Digital transformation – Is your company prepared for the new EU laws?

In order to shape Europe’s digital future, the European Commission has prepared and enacted a large number of legal regulations that form the legal framework for the digital transformation. They will have far-reaching effects on everyday business life. As a prelude to our series ‘Digital Transformation’, we would like to give you an overview of the most important innovations and then provide you with more detailed information on the individual topics in the coming weeks. Please feel free to contact us.

European Data Act

The Data Act was enacted on 11 January 2024 and will come into force in September 2025.

The new rules establish the right of access to industrial data and regulate its use and exchange. Manufacturers of networked products (‘Internet of Things’, e.g. machines, sensors, components, household appliances or vehicles) are obliged to share the data obtained through these products with users (companies or consumers), authorities and also third parties (data sharing). The regulations affect manufacturers and data holders as well as users of networked devices and providers of data processing services.

Networked products must be designed according to the requirements of the Data Act („Access by Design”). The law also requires data holders to make the data available on an ongoing basis. This will have far-reaching implications for sensitive data and trade secrets of companies, which must be adequately protected. Conversely, access to third-party data can incentivize data-driven innovation.

In addition, data licensing agreements are required with all users in order to be able to use generated data in future.

In the future, data owners will no longer be free to use and share data without restriction.

You should prepare and implement the complex contractual and technical requirements as early as possible. It’s best to do it now!

European Artificial Intelligence Regulation (AI Act)

The possibilities of using artificial intelligence („AI”) are constantly increasing and leading to serious changes in everyday working life. The EU Commission has developed a regulatory framework that enables the use of AI but at the same time sets limits to it. As things stand at present, the regulation is to come into force in mid-2024. After a transitional period of 24 months, it would then apply throughout Europe. It affects all manufacturers and users of AI (image, speech and text recognition, HR systems, smart home, autonomous driving, industrial applications, connected devices).

The regulation distinguishes between four risk classes for AI applications.

There are separate rules for each risk class, which even go as far as prohibiting its use. In any case, a mandatory quality and risk management system as well as detailed transparency obligations are envisaged. A data protection impact assessment is also likely to become mandatory. Both manufacturers and users of AI systems should consider the legal requirements at an early stage and make preparations both internally (integrated company policy, works agreement) and externally (classification and documentation). We would recommend dealing with the AI Act now in order to bring the current use of digital systems in line with the new regulations.

At the same time, a new European AI Office will be set up to oversee enforcement of the new rules on AI models. Like the GDPR, the AI Act also provides for draconian penalties in the event of a violation.

Digital Services Act

The Digital Services Act aims to create a safer digital space for users of online services and aims in particular to combat illegal content. The Digital Services Act has already entered into force and has been applicable to digital service providers since February 2024.

Online intermediaries and platforms, such as online marketplaces, social networks, app stores and online travel platforms, are obliged to detect, flag and remove illegal content.

Digital Markets Act

The Digital Markets Act, which came into force on 1 November 2022, is intended to ensure that access to and conditions in digital markets are fair and on equal terms, and that companies that control market access (‘gatekeepers’, e.g. Google, Apple, Microsoft, Meta) do not use their position to disadvantage third parties.

General Data Protection Regulation (GDPR)

Many companies have now implemented the requirements of the GDPR, which came into force in 2018, and integrated them into their everyday business. In light of the new EU laws, various decisions of the EU Commission and new judgements, a review and revision of internal processes is to be recommended. The GDPR will continue to play an important role in digitalization. It’s best if all requirements have already been implemented.

Cyber Resilience Act

The EU Commission’s proposal for a regulation on cybersecurity requirements for products with digital elements is intended to ensure the security of products that can be connected to each other or to the Internet („security by design”) and includes numerous obligations for manufacturers and importers. As things stand at present, the Act is to be adopted in 2024 and will enter into force after a transitional period of 36 months.

AMLA – The European Money Laundering Authority comes to Frankfurt

FRANKFURT – On 22 February 2024, the representatives of the Council and the European Parliament decided that the seat of the future European Anti-Money Laundering Authority (AMLA) will be in Frankfurt am Main.

The AMLA, a new EU-wide authority with responsibilities around money laundering compliance and financial sanctions monitoring, will significantly change the way money laundering and sanctions laws are enforced within the EU. Therefore a review of existing policies and processes in the area of money laundering prevention should be undertaken immediately.

1. Introduction and subject matter

The Anti-Money Laundering Authority, which the European Parliament and the European Council agreed to establish on 13 December 2023, is expected to take up its activities in Frankfurt am Main in mid-2025. Its main tasks will be as follows:

(1) Direct supervision of anti-money laundering compliance for certain European banks and other high-risk financial service providers, including crypto-asset service providers.
(2) Ensuring compliance with financial sanctions.
(3) Indirect supervision of other obliged entities. While these entities are primarily supervised by national regulators, the AMLA will mediate disputes between national regulators and may assume supervision in exceptional circumstances.
(4) Coordination of Member States’ efforts to combat money laundering and terrorist financing in the non-financial sector.

The AMLA will directly supervise certain European banks and other financial service providers that operate across borders or are considered „high-risk”. A total of up to 40 organisations will be included in the initial selection process in Germany – around 200 companies across Europe. This direct supervision will be carried out by joint supervisory teams under the direction of the AMLA, which will carry out assessments and inspections. The list of companies designated for supervision or inspection will be reviewed every three years.

