Digital Law Monitor 2/2025

For weekly news please subscribe to the Schönherr Datenschutzmonitor for updates on legal acts and guidelines (in German)

EU Legal Acts

Regulations and Directives (incl. drafts)

• Omnibus IV Simplification Package

Commission Guidelines

• Commission Guidelines on Protection of Minors online under the Digital Services Act

European Data Protection Board

• Guidelines 02/2024 on Article 48 GDPR

Counsel Recommendations

• Cyber Blueprint

European Commission Decisions

• Digital Markets Act – Apple and Meta
• Digital Services Act – AliExpress

Commission Delegated and Implementing Regulations (incl. drafts)

• Regulation on Political Advertising
• eIDAS
• Markets in Crypto-Assets Regulation (MiCAR)

Austrian legal acts

• Ordinance on Itemised Bills 2025
• Upper Austrian Information Technology Application Act
• "ID Austria" mobile app
• Austrian Accessibility Act
• Austrian Data Access Act

Bulgarian legal acts

• Act on Accessibility Requirements for Products and Services
• Act on Markets in Crypto-Assets

Croatian legal acts

• Decision on the Publication of Price Lists and Quotation of Additional Prices Intended as a Measure of Direct Price Control in Retail Sale
• Act on Accessibility Requirements for Products and Services
• Fiscalisation Act

Hungarian legal acts

• Act amending certain laws in connection with cash payment

Moldovan legal acts

• Law on Cyber Security
• Law on promoting fairness and transparency for business users of online intermediation services
• Law on Electronic Communications
• Instruction regarding the procedure for stopping access to web pages containing crime-related information

Polish legal acts

• Act amending the Act on Electronic Delivery
• Guide to Data Protection Breaches
• Act on Accessibility Requirements for Products and Services

Romanian legal acts

• Norm No. 14/2025 on the management of operational risks generated by information systems
• Regulation No. 1/2025 on the amendment of certain legal acts issued by the National Bank of Romania
• Law No. 232/2022 on accessibility requirements applicable to products and services
• Draft Order on the approval of the requirements for the notification/registration process under NIS2
• Draft Order on the approval of criteria and thresholds for determining the degree of disruption of a service and the methodology for assessing the risk level of entities under NIS2

Slovenian legal acts

• Act amending the Act on the Promotion of Digital Inclusion
• Act amending the Act on Prevention of Money Laundering and Terrorist Financing Act
• Act amending the Banking Act
• Act implementing Regulation (EU) on information accompanying the transfer of funds and certain crypto-assets
• Regulation implementing Regulation (EU) on digital operational resilience for the financial sector
• Information Security Act

Turkish legal acts

• Compliance Obligations for Cross-Border E-Commerce Products
• Communiqué on keeping commercial books not related to the accounting of the business in electronic format
• Implementation of the Centralised Crypto-Asset Reporting System
• Cybersecurity Law No. 7545

EU Legal Acts, Guidelines and more

Regulations and directives (incl. drafts) 

