Digital Law Monitor 4/2025

EU legal acts

Regulations (incl. drafts)

• Regulation on the transparency and targeting of political advertising (TTPA)
• Gigabit Infrastructure Act (GIA)
• Digital Omnibus (AI and European Business Wallets)
• Regulation on laying down additional procedural rules on the enforcement of the GDPR

Commission Guidelines

• Joint Guidelines on the Interplay between the DMA and the GDPR

European Council

• United Nations Convention against Cybercrime

European Data Protection Board

• Draft recommendations 2/2025 on e-commerce websites

Commission Delegated and Implementing Regulations (incl. drafts)

• Digital Services Act (DSA)
• AI Act
• Adequacy Decisions (UK)
• Cyber Resilience Act (CRA)
• Regulation on eCall systems
• Markets in Crypto-Assets Regulation (MiCA)
• eIDAS
• TTPA

Austrian legal acts

• Critical Entities Resilience Act
• Federal Act amending the SNG, SPG, TKG, BVwGG und RStDG (Federal Troja)
• Criminal Law EU Adjustment Act 2025
• Amendments to the Health Telematics Act
• Network and Information Systems Security Act 2026 (NIS Act 2026)
• Second EU Information Systems Adjustment Act
• Second Transparency Database Query Ordinance 2025

Bulgarian legal acts

• Law Amending and Supplementing the Electronic Communications Act
• Law Amending and Supplementing the Competition Protection Act
• Law Amending and Supplementing the Defence and Armed Forces of the Republic of Bulgaria Act
• Instruction re processing personal data at the Ministry of Interior
• Ordinance repealing Ordinance No. N-9 of 2020 re exchange of virtual assets

Croatian legal acts

• Act on the Implementation of the Data Governance Act
• Act on Amendments to the Penal Code
• Act on Control of Foreign Investments
• Act on Amendments to the Act on Administrative Cooperation in Tax Matters
• Act on Cross-Border Procurement of Electronic Evidence in Criminal Proceedings
• Ordinance on Amendments to the Ordinance on Casino Online Games of Chance
• Ordinance on Amendments to the Ordinance on Online Betting
• Ordinance on Covert Surveillance of Crypto-Asset Service Providers
• Ordinance on the Submission of Complaints against Offerers of Crypto-Assets
• Decision on the Supervision Fee for Issuers of Asset-Referenced and Electronic Money Tokens
• Ordinance on the Payment of Fees for the Activities Conducted by the Croatian Regulatory Authority for Network Industries
• Ordinance on the Fiscalisation of Invoices Issued to End-Users
• Ordinance on Prudential Requirements of Crypto-Asset Service Providers from Article 67 of Regulation (EU) 2023/1114
• Ordinance on the Structure and Contents of Financial Statements of Crypto-Asset Service Providers
• Ordinance on the Protection of Property of Clients using Crypto-Asset Services
• Ordinance on the Scope of Revision of Crypto-Asset Service Providers
• Ordinance on the Type and Amount of Fees levied by the Croatian Financial Services Supervisory Agency
• Ordinance on the Calculation, Amount and Payment of Fees levied by the Croatian Financial Services Supervisory Agency in 2026
• Ordinance on Amendments to the Ordinance on the Automatic Exchange of Information Relating to Taxes

Czech legal acts

• Cybersecurity Act
• Decree on the Portal of the National Cyber and Information Security Agency
• Decree on Regulated Services
• Decree on Security Measures of Providers of Regulated Services under the Lower-Obligation Regime
• Amendment to the Act on eHealth

Hungarian legal acts

• Act on the Hungarian implementation of the EU AI Act
• Government Decree on the implementation of the Act on the Hungarian implementation of the EU AI Act
• Amendment to the Act on Electronic Communications
• NMHH Decree on the technical requirements of the civil alert system
• Ministerial Decree on the specific rules governing the designation of bodies responsible for assessing compliance with the requirements applicable to high-risk AI systems
• Act on the Hungarian implementation of the EU Cyber Resilience Regulation

Moldovan legal acts

• Government Decision on approval of Moldova's National Cybersecurity Programme
• Government Decision on establishing the State Register of Cyber Incidents
• Government Decision on the National Plan for response to cyber incidents and crises
• Government Decision on coordinated disclosure of cybersecurity vulnerabilities
• Government Decision on the regulatory framework in the field of cybersecurity by service providers in critical sectors

Polish legal acts

• Draft Act amending the Act on the Provision of Electronic Services and certain other acts
• Draft Act amending the Act on the National Cybersecurity System and certain other acts
• Draft regulation on telecommunications infrastructure necessary for defence, national security and public safety
• Regulation on complaints concerning electronic communications services

Romanian legal acts

• National Directorate for Cybersecurity (DNSC) Order No. 3/2025 on the establishment of a framework for the cybersecurity of networks and information systems
• Draft law on online majority age

Slovenian legal acts

• Act Amending and Supplementing the Financial Instruments Market Act
• Act Amending and Supplementing the Investment Funds and Management Companies Act
• Act Amending and Supplementing the Alternative Investment Fund Managers Act
• Act Amending and Supplementing the General Administrative Procedure Act
• Business Register Act
• Act Amending and Supplementing the Electronic Identification and Trust Services Act
• Act on the Implementation of the EU Regulation on Harmonised Rules for Artificial Intelligence
• Exchange of Electronic Invoices and Other Electronic Documents Act
• Exchange of Electronic Invoices and Other Electronic Documents Act
• Act on the Digitalisation of Healthcare
• Regulation on the training of responsible persons in the field of information and cybersecurity risk management

Turkish legal acts

• Draft Amendments on Artificial Intelligence Regulation in Türkiye
• General Communiqué on the Tax Procedure Law
• Amendments to the Presidential Decree on Cybersecurity

EU Legal Acts, Guidelines and more

Regulations

Regulation on the transparency and targeting of political advertising (TTPA)

·       On 10 October 2025, "Regulation (EU) 2024/900 of the European Parliament and of the Council of 13 March 2024 on the transparency and targeting of political advertising" became applicable in the Member States. Its objective is to ensure a uniform and high level of transparency in political advertising services across the EU. At the same time, it aims to counteract targeted manipulation of information and undue influence through political advertising. Political advertisements must be clearly identifiable as such.

Gigabit Infrastructure Act (GIA)

·       On 12 November 2025, the Gigabit Infrastructure Act (GIA, Regulation (EU) 2024/1309) became applicable in the Member States. It lays down rules on permit-granting procedures for the deployment of fibre telecommunication networks. For further information see here.

