Digital transformation – Is your company prepared for the new EU laws?

In order to shape Europe's digital future, the European Commission has prepared and enacted a large number of legal regulations that form the legal framework for the digital transformation. They will have far-reaching effects on everyday business life. As a prelude to our series 'Digital Transformation', we would like to give you an overview of the most important innovations and then provide you with more detailed information on the individual topics in the coming weeks. Please feel free to contact us.

European Data Act

The Data Act was enacted on 11 January 2024 and will come into force in September 2025.

The new rules establish a right of access to industrial data and regulate its use and exchange. Manufacturers of networked products ('Internet of Things', e.g. machines, sensors, components, household appliances or vehicles) are obliged to share the data these products generate with users (companies or consumers), authorities and also third parties (data sharing). The rules affect manufacturers and data holders as well as users of networked devices and providers of data processing services.

Networked products must be designed according to the requirements of the Data Act ('Access by Design'). The law also requires data owners to make the data available on an ongoing basis. This will have far-reaching implications for sensitive data and trade secrets of companies, which must be adequately protected. Conversely, access to third-party data can incentivize data-driven innovation.

In addition, data licensing agreements are required with all users in order to be able to use generated data in future.

In the future, data owners will no longer be free to use and share data without restriction.

You should prepare and implement the complex contractual and technical requirements as early as possible. It’s best to do it now!

European Artificial Intelligence Regulation (AI Act)

The possibilities of using artificial intelligence ('AI') are constantly increasing and leading to serious changes in everyday working life. The EU Commission has developed a regulatory framework that enables the use of AI, but at the same time sets limits to it. As things stand at present, the regulation is to come into force in mid-2024. After a transitional period of 24 months, it would then apply throughout Europe. It affects all manufacturers and users of AI (image, speech and text recognition, HR systems, smart home, autonomous driving, industrial applications, connected devices).

The regulation distinguishes between four risk classes for AI applications. 

There are separate rules for each risk class, which even go as far as prohibiting its use. In any case, a mandatory quality and risk management system as well as detailed transparency obligations are envisaged. A data protection impact assessment is also likely to become mandatory. Both manufacturers and users of AI systems should consider the legal requirements at an early stage and make preparations both internally (integrated company policy, works agreement) and externally (classification and documentation). We would recommend dealing with the AI Act now in order to bring the current use of digital systems in line with the new regulations.

At the same time, a new European AI Office will be set up to oversee enforcement of the new rules on AI models. Like the GDPR, the AI Act also provides for draconian penalties in the event of a violation.

Digital Services Act

The Digital Services Act aims to create a safer digital space for users of online services and aims in particular to combat illegal content. The Digital Services Act has already entered into force and has been applicable to digital service providers since February 2024.

Online intermediaries and platforms, such as online marketplaces, social networks, app stores and online travel platforms, are obliged to detect, flag and remove illegal content.

Digital Markets Act

The Digital Markets Act, which came into force on 1 November 2022, is intended to ensure that access to and conditions in digital markets are fair and on equal terms and that companies that control market access ('gatekeepers', e.g. Google, Apple, Microsoft, Meta) do not use their position to disadvantage third parties.

General Data Protection Regulation (GDPR)

Many companies have now implemented the requirements of the GDPR, which came into force in 2018, and integrated them into their everyday business. In light of the new EU laws, various decisions of the EU Commission and new judgements, a review and revision of internal processes is to be recommended. The GDPR will continue to play an important role in digitalization. It’s best if all requirements have already been implemented.

Cyber Resilience Act

The EU Commission's proposal for a regulation on cybersecurity requirements for products with digital elements is intended to ensure the security of products that can be connected to each other or to the Internet ('security by design') and includes numerous obligations for manufacturers and importers. As things stand at present, the Act is to be adopted in 2024 and will enter into force after a transitional period of 36 months.

AMLA – The European Money Laundering Authority comes to Frankfurt

FRANKFURT – On 22 February 2024, the representatives of the Council and the European Parliament decided that the seat of the future European Anti-Money Laundering Authority (AMLA) will be in Frankfurt am Main.

The AMLA, a new EU-wide authority with responsibilities around money laundering compliance and financial sanctions monitoring, will significantly change the way money laundering and sanctions laws are enforced within the EU. Therefore, a review of existing policies and processes in the area of money laundering prevention should be undertaken immediately.

1. Introduction and subject matter

The Anti-Money Laundering Authority, which the European Parliament and the European Council agreed to establish on 13 December 2023, is expected to take up its activities in Frankfurt am Main in mid-2025. Its main tasks will be as follows:

(1) Direct supervision of anti-money laundering compliance for certain European banks and other high-risk financial service providers, including crypto-asset service providers.
(2) Ensuring compliance with financial sanctions.
(3) Indirect supervision of other obliged entities. While these entities are primarily supervised by national regulators, the AMLA will mediate disputes between national regulators and may assume supervision in exceptional circumstances.
(4) Coordination of Member States' efforts to combat money laundering and terrorist financing in the non-financial sector.

The AMLA will directly supervise certain European banks and other financial service providers that operate across borders or are considered 'high-risk'. A total of up to 40 organisations will be included in the initial selection process in Germany, and around 200 companies across Europe. This direct supervision will be carried out by joint supervisory teams under the direction of the AMLA, which will carry out assessments and inspections. The list of companies designated for supervision or inspection will be reviewed every three years.

As part of the AMLA’s direct supervisory powers, the AMLA will ensure that these selected obliged entities have appropriate internal policies and procedures in place to ensure the implementation of targeted financial sanctions, such as asset freezes and asset seizures.

The AMLA will also have certain enforcement powers. In the event of serious, systematic or repeated violations of directly applicable requirements, the AMLA will be able to impose financial sanctions on the selected obliged entities.

For obliged entities in the financial sector that are not designated as 'selected obliged entities', money laundering supervision will mainly remain unchanged at national level.

In relation to the non-financial sector, the AMLA will provide support by conducting inspections and investigating possible breaches in the application of money laundering prevention rules. In doing so, it will be able to issue non-binding recommendations.
The AMLA will also coordinate the national financial intelligence units that investigate suspected violations of money laundering regulations.

The AMLA will mediate and settle disputes between national supervisory authorities and may also take over the supervision of a financial undertaking in exceptional circumstances or in the event of certain breaches of EU law.

2. Procedure for supervision until the AMLA commences its activities

Even before it was clear that the AMLA was coming to Frankfurt, we had already seen a significant increase in the focus of the German Federal Financial Supervisory Authority (BaFin) on auditing our clients in the area of money laundering prevention. In its report 'Risks in Focus for 2024', BaFin emphasises that it continues to classify the risk of being misused for money laundering, terrorist financing or other financial crimes in Germany as 'high' for the more than 8,700 obliged entities under the German Money Laundering Act (GWG).

In 2022, a total of 337,186 suspected money laundering reports were received by the Financial Intelligence Unit (FIU). Of these, a total of 326,123 originated from the financial sector from financial market participants such as credit and financial services institutions.

International financial transactions, for example in the export sector, are a particular contributor to the risk of money laundering. Fast-growing companies are also exposed to particular money laundering risks. Last but not least, crypto assets open up unprecedented opportunities for criminal activities.

BaFin's warnings about failures by some institutions in the area of money laundering prevention, and the fines it imposes for them (most recently €6.5 million), are increasing significantly in both number and severity.

It is noticeable that the market is still reluctant to invest in money laundering prevention and to initiate the necessary projects and measures.

3. Direct recommendations

Against this background, we strongly recommend that you scrutinise your existing guidelines and processes in the area of money laundering prevention. Our experience has shown that there is considerable potential for improvement in order to prevent BaFin sanctions, while at the same time streamlining internal processes and thus increasing their efficiency.

In BaFin’s opinion, some business models, such as payment agents, third-party acquiring, white labelling, loan fronting and trading in crypto assets, are particularly vulnerable. If you are active in these areas and have not been subject to a special audit by BaFin in recent years, this recommendation is all the more urgent.

Feel free to contact us! We are not only very experienced in scrutinising your existing guidelines and processes, identifying and implementing potential for improvement, but are also happy to assist you with projects or (special) audits by the supervisory authority. We can also act as an outsourced money laundering officer for you.

4. Outlook

There is still some uncertainty as to whether the European Public Prosecutor's Office, an 'ad hoc sanctions authority' or the AMLA should be given a role in enforcing sanctions for breaches of anti-money laundering rules or sanctions imposed. While Members of the European Parliament have repeatedly pushed for 'substantial developments' in sanctions enforcement, the European Commission and Member States have generally resisted any serious change. In particular, Member States have endeavoured to keep the enforcement of sanctions entirely within their competence.
Although the AMLA will only start its work once all political issues have been resolved, the industry needs to be aware of the upcoming changes in the monitoring and enforcement of money laundering and financial sanctions and prepare accordingly.

The Hungarian ESG Act has arrived

Due to the holiday season and the flood of legislation at the end of the year, an important new milestone in the ESG field did not receive much publicity, even though Act CVIII of 2023, the ESG Act, the first comprehensive Hungarian regulation in the field, entered into force as of January 1, 2024. The field, which until now has mostly been covered by EU sources of law and a single Hungarian law, has finally ceased to be a stepchild and has been given its first comprehensive and unified law, which the legislator itself named the ESG Act.

What is ESG?

ESG has been a hot topic for years, but to begin with it is worth noting that ESG is an acronym formed from the initials of three areas: environmental, social and governance.

These are the aspects that have so far been addressed in a fragmented way and imposed mostly on the largest companies by EU legislation (e.g. the Taxonomy Regulation, the CSRD Directive) and by domestic legislation (e.g. the Accounting Act, Act LXVII of 2019), so that they take these aspects and sustainability issues into account in their operations and investments.

Until now, there has been no single Hungarian ESG regulation, but the duties and obligations of the companies concerned had to be selected from the EU and national legal sources that entered into force at different times – emphasises Dr. Péter Weidinger, LL.M., partner of act Bán & Partners.

Scope of the ESG Act

The new single regulation, which is called Act No CVIII of 2023 on the rules of corporate social responsibility, taking into account environmental, social and societal aspects, and amending other related acts, in order to promote sustainable financing and unified corporate responsibility, is therefore a step forward from a regulatory and enforcement perspective. This is particularly true if we consider that the ESG Act contains rules applicable not only to the companies concerned but also to the public regulators/authorities and to the ESG market players.

The ESG Act applies mainly to large companies with a balance sheet total of more than HUF 10 000 million, an annual net turnover of more than HUF 20 000 million and more than 250 or 500 employees. According to the ESG Act, at least two of the previous annual figures of a large enterprise must exceed the above thresholds set out in the Act in order to be covered by the Act.

Small and medium-sized enterprises that qualify as a public interest entity are also subject to the law, regardless of the above thresholds, i.e. not only giant companies should get acquainted with the new ESG Act, notes Dr. Péter Weidinger, LL.M., expert at act Bán & Partners. Such a public interest SME is a company whose transferable securities are admitted to trading on a regulated market in a state of the European Economic Area. In other words, Hungarian-based companies listed on an EEA stock exchange already fall into this category and are subject to the new rules.

However, due to its comprehensive nature, the scope of the Act extends not only to these companies, but also to service providers in the ESG market, i.e. ESG certifiers and ESG qualifiers, and also to companies producing and distributing ESG software.

Obligations of the companies

The law has created a number of obligations for companies subject to the ESG Act, the breach of which can result in fines of up to millions of forints. However, the good news for the companies concerned is that not all of these obligations will be required from 2024 and fines for non-compliance with ESG reporting obligations will only be imposed from January 1, 2026.

The most important obligation for companies, which is reflected in principle in the ESG Act, is to assess and manage the social and environmental impacts of their operations and to prevent, minimise or eliminate social or environmental risks.

The most tangible obligation is that the companies concerned will be required to prepare and publish ESG reports on an annual basis (phased in by stakeholder group). The first stakeholder group will have to prepare ESG reports for the first time in 2025 for the financial year 2024, and the last stakeholder group will have to prepare them in 2027 for the financial year 2026. The ESG report should be made publicly available free of charge on the company's website and should include, among other things, a description of the company's sustainability due diligence process, the social responsibility and environmental risks identified by the company, and the measures taken by the company and the company's objectives.

Other obligations include setting up a risk management system, carrying out regular risk analyses, or reporting ESG data. It is important to underline that it is not enough for companies to look in-house, but that they also need to look at the whole supply chain, as well as the activities of direct suppliers and subsidiaries. This can ultimately lead to a company being obliged to suspend or, in the worst case, terminate its business relationship with a direct supplier that persistently breaches its environmental obligations, emphasises Dr. Péter Weidinger, LL.M., partner at act Bán & Partners.

It is worth pointing out that companies should also ensure that they have an internal or external complaints system in place to enable anyone to report the company’s social responsibility (“CSR”) and environmental risks and breaches of CSR or environmental obligations arising from the economic activities of the company, its subsidiaries or its direct suppliers. It is important to note that a company may also use its internal whistleblowing system, established under the Hungarian Whistleblowing Act transposing the EU Whistleblowing Directive, as such a complaint handling forum.

State actors

The ESG Act also regulates the role of the state in ESG. The Minister responsible for this area will be the Minister responsible for economic development, who will establish and operate the National ESG Council. The members of the Council will be delegates from several ministries and economic actors (e.g. the Hungarian Chamber of Commerce and Industry), while the Council will be chaired by the Minister.

The tasks of the authority will be carried out by the Authority for the Supervision of Regulated Activities (“SZTFH”). This is the authority that, among other things, supervises gambling, tobacco and bailiffs and liquidators. It will also maintain the records required by law, e.g. on ESG reporting companies, ESG certifiers and ESG qualifiers.

The SZTFH has also been given strong powers of control and sanction, as it has the right to enter the premises, buildings and other facilities of the company during its inspections, and can also inspect and make copies of documents. And anyone who obstructs the inspections of the SZTFH can face fines of up to millions of forints.

SZTFH will also be the operator of the electronic platform for the preparation and submission of the ESG report, the ESG management platform.

Additional rules

The attention of practitioners should also be drawn to the changes of the Accounting Act and the Auditing Act, which also entered into force as of January 1, 2024. Of particular importance is the new chapter of the Accounting Act on Sustainability Reporting, which will also become an indispensable point of Hungarian ESG regulation.

Since the ESG Act is a framework regulation, the specific details will be laid down in government decrees, ministerial orders and decrees of the President of the SZTFH. These will therefore complete the Hungarian ESG regulation, but in the meantime it is worthwhile for affected companies to prepare for ESG-compliant operation and implementation of the ESG Act rules, concludes Dr. Péter Weidinger, LL.M., partner of act Bán & Partners.

Fake environmental awareness, or the “green washing” phenomenon – according to the Hungarian Competition Authority

Today, more and more companies are trying to convince consumers with the pretence of a sustainable future and environmental awareness. However, in many cases, there is no real responsibility behind such marketing activities, which are simply intended as an effective advertising ploy to make green claims.

The Hungarian Competition Authority (“GVH”) has analysed the impact of green marketing claims on consumers’ purchasing behaviour in several studies. The market analysis has shown that consumers’ behaviour is strongly influenced by green claims on the packaging, which have an impact on purchase intentions, despite the fact that consumers are often unaware of the exact meaning of the green claims. Businesses should be vigilant about the materials they use to promote sustainability, as misleading advertising or information can easily be considered unlawful. In response to this problem, the GVH has issued recommendations to businesses to ensure that green washing is discouraged and that consumers receive truthful information about a product or service – emphasises Dr. Lili Horváth, expert at act Bán & Partners.

Information on products and services

According to the GVH, a common problem with product labelling is that consumers do not understand why a product is considered environmentally friendly. Generalised, vague claims are common, such as “environmentally friendly product”, “renewable packaging” or “environmentally responsible choice”. Such claims do not make it clear to the consumer what criteria or characteristics qualify a product as “green”.

The GVH advises businesses to be clear and specific. It must be clear which aspect of the product the claim refers to, whether it is about the product itself, the packaging or perhaps its manufacture or the delivery. Clarity also means that the language used must be understandable to the average consumer, because without clear information the consumer cannot make an informed decision. Nor should a business use claims that hide the real impact of a product or service on the environment by highlighting a single characteristic. It is a common practice for companies to highlight the positive environmental impact of the product packaging without mentioning that it is negligible in relation to the environmental damage caused by the production and processing of the materials.

A business should only make claims that are true, accurate and easy to verify. Practices where information is not available to consumers in Hungarian are highly objectionable, as is the practice where the information can only be found after significant research and multiple click-throughs.

It is considered bad practice for a company to emphasise legal compliance as a distinguishing advantage over identical or similar products of other companies, when it is required for all products by manufacturers in the sector. Marketing materials that highlight environmental performance relative to the company’s past performance can also be misleading, because if a company has not paid attention to this, achieving a significant improvement is not a real challenge for the company.

Comparative advertising

In the field of comparative advertising, the GVH considers it fundamental that the claims are objective, relevant and verifiable. Vague and intangible statements should be avoided, and clear, concrete and quantified claims should be made; for example, it is worth expressing as a percentage how much less harmful substance a company uses than another company producing a comparable product. It should be borne in mind that a company claiming to be the "greenest" or "most environmentally friendly" is also making a comparative claim. The company must be able to prove the veracity of the claim in relation to all relevant products on the market for the entire period of the advertisement.

What do the certification labels certify?

In particular, the GVH also highlighted the importance of ensuring that the qualities certified by the certification labels on the product can be easily checked by consumers and that the advertising message communicated through the label does not go beyond what the label actually certifies.

Environmentally conscious promises

Companies should also be wary of making brand-building statements about their future activities. The companies should only make commitments that they are able to deliver in the foreseeable future, that are realistic and that consumers can follow. It is not advisable to make commitments that the company is already delivering, as this does not represent a real change, requires no effort and misleads the consumers.

Businesses need to be aware that not only specific environmental or sustainability claims can be considered green marketing, but also implicit signals such as the green colour, the visual placement of flowers or a globe, or even specific sound effects. Companies need to be aware of the overall effect, and should not imply that a product is environmentally friendly, even by implicit signals, if it is not, concludes Dr. Lili Horváth, expert at act Bán & Partners.

DORA is coming – early implementation is advisable

With the Digital Operational Resilience Act ('DORA' for short), the European Union has created a regulation on cyber security, ICT risks and digital operational resilience for almost all supervised financial institutions. As this regulation is intended to address the digital transformation and the increasing dangers posed by cyber threats, we strongly advise companies to start implementing it at an early stage. But what exactly is it about?

I. Introduction and subject matter

1. Introduction and implementation effort

Against the background of the very contract- and IT-heavy regulatory content, a considerable implementation period is to be expected. IT projects must be implemented in accordance with the Banking Supervisory Requirements for IT ('BAIT'); it remains to be seen whether DORA will replace or completely overhaul these, but this does not remove the need to implement their (current) requirements. Furthermore, financial institutions are likely to have numerous internal guidelines that must be observed during implementation. Negotiations with information and communication technology ('ICT') service providers are also likely to take a considerable amount of time, as not only the financial institutions but also their ICT service providers will have to adapt to the DORA changes.

We therefore strongly recommend starting the implementation process at an early stage and not only involving the IT and compliance departments, but also seeking internal and external regulatory advice.

2. Further legal acts

DORA is flanked by numerous other legal acts:

  1. EU Directive 2022/2556 amending Directives 2009/65/EC, 2009/138/EC, 2011/61/EU, 2013/36/EU, 2014/59/EU, 2014/65/EU, (EU) 2015/2366 and (EU) 2016/2341 as regards digital operational resilience in the financial sector of 14 December 2022 
  2. EU Directive 2022/2555 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148 (NIS 2 Directive) of 14 December 2022 
  3. EU Directive 2022/2557 on the resilience of critical facilities and repealing Council Directive 2008/114/EC of 14 December 2022
  4. Drafts of RTS, ITS, guidelines, etc., which (in some cases) still need to be finalised and implemented.

3. Regulatory content, focal points

All legal acts deal with regulations on the digital operational resilience of financial organisations. This refers to the ability to keep all information and communication technologies ('ICT') used by a financial organisation operational and to protect them from attacks. DORA aims to strengthen the digital operational resilience of the entire European financial sector in these six key areas:

  1. ICT risk management;
  2. Reporting of ICT incidents and significant cyber threats: reporting of serious ICT-related incidents and, on a voluntary basis, of significant cyber threats to the competent authorities, as well as reporting of serious payment-related operational or security incidents by certain listed financial organisations to the competent authorities;
  3. Testing of digital operational resilience, including threat-led penetration testing (TLPT);
  4. Measures for the sound management of ICT third-party risk, including requirements in relation to contractual agreements between ICT third-party service providers and financial organisations;
  5. Rules on the establishment and implementation of the monitoring framework for critical ICT third-party service providers in the provision of services to financial organisations;
  6. Sharing of information and intelligence on cyber threats and vulnerabilities, cyber crisis and emergency exercises, and in particular rules on cooperation between competent authorities and rules on the supervision and enforcement by competent authorities of all matters covered by the Regulation.

II. Timetable and consultations

The implementation of DORA is subject to an ambitious timetable for the implementation of EU Directives 2022/2555 and 2022/2557 (by 18 October 2024) and 2022/2556 (by 17 January 2025). Implementation in Germany is essentially carried out by the Financial Market Digitisation Act (FinmadiG). The FinmadiG aims to transpose the European Markets in Crypto-Assets ('MiCA') Regulation, the revised version of the EU Funds Transfer Regulation and the DORA package into national law. The BMF published the draft bill for the FinmadiG on 23 October 2023.

1. Timetable

2. Completed consultations

The joint consultation of the ESAs on the first tranche of the regulatory and implementing technical standards for DORA, held from 19 June 2023 to 11 September 2023, contains the following drafts:

  1. Consultation on RTS on ICT risk management framework (Art. 15) and RTS on simplified ICT risk management (Art. 16)
  2. Consultation on RTS on criteria for the classification of ICT-related incidents (Art. 18.3)
  3. Consultation on ITS to establish the templates for the register of information (Art. 28.9)
  4. Consultation on RTS to specify the policy on ICT services performed by ICT third-party service providers (Art. 28.10)
  5. The public consultation for the opinion of the ESAs (EBA, ESMA and EIOPA) for the European Commission on the delegated acts under the European supervisory framework in accordance with Articles 31 and 43 of Regulation (EU) 2022/2554 took place from 26 May 2023 to 23 June 2023.

3. Ongoing consultations

The public consultation of the European Supervisory Authorities EBA, ESMA and EIOPA on the following drafts will take place from 8 December 2023 to 4 March 2024:

  1. Consultation of the RTS on Threat Led Penetration Testing (Art. 26.11)
  2. Consultation of the RTS on the specification of elements in the subcontracting of critical or important functions (Art. 30.5)
  3. Consultation of the RTS to determine the reporting of serious ICT incidents (Art. 20.a)
  4. Consultation of the ITS to determine the details of reporting on major ICT-related incidents (Art. 20.b)
  5. Consultation of the GL for cooperation between the ESAs and the CAs regarding the structure of supervision (Art. 32.7)
  6. Consultation of the RTS on harmonisation of the conditions for carrying out monitoring activities (Art. 41)

III. Focus of DORA

DORA essentially focuses on (1) ICT risk management and (2) the monitoring of critical ICT third-party service providers. These are implemented in Germany by the FinmadiG. Implementation takes place through amendments to numerous laws and ordinances, which is why we have referred to the provisions and structure of DORA in the following brief summary for the sake of clarity:

1. Focus: ICT risk management

  1. Art.5 DORA – Responsibility of the management:
    Management is responsible for ICT risk management. Management must actively keep abreast of ICT risks and attend regular ICT-specific training sessions.
  2. Art.6 DORA – ICT Risk Management Control Function
    Management must establish the ICT risk management control function. Its tasks are similar to those of the Information Security Officer (ISO). The control function must be strictly separated from the first line (IT). There is a strong regulatory expectation that the ISO is kept in-house.
  3. Art.8 DORA – Knowledge of own information and systems
    ICT systems and information used in business functions must be identified and classified. This also applies to information that is not held in centralised systems (such as Office documents or IDVs, i.e. end-user computing applications).
  4. Art.6 DORA – Stricter requirements for encryption
    Data must be encrypted in all states (at rest, in transit & in use). Internal as well as external network traffic must be encrypted. Lifecycle management must be set up for cryptographic keys.
  5. Art.10 DORA – Prioritising the elimination of vulnerabilities
    Requirements for automated vulnerability scans and the elimination of vulnerabilities have increased. Automated vulnerability scans at least weekly. Supply chain risk is moving into focus. Elimination of vulnerabilities through patches has top priority.
  6. Art.11 DORA – Detailed security requirements
    Only authorised software and storage media may be used. Security must also be ensured in the home office and when working remotely. Employees who administer cloud access require special training, and cloud access itself requires special protection.
  7. Art. 16 DORA – Testing the source code
    Authorisation for security measures, among other things, must be obtained from the specialist departments and asset owners. Test environments should adequately reflect the production environment. The integrity of the source code must be protected. Source code and software from third parties must be analysed and tested.
  8. Art.13 DORA – Strengthening network security
    Creation of a visual network plan. Internal and external protection of network traffic. Regular testing and certification of firewall rules. Annual review of the network architecture. Creation of the option to temporarily isolate subnets, network components and devices.
  9. Art.21 DORA – User identification
    Each natural person should be given a unique identity, which should be retained in the event of reorganisation and after the end of the collaboration. Requirements for access control and access rights management remain largely the same.
  10. Art.27 DORA – Test scenarios for cyber attacks
    Comprehensive specifications for emergency management. RTS focusses on the minimum content of recovery plans and on testing them. Minimum test scenarios increase from four (MaRisk) to nine.
  11. Art.6 para.5 DORA – Regular review of the ICT framework
    Formal documentation of the current status of the ICT risk framework must be prepared. This must be made available to the supervisory authority upon request.
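Several of the points above (Art. 8 inventory and classification, encryption at rest and in transit, Art. 10 weekly vulnerability scans, Art. 21 one persistent identity per natural person) can be checked mechanically against an asset inventory and an IAM export. The following is an added example of such an evidence check; it is not tooling from DORA, the ESAs or the FinmadiG, and the asset records, personnel numbers and user IDs are constructed sample data. The article references in the findings mirror the list above and are used as labels, not as legal citations.

```python
"""Evidence checks derived from the DORA ICT risk management points listed above.
Added example with constructed sample data; not the regulation's own tooling."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

Finding = Tuple[str, str, str]  # (subject, DORA point used as label, description)


@dataclass
class Asset:
    name: str
    classification: Optional[str]   # None = not yet classified (Art. 8 point)
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    last_vuln_scan: Optional[date]  # None = never scanned (Art. 10 point)


@dataclass
class Identity:
    person: str   # natural person, e.g. an HR personnel number (constructed)
    user_id: str  # identity as it appears in the IAM system


MAX_SCAN_AGE = timedelta(days=7)  # "automated vulnerability scans at least weekly"


def check_assets(assets: List[Asset], today: date) -> List[Finding]:
    """Inventory, encryption and scan-recency checks for each asset."""
    findings: List[Finding] = []
    for a in assets:
        if not a.classification:
            findings.append((a.name, "Art. 8", "asset not classified"))
        missing = [state for state, ok in (("at rest", a.encrypted_at_rest),
                                           ("in transit", a.encrypted_in_transit)) if not ok]
        if missing:
            findings.append((a.name, "encryption", "not encrypted " + ", ".join(missing)))
        if a.last_vuln_scan is None:
            findings.append((a.name, "Art. 10", "never scanned for vulnerabilities"))
        elif today - a.last_vuln_scan > MAX_SCAN_AGE:
            age = (today - a.last_vuln_scan).days
            findings.append((a.name, "Art. 10", f"last vulnerability scan {age} days old (limit 7)"))
    return findings


def check_identities(identities: List[Identity]) -> List[Finding]:
    """One identity per natural person: flag persons with several IDs
    (re-issued instead of retained) and IDs shared by several persons."""
    by_person: Dict[str, Set[str]] = {}
    by_user_id: Dict[str, Set[str]] = {}
    for i in identities:
        by_person.setdefault(i.person, set()).add(i.user_id)
        by_user_id.setdefault(i.user_id, set()).add(i.person)
    findings: List[Finding] = []
    for person, ids in sorted(by_person.items()):
        if len(ids) > 1:
            findings.append((person, "Art. 21", f"{len(ids)} identities for one person: {sorted(ids)}"))
    for uid, persons in sorted(by_user_id.items()):
        if len(persons) > 1:
            findings.append((uid, "Art. 21", f"identity shared by {len(persons)} persons: {sorted(persons)}"))
    return findings


# Constructed sample inventory and IAM export (not real systems or people).
SAMPLE_DATE = date(2024, 3, 1)
SAMPLE_ASSETS = [
    Asset("core-banking-db", "confidential", True, True, date(2024, 2, 27)),
    Asset("hr-share", None, False, True, date(2024, 2, 10)),
    Asset("legacy-ftp", "internal", True, False, None),
]
SAMPLE_IDENTITIES = [
    Identity("P-1001", "mmueller"),
    Identity("P-1001", "mmueller2"),      # second ID after a reorganisation
    Identity("P-2002", "jdoe"),
    Identity("P-3003", "shared-admin"),   # generic account used by two persons
    Identity("P-4004", "shared-admin"),
]


def run_example() -> Tuple[List[Finding], List[Finding]]:
    """Run both checks on the constructed sample data."""
    return check_assets(SAMPLE_ASSETS, SAMPLE_DATE), check_identities(SAMPLE_IDENTITIES)


if __name__ == "__main__":
    for finding in (f for group in run_example() for f in group):
        print("%-16s %-11s %s" % finding)
```

The checks deliberately report a finding per control rather than a single pass/fail, so the output can be attached as evidence to the formal documentation of the ICT risk framework mentioned under Art. 6 para. 5. Replace the constructed lists with your CMDB and IAM exports; the date threshold and the identity rules are the only parts that encode a requirement.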

2. Focus: Monitoring of critical ICT third-party service providers

Financial companies may only use critical ICT third-party service providers from third countries if those providers establish a registered office in the EU within twelve months of being categorised as critical. However, there is no obligation to store data only within the EU (although there may be data protection problems if this is not the case).

In particular, the supervisory authorities have the following powers vis-à-vis ICT service providers:

  1. Request for information and documentation: relevant business or operational records, contracts, policies and guidelines, documentation, ICT security audit reports, ICT-related incident reports, and any information about parties to whom the critical ICT third-party service provider has outsourced operational functions or activities;
  2. Investigations and inspections at the premises of the ICT third-party service provider in relation to: records, data, procedures, etc.; summoning representatives of the critical ICT third-party service provider, including making oral or written statements; interviewing any other natural or legal person who consents to such interview for the purpose of obtaining information about the subject matter of an investigation; transmitting recordings of telephone conversations and data transmissions;
  3. Making recommendations that the supervisor considers relevant in relation to the following:
  • the application of specific ICT security and quality requirements or procedures, in particular in relation to the issuance of patches, updates, encryption and other security measures necessary to ensure the ICT security of services provided to financial organisations;
  • the use of conditions, including their technical implementation, under which the critical ICT third-party service providers provide ICT services to financial entities in order to prevent the occurrence or amplification of sporadic failures or to minimise potential systemic impact in the Union financial sector in the event of ICT concentration risk;
  • under certain conditions: any planned subcontracting that the critical ICT third-party service providers intend to enter into with other ICT third-party service providers or with ICT subcontractors established in a third country and which may entail risks for the provision of services by the financial undertaking or risks for financial stability;
  4. Requesting reports detailing the actions taken or remedial measures implemented by the critical ICT third-party service providers in relation to the recommendations referred to in point 3.

The monitoring of critical ICT third-party service providers by the supervisory authority does not release financial companies from their own obligation to monitor the service provider. The supervisory authorities examine how the financial companies take into account the risks identified in the recommendations for the critical ICT third-party service provider as part of their third-party risk management. If a financial undertaking does not take these risks into account, or not sufficiently, the supervisory authority shall notify it of this assessment and may, within 60 days of the notification and as a last resort, require the financial undertaking to suspend the use of the critical ICT third-party service provider in whole or in part until the risks have been eliminated, or to terminate the contracts with the critical ICT third-party service provider in whole or in part.

Feel free to contact us at any time if you have any questions. We specialise in the realisation and implementation of compliance-related IT projects in the financial regulatory environment.

We can help you prepare for the new requirements of DORA.

We advise our clients to familiarise themselves with the regulation and the consultation versions of the RTS/ITS/Guidelines, including the recitals.

Compare the requirements from DORA with the regulatory requirements that already exist (e.g. MaRisk, BAIT, EBA Guidelines on outsourcing arrangements, BaFin Cloud guidance).

Expansion course: griep Group and Swiss Post AG combine their expertise in construction logistics

Over the past 11 years, the long-established griep Group, based in Wiesbaden, has developed into one of Germany’s leading construction logistics specialists. With around 190 employees, griep covers the entire range of construction logistics services for a wide variety of construction projects – from railway station buildings to high-rise buildings, in city centres or in the countryside.

Win-win: In Swiss Post, the griep Group has found the perfect partner for growth and expansion opportunities in Germany and Switzerland. Swiss Post is successfully active in the field of logistics support for construction projects – from logistics planning and construction site logistics to disposal logistics – and in griep now has an experienced sparring partner for optimising and expanding its construction logistics services.

Subject to the approval of the German Federal Cartel Office, the collaboration is scheduled to begin in January 2024.

Advisor griep Group:
act legal Germany – act AC Tischendorf Rechtsanwälte: Dr Fabian Brocke, LL.M. (Corporate/M&A); Dr Nina Honstetter (Corporate/M&A); Dr Fabian Laugwitz, MBA, LL.M. Eur. (Commercial)

future secured – Investor search successfully completed: The outpatient care service provider DigniCare is looking to the future with the continuation concept of Lamberth Pflege GmbH

Dr Alexander Höpfner: „With the continuation of business operations by the investor, a good solution has been found for the creditors that also takes into account the interests of those in need of care.“

In addition, around 180 jobs at the nine operating sites in Hesse, Rhineland-Palatinate, North Rhine-Westphalia, Bavaria, Thuringia, Saxony and Saxony-Anhalt will be taken over.

Advisor/proprietary administration DigniCare: LIESER Rechtsanwälte Partnerschaft mbB – Jens Lieser and Dr Martin Kaltwasser (general representatives)

Administration: act AC Tischendorf Rechtsanwälte – Dr Alexander Höpfner (administrator), Dr Felix Melzer, Maximilian Dieler (both restructuring/insolvency)

Reorganisation: Experienced and well-established ACT team responsible for the self-administration of Alpha Real Estate Holding and 13 subsidiaries

Alexander Höpfner, Sven Tischendorf and Felix Melzer as well as Tara Kamiyar-Müller (Real Estate) have been responsible for the self-administration of the Germany-wide asset and investment manager and leading company in the privatisation of residential real estate – Alpha Real Estate Group – since 27 November 2023.

The entire property and construction industry in Germany is currently struggling with the consequences of high interest rates, rising construction costs and uncertainty in the face of falling property prices. In recent months, for example, the major nationwide property project developer Gerch and Euroboden in Munich, Nuremberg-based Project Immobilien and the Düsseldorf-based property companies Centrum and Development Partner have already had to file for insolvency.

Due to the economic challenges posed by the war in Ukraine, the energy crisis and, in particular, the drastic rise in interest rates and the resulting restraint on the financing and investment market, Alpha Real Estate’s business model has now also found itself in a precarious situation, which led to liquidity bottlenecks and the need for comprehensive restructuring.

With the subsequent applications for self-administration for Alpha Real Estate Holding and 13 of its subsidiaries, which the Mannheim Local Court decided in favour of, the starting signal has now been given for successful and far-reaching restructuring and reorganisation measures towards a repositioning and realignment in the current market. Jens Lieser from the insolvency law firm Lieser Rechtsanwälte, which specialises in insolvency law, has been appointed as provisional administrator.

With a transaction volume of 1.4 billion and a portfolio of 350 thousand square metres of residential and commercial space, the Mannheim-based investment house has been successfully designing and developing investment properties for private investors, tenants and owner-occupiers as well as institutional investors throughout Germany for 10 years with its full-service concept. Alpha Real Estate’s range of services covers the entire property value creation process, from buying and selling to active and value-enhancing asset and property management.

The ACT team is optimally positioned for the planned reorientation, as in addition to the well-known insolvency and restructuring practice of Sven Tischendorf and Alexander Höpfner, the strong expertise of the ACT Real Estate division under the leadership of Tara Kamiyar-Müller, which focuses on special property law situations/restructurings, will also be deployed here.

Alpha Real Estate self-administration:
act AC Tischendorf Rechtsanwälte, Frankfurt: Dr. Alexander Höpfner (lead, general representative, CIO), Dr. Sven Tischendorf, MBA (lead, general representative, CRO), Dr. Felix Melzer (general representative, restructuring), Dr. Tara Kamiyar-Müller (real estate restructuring), Dr. Fabian Laugwitz, MBA, LL.M. (real estate, commercial)

act legal Germany advises the shareholders of CRS medical on the sale to Asker Healthcare Group, Sweden

act legal Germany has provided legal and tax advice to the shareholders of CRS medical GmbH („CRS medical“) on the sale of all shares in CRS medical to Asker Healthcare Group („ASKER“).

CRS medical has been providing services in the field of medical technology since 2004. Many years of experience and extensive knowledge in the medical technology sector have made CRS medical a dynamic and powerful medium-sized company. With over 210 employees, CRS medical is now represented on almost every continent in the world.

Headquartered in Sweden, ASKER now consists of more than 30 companies in 14 countries and 2,400 employees, supporting healthcare providers and patients to improve patient outcomes, reduce the total cost of care and ensure a fair and sustainable value chain.

CEO and founder Michael Schlapp will remain with the company in his operational role. The parties have agreed not to disclose further details of the transaction.

With more than 300 professionals throughout Central Europe act legal offers sophisticated national as well as international legal advice – the attractive alternative to large international law firms.

Advisors CRS medical: act legal Germany: Christoph O. Breithaupt, M.B.L. (HSG) (Private Equity/Corporate), Sandra Brieske (Private Equity/Corporate), Dr. Stephan Schwilden, MBA (Employment law), Dr. Florian Wäßle, LL.M. (IT/IP), Dr. Fabian Laugwitz, MBA, LL.M. Eur. (Real Estate); Dr. Frank Bayer (frb-tax, Tax)

Strong for the future – Outpatient care service provider DigniCare Pflege GmbH restructures itself in self-administration

Dr Alexander Höpfner, DigniCare’s trustee: „I see a concrete need for care services, a business model that is in demand on the market and opportunities for restructuring that are also in the interest of the creditors“.

Due to the high shortage of labour and skilled workers in the care sector as well as a decline in sales of private cost coverage for certain care and nursing services, the outpatient care service with around 200 employees at 14 operating sites nationwide got into financial difficulties. Within the framework of self-administration and under the constructive support of the restructuring process by the restructuring experts of LIESER Rechtsanwälte Partnerschaft mbB and act AC Tischendorf Rechtsanwälte, who are particularly experienced in the area of nursing services/hospitals, the outpatient nursing services can be continued without restriction and interruption and the wages and salaries of the employees can be secured via insolvency benefits.

Property administration: act AC Tischendorf Rechtsanwälte – Dr. Alexander Höpfner (property administrator), Dr. Felix Melzer, Maximilian Dieler (both restructuring/insolvency)

For additional information see also our LinkedIn article (in German language only): https://www.linkedin.com/posts/ac-tischendorf-rechtsanwaelte_zukunftsstark-pflegesektor-sanierung-activity-7105924240507351040-vaXw?utm_source=share&utm_medium=member_desktop