As part of the AMLA’s direct supervisory powers, the AMLA will ensure that these selected obliged entities have appropriate internal policies and procedures in place to ensure the implementation of targeted financial sanctions, such as asset freezes and asset seizures.

The AMLA will also have certain enforcement powers. In the event of serious, systematic or repeated violations of directly applicable requirements, the AMLA will be able to impose financial sanctions on the selected obliged entities.

For obliged entities in the financial sector that are not designated as „selected obliged entities”, money laundering supervision will mainly remain unchanged at national level.

In relation to the non-financial sector, the AMLA will provide support by conducting inspections and investigating possible breaches in the application of money laundering prevention rules. In doing so, it will be able to issue non-binding recommendations.
The AMLA will also coordinate the national financial intelligence units that investigate suspected violations of money laundering regulations.

The AMLA will mediate and settle disputes between national supervisory authorities and may also take over the supervision of a financial undertaking in exceptional circumstances or in the event of certain breaches of EU law.

2. Procedure for supervision until the AMLA commences its activities

Even before it was clear that the AMLA was coming to Frankfurt, we had already seen a significant increase in the focus of the German Federal Financial Supervisory Authority (BaFin) on auditing our clients in the area of money laundering prevention. In its report „Risks in Focus for 2024”, BaFin emphasises that it continues to classify the risk of being misused for money laundering, terrorist financing or other financial crimes in Germany as „high” for the more than 8,700 obliged parties under the German Money Laundering Act (GWG).

In 2022, a total of 337,186 suspected money laundering reports were received by the Financial Intelligence Unit (FIU). Of these, a total of 326,123 originated from the financial sector, i.e. from financial market participants such as credit and financial services institutions.

International financial transactions, for example in the export sector, are a particular contributor to the risk of money laundering. Fast-growing companies are also exposed to particular money laundering risks. Last but not least, crypto assets open up unprecedented opportunities for criminal activities.

BaFin’s repeated warnings about failures by some institutions in the area of money laundering prevention, together with the severe fines that accompany them (most recently €6.5 million), are also increasing significantly in both number and severity.

It is noticeable that the market is still reluctant to invest in money laundering prevention and to initiate the necessary projects and measures.

3. Direct recommendations

Against this background, we strongly recommend that you scrutinise your existing guidelines and processes in the area of money laundering prevention. Our experience has shown that there is considerable potential for improvement in order to prevent BaFin sanctions, while at the same time streamlining internal processes and thus increasing their efficiency.

In BaFin’s opinion, some business models, such as payment agents, third-party acquiring, white labelling, loan fronting and trading in crypto assets, are particularly vulnerable. If you are active in these areas and have not been subject to a special audit by BaFin in recent years, this recommendation is all the more urgent.

Feel free to contact us! We are not only very experienced in scrutinising your existing guidelines and processes, identifying and implementing potential for improvement, but are also happy to assist you with projects or (special) audits by the supervisory authority. We can also act as an outsourced money laundering officer for you.

4. Outlook

There is still some uncertainty as to whether the European Public Prosecutor’s Office, an „ad hoc sanctions authority” or the AMLA should be given a role in enforcing sanctions for breaches of anti-money laundering rules or sanctions imposed. While Members of the European Parliament have repeatedly pushed for „substantial developments” in sanctions enforcement, the European Commission and Member States have generally resisted any serious change. In particular, Member States have endeavoured to keep the enforcement of sanctions entirely within their competence.
Although the AMLA will only start its work once all political issues have been resolved, the industry needs to be aware of the upcoming changes in the monitoring and enforcement of money laundering and financial sanctions and prepare accordingly.

The Hungarian ESG Act has arrived

Due to the holiday season and the legislative dumping at the end of the year, an important new milestone in the ESG field did not receive much publicity, even though Act CVIII of 2023, the ESG Act, which is the first comprehensive Hungarian regulation in the field, entered into force as of January 1, 2024. The field, which until now has mostly been covered by EU sources of law and by one Hungarian law, has finally ceased to be a stepchild and has been given its first comprehensive and unified law, which the legislator itself named the ESG Act.

What is ESG?

ESG has been a hot topic for years, but to begin with, it is worth noting that ESG is an acronym formed from the initials of three areas: environmental, social and governance.

These are the aspects that have so far been fragmented and mostly imposed on the largest companies in EU legislation (e.g. the Taxonomy Regulation, the CSRD Directive) and in domestic legislation (e.g. the Accounting Act, Act LXVII of 2019), so that they take into account these aspects and sustainability issues in their operations and investments.

Until now, there has been no single Hungarian ESG regulation; instead, the duties and obligations of the companies concerned had to be pieced together from the EU and national legal sources that entered into force at different times, emphasises Dr. Péter Weidinger, LL.M., partner of act Bán & Partners.

Scope of the ESG Act

The new single regulation, which is called Act No CVIII of 2023 on the rules of corporate social responsibility, taking into account environmental, social and societal aspects, and amending other related acts, in order to promote sustainable financing and unified corporate responsibility, is therefore a step forward from a regulatory and enforcement perspective. This is particularly true if we consider that the ESG Act contains rules applicable not only to the companies concerned but also to the public regulators/authorities and to the ESG market players.

The ESG Act applies mainly to large companies with a balance sheet total of more than HUF 10 000 million, an annual net turnover of more than HUF 20 000 million and more than 250 or 500 employees. According to the ESG Act, at least two of the previous annual figures of a large enterprise must exceed the above thresholds set out in the Act in order to be covered by the Act.