Draft Regulations – Digital Omnibus, Digital Omnibus on AI and European Business Wallets

·       On 19 November 2025, the European Commission published proposals for (i) a "Digital Omnibus", COM(2025) 837 final, (ii) a "Digital Omnibus on AI", COM(2025) 836 final, and (iii) the establishment of "European Business Wallets", COM(2025) 838 final. Among other things, the draft regulations are intended to simplify compliance with the GDPR, the AI Act and the Data Act. For further information see here.

GDPR Procedural Regulation

·       On 12 December 2025, "Regulation (EU) 2025/2518 of the European Parliament and of the Council of 26 November 2025 laying down additional procedural rules on the enforcement of Regulation (EU) 2016/679", OJ L 2025/2518, was published. This Regulation lays down procedural rules for the conduct of investigations in cross-border cases. For further information see here.

Commission Guidelines

EDPB/Commission – Joint Guidelines on the Interplay between the DMA and the GDPR

On 9 October 2025, the European Data Protection Board (EDPB) and the European Commission published a draft of Joint Guidelines on the Interplay between the DMA and the GDPR. The guidelines specifically address the processing of personal data of data subjects by gatekeepers within the meaning of the Digital Markets Act (DMA). The so-called "Pay or Consent" Model is considered arguably inapplicable where gatekeepers seek to rely on it. The guidelines also specify details on data portability as well as effective, continuous and real-time access to data generated by end users. Moreover, the responsibility for obtaining the end user's consent to access data by business users is clarified, and details on coordinated enforcement and consistent application by competent authorities are addressed.

European Council

United Nations Convention against Cybercrime

·       On 11 November 2025, "Council Decision (EU) 2025/2307 of 13 October 2025 on the signing, on behalf of the European Union, of the United Nations Convention against Cybercrime; Strengthening International Cooperation for Combating Certain Crimes Committed by Means of Information and Communications Technology Systems and for the Sharing of Evidence in Electronic Form of Serious Crimes”, OJ L 2025/2307, was published. The United Nations Convention against Cybercrime is intended to strengthen the fight against cybercrime and international cooperation in this field.

European Data Protection Board

Draft recommendations 2/2025 on e-commerce websites

·       On 3 December 2025, the EDPB adopted the draft "Recommendations 2/2025 on the legal basis for requiring the creation of user accounts on e-commerce websites". The EDPB recommends allowing the use of e-commerce websites as a "guest".

Commission Delegated and Implementing Regulations (incl. drafts)

AI Act

·       On 2 December 2025, the draft "Commission Implementing Regulation (EU) laying down rules for the application of Regulation (EU) 2024/1689 of the European Parliament and of the Council as regards the establishment, development, implementation, operation and supervision of AI regulatory sandboxes", Ares(2025)10569703, was published. This Implementing Regulation further specifies the use of AI regulatory sandboxes within the meaning of the AI Act.

Digital Services Act (DSA)

·       On 9 October 2025, "Commission Delegated Regulation (EU) 2025/2050 of 1 July 2025 supplementing Regulation (EU) 2022/2065 of the European Parliament and of the Council by laying down the technical conditions and procedures under which providers of very large online platforms and of very large online search engines are to share data with vetted researchers", OJ L 2025/2050, was published. Pursuant to Art. 40(4) of Regulation (EU) 2022/2065 (DSA), providers of very large online platforms and of very large online search engines must provide access to data upon a reasoned request by the Digital Services Coordinator for the performance of research that contributes to the detection, identification and understanding of systemic risks. The Delegated Regulation lays down the procedure and technical conditions for granting access through a data access portal. The Commission is designated as the data processor of the DSA data access portal.

Adequacy Decisions

·       On 23 December 2025, (i) "Commission Implementing Decision (EU) 2025/2571 of 19 December 2025 amending Commission Implementing Decision (EU) 2021/1773 pursuant to Directive (EU) 2016/680 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom", OJ L 2025/2571, and (ii) "Commission Implementing Decision (EU) 2025/2574 of 19 December 2025 amending Commission Implementing Decision (EU) 2021/1772 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom", OJ L 2025/2574, were published. These Commission Implementing Decisions extend the validity of the adequacy decisions applicable to the United Kingdom from 27 December 2025 until 27 December 2031.

Cyber Resilience Act (CRA)

·       On 16 October 2025, the draft "Commission Delegated Regulation supplementing Regulation (EU) 2024/2847 of the European Parliament and of the Council by specifying the terms and conditions for applying the cybersecurity-related grounds in relation to delaying the dissemination of notifications", Ares(2025)8809980, was published. This Delegated Regulation specifies Cyber Resilience Act 2024/2847 (CRA) by setting out the conditions under which the national Computer Security Incident Response Team (CSIRT) may, under exceptional circumstances, delay the dissemination of a security notification.

Regulation (EU) 2015/758 (eCall systems)

·       On 28 October 2025, "Commission Delegated Regulation (EU) 2025/1871 of 23 July 2025 amending Regulation (EU) 2015/758 of the European Parliament and of the Council as regards the standards relating to eCall and amending Delegated Regulation (EU) 2017/79 as regards the technical requirements and test procedures for approval of motor vehicles equipped with 112-based eCall in-vehicle systems", OJ L 2025/1871, was published. This Delegated Regulation lays down test procedures concerning eCall systems within the meaning of Regulation (EU) 2015/758 for new types of vehicles.

Markets in Crypto-Assets Regulation (MiCAR)

·       On 3 October 2025, "Commission Delegated Regulation (EU) 2025/1264 of 27 June 2025 supplementing Regulation (EU) 2023/1114 of the European Parliament and of the Council with regard to regulatory technical standards specifying the minimum contents of the liquidity management policy and procedures for certain issuers of asset-referenced tokens and e-money tokens", OJ  L  2025/1264, was published. This Delegated Regulation specifies the minimum contents of the liquidity management policy and procedures for certain issuers of asset-referenced tokens or e-money tokens.

eIDAS

·       On 30 September 2025, (i) "Commission Implementing Regulation (EU) 2025/1942 of 29 September 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards qualified validation services for qualified electronic signatures and qualified validation services for qualified electronic seals", OJ L 2025/1942, (ii) "Commission Implementing Regulation (EU) 2025/1943 of 29 September 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards reference standards for qualified certificates for electronic signatures and qualified certificates for electronic seals", OJ L 2025/1943, (iii) "Commission Implementing Regulation (EU) 2025/1944 of 29 September 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards reference standards for processes for sending and receiving data in qualified electronic registered delivery services and as regards interoperability of those services", OJ L 2025/1944, (iv) "Commission Implementing Regulation (EU) 2025/1945 of 29 September 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards the validation of qualified electronic signatures and of qualified electronic seals and the validation of advanced electronic signatures based on qualified certificates and of advanced electronic seals based on qualified certificates", OJ L 2025/1945, and (v) "Commission Implementing Regulation (EU) 2025/1946 of 29 September 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards qualified preservation services for qualified electronic signatures and for qualified electronic seals", OJ L 2025/1946, were published. These five Implementing Regulations lay down reference standards and specifications under the eIDAS.