Omnibus IV Simplification Package

·      The European Commission aims to reduce the administrative burden for companies with the so-called Omnibus Packages. On 21 May 2025, the Omnibus IV Package was published. This Package includes, amongst others, a (i) "Proposal for a Regulation of the European Parliament and of the Council amending Regulations (EU) 2016/679, (EU) 2016/1036, (EU) 2016/1037, (EU) 2017/1129, (EU) 2023/1542 and (EU) 2024/573 as regards the extension of certain mitigating measures available for small and medium sized enterprises to small mid-cap enterprises and further simplification measures", COM(2025) 501 final; (ii) "Proposal for a Directive of the European Parliament and of the Council amending Directives 2014/65/EU and (EU) 2022/2557 as regards the extension of certain mitigating measures available for small and medium sized enterprises to small mid-cap enterprises and further simplifying measures", COM(2025) 502 final; (iii) "Proposal for a Directive of the European Parliament and of the Council amending Directives 2000/14/EC, 2011/65/EU, 2013/53/EU, 2014/29/EU, 2014/30/EU, 2014/31/EU, 2014/32/EU, 2014/33/EU, 2014/34/EU, 2014/35/EU, 2014/53/EU, 2014/68/EU and 2014/90/EU of the European Parliament and of the Council as regards digitalisation and common specifications", COM(2025) 503 final; and (iv) "Proposal for a Regulation of the European Parliament and of the Council amending Regulations (EU) No 765/2008, (EU) 2016/424, (EU) 2016/425, (EU) 2016/426, (EU) 2023/1230, (EU) 2023/1542 and (EU) 2024/1781 as regards digitalisation and common specifications", COM(2025) 504 final. The Commission introduces the new term "small mid-cap enterprises" (SMCs), which is intended to cover larger companies than the previous term of SMEs. Like SMEs, this new category of enterprises will benefit from the administrative burden reduction measures of Omnibus IV. In addition to the GDPR, the MiFID and the CER directives will be revised. The other two legislative proposals modernise several specified Directives and Regulations by introducing the "digital by default" principle. According to the first proposal, COM(2025) 501 final, the GDPR obligation to maintain a record of processing activities will no longer apply to companies and organisations with fewer than 750 employees, provided the processing activity is unlikely to result in a high risk within the meaning of Art. 35 GDPR. Read more in our technology & digitalisation newsletter 06/2025.

·      On 16 June 2025, the Council and the European Parliament reached a provisional deal on the draft of the new GDPR Procedural Regulation, COM(2023) 348 final. This Regulation aims to harmonise the admissibility of cross-border data protection complaints. Among other things, deadlines and mechanisms in the coherence mechanism were agreed upon (Press release of the Council; Press release of the EP).

Commission guidelines

Commission Guidelines on Protection of Minors Online under the Digital Services Act

·      On 13 May 2025, the Commission published its Guidelines on the Protection of Minors Online for public consultation. Pursuant to Art. 28 Digital Services Act ("Online Protection of Minors"), online platforms accessible to minors must take appropriate and proportionate measures to ensure a high level of privacy, safety and security of minors within their services. While the DSA does not prescribe specific measures, Art. 28(4) empowers the Commission to issue guidelines to assist platform providers in the application of such measures. Read more in our technology & digitalisation newsletter 06/2025.

European Data Protection Board (EDPB)

Guidelines 02/2024 on Article 48 GDPR²

·      Following a public consultation, the EDPB published the final "Guidelines 02/2024 on Article 48 GDPR²" on 5 June 2025. Pursuant to Art. 48 GDPR, judgments or decisions of courts and administrative authorities of a third country may only be recognised or enforced if based on an international agreement. The Guidelines provide recommendations to controllers and processors on how to handle requests from courts and administrative authorities from third countries. They clarify that the disclosure of personal data at the request of a third country's authority is only permissible if it complies with the principles of Art. 5 GDPR, is based on a legal basis under Art. 6 GDPR and relies on a valid transfer mechanism under Chapter V GDPR ("two-step test").

Council recommendation

Cyber Blueprint

·      On 6 June 2025, the "Cyber Blueprint", a recommendation of the Council, was adopted. This blueprint aims to establish a Union-wide framework for cybersecurity crisis management in the event of a large-scale cybersecurity incident. It describes cooperation mechanisms between the various actors involved.

European Commission decisions

Digital Markets Act – Apple and Meta

·      On 23 April 2025, the European Commission (EC) published a press release announcing, among other things, that it had imposed fines on Apple and Meta based on the Digital Markets Act (DMA). Apple was fined EUR 500m for failing to comply with the DMA's steering terms. Meta was fined EUR 200m for a binary "consent or pay" model (which in the meantime has been modified). Furthermore, the EC determined that Facebook Marketplace should no longer be designated as an online intermediation service under the DMA (EC press release 23 April 2025, IP/25/1085).

