- Home
- News & Insights
Search by
Latest
New pressure, new delays: the EU’s double move on AI
Europe has just introduced two significant developments that will directly affect how companies build, deploy, and oversee AI in 2026. One strengthens reporting. The other reshapes key compliance deadlines. 1. The AI act whistleblower tool is live—and it changes the game The EU’s new AI Act Whistleblower Tool is officially online, allowing any individual professionally connected to an AI model provider to flag risky or unlawful practices linked to general-purpose AI models and certain regulated AI systems. Reports can be submitted anonymously, in any EU language together with supporting documents via a secure inbox that also supports follow-up questions. While the AI Office will maintain strict
ISS & Glass Lewis – The end of standardised proxy voting recommendations?
For years, proxy advisors Institutional Shareholder Services (“ISS”) and Glass Lewis & Co. (“Glass Lewis”) have shaped voting behaviour at annual general meetings (“AGMs”) of publicly listed companies, including in Austria, through their uniform “benchmark” voting recommendations. This approach, it appears, will soon be history. What’s new Beginning in 2027, Glass Lewis will discontinue its long-standing practice of issuing single, default “benchmark” voting recommendations and instead collaborate with institutional clients to create fully customised voting policies supported by company-specific research reports ahead of AGMs. Glass Lewis aims to have all clients transitioned
NIS2 and the New Serbian Law on Information Security
The Republic of Serbia has adopted a new Law on Information Security (Zakon o informacionoj bezbednosti) (“Serbian NIS2”), marking a significant reform of the national cybersecurity framework and alignment with the EU NIS2 Directive. The Serbian NIS2 broadens the range of regulated entities, strengthens institutional coordination, and introduces clearer obligations for organisations operating ICT systems of special importance. Secondary legislation is expected in 2025–2026, and the previous law remains partially applicable until the end of 2025 to secure continuity during the transition period. This article provides an overview of the key novelties introduced by the Serbian NIS2, together with an outline of the
Bulgaria completes Digital Services Act implementation
Nearly two years after the Digital Services Act (“DSA”) became applicable across the EU and amidst discussions on the “Digital Omnibus” simplification package announced by the European Commission, Bulgaria has finally aligned its national framework with DSA provisions. On 6 November 2025, the Bulgarian parliament adopted amendments to the Electronic Communications Act (“ECA”), confirming the designation of the Communications Regulation Commission (“CRC”) as the Digital Services Coordinator, vesting it with supervisory powers and the authority to certify out-of-court dispute settlement bodies and award trusted flagger and vetted researcher status, while also introducing comprehensive enforcement architecture.
GDPR x AI: When privacy meets machine intelligence
As Europe moves ahead with the AI Act, the European Commission has made clear that there will be “no stop the clock, no grace period, and no pause”, despite calls from major tech players such as Google, Meta, Mistral, and ASML to delay implementation. The timeline remains firm: core provisions apply from February 2025, general-purpose model rules from August 2025, and high-risk AI obligations from August 2026. The message is clear: the Commission intends to keep its ambitious AI timeline on track, while it looks to streamline other digital obligations for companies. Against this backdrop, the GDPR may also be entering a new chapter. Nearly seven years after its adoption, a leaked draft of the Digital Omnibus package
Notification obligation under the Austrian Investment Control Act (Investitionskontrollgesetz) for data centre investments in Austria
Increasing digitalisation, the market growth of cryptocurrencies, and the growing importance and use of AI are among the reasons that have led to an increasing demand for data centres and a growing interest in investments in this asset class in recent years. In addition to numerous other challenges associated with the acquisition and/or development of data centres, such as, in particular – (i) the search for a suitable location, for which the most important criteria are power supply and network infrastructure, as well as zoning and building regulations; (ii) obtaining the necessary public law approvals, whereby in addition to building and operating permits, also nature and water law approvals, as well as the conclusion
AI awareness: Safeguarding your brand in an era of AI-generated content
The way we consume information is changing at an incredible pace, and we wanted to share a quick insight into a shift that may have real implications for your business. Recently, several clients have reached out to us with concerns about articles that are evidently AI-generated, potentially damaging their brand image and reputation. Unfortunately, this isn't an isolated issue, but it is part of a larger shift in the digital landscape. For the first time, more than half of all the visual and text-based content on the internet is now AI-generated. This means that the data your company relies on and the data it feeds into AI carries significant risks, demanding proactive strategies to remain compliant. What
Brace for AI impact: From hype to risk – is your company ready?
In 2022, we were writing about the promising but at the time still hypothetical impact of generative AI on HR—from recruitment and performance reviews to promotion decisions—as well as the potential implication of the then-proposed EU AI Regulation (AI Act). Today, generative AI is no longer a future ambition. Multinational companies are rapidly deploying AI tools into daily business operations: from content creation and data analytics to automated decision-making. What was once a speculative legal concern has become a tangible compliance challenge, with the AI Act published in 2024 and its full application expected by August 2026. As we move towards 2026, the real question is not whether to use AI, but whether
Updates on NIS2 in Romania
Following up on our initial article regarding the transposition of the NIS2 Directive (EU) 2022/2555 (“NIS2”) in Romania via Government Emergency Ordinance no. 155/30.12.2024 (“GEO 155”), we would like to inform you of the following relevant evolutions in this area as of today, 20 August 2025: The Romanian National Directorate for Cybersecurity ("DNSC”) has issued the long awaited application norms for registering with DNSC as important or essential entity. DNSC Order no. 1/2025 was published in the Official Gazette of Romania on 20 August 2025. As of publication, in-scope entities have 30 days at their disposal to register with DNSC. Registration should primarily be done using the online
Navigating NIS 2: How businesses can achieve cybersecurity compliance across the EU
The NIS 2 Directive is the European Union’s cybersecurity framework that requires considerable efforts by companies in sectors like energy, transportation, life sciences and digital infrastructure to establish the required compliance. The directive mandates that the companies within the scope of NIS 2 implement a large number of technical and organizational measures to manage cybersecurity risks and puts cybersecurity as a top management responsibility. EU Member States must transpose the NIS 2 Directive into their national acts of law. Although a number Member States are delayed in this legislative process, other jurisdictions are already well past requiring registration and implementation of cybersecurity risk management.
Open banking: Ukraine enters new stage of payments market digital transformation
The National Bank of Ukraine (NBU) enacted a series of regulations on 1 August 2025 that establish an open banking system in Ukraine and significantly improve the regulatory environment for modern fintech services. The new legal framework sets out clear legal standards for secure data sharing, API-based payment services, and third-party access to user accounts — all aligned with the EU’s PSD2 Directive. The reforms are important step in the digital transformation of Ukraine’s financial services market. Click on one of the images below or use the following links to read our overview in English or in Ukrainian. Download in English: Download in Ukrainian:
The automotive industry is rapidly transforming through digital technologies
This shift introduces complex legal and compliance challenges under EU law, particularly around data collection, processing, and sharing. Key frameworks such as the GDPR and ePrivacy Directive govern issues like user consent, data transparency, access, and deletion. Manufacturers must embed privacy by design and strengthen cybersecurity. How does the GDPR impact data collection in infotainment systems? Infotainment, telematics, and autonomous features gather vast user data - raising critical questions of control, purpose, and protection. The Data Act grants users broader rights to access and share vehicle data, while public safety tools like eCall must still ensure compliance with data