Small and medium-sized enterprises that qualify as a public interest entity are also subject to the law, regardless of the above thresholds, i.e. not only giant companies should get acquainted with the new ESG Act, points out Dr. Péter Weidinger, LL.M., expert at act Bán & Partners. Such a public interest SME is a company whose transferable securities are admitted to trading on a regulated market in a state of the European Economic Area. In other words, Hungarian-based companies listed on an EEA stock exchange already fall into this category and are subject to the new rules.

However, due to its comprehensive nature, the scope of the Act extends not only to these companies, but also to service providers in the ESG market, i.e. ESG certifiers and ESG qualifiers, as well as companies producing and distributing ESG software.

Obligations of the companies

The law has created a number of obligations for companies subject to the ESG Act, the breach of which can result in fines of up to millions of forints. However, the good news for the companies concerned is that not all of these obligations will be required from 2024 and fines for non-compliance with ESG reporting obligations will only be imposed from January 1, 2026.

The most important obligation for companies, which is reflected in principle in the ESG Act, is to assess and manage the social and environmental impacts of their operations and to prevent, minimise or eliminate social or environmental risks.

The most tangible obligation is that the companies concerned will be required to prepare and publish ESG reports on an annual basis (phased in over several years). The first stakeholder group will have to prepare ESG reports for the first time in 2025 for the financial year 2024, and the last stakeholder group will have to prepare them in 2027 for the financial year 2026. The ESG report should be made publicly available free of charge on the company’s website and should include, among other things, a description of the company’s sustainability due diligence process, the social responsibility and environmental risks identified by the company, and the measures taken by the company and the company’s objectives.

Other obligations include setting up a risk management system, carrying out regular risk analyses, or reporting ESG data. It is important to underline that it is not enough for companies to look in-house, but that they also need to look at the whole supply chain, as well as the activities of direct suppliers and subsidiaries. This can ultimately lead to a company being obliged to suspend or, in the worst case, terminate its business relationship with a direct supplier that persistently breaches its environmental obligations, emphasises Dr. Péter Weidinger, LL.M., partner at act Bán & Partners.

It is worth pointing out that companies should also ensure that they have an internal or external complaints system in place to enable anyone to report the company’s social responsibility (“CSR”) and environmental risks and breaches of CSR or environmental obligations arising from the economic activities of the company, its subsidiaries or its direct suppliers. It is important to note that a company may also use its internal whistleblowing system, established under the Hungarian Whistleblowing Act transposing the EU Whistleblowing Directive, as such a complaint handling forum.

State actors

The ESG Act also regulates the role of the state in ESG. The Minister responsible for this area will be the Minister responsible for economic development, who will establish and operate the National ESG Council. The members of the Council will be delegates from several ministries and economic actors (e.g. the Hungarian Chamber of Commerce and Industry), while the Council will be chaired by the Minister.

The tasks of the authority will be carried out by the Authority for the Supervision of Regulated Activities (“SZTFH”). This is the authority that, among other things, supervises gambling, tobacco and bailiffs and liquidators. It will also maintain the records required by law, e.g. on ESG reporting companies, ESG certifiers and ESG qualifiers.

The SZTFH has also been given strong powers of control and sanction, as it has the right to enter the premises, buildings and other facilities of the company during its inspections, and can also inspect and make copies of documents. And anyone who obstructs the inspections of the SZTFH can face fines of up to millions of forints.

SZTFH will also be the operator of the electronic platform for the preparation and submission of the ESG report, the ESG management platform.

Additional rules

The attention of practitioners should also be drawn to the changes of the Accounting Act and the Auditing Act, which also entered into force as of January 1, 2024. Of particular importance is the new chapter of the Accounting Act on Sustainability Reporting, which will also become an indispensable point of Hungarian ESG regulation.

Since the ESG Act is a framework regulation, the specific details will be laid down in government decrees, ministerial orders and decrees of the President of the SZTFH. These will therefore complete the Hungarian ESG regulation, but in the meantime it is worthwhile for affected companies to prepare for ESG-compliant operation and implementation of the ESG Act rules, concludes Dr. Péter Weidinger, LL.M., partner of act Bán & Partners.

Fake environmental awareness, or the “green washing” phenomenon – according to the Hungarian Competition Authority

Today, more and more companies are trying to convince consumers with the pretence of a sustainable future and environmental awareness. However, in many cases, there is no real responsibility behind such marketing activities, which are simply intended as an effective advertising ploy to make green claims.

The Hungarian Competition Authority (“GVH”) has analysed the impact of green marketing claims on consumers’ purchasing behaviour in several studies. The market analysis has shown that consumers’ behaviour is strongly influenced by green claims on the packaging, which have an impact on purchase intentions, despite the fact that consumers are often unaware of the exact meaning of the green claims. Businesses should be vigilant about the materials they use to promote sustainability, as misleading advertising or information can easily be considered unlawful. In response to this problem, the GVH has issued recommendations to businesses to ensure that green washing is discouraged and that consumers receive truthful information about a product or service – emphasises Dr. Lili Horváth, expert at act Bán & Partners.

Information on products and services

According to the GVH, a common problem with product labelling is that consumers do not understand why a product is considered environmentally friendly. Generalised, vague claims are common, such as “environmentally friendly product”, “renewable packaging” or “environmentally responsible choice”. Such claims do not make it clear to the consumer what criteria or characteristics qualify a product as “green”.