·    On 28 October 2025, "Commission Implementing Regulation (EU) 2025/2160 of 27 October 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards reference standards, specifications and procedures for the management of risks to the provision of non-qualified trust services", OJ L 2025/2160, and "Commission Implementing Regulation (EU) 2025/2162 of 27 October 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards the accreditation of conformity assessment bodies evaluating qualified trust service providers and the qualified trust services they provide, the conformity assessment report and the conformity assessment system", OJ L 2025/2162, were published. These two Implementing Regulations establish reference standards and specifications, as well as the accreditation of conformity assessment bodies under the eIDAS.

·       On 2 December 2025, the draft "Commission Implementing Regulation (EU) laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards onboarding of users to the European Digital Identity Wallets by electronic identification means conforming to assurance level high or by electronic identification means conforming to assurance level substantial in conjunction with additional remote onboarding procedures where the combination meets the requirements of assurance level high", Ares(2025)10575642, was published. This Implementing Regulation lays down reference standards for onboarding users to the European Digital Identity Wallet within the meaning of eIDAS.

·       On 17 December 2025, (i) "Commission Implementing Regulation (EU) 2025/2527 of 16 December 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards reference standards for qualified certificates for website authentication", OJ L 2025/2527, (ii) "Commission Implementing Regulation (EU) 2025/2530 of 16 December 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards requirements for qualified trust service providers providing qualified trust services", OJ L 2025/2530, (iii) "Commission Implementing Regulation (EU) 2025/2531 of 16 December 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards reference standards and specifications for qualified electronic ledgers", OJ L 2025/2531, and (iv) "Commission Implementing Regulation (EU) 2025/2532 of 16 December 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards reference standards and specifications for qualified electronic archiving services", OJ L 2025/2532, were published. With these four implementing regulations, reference standards and specifications, as well as requirements for qualified trust service providers, are laid down under the eIDAS.

TTPA

·       On 23 December 2025, the draft "Commission Implementing Regulation (EU) … setting out detailed arrangements for the provision of a common data structure, standardised metadata, standardised authentication and common application programming interface for the European repository for online political advertisements in accordance with Regulation (EU) 2024/900 of the European Parliament and of the Council", Ares(2025)11556145, was published. This Commission Implementing Regulation lays down standards to facilitate the inclusion of political advertisements within the meaning of the TTPA (EU) 2024/900 in the European repository.

Bulgarian Legal Acts

Law Amending and Supplementing the Competition Protection Act

·       By the Transitional and Final Provisions of the Law Amending and Supplementing the Competition Protection Act, published in the State Gazette No. 95/2025 on 7 November 2025, the Electronic Communications Act was amended to allow, where necessary, the Commission on Protection of Competition (CPC) to obtain, as provided by law, data from undertakings providing public electronic communications networks and/or services for the needs and purposes of proceedings under the Competition Protection Act.

Law Amending and Supplementing the Electronic Communications Act

·       On 21 November 2025, the Law Amending and Supplementing the Electronic Communications Act was published in the State Gazette No. 99/2025. The adopted amendments ensure the application of the Digital Services Act (DSA). The amendments lay down the functions and powers of the national authorities, their competence to supervise providers of intermediary services for compliance with the DSA and introduce mechanisms for imposing the penalties and fines specified in the Regulation. Other amendments expressly grant consumers the right, without penalty, to terminate their contract for a publicly available electronic communications service, other than a number-independent interpersonal communications service, before the end of the agreed term due to an imposed price increase (price indexation).

Law Amending and Supplementing the Defence and Armed Forces of the Republic of Bulgaria Act

·       By the Transitional and Final Provisions of the Law Amending and Supplementing the Defence and Armed Forces of the Republic of Bulgaria Act, published in the State Gazette No. 100/2025 on 25 November 2025, Article 301, paragraph 3 of the Electronic Communications Act was supplemented to provide that the Bulgarian Armed Forces may, by technical means, block the use of electronic communications services when this is done for the purposes of using technical means for detecting and neutralising unmanned systems in the protection of military sites and garrison areas, as well as military units, equipment and military vessels located outside garrison areas, on the basis of procedures and rules approved by the Minister of Defence that take into account the use of such technical means.

Instruction amending Instruction No. 8121з-1280 of 7 October 2021 on the procedure for processing personal data at the Ministry of Interior

·       The instruction amending Instruction No. 8121з-1280 of 7 October 2021 on the procedure for processing personal data at the Ministry of Interior was published in the State Gazette No. 114/2025 on 24 December 2025. According to the amendment, when the Ministry of Interior processes personal data and where the time limits or circumstances for the erasure of personal data, or for the periodic review of the need for their retention, are not laid down in a normative act or by an order of the Minister of Interior, the retention period shall be 50 years from the commencement of processing, and the period for periodic review shall be five years.

Ordinance repealing Ordinance No. N-9 of 2020 on the terms and procedure for registration in the register of persons who, by way of business, provide services for exchange between virtual currencies and recognised currencies without gold backing, services for the transfer or exchange of virtual assets, services for the custody and management of virtual assets enabling control over such assets, and services related to the public offering of virtual assets, as well as of wallet providers offering custodial services

·       The repealing Ordinance was published in the State Gazette No. 114/2025 on 24 December 2025, and the repeal of the said Ordinance has entered into force as of 28 December 2025.

Croatian Legal Acts

Act on the Implementation of Regulation (EU) 2022/868 on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act)

·       The Act on the Implementation of Regulation (EU) 2022/868 on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act), published in the Official Gazette No. 126/2025, entered into force on 11 October 2025. The Act designates the national bodies competent for the implementation of the Data Governance Act, the procedure for the re-use of protected data, registration of data intermediation service providers and data altruism organisations, the competent national regulatory entities and the procedure and sanctions for breaches.

