Welcome to the October edition of Schoenherr's to the point: technology & digitalisation newsletter!
We are excited to present a selection of legal developments in the area of technology & digitalisation in the wider CEE region.
As we approach the end of October, also known as Cybersecurity Awareness Month, we take this opportunity to reflect on the pressing legal developments in the realm of cybersecurity across the EU. This edition of our newsletter highlights critical advancements and compliance challenges that are shaping the future of cybersecurity regulation. With a focus on ensuring robust protection for digital environments, these updates are more relevant than ever for organisations navigating the complexities of compliance and risk management.
One of the key developments that we will delve into is the recent passage of the Cyber Resilience Act by the European Council on 10 October. This landmark legislation aims to strengthen the cybersecurity of digital products and services across the EU, mandating essential security requirements for manufacturers and service providers. In our feature, we will explore the implications of this Act for businesses, highlighting the obligations they will need to meet to safeguard consumer data and ensure operational resilience against cyber threats.
Additionally, we will examine the status of the NIS2 Directive implementation across Member States. As of the 17 October deadline, it has become evident that many countries have struggled to meet their obligations, raising significant concerns about the enforcement of cybersecurity standards throughout the Union.
Furthermore, the ongoing buzz surrounding artificial intelligence remains a hot topic in the legal arena. Our edition will include insights into the upcoming AI regulation in Poland, offering a glimpse into how the regulatory framework could shape the deployment and governance of AI technologies in Europe. Alongside these main features, we will cover a variety of other engaging topics in the realm of technology and digitalisation to make sure you are up to date and prepared for the challenges ahead.
We also want to address a change that some of our regular readers may have already noticed: our newsletter will now be published quarterly instead of monthly. This shift allows us to provide you with more comprehensive and in-depth coverage of critical issues, ensuring you receive timely and relevant updates in the fast-paced world of IT and digital law.
The EU's Cyber Resilience Act (CRA), officially passed on 10 October, marks a significant step forward in enhancing the cybersecurity landscape across Europe. As cyber threats grow more sophisticated and pervasive, this legislation aims to create a harmonised framework that ensures the security of digital products and services.
At its core, the CRA establishes essential security requirements that manufacturers and service providers must adhere to for their digital products. This encompasses a wide range of technologies, including standalone software as well as connected devices and IoT products. Importantly, it targets both EU-based companies and non-EU entities that wish to sell digital products in the European market.
Specifically, the CRA requires that these products are designed with cybersecurity as a fundamental component, promoting a shift from reactive measures to a proactive approach. This involves integrating security features into the product development lifecycle, ensuring vulnerabilities are addressed before products reach the market. However, legal obligations extend beyond product launch. The CRA's goal is to ensure the security of digital products throughout their entire lifecycle – from supply chain to end-of-life – and to guarantee the effective management of any vulnerabilities that may arise.
Among the key legal requirements outlined in the CRA are obligations for risk assessment, vulnerability management and incident reporting. Manufacturers will be required to conduct comprehensive risk assessments to identify potential vulnerabilities in their products and implement appropriate security measures, such as encryption and secure coding practices. Furthermore, they must establish protocols for promptly reporting cybersecurity incidents, ensuring that affected users and relevant authorities are informed in a timely manner. Products that comply with the CRA will carry the "CE" symbol, indicating that they meet EU standards for safety, health and environmental protection. This label will assist consumers in identifying products with robust cybersecurity measures. By promoting the visibility of secure products, the CRA seeks to drive competition based on cybersecurity excellence, ultimately benefitting consumers and responsible manufacturers alike.
Companies that fail to comply with the CRA's obligations could face administrative fines of up to EUR 15 million or 2.5 % of their global turnover, whichever is higher.
As of now, the CRA is in the process of being finalised for publication in the EU's Official Journal. It is expected to enter into force by the end of 2024 or early 2025 at the latest and will apply 36 months after its entry into force, with some provisions taking effect earlier. Companies should start assessing their current security practices and implementing necessary changes to align with the CRA's provisions. This is not just a regulatory challenge; it represents an opportunity for organisations to enhance their cybersecurity posture and to instil greater trust among their customers, who are increasingly concerned about IT security and data protection, especially in light of high-profile breaches and incidents.