The GVH advises businesses to be clear and specific. It must be clear which aspect of the product the claim refers to, whether it is about the product itself, the packaging or perhaps its manufacture or the delivery. Clarity also means that the language used must be understandable to the average consumer, because without clear information the consumer cannot make an informed decision. Nor should a business use claims that hide the real impact of a product or service on the environment by highlighting a single characteristic. It is a common practice for companies to highlight the positive environmental impact of the product packaging without mentioning that it is negligible in relation to the environmental damage caused by the production and processing of the materials.

A business should only make claims that are true, accurate and easy to verify. Practices where information is not available to consumers in Hungarian are highly objectionable, as is the practice where the information can only be found after significant research and multiple click-throughs.

It is considered bad practice for a company to emphasise legal compliance as a distinguishing advantage over identical or similar products of other companies when such compliance is required of all manufacturers in the sector. Marketing materials that highlight environmental performance relative to the company’s past performance can also be misleading, because if a company has previously paid no attention to this, achieving a significant improvement is not a real challenge for the company.

Comparative advertising

In the field of comparative advertising, the GVH considers it fundamental that the claims are objective, relevant and verifiable. Vague and intangible statements should be avoided, and clear, concrete and quantified claims should be made; for example, it is worth expressing as a percentage how much less of a harmful substance a company uses than another company producing a comparable product. It should be borne in mind that a company claiming to be the “greenest” or “most environmentally friendly” is also making a comparative claim. The company must be able to prove the veracity of the claim in relation to all relevant products on the market for the entire period of the advertisement.

What do the certification labels certify?

In particular, the GVH also highlighted the importance of ensuring that the qualities certified by the certification labels on the product can be easily checked by consumers and that the advertising message communicated through the label does not go beyond what the label actually certifies.

Environmentally conscious promises

Companies should also be wary of making brand-building statements about their future activities. The companies should only make commitments that they are able to deliver in the foreseeable future, that are realistic and that consumers can follow. It is not advisable to make commitments that the company is already delivering, as this does not represent a real change, requires no effort and misleads the consumers.

Businesses need to be aware that not only specific environmental or sustainability claims can be considered green marketing, but also implicit signals such as the green colour, the visual placement of flowers or a globe, or even specific sound effects. Companies need to be aware of the overall effect, and should not imply that a product is environmentally friendly, even by implicit signals, if it is not, concludes Dr. Lili Horváth, expert at act Bán & Partners.

act legal European law firm advised Doosan Škoda Power s.r.o. on executing EPC agreement with Orlen S.A.

Thanks to the collaboration of the act legal offices in Poland and Czechia, which provided legal services during the procurement procedure and negotiations, Doosan Škoda Power s.r.o. struck an EPC agreement with Orlen S.A. for the modernization of the TG-4 and TG-5 turbine generator sets of 55 MW each at Orlen’s combined heat and power plant in Płock, as well as a long-term service agreement (LTSA).

The interdisciplinary team of lawyers engaged in the project included:

  • Mgr. Jakub Adamek – Senior Lawyer/ act legal Czechia,
  • Mgr. Jan Havel – Partner/ act legal Czechia,
  • Marek Wojnar – Managing Partner, attorney-at-law/ act legal Poland,
  • Piotr Giżyński – Senior Lawyer, attorney-at-law/ act legal Poland.

The total value of the project exceeds EUR 125 million (PLN 540 million).

Doosan Škoda Power s.r.o. is a manufacturer and supplier of turbine generator sets which ensure maximum efficiency, strength and reliability in the power generation sector.

PKN Orlen’s combined heat and power plant in Płock is the biggest industrial CHP plant in Poland and one of the largest in Europe in terms of thermal capacity; it produces heat and electrical power in a high-efficiency cogeneration process. It is also a major supplier of heat contained in steam and heating water, as well as electricity, used for production facilities and external customers, including the city of Płock.

The new project will contribute to increased energy efficiency of the CHP plant in Płock.

The project completion is planned for mid-2029.

The European Sustainability Reporting Standards (ESRS) under the CSRD are coming – „to dos” for companies

The new reporting obligation under the Corporate Sustainability Reporting Directive (CSRD) begins in the 2024 financial year for all companies already covered by the Non-Financial Reporting Directive (NFRD). The report must be submitted for the first time in 2025 for the year 2024; for numerous other companies, the reporting obligations will begin between 2025 and 2028.

I. Introduction

In the European Sustainability Reporting Standards (ESRS), the European Commission has drawn up binding guidelines on the structure and content of the report. Below we provide a brief overview of the structure and content of the ESRS.

In Germany, the CSRD is being implemented with the CSR Directive Implementation Act (CSR-RUG). Companies are therefore well advised to deal with the implementation of the law in good time and to collect the data required for reporting in the legally prescribed form. After all, those who „lag behind” here will not only suffer a negative impact on the company’s (ESG) rating, making it less attractive to investors, not to mention the reputational damage, but will also face fines: the amounts range from 50,000 euros to 10 million euros, or even 5% of the annual group turnover.

It is therefore advisable to stay „ahead of the curve” – not only to avoid fines, but also and especially to remain or become attractive to investors, customers and even skilled workers.

II. What is it all about?

The CSRD is a European directive that aims to improve corporate reporting on sustainability aspects and thus replace the Non-Financial Reporting Directive (NFRD). Companies already required to report under the NFRD will have to report for the 2024 financial year in 2025. From the 2025 financial year, new companies that fulfil the respective size criteria will be added annually.

However, the CSRD itself does not regulate the content and structure of the reports to be submitted. These are bindingly defined in the Delegated Regulation on the first set of the ESRS, published by the European Commission on 31 July 2023, in order to ensure the comparability of sustainability reports.

