decisions related to action against illegal content and information requests

·       On 10 March 2026, Decree No. 4/2026 (III. 10.) of the President of the National Media and Infocommunications Authority on the transmission of decisions related to action against illegal content and information requests was published in the Hungarian Gazette No. 2026/26. The purpose of the Decree is to ensure that decisions related to Articles 9 and 10 of the EU Digital Services Act (Regulation (EU) 2022/2065) are transmitted to the President of the NMHH in a uniform manner and in a prescribed format, to facilitate effective enforcement. The Decree also sets out the rules governing the transmission of decisions concerning action against illegal content and the provision of information to the NMHH and to the Digital Services Coordinators of the Member States.

Amendment to the NMHH Decree on the detailed rules governing alternative dispute resolution bodies

·       On 16 March 2026, Decree No. 5/2026 (III. 16.) of the President of the National Media and Infocommunications Authority on the amendment of NMHH Decree No. 4/2024 (III. 21.) on the detailed rules governing alternative dispute resolution bodies was published in the Hungarian Gazette No. 2026/29. The amendment abolishes the applicant's fee in proceedings before the Online Platform Dispute Resolution Council, thereby facilitating enforcement and reducing administrative burdens. According to the amendment, the applicant's fee is HUF 0. Service providers pay HUF 50,000–150,000 depending on the outcome and must reimburse the applicant's reasonable costs if the applicant prevails, even in part.

Amendment to the NMHH Decree on the national frequency allocation and the rules on the use of frequency bands

·       On 19 March 2026, Decree No. 6/2026 (III. 19.) of the President of the National Media and Infocommunications Authority on the amendment of NMHH Decree No. 7/2015 (XI. 13.) on the national frequency allocation and the rules on the use of frequency bands was published in the Hungarian Gazette No. 2026/30. The amendment aims to ensure alignment with Commission Implementing Decisions (EU) 2025/2499 and (EU) 2026/291, particularly regarding harmonised standards for short-range devices and mobile systems on board aircraft, while also addressing the additional use cases for the paired frequency bands 874.4–880 MHz and 919.4–925 MHz used by railway mobile radio, and provides for the opening of the previously reserved portion of the 700 MHz frequency band for mobile radio telephone services, together with the establishment of the relevant regulatory provisions.

Polish legal acts

Amendment to the Act on the National Cybersecurity System – NIS2 Implementation

·       On 23 January 2026, Poland adopted the Act amending the National Cybersecurity System Act (ustawa o krajowym systemie cyberbezpieczeństwa), implementing the NIS2 Directive. On 19 February 2026, the President of Poland signed the Act. Simultaneously, the President referred certain provisions – including those on high-risk suppliers and administrative penalties – to the Constitutional Tribunal for review. The new regulation entered into force on 3 April 2026 and applies to a wide range of entities, estimated at over 30,000 organisations. It replaces the previous classification of operators of essential services and digital service providers with two new categories: essential entities (podmioty kluczowe) and important entities (podmioty ważne). The scope of the Act is extensive and covers organisations across 18 sectors, including industry, chemicals, pharmaceuticals, healthcare, energy, food production, waste management and ICT-related entities. Full compliance with risk management and incident reporting obligations is required within 12 months and the first security audit for essential entities must be completed within 24 months. The Act introduces a tiered incident reporting regime (24-hour early warning, 72-hour notification, one-month final report) and strengthens management board liability for cybersecurity oversight. The Act implementing NIS2 also introduces several obligations for entities within its scope, including the implementation of an information security management system. Entities that, as of 3 April 2026, meet the criteria to be classified as essential or important will be required to comply with these obligations by 3 April 2027. Penalties for non-compliance are significant: up to EUR 10m or 2 % of annual turnover for essential entities, and up to EUR 7m or 1.4 % of annual turnover for important entities. Notably, financial liability may also extend to members of the entity's management. The amending act has been published in the Official Journal of the Republic of Poland. For further information, please see here.

