Digital Law Monitor 3/2025

EU legal acts

Regulations

• Corrigendum to Regulation (EU) 2024/2847 (Cyber Resilience Act)
• Applicability of AI Act governance provisions
• Applicability of the Data Act
• Digital Omnibus (Call for evidence)

Commission Guidelines

• General-Purpose AI Code of Practice
• Explanatory Notice and Template for the Public Summary of Training Content for General-Purpose AI Models
• General-Purpose AI Code of Practice

European Data Protection Board

• Guidelines 3/2025 on the interplay between the DSA and the GDPR (2025)

Commission Delegated and Implementing Regulations (incl. drafts)

• Open Internet Access Regulation (fair use)
• Adequacy Decisions (UK, Patent Organisation)
• Digital Services Act (data access portal)
• Cybersecurity (certification)
• Digital Operational Resilience Act (DORA)
• Markets in Crypto-Assets Regulation (MiCA)
• Regulation on the transparency and targeting of political advertising
• Energy Performance of Buildings
• Interoperable Europe Act
• eIDAS

Austrian legal acts

• Amendment to the Universities Act 2002 and Education Documentation Act 2020
• Guidelines on the Freedom of Information Act
• Data Access Act
• Freedom of Information Amendment Act
• Amendment to the Banking Act (Banking Secrecy)
• Amendment to the Criminal Code (Cyberflashing)
• Amendment to the Number Portability Ordinance 2022
• MiCA Issuer Reporting Ordinance
• Applicability of the Freedom of Information Act
• Data Governance Designation Ordinance

Bulgarian legal acts

• Act on Markets in Crypto-Assets
• Decision on the management of the radio frequency spectrum for civil needs
• Decision amending and supplementing the rules for the Free Use of the Radio Frequency Spectrum
• Decision on the Rules for the Use of Radio Frequency Spectrum
• Decree on the amendment and supplementation of the Ordinance on the register of base stations of terrestrial networks

Croatian legal acts

• Act on the Implementation of the Data Governance Act
• Ordinance on Authorisations for Crypto-Asset Service Providers
• Decision on the Method of Exercising Supervision on MiCA
• Decision on Reports for the Purpose of Supervising Issuers of Asset-Referenced Tokens
• Decision on the Handling of Complaints against Issuers of Asset-Referenced Tokens and E-Money Tokens
• Decision on the Implementation of Regulation (EU) 2024/1183 establishing the European Digital Identity Framework
• Draft Act on Amendments to the Act on Administrative Cooperation in Tax Matters
• Draft Act on Cross-Border Procurement of Electronic Evidence in Criminal Proceedings
• Draft Act on the Amendment to the Electronic Communications Act
• Draft Ordinance on the Payment of Fees for the Activities Conducted by Croatian Regulatory Authority for Network Industries

Czech legal acts

• Amendment to the Electronic Communications Act
• Act on the Digitalisation of the Financial Market
• Act on the implementation of EU legislation in the field of financial market digitalisation and sustainability finance
• Decree on categorisation of malicious calls or other malicious communications
• Amendment to the Act on eHealth
• Cybersecurity Act
• Act amending certain laws in connection with the adoption of the Cybersecurity Act
• Critical Infrastructure Act

Hungarian legal acts

• Amendment to the implementing rules of the Cybersecurity Act
• Amendment of certain cybersecurity-related SARA decrees

Moldovan legal acts

• Law on digital economy and electronic services
• Government Decision on Cybersecurity Obligations for Critical Sectors

Polish legal acts

• Act on the National Cybersecurity Certification System
• Draft Act on the Crypto-Asset Market

Romanian legal acts

• DNSC Order on the approval of the requirements for the notification/registration process under NIS2 Directive and on the approval of criteria and thresholds

Slovenian legal acts

• Media Act
• Decision on establishing a list of categories of electronic communications and digital client devices intended for access to information society services or media
• Decision on the application of ESMA Guidelines in accordance with the Markets in Crypto-Assets Regulation (MiCA)

Turkish legal acts

• Communiqué on the Implementation Procedures and Principles of the Technology Move Programme
• Technology Move Programme Implementing Procedures and Principles Communiqué

EU Legal Acts, Guidelines and more

Regulations

Corrigendum to Regulation (EU) 2024/2847 (Cyber Resilience Act)

·         On 2 July 2025, Art. 64(10) of Regulation (EU) 2024/2847 (Cyber Resilience Act) was editorially corrected in the English-language version, OJ L 2025/90555.

Applicability of AI Act governance provisions

·         On 2 August 2025, the governance provisions of the AI Act entered into force.

Applicability of the Data Act

·         On 12 September 2025, the Data Act (2023/2854) became directly applicable. It regulates, among other things, access to data generated by data-driven technologies (Internet of Things).

Digital Omnibus

·         On 16 September 2025, the Commission published a call for evidence regarding omnibus rules for the digital sector, Ares(2025)7724296. The Commission aims to simplify the rules on data, cybersecurity and artificial intelligence.

Commission Guidelines on the AI Act

·         On 10 July 2025, the "General‑Purpose AI Code of Practice" was published. The Code of Practice is divided into three chapters: Safety and Security, Transparency and Copyright. The Code of Practice was prepared by independent experts.

