In The Debrief, our Practice Leaders across CEE share updates on recent and upcoming legislation, consider the impact of recent court decisions, showcase landmark projects, and keep our readers apprised of the latest developments impacting their respective practice areas.
This House – Implemented Legislation
Highlighting updates in energy in North Macedonia, Law Firm Ana Kolevska Partner Ana Kolevska points out that “a new Energy Law has been in force since the end of May 2025. Entities licensed for energy activities were obliged to harmonize their licenses with the new law in a 30-day window, under the risk of losing their license.” According to her, “licensees were publicly and transparently notified of this obligation, besides being informed thereof directly by the independent regulatory body – the Energy Regulatory Commission (ERC). Following the expiration of the harmonization deadline, June 30, 2025, the licenses of entities that did not fulfill the obligation were terminated by force of law. To continue performing energy activities, these entities need to re-license. While harmonization within the legal term was free of charge and followed a simple procedure, re-licensing requires payment of a fee and submission of complete documentation.”
“According to data published by the ERC, 167 entities lost their licenses due to non-compliance, which represents around 15% of the total number of issued licenses across all energy segments, including electricity, gas, heat generation, trade, and supply,” Kolevska adds, noting that “most entities that failed to align are those whose primary business is not energy-related: mainly entities that installed electricity generation plants for self-consumption, while holding a license to trade surplus production.”
Kolevska believes that “given that the harmonization deadline is prescribed by law, despite pressure from non-compliant entities, it cannot be extended, except by amending the Energy Law.” Consequently, “the high number of license terminations highlights the need for greater awareness among entities, particularly those for whom energy is not a core business activity, regarding the legal obligations tied to holding an energy license. As demonstrated by the harmonization failure among licensees primarily engaged in other sectors, entering the energy market, even for limited purposes such as surplus electricity trading, entails compliance with strict regulatory requirements that cannot be overlooked.”
DLA Piper Hungary Partner Zoltan Kozma draws attention to the latest developments in cybersecurity laws in Hungary. “As of July 2025, Hungary remains actively engaged in implementing its new cybersecurity legislative framework, which transposes the EU’s NIS2 Directive into national law and lays down the detailed cybersecurity regulations,” he notes. “Recent amendments effective from July 19, 2025, have introduced specific penalties for non-compliance with audit-related obligations under the Cybersecurity Act. Among others, failure to conclude an agreement with a registered auditor within the statutory deadline, August 31, 2025, may result in fines ranging from HUF 1 million to HUF 15 million. Failure to conduct the cybersecurity audit within the statutory deadline, that is, June 30, 2026, may lead to a penalty of up to 2% of the organization’s previous year’s net revenue, capped at HUF 150 million.”
Nestor Nestor Diculescu Kingston Petersen Partner Anca Diaconu emphasizes recent amendments to the Romanian Competition Law, in force since June 26, 2025, that “adjust the treatment and related procedure of communications between companies and lawyers during inspections by the Competition Council (RCC).”
“Notably, the core principle remains unchanged: communications made exclusively for the exercise of the right of defense and connected to the object of the investigation may not be seized or used as evidence in RCC proceedings,” Diaconu notes. “This statutory option will continue to generate discussions as to its conformity with EU law. Specifically, in its Orde van Vlaamse Balies (Case C-694/20) ruling, the European Court of Justice clarified that Article 7 of the EU Charter of Fundamental Rights protects all forms of legal advice, not solely those linked to the exercise of the right of defense. This wider protection has been, and continues to be, absent under Romanian law.”
“As a point of novelty, the amended law now expressly authorizes RCC inspectors to conduct a summary examination of the document’s extrinsic elements, such as its general appearance, title, author, recipient, date, or even subject, to assess the validity of the claim,” Diaconu adds. “While this seemingly brings more company protection, the devil is always in the details. As the lines between purely extrinsic elements and communication on merits are often blurred in practice, one should expect this to be a contentious point during dawn raids.”
“Where, based on this assessment, the inspectors reach a definitive conclusion that legal privilege is not applicable, with a significant probability of lack of protected character, they are entitled to seal and seize the communication in duplicate,” Diaconu points out. “The document is then referred to the President of the RCC, who decides whether to accept or reject the privilege claim.”
Drakopoulos Senior Associate Sofia Angelakou stresses that in Greece, a new FDI screening mechanism has been enacted. “On May 23, 2025, Law 5202/2025 (Law 5202) came into effect, introducing Greece’s long-awaited foreign direct investment screening mechanism,” she notes. “The aim of this legal framework is to ensure alignment with EU law regarding the implementation of Regulation (EU) 2019/452, as well as to protect national security and public order by monitoring FDI in strategic sectors.”