Act on Amendments to the Penal Code

·       The Act on Amendments to the Penal Code, published in the Official Gazette No. 136/2025, entered into force on 13 November 2025. A new criminal offence was introduced which penalises the endangerment of life and property by means of an artificial intelligence (AI) system, with potential penalties reaching up to 15 years in prison.

Act on Control of Foreign Investments

·       The Act on Control of Foreign Investments, published in the Official Gazette No. 136/2025, entered into force on 13 November 2025. The Act introduces a prior and ex post facto control of foreign investments in sectors potentially influencing national security and public order concerns, including in the digital sector. The exact affected sectors and the criteria for identifying individual obliged entities are yet to be defined by a separate Government regulation. For further information see here.

Act on Amendments to the Act on Administrative Cooperation in Tax Matters

·       The Act on Amendments to the Act on Administrative Cooperation in Tax Matters, published in the Official Gazette No. 146/2025, entered into force on 11 December 2025. The amendments regulate various obligations imposed on crypto-asset service providers, such as data-gathering, notification to tax authorities and deep screening of clients.

Act on Cross-Border Procurement of Electronic Evidence in Criminal Proceedings

·       The Act on Cross-Border Procurement of Electronic Evidence in Criminal Proceedings, published in the Official Gazette No. 151/2025, will enter into force on 18 February 2026, with certain provisions entering into force only on 18 August 2026. The Act implements Regulation (EU) 2023/1543 on European Production Orders and European Preservation Orders for electronic evidence in criminal proceedings and for the execution of custodial sentences following criminal proceedings in the Croatian legal framework by designating the competent national bodies for the issuing of European production orders and European preservation orders.

Ordinance on Amendments to the Ordinance on Casino Online Games of Chance accessed through Interactive Online Playing Sales Channels

·       The Amendments to the Ordinance on Online Gambling in Casinos by means of Interactive Online Playing Sales Channels, published in the Official Gazette No. 129/2025, entered into force on 16 October 2025. The amendments introduce more stringent criteria for online identity verification and player exclusions for online players.

Ordinance on Amendments to the Ordinance on Online Betting

·       The Amendments to the Ordinance on Online Betting, published in the Official Gazette No. 129/2025, entered into force on 16 October 2025. The amendments introduce more stringent criteria for online identity verification and player exclusions for online bettors.

Ordinance on Covert Surveillance of Crypto-Asset Service Providers

·       The Ordinance on Covert Surveillance of Crypto-Asset Service Providers, adopted by the Croatian Financial Services Supervisory Agency (HANFA) and published in the Official Gazette No. 129/2025, entered into force on 23 October 2025. The Ordinance contains procedural rules governing mystery shopping with respect to crypto-asset service providers.

Ordinance on the Submission of Complaints against Offerers or Persons Seeking Admissions to Trading of Crypto-Assets not considered Asset-Referenced Crypto-Assets or Electronic Money Tokens and Crypto-Asset Service Providers and the Complaint-Handling Procedure of the Croatian Financial Services Supervisory Agency

·       The Ordinance on the Submission of Complaints to Offerers or Persons Seeking Admissions to Trading of Crypto-Assets not considered Asset-Referenced Crypto-Assets or Electronic Money Tokens and Crypto-Asset Service Providers and the Complaint-Handling Procedure of the Croatian Financial Services Supervisory Agency, adopted by HANFA and published in the Official Gazette No. 129/2025, entered into force on 23 October 2025. The Ordinance regulates the form and content of complaints against offerors, persons seeking admission to trading of crypto-assets and crypto-asset service providers, as well as HANFA's procedure for handling submitted complaints.

Decision on the Supervision Fee for Issuers of Asset-Referenced and Electronic Money Tokens

·       The Decision on the Supervision Fee for Issuers of Asset-Referenced and Electronic Money Tokens, adopted by the Croatian National Bank (HNB) and published in the Official Gazette No. 139/2025, entered into force on 20 November 2025. The Decision sets the fees payable by issuers of asset-referenced and electronic money tokens for the regulatory supervision performed by the HNB.

Ordinance on the Payment of Fees for the Activities Conducted by the Croatian Regulatory Authority for Network Industries

·       The Ordinance on the Payment of Fees for the Activities Conducted by the Croatian Regulatory Authority for Network Industries, adopted by the Croatian Regulatory Authority for Network Industries ("HAKOM") and published in the Official Gazette No. 154/2025, entered into force on 1 January 2026. The Ordinance sets the fees payable by electronic communications operators used to fund the activities of HAKOM. These include the address and numbering space management fee, the radiofrequency spectrum management fee, and the fee for other activities in the field of electronic communications.

Ordinance on the Fiscalisation of Invoices Issued to End-Users

·       The Ordinance on the Fiscalisation of Invoices Issued to End-Users, published in the Official Gazette No. 153/2025, entered into force on 1 January 2026. The Ordinance contains detailed technical provisions on the implementation of mandatory fiscalisation of all end-user invoices.

Ordinance on Prudential Requirements of Crypto-Asset Service Providers from Article 67 of Regulation (EU) 2023/1114

·       The Ordinance on Prudential Requirements of Crypto-Asset Service Providers from Article 67 of Regulation (EU) 2023/1114, published in the Official Gazette No. 153/2025, entered into force on 1 January 2026. The Ordinance regulates the contents, form and statutory deadlines for submitting reports on satisfaction of prudential requirements set by the MiCAR.

Ordinance on the Structure and Contents of Financial Statements of Crypto-Asset Service Providers

·       The Ordinance on the Structure and Contents of Financial Statements of Crypto-Asset Service Providers, published in the Official Gazette No. 153/2025, entered into force on 1 January 2026. The Ordinance regulates the structure, contents and statutory deadlines for submitting financial statements of crypto-asset service providers to HANFA.

Ordinance on the Protection of Property of Clients using Crypto-Asset Services

·       The Ordinance on the Protection of Property of Clients using Crypto-Asset Services, published in the Official Gazette No. 157/2025, entered into force on 1 January 2026. The Ordinance imposes various regulatory obligations on crypto-asset services providers connected with the protection of property of their clients' crypto assets.