·         On 24 July 2025, the European Commission published the "Explanatory Notice and Template for the Public Summary of Training Content for general-purpose AI models". In accordance with Art. 53(1)(d) AI Act (Regulation (EU) 2024/1689), providers of general-purpose AI models must draw up and make publicly available a sufficiently detailed summary of the content used to train the general-purpose AI model. In doing so, they must adhere to the Template provided by the AI-Office, which was established within the Commission. General-purpose AI models are used in applications such as ChatGPT, Microsoft Copilot and Google Gemini.

·         On 1 August 2025, the European Commission confirmed that the Code of Practice for General-purpose AI constitutes an appropriate voluntary tool for providers of GPAI models to demonstrate compliance with the AI Act 2024/1689, Commission Opinion C(2025) 5361 final. The Code of Practice was developed at the EU level with the involvement of a broad range of stakeholders and consists of the following chapters: Safety and Security, Transparency and Copyright.

European Data Protection Board (EDPB)

Guidelines 3/2025 on the interplay between the DSA and the GDPR (2025)

·         On 12 September 2025, the European Data Protection Board (EDPB) published the draft Guidelines 3/2025 on the interplay between the DSA and the GDPR for public consultation. The Guidelines of the EDPB address issues such as dark patterns, transparency, recommender systems and the protection of minors.

Commission Delegated and Implementing Regulations

Open Internet Access Regulation

·         On 23 June 2025, the EU Commission published a proposal for an implementing regulation regarding the technical conditions for fair use (based on typical usage patterns) and anti-fraud measures for international calls and text messages within the EU. Intra-EU communications differ in nature from roaming and are intended for different types of use. Contrary to intra-EU communications, regulated roaming is a cross-border service intended for periodic travelling and not for permanent use. The proposed fair use policy should provide consumers with appropriate volumes of intra-EU calls and SMS messages, while also permitting for future adjustments based on market conditions and consumers' behaviour. Typical usage of intra-EU calls and SMS messages may vary depending on the type of consumer, the provider or the Member State. Therefore, typical usage conditions should give providers sufficient flexibility to establish a fair use policy they deem appropriate, in compliance with the Open Internet Access Regulation (Regulation (EU) 2015/2120) and this proposed regulation, while also allowing for future adjustments. After the Commission's adoption, the draft act will enter into force in the fourth quarter of 2025.

Adequacy Decisions

·         On 26 June 2025, "Commission Implementing Decision (EU) 2025/1225 of 24 June 2025 amending Implementing Decision (EU) 2021/1773 pursuant to Directive (EU) 2016/680 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom", OJ L 2025/1225, as well as "Commission Implementing Decision (EU) 2025/1226 of 24 June 2025 amending Implementing Decision (EU) 2021/1772 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom", OJ L 2025/1226, were published. These Implementing Decisions extend the validity of the adequacy decisions applicable to the United Kingdom from 27 June 2025 until 27 December 2025, unless they are extended again.

·         On 18 July 2025, "Commission Implementing Decision (EU) 2025/1382 of 15 July 2025 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the European Patent Organisation", OJ L 2025/1382, was published. While the Commission has adopted adequacy decisions for more than a dozen third countries, the European Patent Organisation is the first international organisation to benefit from such a decision.

Digital Services Act

·         On 1 July 2025, the Commission adopted the draft "Delegated Regulation on data access under the Digital Services Act (DSA) 2022/2065", C(2025) 4340 final. This Regulation establishes the DSA data access portal, through which vetted researchers may access specific data processed by very large online platforms (VLOPs) and search engines (VLOSEs).

Cybersecurity

·         On 1 August 2025, a draft Commission Implementing Regulation was published introducing a mechanism for the peer review of National Cybersecurity certification authorities in accordance with the Cybersecurity Act (Regulation (EU) 2019/881), Ares(2025)6278765.

·         On 1 August 2025, a draft Commission Implementing Regulation, Ares(2025)6278517, was published, aiming to add or update state-of-the-art documents for cybersecurity certification. State-of-the-art documents specify the evaluation methods, techniques and tools for cybersecurity certification.

Digital Operational Resilience Act (DORA)

·         On 2 July 2025, "Commission Delegated Regulation (EU) 2025/532 of 24 March 2025 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the elements that a financial entity has to determine and assess when subcontracting ICT services supporting critical or important functions", OJ L 2025/532, was published. This Delegated Regulation supplements the Digital Operational Resilience Act (DORA) with regulatory technical standards governing the subcontracting of ICT services.

Markets in Crypto-Assets Regulation (MiCA)

·         On 15 September 2025, "Commission Delegated Regulation (EU) 2025/1125 of 5 June 2025 supplementing Regulation (EU) 2023/1114 of the European Parliament and of the Council with regard to regulatory technical standards specifying the information in an application for authorisation to offer asset-referenced tokens to the public or to seek their admission to trading", OJ L 2025/1125, was published. With this Delegated Regulation, the Commission supplements "Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets […]" (MiCA) and specifies the information to be provided in an application for authorisation to offer asset-referenced tokens to the public.

·         On 15 September 2025, "Commission Implementing Regulation (EU) 2025/1126 of 5 June 2025 laying down implementing technical standards for the application of Regulation (EU) 2023/1114 of the European Parliament and of the Council with regard to the establishment of standard forms, templates and procedures for the information to be included in the application for authorisation to offer asset-referenced tokens to the public and to seek their admission to trading", OJ L 2025/1126, was published. This Implementing Regulation was also adopted based on MiCA and contains standard forms, templates and procedures for the application for authorisation to offer asset-referenced tokens to the public.