Digital Services Act – AliExpress

·      On 18 June 2025, the European Commission (EC) published a press release announcing its acceptance of commitments offered by AliExpress to comply with the Digital Services Act (DSA), while noting violations by AliExpress regarding the dissemination of illegal products. Through the commitments offered and made binding, the Commission hopes to increase the transparency of the platform's advertising and recommender systems (EC press release 18 June 2025, IP/25/1551).

Commission delegated and implementing regulations (incl. drafts)

Regulation on Political Advertising

·      On 30 April 2025, the European Commission published a Draft Implementing Regulation including an annex to Regulation (EU) 2024/900 on the transparency and targeting of political advertising. The Implementing Regulation specifies the format, template and technical specifications for labelling and transparency notices related to political advertisements.

eIDAS

·      On 7 May 2025, the following Commission Implementing Regulations were published: (i) "Commission Implementing Regulation (EU) 2025/846 of 6 May 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards cross-border identity matching of natural persons", OJ L 2025/846; (ii) "Commission Implementing Regulation (EU) 2025/847 of 6 May 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards reactions to security breaches of European Digital Identity Wallets", OJ L 2025/847; (iii) "Commission Implementing Regulation (EU) 2025/848 of 6 May 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards the registration of wallet-relying parties", OJ L 2025/848; and (iv) "Commission Implementing Regulation (EU) 2025/849 of 6 May 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards the submission of information to the Commission and to the Cooperation Group for the list of certified European Digital Identity Wallets", OJ L 2025/849. These four implementing regulations establish and specify requirements and obligations concerning European Digital Identity Wallets within the meaning of eIDAS.

MiCAR

·      On 10 June 2025, the following three delegated regulations supplementing Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets [...] (MiCAR) were published: (i) "Commission Delegated Regulation (EU) 2025/1140 of 27 February 2025, supplementing Regulation (EU) 2023/1114 of the European Parliament and of the Council with regard to regulatory technical standards specifying the records to be kept in relation to all crypto-asset services, activities, orders, and transactions," OJ L 2025/1140; (ii) "Commission Delegated Regulation (EU) 2025/1141 of 27 February 2025 supplementing Regulation (EU) 2023/1114 of the European Parliament and of the Council with regard to regulatory technical standards specifying the requirements for conflict of interest policies and procedures for issuers of asset-referenced tokens," OJ L 2025/1141; and (iii) "Commission Delegated Regulation (EU) 2025/1142 of 27 February 2025 supplementing Regulation (EU) 2023/ 1114 of the European Parliament and of the Council with regard to regulatory technical standards specifying the requirements for conflicts of interest policies and procedures for crypto-asset service providers and the details and methods for the content of conflicts of interest disclosures," OJ L 2025/1142. These three delegated regulations supplement MiCAR by establishing technical regulatory standards on record-keeping obligations and conflicts of interest. The record-keeping obligations cover both recording modalities and retention obligations.

Austrian Legal Acts

Ordinance on Itemised Bills 2025

·      On 23 April 2025, the "Ordinance of the Austrian Regulatory Authority for Broadcasting and Tele-communications (RTR-GmbH) specifying the level of detail and the format for itemised bills" ("Einzelentgeltnachweisverordnung 2025"; EEN-V 2025) was published in the Federal Law Gazette II 2025/75. The Ordinance on Itemised Bills 2025 regulates the format of itemised bills for charging the provision of number-based interpersonal communication services and internet access services. Number-based interpersonal communications services are fixed (landline) and mobile telecommunication services, but also internet-based services that enable communication with a telephone number (e.g. Viber). Internet access services provide access to the internet (e.g. A1, Magenta and Hutchison Drei).

Upper Austrian Information Technology Application Act

·      On 12 June 2024, the "Upper Austrian Information Technology Application Act" (Oö ITEG) was published in the Provincial Law Gazette 2025/46. The aim is to promote digital transformation, the usage of artificial intelligence and automated decisions in the state parliament, the state court of audit, the state administrative court, and the authorities and agencies of the state of Upper Austria, the Upper Austrian municipalities and municipal associations, and other Upper Austrian public entities. In particular, participation in AI regulatory sandboxes is encouraged. In addition, decisions made by these entities as holders of private rights may be based on automated decisions.