Unfortunately, it cannot be said that the European Commission has succeeded in drafting these standards in a clear, easy-to-understand and concise manner. On the contrary: companies subject to reporting requirements are facing an immense amount of work in order to fulfil their reporting obligations from 2025. We recommend that every company begins to familiarise itself intensively with the ESRS at least 18 to 24 months before the end of the financial year for which it is required to report for the first time. Only in this way can it ensure that it collects the required data for the reporting year in a way that meets the requirements of the first 12 (!) published ESRS standards – more will follow.

These twelve published standards comprise two overarching standards and ten topic-related standards: five on environmental topics, four on social topics and one on governance topics. In terms of content, these standards are based on the requirements of the Corporate Sustainability Reporting Directive (CSRD), and structurally on the framework of the Task Force on Climate-related Financial Disclosures (TCFD) with the reporting elements „Governance”, „Strategy”, „Risk Management” and „Key Figures and Targets”.

Sustainability aspects must be reported on the basis of the principle of „double materiality”. Information on a sustainability aspect must therefore be disclosed if it is considered material either from an impact perspective (effects of business activities on the environment and society), from a financial perspective (financial effects of sustainability-related risks and opportunities), or from both perspectives.

III. Who has to report for which financial year and when?

Which companies are subject to the reporting requirement, and from which financial year, depends on the following criteria:

(1) from the 2024 financial year in the 2025 annual report: companies that are already subject to a reporting obligation under the Non-Financial Reporting Directive („NFRD”);

(2) from the 2025 financial year in the 2026 annual report: all other large corporations that meet at least two of the following three criteria: (a) at least 250 employees on an annual average, (b) total assets of at least EUR 20 million, (c) turnover of at least EUR 40 million;

(3) from the 2026 financial year in the 2027 annual report: listed SMEs as well as small and non-complex credit institutions and captive insurance companies; and

(4) from the 2028 financial year in the 2029 annual report: third-country companies with subsidiaries or branches in the EU. This only applies if the threshold of EUR 150 million net sales in the EU is exceeded over a period of two years.

IV. Structure of the ESRS

The ESRS requires companies to analyse their sustainability performance in depth, in some cases right through to the supply chain and the end of the product life cycle. Mandatory ESRS indicators of a qualitative and quantitative nature, as well as reliable information on the development of a company’s own sustainability performance, make companies much more accountable than before. The ESRS are divided into three categories that complement and interact with each other:

a) Cross-cutting standards that cover general concepts and principles for the preparation of sustainability statements and contain overarching disclosure requirements.

b) Topical standards, each of which covers a specific and clearly defined sustainability topic, i.e. disclosure requirements in relation to sustainability-related impacts, risks and opportunities that are considered material for all companies regardless of specific sectors.

c) Sector-specific standards that cover the disclosure of information on sustainability-related impacts, risks and opportunities that are considered material for all companies in a particular industry (not yet published).

V. ESRS: Overarching standards

ESRS 1 General requirements

ESRS 1 prescribes binding concepts and principles that apply to the preparation of sustainability statements in accordance with the CSRD. All material information on sustainability-related impacts (effects of business activities on the environment and society), risks and opportunities should be disclosed in the sustainability statements in accordance with the applicable ESRS. The ESRS prescribe reporting in accordance with standardised, sector-independent and sector-specific disclosure requirements, supplemented by company-specific disclosures that are to be developed in accordance with the principles set out in ESRS 1.

ESRS 2 General disclosures

ESRS 2 builds on the content of the requirements in ESRS 1 General Requirements and contains overarching disclosure requirements for the sustainability statement.

VI. ESRS: Thematic standards on environmental issues

E1 Climate change

This standard provides disclosure requirements that enable the addressees of a company’s sustainability statements to understand the following aspects (non-exhaustive list): The company’s plans and ability to adapt its strategy and business model in line with the transition to a sustainable economy and to contribute to limiting global warming to 1.5 degrees Celsius.

E2 Environmental pollution (Pollution)

This standard provides disclosure requirements to enable users of an organisation’s sustainability disclosures to understand the following aspects (non-exhaustive list): All measures taken to prevent, mitigate or remedy actual or potential negative impacts and to manage risks and opportunities and the results of these measures.

E3 Water and marine resources

The standard provides for disclosure requirements that are intended to enable users of a company’s sustainability statements to understand whether, how and to what extent the company contributes to the following points:

a) the ambitions of the European Green Deal for fresh air, clean water, healthy soil and biodiversity and for ensuring the sustainability of the blue economy and the fisheries sector,

b) the EU Water Framework Directive,

c) the EU Marine Strategy Framework Directive,

d) the EU Maritime Spatial Planning Directive,

e) the UN Sustainable Development Goals (SDGs) 6 (Clean water and sanitation) and 14 (Life below water).

E4 Biodiversity and ecosystems

The standard provides for disclosure requirements that should enable the addressees of a company’s sustainability statements to understand the following aspects (non-exhaustive list): The nature, type and extent of the company’s material risks, dependencies and opportunities related to biodiversity and ecosystems, and how the company manages them.

E5 Resource use and circular economy

The standard stipulates disclosure requirements that should enable the addressees of a company’s sustainability statements to understand the following aspects (non-exhaustive list): The financial implications for the company of the material risks and opportunities arising in the short, medium and long term from the company’s impacts and dependencies in relation to resource use and the circular economy.