Regulation on the transparency and targeting of political advertising

·         On 16 July 2025, "Commission Implementing Regulation (EU) 2025/1410 of 9 July 2025 on the format, template and technical specifications of the labels and transparency notices of political advertisements in accordance with Articles 11 and 12 of Regulation (EU) 2024/900 of the European Parliament and of the Council", OJ L 2025/1410, was published. This Implementing Regulation implements Regulation (EU) 2024/900 by laying down technical specifications for the labels and transparency notices of political advertisements. Specific requirements are provided for advertisements on television and radio, as well as in printed and digital media.

Energy performance of buildings

·         On 29 August 2025, "Commission Implementing Regulation (EU) 2025/1328 of 30 June 2025 implementing Directive (EU) 2024/1275 of the European Parliament and of the Council by establishing common templates for the transfer of information from national energy performance of buildings databases to the EU Building Stock Observatory", OJ  L  2025/1328, was published. This Implementing Regulation implements Directive (EU) 2024/1275 on the energy performance of buildings and sets out common templates for transferring information from the national databases for the energy performance of buildings to the EU Building Stock Observatory. Prior to transmitting the information, Member States should anonymise any personal data by aggregation at country level. Annex II of the Commission Implementing Regulation contains formulas for anonymisation.

Interoperable Europe Act

·         On 18 July 2025, "Commission Implementing Regulation (EU) 2025/1420 of 17 July 2025 laying down rules for the application of Regulation (EU) 2024/903 of the European Parliament and of the Council, as regards the establishment and the operation of the interoperability regulatory sandboxes", OJ L 2025/1420, was published. "Regulation (EU) 2024/903 – Interoperable Europe Act" aims to strengthen the cross-border interoperability of network and information systems used to provide or manage public services in the EU. This Implementing Regulation created the legal basis for the establishment and operation of interoperability regulatory sandboxes.

eIDAS

·         On 30 July 2025, (i) "Commission Implementing Regulation (EU) 2025/1566 of 29 July 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards reference standards for the verification of the identity and attributes of the person to whom the qualified certificate or the qualified electronic attestation of attributes is to be issued", OJ L 2025/1566, (ii) "Commission Implementing Regulation (EU) 2025/1567 of 29 July 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards the management of remote qualified electronic signature creation devices and of remote qualified electronic seal creation devices as qualified trust services", OJ L 2025/1567, (iii) "Commission Implementing Regulation (EU) 2025/1568 of 29 July 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards procedural arrangements for peer reviews of electronic identification schemes and for cooperation on the organisation of such reviews within the Cooperation Group and repealing Commission Implementing Decision (EU) 2015/296", OJ L 2025/1568, (iv) "Commission Implementing Regulation (EU) 2025/1569 of 29 July 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards qualified electronic attestations of attributes and electronic attestations of attributes provided by or on behalf of a public sector body responsible for an authentic source", OJ L 2025/1569, (v) "Commission Implementing Regulation (EU) 2025/1570 of 29 July 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards notification of information on certified qualified electronic signature creation devices and certified qualified electronic seal creation devices", OJ L 2025/1570, (vi) "Commission Implementing Regulation (EU) 2025/1571 of 29 July 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards the formats and procedures for annual reports by supervisory bodies", OJ L 2025/1571, and (vii) "Commission Implementing Regulation (EU) 2025/1572 of 29 July 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards the format and procedures for the notification of intention and the review prior to the commencement of the provision of qualified trust services", OJ L 2025/1572, were published. These seven Commission Implementing Regulations establish requirements, standards and procedures concerning the European Digital Identity Wallets under the eIDAS Regulation.

·         On 20 August 2025, the "Corrigendum to Commission Implementing Regulation (EU) 2025/1570 of 29 July 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards notification of information on certified qualified electronic signature creation devices and certified qualified electronic seal creation devices", OJ L 2025/90654, was published. The Corrigendum is of relevance because the date of entry into force of the corrected Implementing Regulation was brought forward from 19 December 2025 to 19 November 2025.

·         On 4 September 2025, the draft Commission Implementing Regulations "laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards requirements for qualified trust service providers providing qualified trust services", Ares(2025)7228840, and "laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards the formats of advanced electronic signatures and seals to be recognised by public sector bodies and repealing Commission Implementing Decision (EU) 2015/1506", Ares(2025)7228727, were published. Both drafts will further specify requirements under the eIDAS Regulation.

Austrian Legal Acts

Amendment to the Universities Act 2002 and Education Documentation Act 2020

·         On 1 July 2025, the "Federal Act amending the Universities Act 2002 and the Education Documentation Act 2020," Federal Law Gazette I 2025/28, was published. This created the legal basis for the further development of the data network for universities and higher education institutions (DVUH) and the Austrian Higher Education System Network (AHESN), as well as for the establishment of a student register and the provision of digital student ID cards. The Register and System Network (RSV) will be connected to the Bundesrechenzentrum GmbH (BRZ).

