- Home
- News & Insights
Search by
Latest
The European Cybersecurity Reform – Expanded overview
We are pleased to share our updated and extended overview and critical analysis of the European cybersecurity reform, Cybersecurity Act 2.0 (CSA2), now including additional jurisdictions. This overview examines one of the most significant proposed shifts in the EU’s digital regulatory framework since the adoption of the original Cybersecurity Act. It outlines the key elements of the European Commission’s proposal, including the expansion of ENISA’s mandate, the centralisation of certain cybersecurity competences at EU level, and a harmonised framework addressing “non-technical risks” linked to third-country suppliers. The analysis also highlights the potential impact of CSA2 on Member States’ sovereignty
Upcoming changes to Romanian cookie consent framework
Romania is taking a significant step towards bringing its cookie consent rules into line with the standards established under the General Data Protection Regulation (GDPR) and the guidance of the European Data Protection Board (EDPB). A legislative proposal currently under parliamentary review would introduce binding, prescriptive requirements governing the design and operation of cookie consent mechanisms – requirements that will have direct practical consequences for any organisation operating a website or digital service accessible from Romania. The domestic legal framework on cookies is primarily governed by Law No. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications
The European Cybersecurity Reform
We are pleased to share our latest overview and critical analysis of the European cybersecurity reform, Cybersecurity Act 2.0 (CSA2). This overview examines one of the most significant proposed shifts in the EU’s digital regulatory framework since the adoption of the original Cybersecurity Act. It outlines the key elements of the European Commission’s proposal, including the expansion of ENISA’s mandate, the centralisation of certain cybersecurity competences at EU level, and a harmonised framework addressing “non-technical risks” linked to third-country suppliers. The analysis also highlights the potential impact of CSA2 on Member States’ sovereignty, public procurement, certification schemes, and the
Transparency back in the spotlight: Revisiting GDPR awareness
In an increasingly digital and complex data environment, the GDPR continues to play a central role for organisations, even eight years after taking effect. Transparency is once again in the spotlight, with data protection authorities and EU regulatory bodies reinforcing that compliance goes beyond simply informing data subjects, and that organisations are expected to ensure transparency by design and by default. 1. Coordinated enforcement framework On 19 March, the European Data Protection Board (EDPB) launched its Coordinated Enforcement Framework action for 2026. Following the 2025 coordinated action on the right to erasure, this year’s initiative focuses on compliance with transparency and information obligations
2026 Cybersecurity Countdown: New requirements are coming
The Cyber Resilience Act (Regulation EU 2024/2847 – CRA) entered into force on 10 December 2024 and introduces a comprehensive cybersecurity framework for products with digital elements placed on the EU market. The Regulation aims to address the insufficient level of cybersecurity in many digital products and the lack of timely security updates provided throughout their lifecycle. Which products are in scope? The CRA applies to “products with digital elements”, defined as software or hardware products, including their respective remote data processing solutions that can be directly or indirectly connected to a device or a network. Consequently, the CRA applies to both connected hardware products (e.g., smartphones
Europe recalibrates: AI copyright and GDPR scope under pressure
Two parallel developments suggest that Europe is drawing clearer boundaries around both AI ownership and data protection. One comes from the Council and the other from a German court, and both signal a more cautious approach toward redefining legal fundamentals in the name of innovation or administrative simplification. 1. Digital omnibus leak: Member States cut the core of the proposed GDPR reform A leaked Council compromise draft removes entirely the proposed redefinition of “personal data” under the GDPR, and that alone underscores how controversial the Digital Omnibus has become. What happened? In November 2025, the European Commission launched the Digital Omnibus, with one of its central ambitions
The Czech Cybersecurity Authority calls upon entities to notify their regulated services
On Monday, 9 February 2026, the Czech National Cyber and Information Security Agency (“Czech Cybersecurity Authority”) issued and dispatched more than 4,800 administrative decisions designating providers of regulated services pursuant to the newly enacted Czech Cybersecurity Act. The expected number of regulated entities, however, exceeds 6,000. In its press release of 11 February 2026, the Czech Cybersecurity Authority called on entities that had not yet done so to submit their notification of regulated services as soon as possible to avoid potential sanctions. Background The new Cybersecurity Act, which transposes the NIS2 Directive into Czech law, came into effect
Europe’s AI rulebook is taking shape, but the technology is not waiting
Artificial intelligence is entering a decisive phase in Europe. Despite the EU’s ambitious AI Act framework, key guidance remains pending while enforcement scrutiny intensifies and AI adoption accelerates. 1. EU AI Act: a strict framework struggling to keep pace While Europe’s ambition to regulate AI is unquestioned, recent developments signal that the legal framework is struggling to keep pace with both the rapid evolution of the technology and its own aspirations. 1.1. Missed Guidance and Growing Uncertainty The European Commission missed a key deadline on 2 February, when it failed to publish a comprehensive list of use cases to help businesses distinguish between high-risk and non-high-risk
Bulgaria’s long road to NIS2 is over
Across most of the European Union, the NIS2 Directive has already become operational reality. Bulgaria’s path to transposition, however, has been materially delayed. The Cybersecurity Act amendments intended to implement the NIS2 Directive were first submitted to the Parliament in September 2024, passed at first reading in February 2025 and reached final adoption in February 2026, with the new framework entering into force on 17 February 2026. This delay has consequences that go beyond the mere legal uncertainty. While Bulgaria was still preparing its implementation framework, in January 2026 the European Commission proposed a new EU cybersecurity package, including amendments to the NIS2 Directive and a draft Regulation
The year of digitalisation and AI in Kazakhstan: New regulations
On 6 January 2026, the President of the Republic of Kazakhstan signed a Decree declaring 2026 the Year of Digitalization and Artificial Intelligence. At present, the legislative framework in this area is actively being developed. For instance, a unified conceptual document on the development of digitalisation and artificial intelligence, Digital Qazaqstan, in which all initiatives and projects will be combined into a nationwide strategy is currently being developed. The Law on Artificial Intelligence No. 230-VIII entered into force on 18 January 2025 (the "Law"), and the Digital Code of the Republic of Kazakhstan will take effect on 11 July 2026. There is also ongoing work to align existing legislative acts with the Digital
Protecting children in the digital space
The protection of children in the digital environment has become one of the most important regulatory topics worldwide. While this area is currently addressed primarily through broad regulatory frameworks (e.g., the GDPR and DSA), combined with parental oversight and voluntary platform policies, governments are now reassessing how digital services, platforms, and technologies affect minors. Importantly, the digital protection of minors is no longer confined to social networks. It now extends to gaming platforms, online monetisation models, algorithmic design, and AI-driven services, reflecting the reality of how children interact with today’s digital ecosystem. Global regulatory developments We see a growth
Kinstellar advises Entez on the acquisition of Superpont, a leading Romanian iGaming affiliate
Kinstellar has recently provided legal assistance to Entez, a prominent iGaming affiliate company based in Riga, Latvia, on the acquisition of Superpont CT, a Romanian sports and casino affiliate. Entez is a highly regarded entity within the iGaming sector, renowned for its strategic role in connecting some of the world's leading gambling operators. Established in 2018 and headquartered in Riga, Latvia, Entez has experienced sustained growth and expanded its operations across multiple European markets. Notably, Entez has cultivated a robust presence in the Baltic region, where it has gained significant market traction. As part of its ongoing expansion strategy, Entez remains committed to exploring further growth opportunities