Ordinance on the Scope of Revision of Crypto-Asset Service Providers

·       The Ordinance on the Scope of Revision of Crypto-Asset Service Providers, published in the Official Gazette No. 157/2025, entered into force on 1 January 2026. The Ordinance regulates the scope of the financial revision of crypto-asset service providers, as well as the grounds for rejection of the revised annual financial statements and revised reports on satisfaction of prudential requirement.

Ordinance on the Type and Amount of Fees levied by the Croatian Financial Services Supervisory Agency

·       The Ordinance on the Type and Amount of Fees levied by HANFA, published in the Official Gazette No. 157/2025, entered into force on 1 January 2026. The Ordinance defines the corresponding amounts of various fees levied by HANFA for regulatory services provided in the field of crypto-assets.

Ordinance on the Calculation, Amount and Payment of Fees levied by the Croatian Financial Services Supervisory Agency in 2026

·       The Ordinance on the Calculation, Amount and Payment of Fees levied by the Croatian Financial Services Supervisory Agency in 2026, published in the Official Gazette No. 157/2025, entered into force on 1 January 2026. The Ordinance defines various annual fees levied by HANFA for regulatory services provided in the field of crypto-assets.

Ordinance on Amendments to the Ordinance on the Automatic Exchange of Information Relating to Taxes

·       The Ordinance on Amendments to the Ordinance on the Automatic Exchange of Information Relating to Taxes, published in the Official Gazette No. 158/2025, entered into force on 1 January 2026. The amendments contain detailed provisions on the implementation of legislative changes introduced by the amended Act on Administrative Cooperation in Tax Matters (see above).

Czech Legal Acts

Cybersecurity Act

·       The Cybersecurity Act, published in the Official Gazette No. 264/2025, entered into force on 1 November 2025. The Act transposes the NIS2 Directive and introduces broad duties for regulated entities, which have 60 days to complete their registration with the National Cyber and Information Security Agency (NÚKIB). The number of regulated entities is expected to increase up to tenfold compared to the current regulation.

Decree on the Portal of the National Cyber and Information Security Agency

·       The Decree on the Portal of the National Cyber and Information Security Agency, published in the Official Gazette No. 334/2025, entered into force on 1 November 2025. This Decree regulates the operation of the online portal of the NÚKIB and sets out technical and procedural requirements for selected electronic acts carried out via the portal, incl. identification, authentication, submission of data, and communication with NÚKIB. The Decree supports the digitalisation of cybersecurity supervision and standardises how regulated entities fulfil certain statutory obligations electronically.

Decree on Regulated Services

·       The Decree on Regulated Services was published in the Official Gazette No. 408/2025 on 14 October 2025. This new Decree, effective as of 1 November 2025, implements and elaborates provisions of the new Cybersecurity Act (Act No. 264/2025 Coll.) by defining the list of "regulated services", the criteria for determining when a service provider is significant, and the classification of service providers into regulatory regimes (higher vs. lower obligations). It sets out how providers should assess whether they fall within the scope of the Act's obligations and clarifies which regulatory regime applies to them under the Czech cybersecurity framework aligned with the NIS2 Directive.

Decree on Security Measures of Providers of Regulated Services under the Lower-Obligation Regime

·       The Decree on Security Measures of Providers of Regulated Services under the Lower-Obligation Regime was published in the Official Gazette No. 410/2025 on 14 October 2025. This Decree, effective as of 1 November 2025, specifies a proportionate set of baseline technical and organisational cybersecurity measures for providers subject to a reduced regulatory regime, focusing on risk management, incident handling and basic protection of information systems. The Decree aims to ensure an adequate level of cybersecurity while limiting the administrative burden for smaller or lower risk regulated service providers under the supervision of the NÚKIB.

Amendment to the Act on eHealth

·       The Amendment to the Act on eHealth, published in the Official Gazette No. 236/2025, entered into force on 1 January 2026. The amendment updates the eHealth framework, including electronic documentation, interoperability and data sharing.

Hungarian Legal Acts

Act on the Hungarian implementation of the EU AI Act

·       On 31 October 2025, Act LXXV of 2025 on the implementation in Hungary of the European Union's Regulation on Artificial Intelligence Act was published in the Hungarian Gazette No. 2025/127. The Act establishes the national framework for implementing the EU AI Act in Hungary, including defining the core competences and procedural rules of the national AI notifying authority and the AI market surveillance authority, and establishing the Hungarian Artificial Intelligence Council to promote the uniform application of the law. The Act aims to ensure fundamental rights-respecting use of AI, promote consistent enforcement through the issuance of guidance, and support the development of a national AI strategy and cooperative domestic AI ecosystem.

Government Decree on the implementation of the Act on the Hungarian implementation of the EU AI Act

·       On 31 October 2025, Government Decree No. 344/2025. (X. 31.) on the implementation of Act LXXV of 2025 on the implementation in Hungary of the European Union's Regulation on Artificial Intelligence was published in the Hungarian Gazette No. 2025/127. The Decree lays down detailed procedural rules and designates the bodies responsible for carrying out the tasks of the AI notifying authority and the AI market surveillance authority.

Amendment to the Act on Electronic Communications

·       On 28 November 2025, Act LXXXVII of 2025 on the amendment of Act C of 2023 on Electronic Communications was published in the Hungarian Gazette No. 2025/142. The new provisions support the implementation of EU and national objectives aimed at ensuring that all households have access to gigabit-capable internet connections by 2030. The amendment sets out detailed rules within the competence of EU Member States, including the introduction of additional exemptions from licensing procedures.

NMHH Decree on the technical requirements of the civil alert system for defence and security purposes

·       On 10 December 2025, Decree No. 11/2025. (XII. 10.) of the President of the National Media and Infocommunications Authority (NMHH) on the technical requirements of the civil alert system for defence and security purposes was published in the Hungarian Gazette No. 2025/151. The Decree establishes the technical requirements that enable the near-simultaneous transmission of alert messages to devices located within a designated alert area using mobile radio-telephone technology.

Ministerial Decree on the specific rules governing the designation of bodies responsible for assessing compliance with the requirements applicable to high-risk AI systems, the activities of such designated bodies, and the administrative service fees payable for the designation procedure

·       On 23 December 2025, Decree No. 44/2025. (XII. 23.) of the Minister for National Economy on the specific rules governing the designation of bodies responsible for assessing compliance with the requirements applicable to high-risk AI systems, the activities of such designated bodies, and the administrative service fees payable for the designation procedure was published in the Hungarian Gazette No. 2025/157. The Decree aims to establish detailed rules concerning the designation of organisations certifying the preliminary technical compliance of high-risk AI systems. It sets out specific procedural provisions, including requirements related to liability insurance and the administrative service fees applicable to the designation process.