Guidelines on the Freedom of Information Act

·         On 30 June 2025, the Austrian Data Protection Authority (DSB) published its guidelines on the Freedom of Information Act ("Informationsfreiheitsgesetz"; "IFG"). In these guidelines, the DSB provides information on the relationship between data protection law and freedom of information. It embeds its explanatory considerations within the overall context of the Freedom of Information Act and the Federal Constitution.

Data Access Act

·         On 23 July 2025, the Data Access Act ("Datenzugangsgesetz"), Federal Law Gazette I 33/2025, was published. By this federal act, the Data Governance Act (DGA), Regulation (EU) 2022/868, is implemented into national law. The DGA governs the re-use of certain data held by public sector bodies. Implementation into national law is not required, as it is an EU Regulation. Under the Data Access Act, the Federal Chancellor acts as the competent authority for the registration of data altruism organisations and as the single information point. Furthermore, the DGA contains provisions on the allocation of data protection roles, penal provisions and an exemption from fees.

Freedom of Information Amendment Act

·         On 24 July 2025, the "Federal Act adapting legislation to the Freedom of Information Amendment Act" ("Informationsfreiheits-Anpassungsgesetz"), Federal Law Gazette I  50/2025, was published. With this omnibus amendment, 138 federal acts, including the acts on administrative procedure, are adapted to the new fundamental right to information and to the Freedom of Information Act ("IFG").

Amendment to the Banking Act

·         On 23 July 2025, the "Federal Act amending the Austrian Banking Act", Federal Law Gazette I  37/2025, was published. This amendment aligns the provisions on banking secrecy with the fundamental right to information and the Freedom of Information Act.

Amendment to the Criminal Code

·         On 24 July 2025, the "Federal Act amending the Criminal Code", Federal Law Gazette I  45/2025, was published. Under this amendment to the Criminal Code ("Strafgesetzbuch – StGB"), cyberflashing – the unsolicited sending of images of genitals – becomes a criminal offence.

Amendment to the Number Portability Ordinance 2022

·         On 18 July 2025, the "Ordinance of the Rundfunk und Telekom Regulierungs-GmbH amending the Number Portability Ordinance 2022" ("Nummernübertragungsverordnung 2022"), Federal Law Gazette II  164/2025, was published. The amendment concerns the continuation of the contract with the transferring provider of a mobile voice communications service.

MiCA Issuer Reporting Ordinance

·         On 25 July 2025, the "Ordinance of the Austrian Financial Market Authority (FMA) on reporting dates, reporting intervals, structure and content of reports pursuant to Regulation (EU) 2023/1114 on markets in crypto-assets concerning issuers of asset-referenced tokens and issuers of e-money tokens (MiCA Issuer Reporting Ordinance – MiCAR-Emittenten-Meldeverordnung; MiCAR-E-MV)", Federal Law Gazette II 170/2025, was published. The MiCAR-E-MV determines, among other things, the content of reports to be submitted by issuers of asset-referenced tokens and issuers of e-money tokens.

Applicability of the Freedom of Information Act

·         On 1 September 2025, the new fundamental right of access to information and the Freedom of Information Act ("IFG") entered into force. On the same day, the availability of the information register was published by ordinance of the Federal Chancellor, Federal Law Gazette  II   2025/52. Information of general interest must therefore be made available at www.data.gv.at no later than 1 December 2025.

Data Governance Designation Ordinance

·         On 26 August 2025, the Data Governance Designation Ordinance ("Daten-Governance-Benennungsverordnung" - DGBenV), Federal Law Gazette II 2025/186, was published. This ordinance designates the Federal Institute "Statistics Austria" as the competent body for access to the re-use of protected data in certain data categories pursuant to Section 5(1) of the Data Access Act (DZG).

Bulgarian Legal Acts

Act on Markets in Crypto-Assets

·         On 4 July 2025, the Act on Markets in Crypto-Assets was published in State Gazette No. 54/2025. The Act introduces the measures for the implementation of Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets (MiCA), as well as the implementing acts related to the conditions and procedures for the licensing, operation and state supervision of crypto-asset issuers and crypto-asset service providers.

·         On 15 August 2025, minor amendments and supplements to the Act on Markets in Crypto-Assets were published in State Gazette No. 67/2025. The supplements mainly consist of a new competence of the Financial Supervision Commission (FSC). The FSC may publish a list of websites offering crypto-asset-related services provided by persons who are not authorised to operate within the territory of the Republic of Bulgaria. The FSC has the right to submit a request to the Chairman of the Sofia District Court to order all undertakings providing public electronic communications networks and/or services to block access to these websites or to display an explicit warning to customers and crypto-asset holders when accessing them.

Decision No. 213 of 26 June 2025 of the Communications Regulation Commission on the adoption of a Regulatory policy for the management of the radio frequency spectrum for civil needs

·         The Decision was published in State Gazette No. 59/2025 on 22 July 2025. The regulatory policy for the management of radio spectrum for civil needs sets out the main objectives that the Communications Regulation Commission must pursue to promote the efficient and coordinated use of radio spectrum, support the establishment and development of pan-European networks, and ensure connectivity, wide availability and the use of very high-capacity networks.