"ID Austria" mobile app

·      On 20 June 2025, the "ID Austria" mobile app (formerly "Digitales Amt") for digital identity was officially launched, enhancing eID, eSignature and qualified signature services (https://secure.oesterreich.gv.at). The login process has also been changed. Users can now choose between fingerprint or facial recognition or enter their device password or PIN code. ID Austria enables users to verify their identity to digital applications and authorities (digital identity) and meets the requirements of the eIDAS Regulation, making it legally valid throughout Europe.

Austrian Accessibility Act

·      The "Austrian Accessibility Act" (Barrierefreiheitsgesetz or BaFG) implementing Directive (EU) 2019/882 of the European Parliament and of the Council of 17 April 2019 on the accessibility requirements for products and services, OJ L 2019/151, 70, into Austrian law, was published in the Federal Law Gazette I 76/2023 and will enter into force on 28 June 2025. The Act establishes mandatory accessibility requirements for certain products and services provided to consumers, including, but not limited to, POS terminals, ATMs, e-readers, electronic communication services, audiovisual media services, banking services and e-commerce services. The Act contains provisions governing the obligations of producers, importers, distributors and service providers, as well as enforcement provisions for ensuring compliance.

Austrian Data Access Act

·      On 18 June 2025, the Austrian National Council adopted the government's bill on the Austrian Data Access Act (Datenzugangsgesetz, DZG) , implementing Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act; OJ L 2022/152). The Act will establish a federal law governing data governance, providers of data intermediation services and data altruism organisations. Its aim is to introduce a uniform governance framework for the reuse of public sector data and data ecosystems, and to promote data altruism.

Bulgarian Legal Acts

Act on Accessibility Requirements for Products and Services

·         On 11 April 2025, the Act on Accessibility Requirements for Products and Services, implementing Directive (EU) 2019/882 of the European Parliament and of the Council of 17 April 2019 on the accessibility requirements for products and services, OJ L 2019/151, 70, and providing for measures for the implementation of Regulation (EU) 2019/1020 of the European Parliament and of the Council of 20 June 2019 on market surveillance and compliance of products, OJ L 2019/169, into Bulgarian law, was published in the State Gazette No. 31/2025. The Act will enter into force on 28 June 2025. The Act regulates: (i) the accessibility requirements for certain products and services (e.g. audiovisual media services, consumer banking services, e-commerce services, etc.); (ii) the procedure for assessing the conformity of products with accessibility requirements; (iii) the obligations of economic operators making products available on the market or providing services; (iv) the supervision of products made available on the market and/or put into service; and (v) monitoring the compliance of the provided services with accessibility requirements.

Act on Markets in Crypto-Assets

·      On 20 June 2025, the National Assembly adopted the Act on Markets in Crypto-Assets. The Act introduces the measures for the implementation of Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets (MiCAR), as well as the implementing acts related to the conditions and procedures for the licensing, operation and state supervision of crypto-asset issuers and crypto-asset service providers. The Act has not yet been published in the State Gazette but is expected imminently.

Croatian Legal Acts

Decision on the Publication of Price Lists and Quotation of Additional Prices Intended as a Measure of Direct Price Control in Retail Sale

·      The Decision on the Publication of Price Lists and Quotation of Additional Prices Intended as a Measure of Direct Price Control in Retail Sale (the "Decision"), adopted by the Government of the Republic of Croatia and published in the Official Gazette No. 75/2025, entered into force on 15 May 2025. The Decision provides for mandatory online publication of retail prices for foodstuffs, drinks, cleaning products, toiletries and household items, and applies to all retailers categorised as supermarkets, hypermarkets, discount shops and cash & carry. The retailers are required to publish their price lists in digital, machine-readable format (.xml or .csv), compatible with software tools and automated programs designed to gather price data in real time. The price lists must be updated daily and accessible online for 30 days after publication.