“Law 5202 distinguishes between FDI in ‘sensitive’ sectors, such as energy, transport, health, information and communication technologies, and digital infrastructure, and ‘particularly sensitive’ sectors, such as defense and national security, cybersecurity, artificial intelligence, port infrastructure, critical undersea infrastructure, and tourism infrastructure in border areas,” Angelakou adds. “Different thresholds of participation trigger the screening mechanism established under Law 5202, depending on whether the target undertaking operates in ‘sensitive’ or ‘particularly sensitive’ sectors. As a general rule, FDI in ‘sensitive’ sectors is subject to screening when participation in the target undertaking exceeds 25%, whereas FDI in ‘particularly sensitive’ sectors is subject to screening when participation exceeds 10%. Law 5202 also sets out specific participation thresholds that would trigger the screening mechanism.”
“Foreign investors are required to comply with the provisions of Law 5202 and the relevant ministerial decisions, which are expected to be issued,” Angelakou says. “They must also notify the relevant authority of any intended FDI that falls within the scope of the screening mechanism.” According to her, “failure to notify an FDI that falls within the scope of Law 5202, or notification after completion, may result in the FDI being reversed or other mitigating measures being taken. Failure to submit information or submission of false information constitutes grounds for prohibiting the investment. Additionally, administrative sanctions may be imposed, with fines ranging from EUR 5,000 to EUR 100,000. In cases of serious non-compliance, fines may amount to double the value of the investment.”
This House – Reached an Accord
Rowan Legal Partner Jan Tomisek reports that the Czech Republic enacted a new cybersecurity act to implement NIS2. “On June 26, 2025, the Czech Republic adopted a new Cybersecurity Act, transposing the EU NIS2 Directive into national law,” he notes. “The legislation significantly broadens the scope of regulated entities, now covering companies across key sectors such as energy, healthcare, finance, digital infrastructure, and others.”
According to Tomisek, “the act introduces stricter cybersecurity obligations, including mandatory supply chain risk management, enhanced executive accountability, and robust incident reporting. It is expected to take effect in November 2025. Regulated entities will then have 60 days to identify the ‘regulated services’ they provide and notify the National Cyber and Information Security Agency. To comply, businesses must revise their cybersecurity frameworks – from assessing third-party risks to updating internal policies and delivering targeted training for staff and executives – to avoid penalties.”
Tomisek adds that “the act also reflects the NIS2 Directive’s exclusive jurisdiction regime for certain digital service providers, e.g., cloud services, online marketplaces, social platforms. However, this ‘one-stop-shop’ model does not apply automatically. Determining whether a provider falls under exclusive supervision by a single Member State requires careful assessment of how services are provided across jurisdictions, including operational and governance structures. A misjudgment could result in overlapping or missed obligations. The accompanying explanatory memorandum to the new Cybersecurity Act supports this risk-based approach, aiming to reduce duplicative oversight while ensuring appropriate accountability.”
This House – The Latest Draft
Kozma highlights that, in Hungary, “a new ministerial decree by the Minister of Energy is currently under public consultation. This forthcoming regulation will define the qualification, professional training, and continuing education requirements for individuals involved in cybersecurity under the Cybersecurity Act.” Notably, he says, “it will include specific provisions on the continuing education of persons responsible for the security of electronic information systems of in scope entities. The draft was published in May 2025 and is expected to be finalized and adopted in the near future.”
Peterka & Partners Partner Adela Krbcova draws attention to a recent draft bill on labor in the Czech Republic. “The Chamber of Deputies approved a bill proposal aiming to decrease the administrative burden of the employer,” she points out. “Instead of filing approximately 25 various forms, employers will newly file only one electronic notification monthly with data that will go to the Ministry of Labor and Social Affairs, the Ministry of Finance, the Social Security administration, the institute evaluating health, labor administrations, tax administrations, and the Czech Statistical Office. Unfortunately, health insurance companies were not included in the bill. If the bill is approved by the Senate and signed by the President, most obligations of the employer will be in force from April 2026.”
“As part of legislative changes to various acts related to the above bill, the new regime of employee stock ownership plans (ESOP regime) will apply too,” Krbcova notes. “This will allow employees to be offered a part of a business without being immediately taxed. The principle no tax before cash will apply, meaning that the taxation will take place only at the moment when an employee sells their shares or gains a real profit from them. No social security or health insurance contributions will be deducted from the new ESOPs. The effectiveness of the new regime is expected for 2026.”
Regulators Weigh In
Act Legal WMWP Partner Roman Hager looks at an increased regulatory oversight on “finfluencers” in Austria. “Finfluencers, as social media content creators who present financial topics, face a complex and evolving set of legal requirements in Austria,” he notes. “Their activities not only affect investor behavior but also fall squarely within the scope of Austrian and EU financial market regulation.”
“The Austrian Financial Market Authority (FMA) has established a dialogue with finfluencers, seeking to raise awareness of legal boundaries and encourage compliance,” Hager points out. “The authority is also reviewing whether regulatory frameworks sufficiently address finfluencers’ influence over retail investors and whether further adaptation is necessary. FMA applies the regulatory framework equally to social media as to traditional media. Core statutes include the Securities Supervision Act 2018 (WAG 2018), Banking Act, Media Act, E-Commerce Act, and the Unfair Competition Act. WAG 2018, which implements MiFID II, sets out strict obligations for investment advice and recommendations.”