Decision No. 225 of 10 July 2025 of the Communications Regulation Commission, amending and supplementing the Rules for the Free Use of the Radio Frequency Spectrum

·         The Decision was published in State Gazette No. 60/2025 on 25 July 2025. The amendments to the rules are related to the implementation and incorporation into Bulgarian legislation of (i) Commission Implementing Decision (EU) 2024/3157 on the harmonised use of radio spectrum in the 5 945–6 425 MHz frequency band for the implementation of wireless access, systems including radio local area networks (WAS/RLANs); (ii) Commission Implementing Decision (EU) 2025/105 updating harmonised technical conditions in the area of radio spectrum use for short-range devices; and (iii) Commission Implementing Decision (EU) 2025/650 on the update of harmonised technical conditions for short-range devices within the 874-876 and 915-921 MHz frequency bands.

Decision No. 237 of 17 July 2025 of the Communications Regulation Commission on the amendment and supplementation of the Rules for the Use of Radio Frequency Spectrum for Radio Equipment of the Amateur Radio Service

·         The Decision was published in State Gazette No. 64/2025 on 5 August 2025. The Rules introduce a ten-year validity period for personal identification marks of radio amateurs and clubs, personal listener marks, and identification marks of amateur repeaters, radio beacons and other types of automatic fixed radio stations. The relevant documents, including amateur radio operator licences, will be reissued ex officio.

Decree No. 183 as of 12 September 2025 on the amendment and supplementation of the Ordinance on the content, conditions and procedure for keeping, maintaining and using the register of base stations of terrestrial networks

·         The Decree of the Council of Ministers was published in State Gazette No. 76/2025 on 16 September 2025. The amendments to the Ordinance aim to clarify its provisions to address practical issues that have arisen during the use of the register.

Croatian Legal Acts

Act on the Implementation of Regulation (EU) 2022/868 on European Data Governance (Data Governance Act)

·         The Act on the Implementation of Regulation (EU) 2022/868 on European Data Governance and amending Regulation (EU) 2018/1724 (Data Governance Act) (the "Implementing Act") was adopted by the Croatian Parliament on 26 September 2025 and is expected to enter into force on the eighth day after its publication in the Official Gazette. The Implementing Act determines the national single information point for the reuse of protected data, defines the procedure and fees for the reuse of protected data, and regulates the registration of data intermediation service providers and data altruism organisations.

Ordinance on Authorisations for Crypto-Asset Service Providers, Qualifying Holdings Acquisition Assessment and Appointment Consents for Members of the Management Board

·         The Ordinance on Authorisations for Crypto-Asset Service Providers, Qualifying Holdings Acquisition Assessment and Appointment Consents for Members of the Management Board (the "Ordinance"), adopted by the Croatian Financial Services Supervisory Agency ("HANFA") and published in Official Gazette No. 95/2025, entered into force on 6 July 2025. The Ordinance was adopted as part of a series of regulations implementing the Croatian Act on the Implementation of Regulation (EU) 2023/1114 on markets in crypto-assets. It lists the required content of authorisation applications submitted to HANFA by crypto-asset service providers, sets out the conditions for appointing management board members of such providers, and defines the method for assessing the good repute of acquirers of qualifying holdings in crypto-asset service providers.

Decision on the Method of Exercising Supervision by the Croatian National Bank of the Implementation of Regulation (EU) 2023/1114 on Markets in Crypto-Assets and the Act Implementing that Regulation

·         The Decision on the Method of Exercising Supervision by the Croatian National Bank of the Implementation of Regulation (EU) 2023/1114 on Markets in Crypto-Assets and the Act Implementing that Regulation (the "Decision"), adopted by the governor of the Croatian National Bank (the "HNB") and published in Official Gazette No. 100/2025, entered into force on 17 July 2025. The Decision defines the rules for the two supervisory methods applied by the HNB to persons seeking admission to trading of asset-referenced tokens and e-money tokens, namely the continuous monitoring of reports, data and documents, and the direct supervision of the persons concerned.

Decision on Reports for the Purpose of Supervising Issuers of Asset-Referenced Tokens

·         The Decision on Reports for the Purpose of Supervising Issuers of Asset-Referenced Tokens (the "Decision"), adopted by the governor of the Croatian National Bank (the "HNB") and published in Official Gazette No. 100/2025, entered into force on 17 July 2025. The Decision regulates the mandatory content and deadlines for submitting financial and supervisory reports as part of the HNB's supervision of issuers of asset-referenced tokens.

Decision on the Handling of Complaints against Issuers of Asset-Referenced Tokens and E-Money Tokens

·         The Decision on the Handling of Complaints against Issuers of Asset-Referenced Tokens and E-Money Tokens (the "Decision"), adopted by the governor of the Croatian National Bank (the "HNB") and published in Official Gazette No. 105/2025, entered into force on 31 July 2025. The Decision regulates the procedure adopted by HNB for handling consumer-filed complaints against issuers of asset-referenced tokens and e-money tokens.

Decision on the Implementation of Regulation (EU) 2024/1183 establishing the European Digital Identity Framework

·         The Decision on the Implementation of Regulation (EU) 2024/1183 establishing the European Digital Identity Framework (the "Decision"), adopted by the Government of the Republic of Croatia and published in Official Gazette No. 121/2025, entered into force on 25 September 2025. The Decision defines the responsibilities of various public bodies in the implementation of the European Digital Identity Framework. The principal implementing activities include the modification and upgrade of the state information infrastructure and the development of the national European digital identity wallet.