As digital threats continue to evolve, the EU's NIS2 Directive represents a critical effort to enhance cybersecurity across Member States. With the implementation deadline of 17 October 2024 now lapsed, many countries find themselves lagging in adopting the necessary measures. This article will examine the current status of NIS2 Directive implementation across select Member States, highlighting the challenges faced and the expected timelines for implementation.
The timeline for implementing the NIS2 Directive in Austria remains uncertain, primarily due to the ongoing parliamentary legislative process. Following recent parliamentary elections, the government is currently in a transitional phase, making it difficult to predict when implementation will finally take place.
The latest draft of the Austrian Implementation Act, the Network and Information Security Act 2024 (NISG 2024), faced a setback when it was rejected by parliament on 4 July 2024. A key challenge is that this draft includes constitutional provisions that impact the balance of power between the federal government and the states. Because of this, the NISG 2024 requires a two-thirds majority in parliament, which it did not achieve.
Opposition parties have voiced significant concerns regarding the proposed allocation of responsibilities for enforcing NIS2 to the Ministry of the Interior. They are particularly concerned about the establishment of a separate cybersecurity authority within the ministry, which would consist of around 200 personnel. Critics argue that this structure could grant the ministry excessive power, potentially compromising the goal of enhancing cybersecurity.
On a positive note, the content of the NISG 2024 draft aligns closely with the requirements outlined in the NIS2 Directive. It is estimated that between 3,000 and 5,000 companies in Austria will be classified as "essential" or "important" entities, thus falling under the new regulatory framework of the NISG 2024. While the timeline for the passage of the Austrian Implementation Act remains uncertain, it is essential for Austrian companies to begin preparing for the upcoming changes.
While the Czech Republic has been a pioneer in the area of cybersecurity regulation, being one of the first countries to have its own dedicated law, the national legislators decided to enact a completely new Act on cybersecurity ("Act") to align with the NIS2 requirements. This Act is currently in the advanced stage of the legislative process. It is expected to become effective as of 1 January 2025; however, due to the political turmoil surrounding its adoption, the actual date is currently uncertain.
Whereas the current regulatory framework already provides for a comprehensive set of obligations, the new Act is set to extend the scope of NIS2 requirements with greater reach, enhanced (stricter) security requirements, heavier penalties, heightened officers' liability and risk screening of suppliers of strategically important services – in cooperation with intelligence services and other state authorities with relevant information for assessing the credibility of the supplier.
The Act will further build on the existing Czech rules and NIS2 and impose on the regulated providers a set of core obligations around which the specific rules are structured, including registration and data and incident reporting, implementation and enforcement of security measures and countermeasures and cybersecurity management. The Act will also greatly affect suppliers of all regulated providers, as the whole supply chain shall be subject to cybersecurity measures.
In contrast to the current regulatory framework, the new Act will substantially broaden the law's scope to cover new sectors and expand the existing ones. As a result, the number of regulated entities (referred to as regulated providers under the Act) is expected to increase significantly, from currently around 300 Czech entities to up to 10,000. Compared to NIS2, the Act covers and broadens additional sectors such as financial services providers (e.g. payment services providers), the defence industry, transportation, energy and healthcare providers; even small companies may be subject to the regulation notwithstanding the number of their employees or turnover.
The regulated providers will have to follow a new (self-)identification procedure with the supervisory authority (National Cyber and Information Security Agency - NCISA) and – depending on their size and turnover – will be classified as either essential or important service providers, which will determine the applicable regulatory regime and the extent of their obligations.
As is common for such high-impact EU regulation transposition, the Act will provide for higher and additional forms of sanctions, including GDPR-like fines based on a percentage of the global turnover. Furthermore, given the EU-wide high priority of cybersecurity regulation, the NCISA is expected to conduct rigorous inspections, with its significantly increased powers including the authorisation to carry out dawn raids at the companies.
Specific obligations under the Act are expected to roll out during 2025, but we recommend that every Czech company stays up to date with the legal developments.
In Poland, work on a law to implement the NIS2 Directive is still ongoing. The deadline for implementing the NIS2 Directive regulations (17 October 2024) has passed, and the Ministry of Digital Affairs is currently managing this process.
The draft law underwent public consultations, during which 1,567 comments were submitted. According to the Ministry of Digital Affairs, the latest version of the bill includes 70 % of the proposed amendments.