Mandatory National e-Invoicing System (KSeF)

·       Poland's mandatory e-invoicing system (Krajowy System e-Faktur, KSeF) is being rolled out in phases. From 1 February 2026, KSeF became mandatory for large taxpayers (2024 turnover exceeding PLN 200m), and from 1 April 2026, the obligation extends to all remaining VAT taxpayers. Micro-taxpayers with monthly turnover not exceeding PLN 10,000, must comply from 1 January 2027. All invoices must conform to the FA(3) XML schema, be assigned a unique KSeF identification number, and be stored on the platform for ten years. Benefits include a reduced VAT refund period (from 60 to 40 days) and elimination of JPK_FA filing obligations. Transitional relief applies through the end of 2026, including simplified invoices for transactions up to PLN 450 and a moratorium on penalties for KSeF-related violations.

Draft Bill on the Protection of Minors from Access to Harmful Content Online

·       Poland is introducing mandatory age verification for online pornographic content. Service providers will be required to conduct a risk assessment every 24 months and implement verification mechanisms compliant with guidelines issued by the Minister of Digital Affairs (Minister Cyfryzacji). NASK will maintain a non-public register of non-compliant domains. Internet access providers must block registered domains within 48 hours, free of charge. Supervision will rest with the President of the Office of Electronic Communications (Prezes UKE). Adoption of the draft by the Council of Ministers is scheduled for Q2 2026, with enactment of the act anticipated in Q4 2026.

Draft Bill Amending the Act on Trust Services and Electronic Identification – Implementation of eIDAS 2.0

·       Poland is transposing eIDAS 2.0 (Regulation (EU) 2024/1183). The centrepiece is the European Digital Identity Wallet (EUDI Wallet) available to natural and legal persons, serving as an EU-wide digital identity document. Natural persons will receive a free qualified electronic signature via the Wallet, limited to private (non-professional) use. The current mObywatel app ecosystem will be expanded to include a new EUDI Wallet application running in parallel with mObywatel. The final integration model is still under discussion. The text of the draft bill was first published in February 2026. On 27 February 2026, the assumptions of the IT project were to be submitted to the Governmental Committee for Digital Affairs. Adoption of the draft by the Council of Ministers is scheduled for Q2 2026. The act is expected to enter into force by the end of 2026.

Regulation (EU) 2024/1083 of the European Parliament and of the Council: European Media Freedom Act (EMFA) and the draft Polish Media Act

·       EMFA (Regulation (EU) 2024/1083) has been directly applicable since 8 August 2025. It protects editorial independence, requires transparent allocation of public advertising funds, and establishes the European Board for Media Services. Poland is working on implementing legislation under the lead of the Ministry of Culture and National Heritage (Ministerstwo Kultury i Dziedzictwa Narodowego), covering public media funding, reform of the National Broadcasting Council (KRRiT), and media pluralism. Enactment is planned for 2026.

Romanian legal acts

The Government Emergency Ordinance on implementing measures under DORA

·       On 11 March 2026, Government Emergency Ordinance No. 14/2026, laying down implementing measures for Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on the digital operational resilience of the financial sector and amending Regulations (EC) No. 1.060/2009, (EU) No. 648/2012, (EU) No. 600/2014, (EU) No. 909/2014 and (EU) 2016/1.011 ("GEO 14/2026"), was published in the Romanian Official Gazette No. 188/11.03.2026. It establishes certain measures for the implementation of DORA provisions regarding the designation of competent authorities responsible for supervising information and communication technology risk management in the financial sector and the sanctioning regime applicable in the event of infringements. Accordingly, the National Bank of Romania (BNR) and the Financial Supervisory Authority (ASF) have been designated as competent supervisory authorities, with the BNR assigned as the TLPT coordinator. In addition, GEO 14/2026 establishes a detailed sanctions regime, with the highest fines up to RON 23m (approx. EUR 4.5m) or 10 % of annual turnover for non-compliance by financial entities.