Act on Accessibility Requirements for Products and Services

·      The Act on Accessibility Requirements for Products and Services (the "Accessibility Act"), implementing Directive (EU) 2019/882 of the European Parliament and of the Council of 17 April 2019 on the accessibility requirements for products and services, OJ L 2019/151, 70, into Croatian law, was published in the Official Gazette No. 89/2025 and will enter into force on 28 June 2025. The Act introduces mandatory accessibility requirements for certain products and services provided to consumers, including, but not limited to, POS terminals, ATMs, e-readers, electronic communication services, audiovisual media services, banking services and e-commerce services. The Act contains provisions governing the obligations of producers, importers, distributors and service providers, as well as enforcement provisions for ensuring compliance.

Fiscalisation Act

·      The Fiscalisation Act, published in the Official Gazette No. 89/2025 and scheduled to enter into force on 1 September 2025, is set to replace the current Act on the Fiscalisation of the Circulation of Cash. The new Act consolidates the existing rules on fiscalisation of cash transactions and electronic invoices in B2C relations and extends their application to all B2B relations and cashless transactions. The new legal framework is expected to reduce the administrative burden on taxpayers, as all electronic invoices will be automatically registered with the Tax Administration.

Hungarian Legal Acts

Act amending certain laws in connection with cash payment

·      On 20 June 2025, Act LXII of 2025 on the Amendment of Certain Laws in Connection with the Use of Cash (the "Act") was published in the Hungarian Gazette No. 2025/74 and will enter into force on 1 July 2025. Hungary has recently recognised cash payment as a fundamental right. In connection with this, the Act obligates businesses to offer consumers the option to settle payments in cash. Notably, the Act sets out certain exceptions, including online service contracts, cross-border online sales contracts and sales conducted in automated stores.

Moldovan Legal Acts

Law on Cybersecurity

·      On 1 January 2025 the Law on Cybersecurity No.°48 dated 16 March 2023 (Legea privind securitatea cibernetica) entered into force, as published in Official Gazette No.151-153 of 28 April 2023. It transposes Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive). The law establishes the normative, organisational and cooperation framework for cybersecurity in Moldova, sets out the competences of public authorities and institutions in the field, defines the national crisis management framework for cybersecurity, and introduces requirements, measures and mechanisms to ensure the security of networks and IT systems essential for the functioning of society. It also provides for the management of cyber incidents at a national level.

Law on Promoting Fairness and Transparency for Business Users of Online Intermediation Services

·      On 22 April 2025 the Law on Promoting Fairness and Transparency for Business Users of Online Intermediation Services No.°53 dated 20 March 2025 (Legea privind promovarea echităţii şi a transparenţei pentru întreprinderile utilizatoare de servicii de intermediere online) was published in Official Gazette No. 193-194 and will enter into force on 22 April 2026. The law partially transposes "Regulation (EU) 2019/1150 on promoting fairness and transparency for business users of online intermediation services" (P2B Regulation). Its purpose is to ensure the smooth functioning of the market by establishing rules that guarantee an adequate degree of fairness, transparency and effective remedial measures for businesses using online intermediation services and professional website users in their interactions with online search engines.

Law on Electronic Communications

·      On 15 May 2025, the Law on Electronic Communications No.°72 dated 10 April 2025 (Legea comunicatiilor electronice) was published in Official Gazette No. 226-228, with entry into force slated for 1 January 2026. It partially transposes several European Union directives and regulations, including Directive (EU) 2018/1972 establishing the European Electronic Communications Code (Recast), Commission Delegated Regulation (EU) 2021/654 supplementing Directive (EU) 2018/1972, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, Commission Directive 2008/63/EC on competition in the markets in telecommunications terminal equipment, Regulation (EU) 2021/1232 on a temporary derogation from certain provisions of Directive 2002/58/EC as regards the use of technologies by providers of number-independent interpersonal communications services for the processing of personal and other data for the purpose of combating online child sexual abuse. The law establishes the national regulatory framework for electronic communications networks and services, associated facilities and certain aspects of terminal equipment. It defines the responsibilities of relevant authorities, as well as the rights and obligations of natural and legal persons involved in the creation, management and use of electronic communications networks.