VII. ESRS: Thematic standards on social issues

S1 Own workforce

The financial impact on the company of the main risks and opportunities arising in the short, medium and long term from the company’s impacts and dependencies in relation to its own workforce.

S2 Workers in the value chain

The nature, type and extent of the company’s material risks and opportunities relating to labour impacts and dependencies in the value chain, and how the company manages them.

S3 Affected communities

Significant positive and negative actual or potential impacts of the organisation on communities in areas where impacts are most likely and severe.

S4 Consumers and end-users

All measures taken to prevent, minimise or eliminate actual or potential impacts and deal with risks and opportunities as well as the results of these measures.

VIII. ESRS: Topic-related standards on governance topics

G1 Business conduct

The standard provides disclosure requirements to enable the recipients of a company’s sustainability statements to understand the company’s strategy and approach, its processes and procedures, and its performance in relation to corporate policy.

IX. Outlook

In addition to the development of the first twelve ESRS as „Set 1”, the CSRD also envisages further work packages for EFRAG. The first sector-specific ESRSs are to be developed for a total of around 40 different industries. The development of specific listed SME ESRSs is also planned for the future reporting obligations of capital market-oriented small and medium-sized enterprises (SMEs) within the scope of application. Voluntary guidelines are to be developed for non-capital-market-oriented SMEs. Specific third-country ESRS are also to be developed for the reporting of third-country companies outside the EU. However, a timetable for the publication of these drafts has not yet been set.

Please do not hesitate to contact us if you have any questions. We specialise in the realisation and implementation of compliance-related IT projects in the financial regulatory environment.

DORA is coming – early implementation is advisable

With the Digital Operational Resilience Act („DORA” for short), the European Union has created a regulation for cyber security, ICT risks and digital operational resilience for almost all supervised financial institutions. As this regulation is intended to address the digital transformation and the increasing dangers posed by cyber threats, we strongly advise companies to start implementing it at an early stage. But what exactly is it about?

I. Introduction and subject matter

1. Introduction and implementation effort

Against the background of the very contract- and IT-heavy regulatory content, a considerable implementation period is to be expected. IT projects must be implemented in accordance with the Banking Supervisory Requirements for IT („BAIT”); it remains to be seen whether DORA will replace or completely „overhaul” these, but that will not spare institutions implementation in accordance with their (current) requirements. Furthermore, financial institutions are likely to have numerous internal guidelines that must be observed during implementation. Negotiations with information and communication technology („ICT”) service providers are also likely to take a considerable amount of time, as not only the financial institutions but also their ICT service providers will have to adapt to the DORA changes.

We therefore strongly recommend starting the implementation process at an early stage and not only involving the IT and compliance departments, but also seeking internal and external regulatory advice.

2. Further legal acts

DORA is flanked by numerous other legal acts:

  1. EU Directive 2022/2556 amending Directives 2009/65/EC, 2009/138/EC, 2011/61/EU, 2013/36/EU, 2014/59/EU, 2014/65/EU, (EU) 2015/2366 and (EU) 2016/2341 as regards digital operational resilience in the financial sector of 14 December 2022 
  2. EU Directive 2022/2555 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148 (NIS 2 Directive) of 14 December 2022 
  3. EU Directive on the resilience of critical facilities and repealing Council Directive 2008/114/EC of 14 December 2022
  4. Drafts of RTS, ITS, guidelines, etc., which (in some cases) still need to be finalised and implemented.

3. Regulatory content, focal points

All legal acts deal with regulations on the digital operational resilience of financial organisations. This refers to the ability to keep all information and communication technologies („ICT”) used by a financial organisation operational and to protect them from attacks. DORA aims to strengthen the digital operational resilience of the entire European financial sector in these six key areas:

  1. ICT risk management;
  2. Reporting of serious ICT-related incidents and, on a voluntary basis, of significant cyber threats to the competent authorities;
  3. Reporting of serious payment-related operational or security incidents by certain listed financial organisations to the competent authorities;
  4. Testing of digital operational resilience, including threat-led penetration testing (TLPT);
  5. Sharing information and intelligence on cyber threats and vulnerabilities;
  6. Measures for the sound management of ICT third-party risk.

In addition, DORA lays down:

  1. Requirements in relation to contractual agreements between ICT third-party service providers and financial organisations;
  2. Rules on the establishment and implementation of the monitoring framework for critical ICT third-party service providers in the provision of services to financial organisations;
  3. Rules on information sharing and on cyber crisis and emergency exercises, in particular rules on cooperation between competent authorities and on the supervision and enforcement by competent authorities of all matters covered by the Regulation.

II. Timetable and consultations

The implementation of DORA is subject to an ambitious timetable for the implementation of EU Directives 2022/2555 and 2022/2557 (by 18 October 2024) and 2022/2556 (by 17 January 2025). Implementation in Germany is essentially carried out by the Financial Market Digitisation Act (FinmadiG). The FinmadiG aims to transpose the European Markets in Crypto-Assets (“MiCA”) Regulation, the revised version of the EU Funds Transfer Regulation and the DORA package into national law. The BMF published the draft bill for the FinmadiG on 23 October 2023.