Draft Act on Amendments to the Act on Administrative Cooperation in Tax Matters

·         On 26 September 2025, the Draft Act on Amendments to the Act on Administrative Cooperation in Tax Matters (the "Draft Act") completed its first reading in the Croatian Parliament. The first draft of the Draft Act contains provisions governing the regulatory supervision of the fulfilment of data-gathering and deep screening obligations imposed on crypto-asset service providers.

Draft Act on Cross-Border Procurement of Electronic Evidence in Criminal Proceedings

·         The e-public consultation for the Draft Act on Cross-Border Procurement of Electronic Evidence in Criminal Proceedings (the "Draft Act") ended on 30 August 2025. The Draft Act is intended to implement Regulation (EU) 2023/1543 on European Production Orders and European Preservation Orders for electronic evidence in criminal proceedings and for the execution of custodial sentences following criminal proceedings in the Croatian legal framework by designating the competent national bodies for the issuing of European production orders and European preservation orders.

Draft Act on the Amendment to the Electronic Communications Act

·         The e-public consultation for the Draft Act on the Amendment to the Electronic Communications Act ("Draft Act") ended on 17 August 2025. The Draft Act implements Regulation (EU) 2024/1309 on measures to reduce the cost of deploying gigabit electronic communications networks (Gigabit Infrastructure Act) by designating the competent national bodies for the implementation of the Regulation and establishing appropriate dispute resolution mechanisms.

Draft Ordinance on the Payment of Fees for the Activities Conducted by the Croatian Regulatory Authority for Network Industries

·         The Croatian Regulatory Authority for Network Industries ("HAKOM") published the Draft Ordinance on the Payment of Fees for the Activities Conducted by the Croatian Regulatory Authority for Network Industries (the "Draft Ordinance"), with the subsequent e-public consultation ending on 10 September 2025. The Draft Ordinance sets the fees payable by electronic communications operators used to fund the activities of HAKOM. These include the address and numbering space management fee, the radiofrequency spectrum management fee, and the fee for other activities in the field of electronic communications.

Czech Legal Acts

Amendment to the Electronic Communications Act

·         On 7 February 2025, the Amendment to the Electronic Communications Act, Gazette No. 23/2025, was published. This amendment updates the Electronic Communications Act and related laws, including adjustments to the Act on the Right to Digital Services. It introduces stricter duties for providers (e.g. obligations on network operators regarding risk assessment, data handling and anti-fraud measures) and updates definitions and procedural rules. The Act also strengthens consumer protection – for instance, by limiting termination fees, ensuring non-discrimination in tariffs and mandating free access to emergency services – and revises enforcement and administrative structures. The main effects entered into force on 1 July 2025.

Act to the Digitalisation of the Financial Market

·         On 14 February 2025, the Act on the Digitalisation of the Financial Market, Gazette No. 31/2025, was published. This Act establishes a national framework for MiCA and other EU digital-finance rules. It defines the rights and obligations of entities providing crypto-asset services and entrusts supervisory powers to the Czech National Bank. The Act introduces requirements for the licensing, governance and safeguarding of client assets.

Act amending certain laws in the field of financial market digitalisation and sustainability finance

·         On 14 February 2025, the Act amending certain laws in connection with the implementation of EU legislation in the field of financial market digitalisation and sustainability finance, Gazette No. 32/2025, was published. It updates numerous domestic laws, including the Trade Licensing Act, Banking Act, Act on Savings and Credit Cooperatives and Capital Markets Supervision Act, to accommodate requirements under MiCA, DORA, green finance regulations and related EU acts by inserting new types of regulated activities (e.g. issuing asset-backed tokens, crypto-asset services, crowdfunding services) and aligning oversight, reporting, sanction and procedural regimes.

Decree on categorisation of malicious calls or other malicious communications

·         On 27 March 2025, the Decree on categorisation of malicious calls or other malicious communications, Gazette No. 85/2025, was published. It sets out categories of malicious emergency-line communications and related blocking measures. The Decree implements Section 33(19) of the Electronic Communications Act and establishes specific procedural rules for the interruption of malicious communications.

Amendment to the Act on eHealth

·         On 15 July 2025, the Amendment to the Act on eHealth, Gazette No. 236/2025, was published. The amendment updates the eHealth framework, including electronic documentation, interoperability and data sharing.

Cybersecurity Act

·         On 4 August 2025, the Cybersecurity Act, Gazette No. 264/2025, was published. This new Act, effective as of 1 November 2025, transposes the NIS-2-Directive and introduces broad duties for regulated entities, which have 60 days to complete their registration with the National Cyber and Information Security Agency (NÚKIB). The number of regulated entities is expected to increase up to tenfold compared to the current regulation.

Act amending certain laws in connection with the adoption of the Cybersecurity Act

·         On 4 August 2025, the Act amending certain laws in connection with the adoption of the Cybersecurity Act, Gazette No. 265/2025, was published. It harmonises sanctions and procedures across the legal system in connection with the new Cybersecurity Act.

Critical Infrastructure Act

·         On On 4 August 2025, the Critical Infrastructure Act, Gazette No. 266/2025, was published. It transposes the CER Directive and imposes new obligations on digital-infrastructure operators, among others.