In October this year, the Ministry presented a second draft of the bill, featuring provisions to ease compliance for companies. Sector-specific requirements have been standardised, and supply chain security regulations have been limited to direct suppliers only. Several deadlines were also extended, such as those for registration of essential and important entities and the timeline for conducting the first audit for essential entities. The obligation to use ISO standards as a basis for presumed compliance was removed, replaced by guidelines from the European Commission to ensure consistent security standards across the EU. NIS2 is expected to apply to approximately 6,000 entities in Poland.
The final version of the amendment to the National Cybersecurity Act may still be subject to change. However, the Ministry of Digital Affairs anticipates that by the end of 2024, the draft will be adopted by the Council of Ministers and then submitted to parliament, with the law expected to be passed in 2025.
NIS 2 is set to significantly enhance the responsibilities of management bodies for the security of network and information systems. Article 20 of the NIS 2 emphasises that cybersecurity is a top-level management issue, mandating that EU Member States ensure their national laws require management bodies to not only approve but also oversee risk management measures in cybersecurity. This Directive aims to prevent the delegation of these critical responsibilities solely to IT departments, thereby holding board members personally accountable for any infringements.
Austria did not comply with the implementation deadline of NIS 2. The available draft of the NIS 2 Implementation Act (NISG 2024) does, however, incorporate these liability requirements of management bodies stipulated in NIS 2. Although the NISG 2024 does not explicitly address personal liability for breaches, it implies that management could face civil liability for damages caused by non-compliance.
The NISG 2024 also introduces a definition for "management bodies", encompassing individuals or administrative bodies responsible for managing or supervising an entity's operations. This definition aims to encompass the actual management and supervisory levels, excluding roles such as procurators but including boards, managing directors and supervisory boards.
Furthermore, the NIS 2 requires management bodies to participate in specialised cybersecurity training. It also mandates regular cybersecurity training for all relevant employees, ensuring they possess the necessary knowledge and skills to identify, assess and manage cybersecurity risks effectively. Non-compliance with these training requirements can result in administrative penalties for both the entity and its management.
In conclusion, NIS 2 becomes an integral component of IT compliance regulations in the EU. Management must establish robust internal control systems to implement and monitor required risk management measures. Additionally, they must acquire the necessary expertise and participate in training to meet the personal accountability standards set by NIS 2. These measures should be reflected in the internal corporate governance frameworks to ensure comprehensive cybersecurity oversight and compliance.
The AI Act represents the first comprehensive legal instrument worldwide to regulate artificial intelligence within the EU. However, in order to realise the AI Act's objectives, Member States must adopt appropriate national regulations to implement and enforce the AI Act. Among other things, the new EU regulations aim to grant necessary powers to national supervisory authorities, which will be responsible for removing AI systems that do not comply with AI Act requirements from the market.
Therefore, the draft of the Polish law on AI (currently under public consultation) will regulate issues such as:
Given that there is currently no appropriate institution in Poland that meets the requirements set forth in the AI Act, the Polish authorities decided that the most effective solution would be to create a new institution responsible for supervising the AI sector and supporting its development. This institution, named the Commission for the Development and Security of Artificial Intelligence (the "Commission"), is supposed to perform not only a supervisory role, but also support the AI industry in Poland and cooperate with other public institutions. It is worth mentioning here that direct supervision of AI systems by the Minister of Digitalisation or any other Ministry is not possible due to the fact that the supervisory body shall remain independent from the central government, as is required by the AI Act.
The members of the Commission, in addition to the Chairman and his two Deputies, will represent key bodies related to the AI sector, such as the Office of Personal Data Protection, the Office of Competition and Consumer Protection, the Financial Supervisory Commission and the Ombudsman and Child Ombudsman offices. However, the Commission will not include corporate representatives in order to avoid conflicts of interest, as corporations are supervised entities.
The Commission's tasks will include, among others, monitoring compliance with regulations, promoting innovation in the field of AI, preventing threats to the security of AI systems, participating in the drafting of legislation and organising educational activities.
Meanwhile, the Chairman of the Commission will be selected by the Prime Minister through an open recruitment process and must have relevant knowledge and experience in the field of AI or law, as well as work experience in relevant IT-related entities.