1. Timetable

2. Completed consultations

The joint consultation of the ESAs on the first tranche of the technical regulatory and implementation standards for DORA from 19 June 2023 to 11 September 2023 contains the following drafts:

  1. Consultation on RTS on ICT risk management framework (Art. 15) and RTS on simplified ICT risk management (Art. 16)
  2. Consultation on RTS on criteria for the classification of ICT-related incidents (Art. 18.3)
  3. Consultation on ITS to establish the templates for the register of information (Art. 28.9)
  4. Consultation on RTS to specify the policy on ICT services performed by ICT third-party service providers (Art. 28.10)
  5. The public consultation for the opinion of the ESAs (EBA, ESMA and EIOPA) for the European Commission on the delegated acts under the European supervisory framework in accordance with Articles 31 and 43 of Regulation (EU) 2022/2554 took place from 26 May 2023 to 23 June 2023.

3. Ongoing consultations

The public consultation of the European Supervisory Authorities EBA, ESMA and EIOPA on the following drafts will take place from 8 December 2023 to 4 March 2024:

  1. Consultation of the RTS on Threat Led Penetration Testing (Art. 26.11)
  2. Consultation of the RTS on the specification of elements in the subcontracting of critical or important functions (Art. 30.5)
  3. Consultation of the RTS to determine the reporting of serious ICT incidents (Art. 20.a)
  4. Consultation of the ITS to determine the details of reporting on major ICT-related incidents (Art. 20.b)
  5. Consultation of the GL for cooperation between the ESAs and the CAs regarding the structure of supervision (Art. 32.7)
  6. Consultation of the RTS on harmonisation of the conditions for carrying out monitoring activities (Art. 41)

III. Focus of DORA

DORA essentially focusses on (1) ICT risk management and (2) the monitoring of critical ICT third-party service providers. These are implemented in Germany by the FinmadiG. Implementation takes place through amendments to numerous laws and ordinances, which is why we have referred to the provisions and structure of DORA in the following brief summary for the sake of clarity:

1. Focus: ICT risk management

  1. Art. 5 DORA – Responsibility of the management
    Management is responsible for ICT risk management. Management must actively keep abreast of ICT risks and attend regular ICT-specific training sessions.
  2. Art. 6 DORA – ICT risk management control function
    The ICT risk management control function must be set up by the management. Its tasks are similar to those of the Information Security Officer (ISO). Strict separation of the control function from the first line (IT) is required. There is a strong regulatory expectation to keep the ISO in-house.
  3. Art. 8 DORA – Knowledge of own information and systems
    ICT systems and information used in business functions must be identified and classified. This also applies to information that is not held in centralised systems (such as Office documents or end-user-developed applications, „IDV”).
  4. Art. 6 DORA – Stricter requirements for encryption
    Data must be encrypted in all states (at rest, in transit and in use). Internal as well as external network traffic must be encrypted. Lifecycle management must be set up for cryptographic keys.
  5. Art. 10 DORA – Prioritising the elimination of vulnerabilities
    Requirements for automated vulnerability scans and the remediation of vulnerabilities have increased: automated vulnerability scans must run at least weekly, supply chain risk is moving into focus, and remediation of vulnerabilities through patches has top priority.
  6. Art. 11 DORA – Detailed security requirements
    Only authorised software and storage media may be used. Security must also be ensured in the home office and when working remotely. Employees who administer cloud access require special training, and cloud access requires special protection.
  7. Art. 16 DORA – Testing the source code
    Authorisation must be obtained from specialist departments and asset owners for security measures, among other things. Test environments should adequately reflect the production environment. The integrity of the source code must be protected. Source code and software from third parties must be analysed and tested.
  8. Art. 13 DORA – Strengthening network security
    Creation of a visual network plan. Internal and external protection of network traffic. Regular testing and certification of firewall rules. Annual review of the network architecture. Creation of the option to temporarily isolate subnets, network components and devices.
  9. Art. 21 DORA – User identification
    Each natural person should be given a unique identity, which should be retained in the event of reorganisation and after the end of the collaboration. Requirements for access and access-rights management remain largely the same.
  10. Art. 27 DORA – Test scenarios for cyber attacks
    Comprehensive specifications for emergency management. The RTS focusses on the minimum content of recovery plans and on testing them. The number of minimum test scenarios increases from four (MaRisk) to nine.
  11. Art. 6 para. 5 DORA – Regular review of the ICT framework
    Formal documentation of the current status of the ICT risk framework must be prepared. This must be made available to the supervisory authority upon request.

2. Focus: Monitoring of critical ICT third-party service providers

Financial companies may only use critical ICT third-party service providers from third countries if they establish a registered office in the EU within twelve months of being categorised. However, there is no obligation to store data only within the EU (although there may be data protection problems if this is not the case).

In particular, the supervisory authorities have the following powers vis-à-vis ICT service providers:

  1. Request for information and documentation: relevant business or operational records, contracts, policies and guidelines, documentation, ICT security audit reports, ICT-related incident reports, and any information about parties to whom the critical ICT third-party service provider has outsourced operational functions or activities;
  2. Investigations and inspections at the premises of the ICT third-party service provider in relation to records, data, procedures, etc.; summoning representatives of the critical ICT third-party service provider to make oral or written statements; interviewing any other natural or legal person who consents to such an interview for the purpose of obtaining information about the subject matter of an investigation; requesting records of telephone conversations and data transmissions;
  3. Recommendations that the supervisor considers relevant in relation to the following:
  • the application of specific ICT security and quality requirements or procedures, in particular in relation to the issuance of patches, updates, encryption and other security measures necessary to ensure the ICT security of services provided to financial organisations;
  • the use of conditions, including their technical implementation, under which the critical ICT third-party service providers provide ICT services to financial entities, in order to prevent the occurrence or amplification of sporadic failures or to minimise potential systemic impact in the Union financial sector in the event of ICT concentration risk;
  • under certain conditions: any planned subcontracting that the critical ICT third-party service providers intend to enter into with other ICT third-party service providers or with ICT subcontractors established in a third country and which may entail risks for the provision of services by the financial undertaking or risks for financial stability;
  4. Request for reports detailing the actions taken or remedial measures implemented by the critical ICT third-party service providers in relation to the recommendations referred to in point 3.