Act on the Hungarian implementation of the EU Cyber Resilience Regulation and the amendment of certain cybersecurity provisions

·       On 29 December 2025, Act CXXXV of 2025 on the implementation in Hungary of the European Union's Regulation on Cyber Resilience and amendment of certain cybersecurity provisions was published in the Hungarian Gazette No. 2025/158. The Act establishes the domestic legal framework for implementing Regulation (EU) 2024/2847 and clarifies certain cybersecurity provisions. Notably, it amends the scope of the Hungarian Cybersecurity Act.

Moldovan Legal Acts

Government Decision on approval of Moldova's National Cybersecurity Programme for 2026–2030

·       On 29 December 2025, Government Decision No. 821 on approval of Moldova's National Cybersecurity Programme for 2026–2030 was published in the Official Gazette No. 656-658 dated 31 December 2025. The programme responds to threats and capability gaps, setting strategic objectives and practical measures to achieve and maintain a high level of network and information system security, and to strengthen national capacity for prevention, detection, response and recovery in the face of cyber incidents.

Government Decision on establishing the State Register of Cyber Incidents

·       On 29 December 2025, Government Decision No. 822 on establishing the State Register of Cyber Incidents was published in the Official Gazette No. 646-650 dated 30 December 2025. The decision approves both the concept and the regulation on how the State Register of Cyber Incidents is to be maintained, designating the Cybersecurity Agency to create, implement, operate and develop the system.

Government Decision on approval of the Regulation governing the development, updating and implementation of the National Plan for response to cyber incidents and crises

·       On 29 December 2025, Government Decision No. 823 on approval of the Regulation governing the development, updating and implementation of the National Plan for response to cyber incidents and crises was published in the Official Gazette No. 656-658 dated 31 December 2025. The Regulation sets principles (legality, coordination/cooperation, responsibility), mandates alignment with the National Crisis Management Plan, and assigns roles and responsibilities at strategic, operational and tactical levels for unified and timely responses.

Government Decision on approval of the Regulation on coordinated disclosure of cybersecurity vulnerabilities

·       On 29 December 2025, Government Decision No. 824 on approval of the Regulation on coordinated disclosure of cybersecurity vulnerabilities was published in the Official Gazette No. 646-650 dated 30 December 2025. The Regulation establishes the substantive and procedural legal framework for the notification, assessment, remediation and coordinated disclosure of vulnerabilities in information and communications technology products and services to improve cybersecurity.

Government Decision on approval of the Regulation on state supervision and control over compliance with the regulatory framework in the field of cybersecurity by service providers in critical sectors

·       On 29 December 2025, Government Decision No. 825 on approval of the Regulation on state supervision and control over compliance with the regulatory framework in the field of cybersecurity by service providers in critical sectors was published in the Official Gazette No. 656-658 dated 31 December 2025. The Regulation establishes the legal, organisational and procedural framework for the exercise by the Cybersecurity Agency of the function of state supervision and control of the way service providers in critical sectors ensure compliance with the provisions of the regulatory framework in the field of cybersecurity.

Polish Legal Acts

Draft Act amending the Act on the Provision of Electronic Services and certain other acts

·       The draft act concerns the adjustment of Polish regulations to Regulation (EU) 2022/2065 of the European Parliament and of the Council on the Digital Single Market (Digital Services Act). This will create a modern system in Poland for effectively combating illegal content and disinformation, which will protect online users and ensure transparent operating rules for internet platforms. On 19 December 2025, the Polish Parliament completed work on the draft act and submitted it to the Polish president for signature. On 9 January 2026, the Polish president did not sign the bill and exercised his veto, arguing that some of the solutions presented in the draft act are harmful to ordinary citizens. As a result, the draft act returned to the parliament for amendments to the provisions indicated by the president.

Draft Act amending the Act on the National Cybersecurity System and certain other acts

·       The Draft Act amending the Act on the National Cybersecurity System and certain other acts was submitted to the Polish Parliament on 7 November 2025, and the first reading of the bill took place on 5 December 2025. The draft act concerns the implementation of Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148 (NIS2 Directive) (OJ EU L 333 of 27 December 2022, p. 80). The new provisions provide, among other things, for the extension of the list of entities covered by the national cybersecurity system to include new sectors of the economy (wastewater, ICT management, space, postal services, manufacturing, chemical production and distribution, food production and distribution), the purchase of equipment and modernisation of infrastructure, the creation of cybersecurity incident response teams, increased responsibility for persons managing enterprises and institutions covered by the national cybersecurity system, and the introduction of mandatory reporting of network incidents.

Draft regulation of the Minister of Digital Affairs on the scope of data on telecommunications infrastructure necessary for the preparation of communications systems for the purposes of defence, national security and public safety and order

·       On 14 October 2025, the Minister of Digital Affairs presented the draft regulation to the Polish government. The draft regulation covers issues related to data on telecommunications infrastructure for the preparation of communications systems for defence and security purposes. Until now, these issues have been regulated by a document issued by the Minister of Infrastructure 15 years ago, and the changes were prompted by the Electronic Communications Law passed in 2024. The President of the Office of Electronic Communications will continue to be responsible for obtaining data from telecommunications operators. Until now, he has requested entities to provide the required information within 30 days. The new regulation reverses this situation: now operators will have until 31 March to submit data on infrastructure as at the end of the previous year. One of the most important points of the draft are the provisions including the Minister of National Defence and the minister responsible for internal affairs among the entities involved. The President of the Office of Electronic Communications will make the collected data available to them for the purpose of planning activities related to security, public order and defence.

Regulation of the Minister of Digital Affairs of 29 September 2025 on complaints concerning electronic communications services or optional account charging services

·       On 14 March 2026, a new regulation of the Minister of Digital Affairs on complaints about electronic communications services will come into force. The Regulation will enter into force in connection with the implementation of Article 378(7) of the Electronic Communications Law, pursuant to which the Minister of Digital Affairs will specify, by way of a regulation, the detailed complaint procedure and the elements that should be included in a response to a complaint about an electronic communications service or an optional billing service, taking into account the necessary protection of the end user's interests, the maximum simplification of the complaint procedure and ensuring its transparency.