Hungarian Legal Acts

Amendment to the implementing rules of the Cybersecurity Act

·         On 3 July 2025, Government Decree No. 189/2025. (VII. 3.) on the implementation of the Act on Cybersecurity of Hungary was published in Hungarian Gazette No. 2025/80. The objective of the amendment is to further implement the EU NIS-2-Directive and to clarify provisions in light of practical experience gained during their application. Notably, the amendment introduces new infringements and significantly increases the fines that may be imposed by the competent authority. Read more about cybersecurity in Hungary here: https://www.schoenherr.eu/content/cybersecurity-in-hungary-how-to-avoid-million-forint-fines-in-2025.

Amendment of certain cybersecurity-related SARA decrees

·         On 21 August 2025, Decree No. 8/2025. (VIII. 21.) of the President of the Supervisory Authority for Regulated Activities (SARA) on the amendment of certain decrees relating to cybersecurity and to sustainability-related due diligence obligations was published in Hungarian Gazette No. 2025/96. The amendments concerning cybersecurity-related decrees include the extension of the scope of information that entities must provide during registration with SARA, as well as amendments to the requirements applicable to those authorised to conduct vulnerability assessments.

Moldovan Legal Acts

Law on amending certain normative acts (supporting the digital economy and electronic services)

·         The Law on amending certain normative acts (supporting the digital economy and electronic services) No. 144 dated 19 June 2025 [Legea pentru modificarea unor acte normative (sustinerea economiei digitale si a serviciilor electronice]) was published in Official Gazette No. 328 on 20 June 2025 and entered into force on 20 September 2025. The main goal of the amendments is to promote the digital economy and align the Republic of Moldova with global trends in this domain. The key provisions of the law include: (i) allowing cash withdrawals at the point of sale, subject to limits; (ii) extending the legal framework for digital nomads to live and work remotely from Moldova under defined conditions; (iii) requiring fiscal receipts to be issued in both paper and electronic formats; (iv) simplifying online registration for legal entities and individual entrepreneurs; (v) updating the legal framework for crowdfunding platforms, including technical, operational and transparency requirements; (vi) aligning Moldovan regulations with EU standards, particularly for cross-border communications and roaming; and (vii) expanding the use of electronic identification for client verification, including for EU citizens with qualified digital certificates.

Government Decision on Cybersecurity Obligations for Critical Sectors

·         Government Decision on Cybersecurity Obligations for Critical Sectors No. 562 dated 3 September 2025 (Hotararea cu privire la modul de realizare a obligatiilor de asigurare a securitătii cibernetice de catre furnizorii de servicii in sectoarele critice) was published in Official Gazette No. 467-470 on 5 September 2025 and entered into force on 5 October 2025. The Government Decision establishes the regulatory framework for ensuring cybersecurity by providers of essential and important services in critical sectors. It partially transposes Commission Implementing Regulation (EU) 2024/2690, which implements the NIS-2-Directive, setting technical and methodological requirements for risk management and incident notification, and amends existing national legislation.

Polish Legal Acts

Act on the National Cybersecurity Certification System

·         On 28 August 2025, the Act on the National Cybersecurity Certification System came into force. The aim of the new regulations is to enhance the level of digital protection in Poland and enable the issuance of European cybersecurity certificates in the country, which will be automatically recognised by all EU Member States. The national cybersecurity certification system introduced by the Act is based on the European Cybersecurity Act and is intended to confirm that a given product or service meets specific security standards.

Draft Act on the Crypto-Asset Market

·         On 26 June 2025, the Polish Parliament received a government-drafted Act on the crypto-assets market. The proposed draft act will transpose the EU's MiCA (Regulation (EU) 2023/1114) into national law. The draft act sets out, among other things, the conditions for the issuance and trading of crypto-assets, the regulatory framework for companies providing related services, as well as supervisory mechanisms for this sector. The draft Act can be found here.

Romanian Legal Acts

DNSC Order No. 1/2025 on the approval of the requirements for the notification/registration process under NIS2 Directive and Order No. 2/2025 on the approval of criteria and thresholds for determining the degree of disruption of a service and the methodology for assessing the risk level of entities under the NIS-2-Directive

·         On 20 August 2025, the following orders issued by the National Directorate for Cyber Security (DNSC) were adopted and published in the Romanian Official Gazette:

–      Order No. 1/2025 on the requirements regarding the notification process for the registration of essential and important entities and the method of transmitting information (Ordinul pentru aprobarea cerințelor privind procesul de notificare în vederea înregistrării și metoda de transmitere a informațiilor);

–      Order No. 2/2025 on the criteria and thresholds for determining the degree of disruption of a service and the methodology for assessing the risk level of entities (Ordinul pentru aprobarea criteriilor și pragurilor de determinare a gradului de perturbare a unui serviciu și metodologia de evaluare a nivelului de risc al entităților).

·         Based on these acts, the obligation of DNSC notification for registration became effective. Essential and important entities were required to register with the DNSC within 30 days as of 20 August 2025 (respectively until 22 September 2025), via the NIS2@RO Tool available online (in Romanian and English).

·         Note: Although the registration deadline has expired, essential and important entities under the NIS-2-Directive (as transposed by Romanian Government Emergency Ordinance No. 155/2025) are still obliged to notify the DNSC for registration. Failure to comply with this obligation constitutes a contravention and is punishable by fines of up to RON 500,000 (approx. EUR 100,000).