Instruction regarding the procedure for stopping access to web pages containing information intended and used for preparing or committing crimes and for removing the respective content at the source

·      On 28 May 2025, the Government of the Republic of Moldova adopted Decision No.°317 on the approval of the Instruction regarding the procedure for stopping access to web pages containing information intended and used for preparing or committing crimes and for removing the respective content at the source. This decision was published in Official Gazette No. 289-292 of 3 June 2025. The instruction establishes the procedures for the identification of web pages containing information intended and used for preparing or committing crimes, for the implementation of the order to stop access to a web page or to remove online content at the source, as well as for the cooperation between the Ministry of Internal Affairs and/or the Information and Security Service and Internet access service providers, online content hosting service providers and/or content providers, in order to implement measures to stop access or removal of the content at the source.

Polish Legal Acts

Act amending the Act on Electronic Delivery

·      On 1 January 2025, the Act amending the Act on Electronic Delivery dated 18 November 2020 came into force. The amendment introduces a transitional period, which will last until 31 December 2025, during which public entities will be able to waive the service of correspondence to an electronic delivery address or using a public hybrid service due to organisational reasons assessed by the authority itself. The reason for the amendment is that some public entities are not ready to apply the solutions set out in the Act on Electronic Delivery, in particular with regard to the delivery of correspondence using the Public Registered Electronic Delivery Service (PURDE) or the Public Hybrid Service (PUH). The amended Act can be found here.

Guide to Data Protection Breaches (Poradnik na gruncie RODO - Obowiązki administratorów związane z naruszeniami ochrony danych osobowych)

·      On 20 February 2025, the President of the Personal Data Protection Office published an updated version of its Data Protection Breaches Guide. The guide is a source of knowledge for controllers and data protection officers. The latest version takes into account the current legislation, the experience from the past practice of applying the GDPR and the results of the public consultation. The guide was published on the website of the President of the Personal Data Protection Office.

Act on Accessibility Requirements for Products and Services

·         By 28 June 2025, businesses (excluding microenterprises) must adapt their products and services to meet EU accessibility requirements. The new Act on Accessibility Requirements for Products and Services will apply to manufacturers, importers, distributors and service providers. Products subject to accessibility requirements include computers and operating systems, payment and self-service terminals (e.g. ATMs, ticket machines), consumer end-user devices used to provide telecommunications and e-book readers. Services subject to accessibility requirements include telecommunications and audiovisual media services, passenger transport services (rail, air, road and water), retail banking, e-commerce and e-book services. The Act can be found here.

Romanian Legal Acts

Norm No. 14/2025 amending and supplementing Norm of the Financial Supervisory Authority No. 4/2018 on the management of operational risks generated by information systems used by entities authorised/approved/registered, regulated and/or supervised by the Financial Supervisory Authority ("Norm 14/2025")

·      On 26 May 2025, Norm 14/2025 was published in the Romanian Official Gazette No. 587 of 26 May 2025. It introduces slight amendments to the existing Norm 4/2018 in order to align with the provisions of Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/101 (DORA) for entities regulated and/or supervised by the Romanian Financial Supervisory Authority.

Regulation No. 1/2025 on the amendment of certain legal acts issued by the National Bank of Romania ("Regulation 1/2025")

·      The National Bank of Romania (NBR) made some amendments to its existing regulations to align with the DORA Regulation through Regulation 1/2025 (Regulamentul nr. 1/2025 privind modificarea unor acte normative emise de Banca Naţională a României). The main amendments introduced by Regulation 1/2025 refer to the observance of the DORA requirements in the context of ICT activities and ICT incident reporting. Regulation 1/2025 was published in the Romanian Official Gazette No. 489 on 26 May 2025.