“Finfluencers who violate licensing obligations risk administrative penalties and civil claims for damages,” Hager adds. “Administrative fines can apply under several statutes. Activities amounting to unlicensed investment services can also result in prohibition orders and reputational damage. One of the gravest regulatory risks is market manipulation, as defined by the Market Abuse Regulation and the Stock Exchange Act. Finfluencers who create artificial price movements, e.g., by spreading false or misleading information, promoting ‘pump and dump’ schemes, or concealing conflicts of interest, can trigger both administrative and criminal consequences.”
As for Turkiye, AECO Law Partner Cagri Cetinkaya reports that, “On July 1, 2025, the Turkish DPA issued a guideline decision addressing misleading practices in obtaining explicit consent via SMS.” He explains that “the Turkish DPA observed that in many cases, the SMS content and any prior communications did not include adequate disclosures regarding the data processing for marketing purposes. In such cases, data controllers obtained marketing consent during the SMS verification process without sufficient transparency, which the Turkish DPA considers misleading. Additionally, the decision reiterates that data subjects must not be required to give consent for marketing or other unrelated processing activities as a condition for receiving goods or services. Consent mechanisms must clearly indicate that refusal will not impact access to services.” Finally, Cetinkaya says that “the Turkish DPA emphasized that data controllers must implement regular training and awareness programs for employees involved, as well as proper internal controls.” According to him, “non-compliant practices may result in binding orders and administrative fines of up to approximately EUR 290,000.”
On a different note, Cetinkaya also highlights that the Turkish ICT Authority has published its 2024 annual report, “which includes key data from the National Cyber Incident Response Centre (USOM). According to the report, over 123,000 malicious URLs were identified and blocked as part of USOM’s operations in 2024. In addition, more than 15,000 cybersecurity notifications were sent to relevant institutions and organizations to ensure that necessary measures were taken.” According to him, “along with the recent Turkish Cybersecurity Law and increasing numbers of data breach notifications to the Turkish DPA, the findings in this report highlight the priority given to cybersecurity issues from the perspective of regulatory authorities and the legislator in Turkiye.”
Redcliffe Partners Partner Yuriy Terentyev looks at how competition is evolving within Ukraine’s public procurement system. “Mega-tenders across energy, logistics, and pharmaceuticals are shaping the market: modular gas power units, national-level logistics, and over UAH 14 billion in medical supplies have been procured through transparent e-platforms,” Terentyev explains. “Companies in sectors such as pharma, IT, and construction are taking a more strategic view of public tenders, as a means of market entry and long-term growth. At the same time, many businesses remain wary of dealing with public funds, fearing that even well-founded participation may attract unwanted attention from law enforcement or compliance bodies. This regulatory anxiety means many firms hesitate or lack the internal structure to compete confidently, reinforcing the importance of legal risk management from the outset.”
“The Antimonopoly Committee of Ukraine continues to act as the central review body for complaints,” Terentyev adds. “Its reasoning has grown more structured, especially in exclusion and discrimination cases.”
In Related News
Wolf Theiss Associate Oliwia Pecht emphasizes Poland’s pilot program that will explore models of reduced working time. “Announced by the Ministry of Labor, the initiative will run throughout 2026 and is open to employers who have been operating for at least 12 months and whose workforce consists of at least 75% employees hired under employment contracts,” she says. “Under the program, participating employers will be able to test various work time models, including shorter working weeks, reduced daily hours, or additional paid time off. To qualify, companies must involve at least 50% of their workforce and commit to maintaining a minimum of 90% of their initial employment level for the duration of the pilot. Crucially, employees’ pay and working conditions must not worsen during participation.”
“Employers selected for the program may receive public funding of up to PLN 1 million per project, with a cap of PLN 20,000 per employee,” Pecht adds. “The program is intended to demonstrate the potential benefits of reduced working time arrangements, such as improved employee well-being and productivity. Applications will be accepted between August 14 and September 15, 2025.”
Finally, CMS Sofia Managing Partner Kostadin Sirleshtov says that “in June 2025, Sofia, Bulgaria, became the capital of the conversation about the future of energy. For five days between June 16-20 2025 the Green Transition Forum 5.0 met more than 5,500 participants, 350 speakers from 32 countries, 40 panels, the partnership of more than 60 companies, 507 publications in 120 media outlets that reached more than 7 million people, the forum became a platform where institutions, businesses, academics and citizens did not just discuss Europe’s transformation, they articulated its direction.”
Sirleshtov adds that “on June 20, 2025, Bulgaria reached a point where, for several hours, all electricity consumed in the country was produced from its own photovoltaic capacities.” Furthermore, “in the first half of 2025, Bulgaria experienced a significant increase in both electricity production and exports.”
Additionally, “during the last month, the project for the construction of Units 7 and 8 of Kozloduy Nuclear Power Plant was given another boost by the huge Japanese delegation led by the Japanese Vice-Minister of Economy, Trade, and Industry Akiyoshi Kato,” Sirleshtov notes.
This article was originally published in Issue 12.6 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.