Slovenian Legal Acts

Media Act

·         On 3 September 2025, a new Media Act (Zakon o medijih; ZMed-1) was adopted (Official Gazette of the Republic of Slovenia No. 69/2025), introducing several fundamental improvements aimed at strengthening media transparency, digital development and journalistic protections. One of the key changes is the requirement for greater transparency in media ownership and funding, including mandatory disclosure of state advertising. The new Media Act also supports the digital transition by introducing new financial schemes to assist in the digitalisation of print media and to bolster the growth of digital media outlets. In response to the evolving media landscape, the new Media Act now includes online platforms and influencers within its regulatory scope, imposing higher legal and ethical responsibilities on them. Lastly, the new law aligns Slovenian media regulation with European standard, specifically the European Media Freedom Act (EMFA) and Digital Services Act (DSA). It will enter into force on 27 September 2025.

Decision on establishing a list of categories of electronic communications and digital client devices intended for access to information society services or media

·         On 4 September 2025, the Government of the Republic of Slovenia adopted a "Decision on establishing a list of categories of electronic communications and digital client devices intended for access to information society services or media" (Sklep o določitvi seznama kategorij elektronskih komunikacijskih in digitalnih odjemalnih naprav, ki so namenjene dostopu do storitev informacijske družbe ali medijev) (Official Gazette of the Republic of Slovenia No. 68/2025). This decision outlines a list of devices that, pursuant to the Slovenian Act on the use of the Slovenian Language in Public, must make available the Slovenian language and Slovenian orthography to its users in such a way that the functionality of the device is equivalent to the functionality of the device in other available languages. The list of devices includes personal computers and laptops, electronic tablets and readers, smart mobile phones, smart TVs, connected cars and car parts (operating systems and graphical user interfaces), and interfaces for accessing IPTV (set-top boxes).

DECISION on the application of ESMA Guidelines on supervisory practices of competent authorities for the prevention and detection of market abuse in accordance with the Markets in Crypto-Assets Regulation (MiCA)

·         On 31 July 2025, the Slovenian Securities Market Agency (Agencija za trg vrednostnih papirjev) adopted a Decision on the application of ESMA Guidelines on supervisory practices of competent authorities for the prevention and detection of market abuse in accordance with the Regulation on Markets in Crypto-Assets (MiCA) (Sklep o uporabi Smernic ESMA o nadzornških praksah pristojnih organov za preprečevanje in odkrivanje zlorab trga v skladu z Uredbo o trgih kriptosredstev (MiCA)), (Official Gazette of the Republic of Slovenia No. 60/2025). The Decision determines that the Agency will apply the ESMA guidelines when carrying out supervisory tasks under Articles 86 to 92 of the MiCA, with the aim of ensuring consistent and effective prevention, detection and enforcement against market abuse related to crypto-asset markets across the EU.

Turkish Legal Acts

Communiqué on the Implementation Procedures and Principles of the Technology Move Programme

·         On 9 July 2025, the Ministry of Industry and Technology of the Republic of Türkiye issued a communiqué in the Official Gazette (No. 32951), amending the "Technology-Oriented Industry Move Programme Implementing Procedures and Principles Communiqué" (the "Communiqué"). The amendments, adopted under Presidential Decree No. 1 and Decision No. 9903, entered into force on the same date.

Among the notable revisions, the title of the original communiqué, previously published in the Official Gazette dated 18 September 2019 (No. 30892), has been changed from "Technology-Oriented Industry Move Programme Implementing Procedures and Principles Communiqué” (Teknoloji Odaklı Sanayi Hamlesi Programı Uygulama Usul ve Esasları Tebliği) to "Technology Move Programme Implementing Procedures and Principles Communiqué" (Teknoloji Hamlesi Programı Uygulama Usul ve Esasları Tebliği).

The revised Communiqué introduces several procedural and institutional changes to the incentive scheme designed to support investments in medium-high and high-technology manufacturing sectors. For applications to be considered for state support within the scope of Presidential Decision No. 9903 and Council of Ministers Decision No. 2016/9495, investors are required to submit the relevant forms and information, as set out under the applicable legislation, via the Programme Portal (Program Portalı). Upon submission, project evaluation committees assess the application files and provide a formal opinion to the Ministry regarding the project's eligibility for public support instruments.

Technology Move Programme Implementing Procedures and Principles Communiqué

·         The "Regulation on the Identification and Certification of Technology- and Innovation-Focused Enterprises" (Teknoloji ve Yenilik Odaklı Girişimlerin Belirlenmesi ve Belgelendirilmesine Dair Yönetmelik) (the "Regulation") was published in the Official Gazette dated 3 July 2025, No. 32945, by the Ministry of Industry and Technology of the Republic of Türkiye, and entered into force on the same date.

The Regulation establishes the legal framework for identifying enterprises operating in Türkiye that engage in technology- and innovation-based activities and adopt scalable business models. Enterprises that meet the eligibility criteria may apply to receive the official Tech-Entrepreneurship Badge (Teknogirişim Rozeti), which serves as a formal recognition of their innovative and scalable business structure. Eligibility requires, among other things, that the applicant be an SME (Small and Medium-sized Enterprise), have been established for no more than 15 years, and operate as an independent enterprise under Turkish law.

To better understand Türkiye's evolving digital legal framework, please see: https://www.schoenherr.eu/content/turkiye-s-evolving-digital-legal-framework-regulatory-developments-in-innovation-and-data-protection.