Law No. 232/2022 on accessibility requirements applicable to products and services ("Law 232/2022")

·      Law 232/2022 (Legea nr. 232/2022 privind cerinţele de accesibilitate aplicabile produselor şi serviciilor), which enters into force on 28 June 2025, transposes the EU Accessibility Act into national law and sets specific requirements for products and services, including websites and apps, to ensure they are accessible to individuals with disabilities.

Draft Order on the approval of the requirements for the notification/registration process under NIS2

·      On 30 April 2025, the Romanian National Directorate for Cybersecurity (DNSC) published a draft order for approving the requirements regarding the notification/registration process under the NIS2 Directive (Ordinul pentru aprobarea cerințelor privind procesul de notificare în vedereaînregistrării și metoda de transmitere a informațiilor). The draft order establishes the registration process and an online platform where the companies that fall under the requirements of NIS2 must register as essential/important entities. The draft order is currently awaiting final approval following the public consultation.

Draft order on the approval of criteria and thresholds for determining the degree of disruption of a service and the methodology for assessing the risk level of entities under NIS2

·      On 30 April 2025, the DNSC also published a draft order regarding the criteria and thresholds for determining the degree of disruption of a service and the methodology for assessing the risk level of entities under NIS2 (Ordinul pentru aprobarea criteriilor și pragurilor de determinare a gradului de perturbare a unui serviciu și metodologia de evaluare a nivelului de risc al entităților). The draft order establishes a set of criteria and a methodology that would help entities determine whether they qualify as essential or important entities under NIS2. The draft order is currently awaiting final approval following the public consultation.

Slovenian Legal Acts

Act amending the Act on the Promotion of Digital Inclusion (Zakon o spremembah Zakona o spodbujanju digitalne vključenosti)

·      On 13 February 2025, the act on the promotion of digital inclusion underwent a minor amendment, predominantly eliminating a state-run mechanism that allowed rental of computer equipment. The act was published in the Official Gazette of the Republic of Slovenia, No. 12/2025.

Act amending the Act on Prevention of Money Laundering and Terrorist Financing Act (Zakon o spremembah Zakona o preprečevanju pranja denarja in financiranja terorizma)

·      On 29 March 2025, the Prevention of Money Laundering and Terrorist Financing Act underwent an amendment following the transposition of Directive 2015/849/EU insofar as it relates to amendments to the crypto-asset market. Regulation 2020/2223/EU, which establishes cooperation between the competent national authority and the European Anti-Fraud Office (OLAF), has also been implemented. The act was published in the Official Gazette of the Republic of Slovenia, No. 17/2025.

Act amending the Banking Act (Zakon o spremembah Zakona o bančništvu)

·      On 29 March 2025, the Banking Act underwent an amendment following alignment with Regulation 2023/1114/EU (MiCAR) insofar as it relates to amendments to Directive 2013/36/EU. The act was published in the Official Gazette of the Republic of Slovenia, No. 17/2025.

Act implementing Regulation (EU) on information accompanying the transfer of funds and certain crypto-assets (Zakon o izvajanju uredbe (EU) o informacijah, ki spremljajo prenos sredstev in nekaterih kriptosredstev)

·      On 2 April 2025, the act implementing Regulation (EU) 2023/1113 of 31 May 2023 on information accompanying transfers of funds and certain cryptocurrencies and amending Directive (EU) 2015/849, entered into force. The act sets out the competent authorities for the supervision of payment service providers and intermediary payment service providers, cryptocurrency service providers and intermediary cryptocurrency service providers, the manner in which supervision is to be carried out, the supervisory measures, the procedure for imposing supervisory measures, and the offences and fines relating to the implementation of Regulation 2023/1113/EU. The act was published in the Official Gazette of the Republic of Slovenia, No. 17/2025.

Regulation implementing Regulation (EU) on digital operational resilience for the financial sector (Uredba o izvajanju uredbe (EU) o digitalni operativni odpornosti za finančni sektor)

·      On 26 April 2025, the regulation implementing Regulation (EU) 2022/2554 (DORA) entered into force. Among other things, the regulation sets out the competent bodies overseeing compliance with DORA and fines for non-compliance, which may range up to EUR 500,000. The regulation was published in the Official Gazette of the Republic of Slovenia, No. 25/2025.