Romanian Legal Acts

DNSC Order No. 3/2025 approving the Norms for supervision, verification and control of compliance with Government Emergency Ordinance No. 155/2024 on the establishment of a framework for the cybersecurity of networks and information systems in the national civil cyberspace and the Methodology for risk-based prioritisation of supervision, verification and control activities ("Order 3/2025")

·       On 11 December 2025, Order 3/2025 issued by the National Directorate for Cybersecurity (DNSC) was published in the Romanian Official Gazette and entered into force, thereby approving two legal acts:

• the Norms for supervision, verification and control of compliance with Government Emergency Ordinance No. 155/2024 on the establishment of a framework for the cybersecurity of networks and information systems in the national civil cyberspace. The norms establish the procedural framework for oversight, verification and control of compliance with Romania's cybersecurity regime under Government Emergency Ordinance (GEO) 155/2024, which transposed the NIS2 Directive at the national level. They define the roles and powers of the DNSC, including the authority to request documents and data, perform non‑intrusive proactive scans, order ad‑hoc cyber audits, access premises and systems during controls, and coordinate with sectoral authorities.
• the Methodology for risk-based prioritisation of supervision, verification and control activities. The methodology complements the above-mentioned norms by setting out how the DNSC ranks entities for supervision and control activities based on cybersecurity risk, in order to allocate oversight resources proportionately and efficiently.

Draft law on online majority age

·       The draft law on online majority age was approved by the Romanian Senate on 6 October 2025. The draft law aims to protect minors from harmful online content and sets an "online majority" at age 16. Until said majority age, minors may access online services or create accounts only with verifiable parental consent. If adopted, the law would apply broadly to online services, including social media, streaming, e-commerce, gaming, banking and mobile apps, but would not apply to online learning platforms authorised at the national level by the Ministry of Education and Research or at the European level by the competent authorities. The status of the adoption process may be tracked here.

Slovenian Legal Acts

Act Amending and Supplementing the Financial Instruments Market Act

·       The Act Amending and Supplementing the Financial Instruments Market Act was adopted on 25 September 2025 and entered into force on 22 October 2025. The amendment aligns Slovenian financial markets law with EU digital regulation by implementing DORA and strengthening ICT security, digital operational resilience and algorithmic trading controls for investment firms and regulated markets. It also introduces new digital reporting and machine-readable disclosure obligations in support of the European Single Access Point (ESAP), enhancing transparency and data accessibility across the EU.

Act Amending and Supplementing the Investment Funds and Management Companies Act

·       The Act Amending and Supplementing the Investment Funds and Management Companies Act was adopted on 25 September 2025 and entered into force on 22 October 2025. The amendment aligns Slovenian fund management legislation with the EU digital regulation by transposing Directive (EU) 2022/2556 and applying DORA requirements to management companies' ICT systems. It establishes a unified framework for ICT risk management, cybersecurity and digital operational resilience in the asset management sector.

Act Amending and Supplementing the Alternative Investment Fund Managers Act

·       The Act Amending and Supplementing the Alternative Investment Fund Managers Act was adopted on 25 September 2025 and entered into force on 22 October 2025. The amendment aligns Slovenian law on alternative investment fund managers with the EU digital regulation by transposing Directive (EU) 2022/2556 and applying DORA requirements to their ICT systems. It establishes a unified framework for ICT risk management, cybersecurity and digital operational resilience in the asset management sector.

Act Amending and Supplementing the General Administrative Procedure Act

·       The Act Amending and Supplementing the General Administrative Procedure Act was adopted on 23 October 2025 and will enter into force on 6 February 2026. The amendment mandates, among other things, electronic service of documents for all business entities, public institutions and professionals, using secure electronic mailboxes provided by the Ministry of Digital Transformation or official registers. It also introduces shorter service fiction periods, prolongs deadlines for appeals, and modernises electronic and physical document delivery to improve efficiency and digital procedural resilience.

Business Register Act

·       The new Business Register Act was adopted on 23 October 2025. The act entered into force on 21 November 2025 but will begin to apply on 21 November 2027 (the provision relating to the processing of data on the addresses of secure electronic mailboxes for the purpose of service under the general administrative procedure act will begin to apply on 21 November 2026). The new act was adopted with the aim of a comprehensive legal, substantive and technical overhaul of the Slovenian Business Register. The new act introduces, among other things, mandatory registration of a secure electronic mailbox address in the Business Register to enable electronic service of documents in administrative, judicial and other proceedings. It strengthens digital-by-default communication between public authorities and companies, enhancing procedural efficiency, legal certainty and digitalisation of public administration.

Act Amending and Supplementing the Electronic Identification and Trust Services Act

·       The Act Amending and Supplementing the Electronic Identification and Trust Services Act was adopted on 23 October 2025 and entered into force on 21 November 2025. The amendment strengthens the security and proper use of electronic identification of trust services, including qualified certificates, by clearly defining holder responsibilities, preventing unauthorised use and expanding access points for digital authorisation. It also introduces an official electronic registry of authorisations and aligns national rules with the revised EU eIDAS Regulation, while updating sanctions for non-compliant service providers.

Act on the Implementation of the EU Regulation on Harmonised Rules for Artificial Intelligence

·       The new Act on the Implementation of the EU Regulation on Harmonised Rules for Artificial Intelligence was adopted on 23 October 2025 and entered into force on 21 November 2025. The new act adapts Slovenian law to Regulation (EU) 2024/1689 by designating competent authorities, establishing oversight and enforcement mechanisms, and defining sanctions for AI non-compliance. It also sets the legal framework for AI regulatory sandboxes, high-risk system registries, market supervision and ethical oversight, supporting trustworthy and human-centric AI across the EU.

Exchange of Electronic Invoices and Other Electronic Documents Act

·       The new Business Register Act was adopted on 23 October 2025. The act entered into force on 6 December 2025 but will mostly begin to apply on 1 January 2028. It mandates the use of electronic invoices for all domestic B2B transactions in Slovenia, ensuring secure, automated and traceable exchange through regulated e-invoice service providers. It also aligns national law with EU Directive 2025/516, promotes digitalisation of business processes, and strengthens legal certainty, efficiency and cybersecurity in electronic invoicing.

Act on the Digitalisation of Healthcare

·       The new Act on Digitalisation of Healthcare was adopted on 21 November 2025 and entered into force on 19 December 2025. This Act regulates the establishment and maintenance of public central information and communication infrastructure in the field of healthcare in Slovenia, the processing of data and databases in the field of healthcare and compulsory health insurance, their controllers, contractual processors, data users, and the use of data for the purposes of healthcare and compulsory health insurance, public health, development, research and statistical purposes.