The Government's Memorandum on designation of national competent authorities under the EU AI Act

·       On 12 March 2026, the Romanian Government issued a Memorandum designating the following national competent authorities in the application of the EU AI Act: (i) ANCOM (the National Authority for Management and Regulation in Communications) as market surveillance authority and single national point of contact; (ii) the ASF and BNR as market surveillance authorities for high-risk AI systems in the field of financial services whose introduction on the market, putting into operation or use is directly related to the provision of the respective financial services; (iii) ANSPDCP (the Romanian Data Protection Authority) as market surveillance authority for high-risk AI systems in the field of biometrics for law enforcement, border control management, migration, asylum and administration of justice and democratic processes; (iv) the sector-specific authorities already designated under EU legislation to supervise the areas of activity regulated by Union regulatory acts, listed in Annex I Section A of the AI Act, for high-risk AI systems related to regulated products; and (v) ADR (the Romanian Digitalisation Authority) as the notifying authority responsible at the national level for carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies, as well as their monitoring.

Law 29/2026 supplementing the Romanian Audiovisual Law

·       On 14 March 2026, Law No. 29/2026 came into force, amending the Romanian Audiovisual Law (Law No. 504/2002). The amendment introduces a new obligation for broadcasters to transmit educational audiovisual communications about the dangers of disinformation and the importance of verifying information from reliable and multiple sources. Specifically, these communications must inform citizens about the risks of fake news and encourage reliance on official public authority sources, in line with Romanian state strategies and EU recommendations on combating disinformation. The National Audiovisual Council (CNA) is responsible for defining the content of these communications and for organising public awareness campaigns.

Slovenian legal acts

Banking Act

·       On 11 February 2026, the new Banking Act (Zakon o bančništvu; ZBan-4), Official Gazette of the Republic of Slovenia No. 15/2026, was adopted. ZBan-4 replaces the previous Banking Act (ZBan-3) and comprehensively regulates the establishment, operation and orderly cessation of credit institutions in Slovenia. The Act transposes Directive 2013/36/EU (CRD), as last amended, and Directive 2014/59/EU (BRRD) into Slovenian law. The new act entered into force on 12 March 2026. From a digital law perspective, ZBan-4 incorporates several key provisions: it defines crypto-asset services among the financial services that credit institutions may provide. The Act also establishes requirements for managing risks arising from direct and indirect crypto-asset exposures, including prior risk assessments and reporting obligations to the Bank of Slovenia. Furthermore, ZBan-4 aligns with Regulation (EU) 2022/2554 (DORA) by requiring banks to maintain ICT business continuity plans, as well as ICT response and recovery plans, and to undergo digital operational resilience testing. The Act also references the European Single Access Point (ESAP) established under Regulation (EU) 2023/2859, setting out obligations for the submission and disclosure of information in data-exportable and machine-readable formats.

Act Amending Certain Acts Regarding the Establishment and Functioning of the European Single Access Point

·       On 28 January 2026, the Act Amending Certain Acts Regarding the Establishment and Functioning of the European Single Access Point (Zakon o spremembah in dopolnitvah določenih zakonov glede vzpostavitve in delovanja evropske enotne točke dostopa; ZdZEETD), Official Gazette of the Republic of Slovenia No. 10/2026, was adopted. This act transposes Directive (EU) 2023/2864 and implements Regulations (EU) 2023/2859 and (EU) 2023/2869 on the establishment and functioning of the European Single Access Point (ESAP). To this end, ZdZEETD amends 12 Slovenian financial sector laws, including the Financial Conglomerates Act (Zakon o finančnih konglomeratih), the Takeover Act (Zakon o prevzemih), the Auditing Act (Zakon o revidiranju), the Companies Act (Zakon o gospodarskih družbah), the Investment Funds Act (Zakon o investicijskih skladih in družbah za upravljanje), the Alternative Investment Fund Managers Act (Zakon o upravljavcih alternativnih investicisjkih skladov) and the Act on the Implementation of the Regulation on Crypto-Asset Markets (MiCAR). The act designates the Bank of Slovenia, the Securities Market Agency, the Insurance Supervision Agency, the Agency for Public Oversight of Auditing and the Agency for Public Records and Services as data-collection bodies. It requires supervised entities to submit information in data-exportable or machine-readable formats, accompanied by specified metadata, including the legal entity identifier. ZdZEETD entered into force on 25 February 2026.