Information Security Act (Zakon o informacijski varnosti)

·      On 19 June 2025, the amended Information Security Act entered into force. The act upgrades the national cybersecurity system and transposes the European NIS2 Directive (Directive 2022/2555/EU) into national legislation. The key new features include the introduction of a self-registration platform for entities covered by this law, a unified platform for incident reporting, and a platform for secure information exchange. The act was published in the Official Gazette of the Republic of Slovenia, No. 40/2025.

Turkish Legal Acts

Compliance obligations for cross-border e-commerce products

·      A new regulation issued by the Turkish Ministry of Trade to enhance product safety in e-commerce has officially entered into force. The Regulation on Market Surveillance of Products Offered through Remote Communication Tools (the "Regulation") was published in Official Gazette No. 32707 on 30 October 2024 and became effective on 1 April 2025. The Regulation sets out the conditions for offering products through remote communication tools and defines the obligations of economic operators and service providers, aiming to strengthen consumer protection, ensure that products sold online meet applicable safety standards and align national practices with EU market surveillance frameworks. Under the revised rules, appointing a responsible economic operator established in Türkiye has become a prerequisite for the sale of products procured from abroad through remote communication tools. These operators are responsible for preparing and retaining technical documentation, notifying the competent authority of non-compliant products in a timely manner and implementing corrective actions when necessary. The Regulation further requires that all product listings clearly include seller and manufacturer information, safety warnings in Turkish, conformity markings and accurate visuals and descriptions.

Communiqué on keeping commercial books not related to the accounting of the business in electronic format

·      A new Communiqué, published in Official Gazette No. 32813 on 14 February 2025, introduced the option and, in some cases, the obligation for companies in Türkiye to maintain non-accounting commercial books, such as share ledgers and board resolution books, in electronic form through the Electronic Bookkeeping System (EBS), integrated with Central Registration Systems (MERSIS). As of 1 July 2025, all companies incorporated on or after 1 January 2026, as well as specific regulated entities including banks, insurance firms, financial institutions and capital market players, are mandated to use the EBS. Voluntary transition is available for other companies, provided they digitise all relevant books.

Implementation of the Centralised Crypto-Asset Reporting System by the Central Securities Depository of Türkiye

·      On 27 May 2025, the Central Securities Depository of Türkiye (MKK) initiated the implementation of a new digital infrastructure for crypto-asset data reporting (the "System"). This System has been developed pursuant to the Communiqué on the Principles of Establishment and Operation of Crypto-Asset Service Providers (III-35/B.1) and the Communiqué on the Operational Procedures and Capital Adequacy Requirements of Crypto-Asset Service Providers (III-35/B.2), both issued by the Capital Markets Board of Türkiye and published in Official Gazette No. 32840 dated 13 March 2025. The System is designed to ensure secure and standardised data flow between the MKK and platforms operating as crypto-asset service providers. These platforms will be required to report transaction-level information, such as purchase and sale operations, initial offerings or distributions, clearing and transfers, as well as custody records and customer balances, directly to the MKK. With the implementation, investors will be able to verify and compare platform records with those of the MKK through the e-YATIRIMCI (e-investors). The deadline for crypto service providers to complete their technical and integration applications to the MKK has been set for 20 June 2025.

Law on Cybersecurity

·      Cybersecurity Law No.° 7545 (the "Cybersecurity Law"), which was published in Official Gazette No. 32840 and entered into force on 19 March 2025, establishes a national cybersecurity framework applicable to public institutions, private entities and individuals operating in cyberspace. The law grants extensive authority to the Cybersecurity Directorate, including the regulation and supervision of the sector, on-site inspections, imposition of administrative sanctions and development of standards for cybersecurity products and services. The Cybersecurity Law also imposes specific obligations on IT and cybersecurity companies, such as incident reporting, procurement of certified cybersecurity tools for use in public infrastructure and obtaining prior approval for certain transactions and exports.