In addition, the draft of the Polish law provides for the establishment of a Social Council for Artificial Intelligence (the "Council") to provide a platform for experts, entrepreneurs and scientists to cooperate and support the Commission in its activities. The Council will mainly be tasked with expressing opinions on matters referred to it by the Commission.
Last week, the Hungarian Competition Authority (GVH) published the results of its market analysis on the impact of AI on competition and consumer decisions. The GVH emphasises in its market analysis that the use of artificial intelligence can increase competitiveness, innovation and efficiency of businesses. It also calls for targeted public interventions to ensure that the potential of AI technology can be maximised in Hungary. At the same time, the rapid development and application of AI pose risks from a competition/consumer protection law perspective, as it can distort competition and make consumers more vulnerable.
In addition to outlining the regulatory landscape and summarising available AI studies of other competition authorities in the first part of the report, as well as a presentation of the possible competition related issues and risks regarding the use of AI on the relevant markets, the GVH also approached several players present on the Hungarian market with questions. It sent questionnaires to major tech companies, prominent generative AI model developers and significant AI users (especially in the financial and telecom sectors). The current description of the Hungarian market landscape is based on the answers received from these players.
The report contains the following main conclusions/tasks:
The GVH's market analysis provides a set of recommendations aimed at fostering a competitive and fair AI landscape in Hungary, ensuring that the benefits of AI are widely accessible and that consumer interests are adequately protected.
Due to the evolving nature of AI, the regulatory landscape and the market analysis instrument as such, the report is more of an overview of the current status of AI, both generally and within Hungary. It provides limited insight into which potential enforcement steps or trends are to be expected from the HCA. Naturally, competition law enforcement regarding AI is still at a very early stage, not only in Hungary.
Even if the report's conclusions do not necessarily foresee any imminent enforcement actions from the Hungarian watchdog, companies should start familiarising themselves not only with the highlighted conclusions and policy recommendations, but also with the competition law and consumer protection law related risk areas outlined in the study, as AI related competition law infringements/unfair practices towards consumers may involve significant fines by competition authorities, including the GVH, in the future.
The use of artificial intelligence (AI) is transforming recruitment, management, and employee monitoring in businesses, providing tailored employee experiences and streamlining HR processes. However, these advancements come with risks such as discrimination and privacy concerns that employers must navigate carefully. The introduction of the EU AI Act, effective from August 2024, highlights the need for clarity regarding employer responsibilities in the AI landscape, particularly concerning its potential applicability to Serbian employers.
The EU AI Act does have provisions that allow its extraterritorial application, meaning it can apply to Serbia, as a non-EU entity, under certain circumstances. For instance, AI system providers based in Serbia could fall under the EU AI Act if their systems are used within the EU. However, for Serbian employers who act as deployers (users) of AI systems for their own needs within Serbia, the Act does not apply.
For employers in the EU, the EU AI Act introduces strict requirements related to high-risk AI systems. These systems are typically those that monitor employee performance, profile individuals, or make automatic decisions regarding working conditions, promotions, or terminations. Consequently, employers in the EU are required to conduct Data Protection Impact Assessments (DPIA) for high-risk systems and adhere to strict implementation procedures.
It’s important to note that while the EU AI Act mandates DPIAs for high-risk systems, local data protection regulators in EU member states also adopt their own lists of cases where DPIAs are mandatory. These lists may not align perfectly with Annex III of the Act, potentially expanding the scope of AI-related activities requiring a DPIA. This is a notable aspect for Serbia, as the country does not yet have AI-specific legislation, but a working group is currently drafting new AI regulations, making it interesting to observe how these developments will align with EU standards.
Currently, Serbian employers who use AI systems for their internal needs are not subject to the obligations of the EU AI Act. A working group has been established and is working on drafting new AI legislation in Serbia, with the law expected to be completed within a year. Until then, the use of AI systems by Serbian employers will remain governed by the Data Protection Act (DPA).
Having said that, besides ensuring that employees are duly notified of the processing of their data and that a legal basis for processing exists (which can be tricky when employees' data is processed), using any AI systems that fall under the high-risk category of the EU AI Act also requires a DPIA under the Serbian DPA. Namely, under the Serbian DPA a DPIA is required, among other things, when personal data processing is conducted using new technologies (namely AI) and represents a potential risk to the rights and freedoms of the individuals whose data is being processed. For instance, it is explicitly required in cases of automated processing or profiling if, based on such automated processing, a decision is made that significantly influences the life of an individual. According to the Commissioner's decision, a DPIA and the DPO's opinion are mandatory for specific processing actions (such as the use of employee monitoring tools based on biometric data).