Regulation on the training of responsible persons in the field of information and cybersecurity risk management

·       The Regulation on the training of responsible persons in the field of information and cybersecurity risk management was adopted on 9 October 2025 and entered into force on 25 October 2025. The regulation, adopted on the basis of the Information Security Act, sets out the programme and methods of training for responsible persons of essential or important entities in managing information and cybersecurity risks and their impact on the activities or services performed by the entity, with the aim of ensuring a high level of security of networks and information systems and protection against cyberthreats.

Turkish Legal Acts

Draft Amendments on Artificial Intelligence Regulation in Türkiye

·       On 7 November 2025, the Draft Law on Amendments to Turkish Criminal Code and Certain Laws was submitted to the Grand National Assembly of Türkiye with the aim of introducing a regulatory framework for artificial intelligence. The Draft proposes to insert definitions, obligations and enforcement mechanisms into existing legislation, including Law No. 5651, the Turkish Criminal Code, the Personal Data Protection Law, the Electronic Communications Law and the Cybersecurity Law. It introduces obligations on labelling deepfake and AI-generated content, accelerated content removal and access-blocking for harmful AI content, data governance and non-discrimination requirements for training datasets, and technical and organisational safeguards for high-risk systems, as well as criminal and administrative liability regimes for users and developers.

General Communiqué on the Tax Procedure Law

·       On 27 November 2025, the General Communiqué on the Tax Procedure Law (Serial No. 585) was published in the Official Gazette, announcing a revaluation rate of 25.49 % for 2026. In line with this rate, the administrative fines set out under Article 18 of the Turkish Data Protection Law No. 6698 were increased as of 1 January 2026. As a result, the upper limit of administrative fines applicable to certain infringements, in particular breaches of data security obligations, failure to comply with Personal Data Protection Board decisions and failure to register with the Data Controllers' Registry (Veri Sorumluları Sicili, VERBİS), has exceeded TRY 17m. Breach of the information obligation may result in administrative fines ranging from approximately TRY 85,000 to TRY 1.7m, while failure to implement adequate technical and organisational data security measures may give rise to fines of up to approximately TRY 17m. Similarly, failure to comply with decisions or instructions of the Personal Data Protection Board and failure to register with or notify the Data Controllers' Registry, where required, may each result in administrative fines of up to approximately TRY 17m. In addition, failure to notify the Board of standard contractual clauses used for cross-border data transfers may lead to fines of up to approximately TRY 1.8m.

Amendments to the Presidential Decree on Cybersecurity

·       On 25 December 2025, the Presidential Decree Amending the Presidential Decree on Cybersecurity was published in the Official Gazette No. 33118, introducing structural and functional changes to the Cybersecurity Directorate. The Decree expands the Directorate's mandate, including its role in coordinating the alignment of national legislation with international regulatory frameworks, and assigns new responsibilities relating to electronic (E-devlet) and digital government infrastructure, data governance principles for artificial intelligence, common data space infrastructure and data quality standards. It also authorises the establishment of new organisational units and entities both domestically and abroad.

Austrian Legal Acts

Critical Entities Resilience Act

·       On 16 October 2025, the Federal Act adopting the Federal Act ensuring a high level of resilience of critical entities (Critical Entities Resilience Act – RKEG) and amending the Expungement Act 1972, Federal Law Gazette I 2025/60, was published. The RKEG transposes Directive (EU) 2022/2557 on the resilience of critical entities (CER Directive) into national law. The Federal Minister of the Interior is designated as the competent authority and as the controller within the meaning of data protection law.

Federal Act amending the SNG, SPG, TKG, BVwGG and RStDG

·       On 29 September 2025, the Federal Act amending the State Protection and Intelligence Service Act, the Security Police Act, the Telecommunications Act 2021, the Federal Administrative Court Act and the Judicial and Public Prosecutor Service Act, Federal Law Gazette I 2025/54, was published. This Act creates a legal basis for the surveillance of end-to-end encrypted communication (such as via WhatsApp or Signal) for the purpose of combating threats relevant to the protection of the constitution. The Federal Administrative Court (BVwG) is competent for the authorisation of investigative measures.

Criminal Law EU Adjustment Act 2025

·       On 31 October 2025, the Criminal Law EU Adjustment Act 2025, Federal Law Gazette I 2025/65, was published. With this omnibus amendment, Regulation (EU) 2019/816 "establishing a centralised system for the identification of Member States holding conviction information on third-country nationals and stateless persons (ECRIS-TCN)…" is implemented into Austrian law. The act regulates, among other things, the taking and processing of fingerprints in criminal records and the obtaining of criminal records from other EU Member States and the UK.

Amendment to the Health Telematics Act

·       On 3 November 2025, the Federal Act amending the Health Telematics Act 2012 and the General Social Insurance Act, Federal Law Gazette I 2025/71, was published. This amendment creates a legal bases for cross-border health applications (MyHealth@EU, ePrescription service, EU patient summary).

·       On 23 December 2025, an amendment to the Health Telematics Act 2012, Federal Law Gazette I 2025/93, was published. The amendment concerns a retention period, which is extended from ten to 30 years.

Second EU Information Systems Adjustment Act

·       On 12 December 2025, the Second EU Information Systems Adjustment Act, Federal Law Gazette I 2025/87, was published. By this omnibus amendment, interoperability between EU information systems is established and the European Travel Information and Authorisation System (ETIAS) is set up.

Second Transparency Database Query Ordinance 2025

·       On 19 December 2025, the Second Transparency Database Query Ordinance 2025, Federal Law Gazette II 2025/313, was published. The ordinance governs read permissions for service offerings containing sensitive data in the Transparency Database.

Network and Information Systems Security Act 2026 (NIS Act 2026)

·       On 23 December 2025, the "Federal Act enacting the Federal Act to ensure a high level of cybersecurity of network and information systems (Network and Information Systems Security Act 2026 – NIS Act 2026) and amending the Telecommunications Act 2021 and the Health Telematics Act 2012", Federal Law Gazette I 2025/94, was published. The new NIS Act 2026 transposes the NIS2 Directive into Austrian law and also implements Regulation (EU) 2021/887 establishing the European Cybersecurity Competence Centre. The NIS Act 2026 will enter into force on 1 October 2026. The Telecommunications Act 2021 and the Health Telematics Act 2012 were aligned with the NIS Act 2026. For further information see here.