The monitoring of critical ICT third-party service providers by the supervisory authority does not release financial companies from their obligation to monitor the service provider. The supervisory authorities examine how the financial companies take into account the risks identified in the recommendations for the critical ICT third-party service provider as part of their third-party risk management. If the risks are not or not sufficiently taken into account by financial undertakings, the supervisory authority shall notify the financial undertaking of its assessment and may, within 60 days of this notification, as a last resort, require financial undertakings to suspend the use of the critical third-party ICT service provider in whole or in part until the risks have been eliminated or to terminate the contracts with the critical third-party ICT service provider in whole or in part. 

Feel free to contact us at any time if you have any questions. We specialise in the realisation and implementation of compliance-related IT projects in the financial regulatory environment.

We can help you prepare for the new requirements of DORA.

We advise our clients to familiarise themselves with the regulation and the consultation versions of the RTS/ITS/Guidelines, including the recitals.

Compare the requirements from DORA with the regulatory requirements that already exist (e.g. MaRisk, BAIT, EBA Guidelines on outsourcing arrangements, BaFin Cloud guidance).

act legal Romania promotes two colleagues to Partner

act legal Romania kicks off the new year with good news by announcing the promotion of Andrei Croitoru and Iustina Oblu to Partner.

From the outset, act legal has nurtured legal personalities with an entrepreneurial mindset, and the promotion of Andrei and Iustina reinforces this core value.

Andrei is a Partner in the Compliance, Sensitive Investigations and White-Collar Crime practice of act legal Romania. Andrei advises and represents major domestic and international companies in sophisticated investigations involving corruption, tax evasion, fraud and work-related criminal offenses. Notably, he is the first practicing Romanian lawyer to earn the Certified Fraud Examiner (CFE) credential.

Iustina is a Partner in the Real Estate and Regulatory practices, also deeply involved in environmental matters. Iustina has a notable track record in assets acquisitions and disposals, real estate project development, drafting and negotiation of lease agreements, concessions, regulatory and environmental topics. Iustina’s expertise spans various big real estate projects, including retail, office buildings, industrial and residential properties.

“Even though it was already on the table, I remember Laura (Estrade) returning from Harvard Law School Executive Education’s Leadership in Law Firms program – she was still thinking about a question one of the lecturers asked: Who’s the next person you are going to make a Partner? I was familiar with the question, as I also took the program a while ago, and couldn’t help but smile thinking that she was just given a valuable lesson on how to build an extraordinary legal team – invest in the people you believe in. Give them responsibility. Let them shine. And so, that’s what we did. Andrei and Iustina’s go-getter attitude in complex cases and their seamless management of projects are just pluses to the tremendous confidence we have in them. Congratulations, guys, you fully deserve it and we are proud of you!” – stated Ștefan Botezatu, Managing Partner.

About act Botezatu Estrade Partners (act legal Romania)

act legal Romania is the local office of act legal, a European law firm with presence in 11 countries. act legal is a one-stop shop, providing a full range of cross-border legal services to companies and investors who intend to enter the continental European markets or are already present in the region.

For more updates on the firm’s activity, you can follow us on our LinkedIn page.

Picture showing Andrei Croitoru and Iustina Oblu, act legal Romania

Expansion course: griep Group and Swiss Post AG combine their expertise in construction logistics

Over the past 11 years, the long-established griep Group, based in Wiesbaden, has developed into one of Germany’s leading construction logistics specialists. With around 190 employees, griep covers the entire range of construction logistics services for a wide variety of construction projects – from railway station buildings to high-rise buildings, in city centres or in the countryside.

Win-win: In Swiss Post, the griep Group has found the perfect partner for growth and expansion opportunities in Germany and Switzerland. Swiss Post is successfully active in the field of logistics support for construction projects – from logistics planning and construction site logistics to disposal logistics – and in griep now has an experienced sparring partner for optimising and expanding its construction logistics services.

Subject to the approval of the German Federal Cartel Office, the collaboration is scheduled to begin in January 2024.

Advisor griep Group:
act legal Germany – act AC Tischendorf Rechtsanwälte: Dr Fabian Brocke, LL.M. (Corporate/M&A); Dr Nina Honstetter (Corporate/M&A); Dr Fabian Laugwitz, MBA, LL.M. Eur. (Commercial)

Future secured – Investor search successfully completed: The outpatient care service provider DigniCare is looking to the future with the continuation concept of Lamberth Pflege GmbH

Dr Alexander Höpfner: „With the continuation of business operations by the investor, a good solution has been found for the creditors that also takes into account the interests of those in need of care.”

In addition, around 180 jobs at the nine operating sites in Hesse, Rhineland-Palatinate, North Rhine-Westphalia, Bavaria, Thuringia, Saxony and Saxony-Anhalt will be taken over.

Advisor/proprietary administration DigniCare: LIESER Rechtsanwälte Partnerschaft mbB – Jens Lieser and Dr Martin Kaltwasser (general representatives)

Administration: act AC Tischendorf Rechtsanwälte – Dr Alexander Höpfner (administrator), Dr Felix Melzer, Maximilian Dieler (both restructuring/insolvency)