Thus, employers, as controllers processing personal data using AI systems that could qualify as high-risk systems under the EU AI Act, are obligated under the DPA to, inter alia: (i) conduct a DPIA, (ii) seek the opinion of the Data Protection Officer (DPO), and (iii) request prior consultation with the Commissioner for Data Protection (before any processing takes place).
Although the EU AI Act does not currently apply to employers in Serbia, the signing of the Stabilization and Association Agreement obliges Serbia, among other things, to align its legislation with that of the EU. Serbian employers should therefore closely monitor the development of this new legal area in the EU so as to be prepared for what might apply to them in the same or a similar scope. Regardless, employers should continue to comply with the DPA, but should also review the AI systems currently in use to check whether they are fully compliant with the DPA, create records of the AI systems used by their employees and create internal rules and policies on the compliant use of AI systems by their employees, all in order to prevent any possible liability in that regard.
On 8 October 2024, significant amendments to the Bulgarian Public Health Act (PHA) were introduced to modernise the healthcare system, enhance data management and improve patient care. Key initiatives include the transition to electronic health records (EHR), regulation of telemedicine and the implementation of a digital scheduling system for medical appointments.
One key focus of the revised PHA is the prioritisation of EHRs over traditional paper-based records. The law mandates that all medical activities must be recorded in each Bulgarian citizen's electronic health record, ensuring centralised access to health information. Additionally, medical software will be evaluated to ensure usability and proper integration with EHR systems, enhancing data accuracy and security.
The amendments also streamline digital health management by formally regulating telemedicine, which allows remote diagnostic and medical activities. This aims to expand healthcare access, particularly in underserved areas. Furthermore, a digital scheduling system for appointments in public hospitals will enable patients to book visits online, reducing wait times and improving overall patient experience.
These changes are expected to significantly enhance patient care. The new systems will particularly benefit patients with special needs or those in remote locations, making it easier for them to access necessary medical specialists without the financial burden of private practices. Additionally, the amendments clarify that doctors employed in state hospitals cannot practise in private clinics during their working hours, promoting efficient use of public healthcare resources.
Overall, these amendments represent a substantial step towards modernising Bulgaria's healthcare system, with a focus on improving patient access and the quality of care through digital innovations.
Convertible loans have become a crucial financial instrument for start-ups seeking early-stage funding, particularly during pre-seed and seed rounds, often referred to as angel investment. These loans blend debt and equity financing, allowing companies that are not ready for formal valuations to secure needed capital and bridge gaps between funding rounds.
At their core, convertible loans are debt instruments that can be converted into equity during subsequent funding rounds. This structure allows start-ups to access capital quickly, which is vital for maintaining operations, research and development and market expansion. Additionally, obtaining a convertible loan is typically faster than traditional venture capital, which often involves lengthy due diligence.
For investors, convertible loans reduce risk by initially structuring the investment as a loan with a fixed interest rate and maturity date. If the start-up succeeds and raises equity financing, the loan can convert into equity at predetermined terms, often with a discount on the share price. This potential for a discounted equity stake makes convertible loans an attractive option for investors.
The agreements governing convertible loans are typically simpler and less complex than traditional financing arrangements. They can be customised regarding interest rates, conversion discounts and repayment schedules, thereby reducing transaction costs. Key components of these agreements include loan terms, conversion mechanisms, investor rights and subordination clauses that set repayment priority in the event of insolvency.
Recent changes in Hungarian legislation have further facilitated the use of convertible loans, particularly for SMEs. As of 1 September 2023, the law allows for convertible loans without requiring supervisory approval from the National Bank of Hungary, provided certain conditions are met. This development is expected to strengthen Hungary's venture capital market by enabling more accessible funding options for start-ups.
In conclusion, convertible loans offer a strategic and flexible funding solution for start-ups, balancing the immediate need for capital with the complexities of early-stage valuation. As the venture capital landscape evolves, these loans are likely to remain a vital component of start-up financing, providing essential support for future growth.
Daniela Birnbauer, Attorney at Law, Austria, Vienna