Rules on Electronic Filing of Applications in Industrial Property Rights Procedures

·       On 23 January 2026, the Rules on Electronic Filing of Applications in Industrial Property Rights Procedures (Pravilnik o elektronskem vlaganju prijav v postopkih za pridobitev pravic industrijske lastnine), Official Gazette of the Republic of Slovenia No. 6/2026, were adopted, replacing the previous Rules on Electronic Filing of Applications in Trademark and Design Registration Procedures. These rules govern the electronic filing of applications for the registration of trademarks and designs as well as the grant of patents through the electronic filing system managed by the Slovenian Intellectual Property Office. The rules entered into force on 14 February 2026. They set out the requirements for e-filings, including the use of qualified electronic certificates and time stamps, the formats and sizes of electronic attachments, and the confirmation process for submitted applications.

Decision on the Use of Guidelines on Information Requirements Accompanying Transfers of Funds and Certain Crypto-Assets

·       On 29 January 2026, the Decision on the Use of Guidelines on Information Requirements Accompanying Transfer of Funds and Certain Crypto-Assets (Sklep o uporabi Smernic o zahtevah glede informacij, ki spremljajo prenose sredstev in nekaterih kriptosredstev v skladu z Uredbo (EU) 2023/1113), Official Gazette of the Republic of Slovenia No. 7/2026, was adopted. By this decision, the Slovenian Securities Market Agency implemented the EBA Guidelines (EBA/GL/2024/11) on the requirements under Regulation (EU) 2023/1113 (MiCAR). The guidelines set out the factors that crypto-asset service providers (CASPs) and intermediary CASPs should consider when establishing procedures for detecting and managing transfers of crypto-assets that lack the required originator and beneficiary information. They also address the technical aspects of the application of MiCAR, including measures related to the identification and assessment of money laundering and terrorism financing risks associated with crypto-asset transfers directed at or originating from unhosted addresses. The decision entered into force on 19 February 2026.

Rules on Publication of Sales in the Online Search Engine and Online Public Auctions in Enforcement and Insolvency Proceedings

·       On 17 February 2026, the Rules on Publication of Sales in the Online Search Engine and Online Public Auctions in Enforcement and Insolvency Proceedings (Pravilnik o objavah prodaj spletnem iskalniku in spletnih javnih dražbah v izvršilnih in stečajnih postopkih), Official Gazette of the Republic of Slovenia No. 13/2026, were adopted, replacing the previous Rules on Publication of Sales in the Online Search Engine and Online Public Auctions in Enforcement and Insolvency Proceedings, extending their scope to also cover insolvency proceedings. The rules entered into force on 7 March 2026. The rules regulate online publication of sales of assets in enforcement and insolvency proceedings through the e-Auction portal (sodnedrazbe.si), managed by the Supreme Court of the Republic of Slovenia. They also establish a comprehensive framework for conducting online public auctions, including identity verification via SI-PASS, the assignment of anonymous bidder identifiers, and detailed procedures for ascending and descending price auctions.

Turkish legal acts

Principle Decision on Loyalty Programme Authentication (2026/266)

·       On 28 February 2026, a principle decision dated 11 February 2026 (No. 2026/266) was published in the Official Gazette. The decision concerns loyalty programme practices where discounts or points are applied based solely on the declaration of a phone number or loyalty card number, without verifying whether the person carrying out the transaction is the account holder. The principle decision also clarifies that contractual provisions assigning responsibility to users do not relieve the statutory obligations of data controllers. The Authority requires the implementation of appropriate authentication mechanisms (e.g. OTP via SMS at checkout, QR/barcode through mobile applications, PIN or physical card verification), including risk-based or transaction-based verification models.