This House – Implemented Legislation
Poland’s In Person Only PESEL
Wolf Theiss Poland Senior Associate Anna Panek highlights recent changes to Poland’s PESEL procedure impacting non-EU foreigners. She stresses that a PESEL number “is essential for many administrative and corporate processes, including filing financial statements in RDF, transfer pricing reporting, submitting withholding tax statements or other tax declarations, and obtaining a trusted profile. Although having a PESEL number is not formally mandatory, in practice, its absence makes it difficult to fulfill many obligations.”
“Starting January 1, 2026, certain groups of foreigners will be required to appear in person at a municipal office to obtain a PESEL number,” she notes. “This change significantly restricts the current, more flexible procedure that allowed applications to be submitted by mail or through a proxy. The new rules will particularly affect foreign board members of Polish companies, who will need to travel to Poland to obtain a PESEL number.”
According to Panek, “the obligation to appear in person applies to individuals who are not citizens of EU Member States, citizens of EFTA countries – parties to the Agreement on the European Economic Area, citizens of the Swiss Confederation or their family members, or citizens of the United Kingdom of Great Britain and Northern Ireland or their family members (as defined in the Withdrawal Agreement). The obligation does not apply to children born in Poland.”
“Until now, an application for assigning a PESEL number could be submitted by mail or through a proxy,” Panek adds. “Starting in 2026, this will change for certain groups of foreigners mentioned above, who will be required to appear in person at the municipal office to obtain a PESEL number. Companies will need to organize visits to municipal offices for foreign management board members, which will result in additional costs and logistical challenges.” She also points to further changes on the horizon: “in November 2025, the Ministry of Digital Affairs announced further amendments to the regulations governing the issuance of PESEL numbers, which will include limiting the assignment of PESEL numbers to foreigners who indicate only the need to create a trusted profile.”
Bulgaria’s Change of Terms for Energy License Fees
CMS Sofia Managing Partner Kostadin Sirleshtov points to recent amendments that have practical implications for licensed entities. “The recent amendments of the Bulgarian Energy Act (EA) changed the terms of payment for the annual license fee in the energy sector, and the payment of the license fee must now be made by March 31 of the respective year in one payment only,” he explains. “In case of lack of payment, Bulgaria’s State Energy Regulatory Commission (EWRC) may initiate a proceeding to terminate a license. All licensees under the EA should review outstanding obligations to EWRC not later than November 30, 2025, and the annual information lists on license fees will be required in January/February 2026.”
Hungary’s Cybersecurity Act Headaches
DLA Piper Hungary Partner Zoltan Kozma reports on the ongoing implementation challenges surrounding Hungary’s Cybersecurity Act. “Despite being in force for nearly a year, Hungary’s Cybersecurity Act (Act 69 of 2024) remains problematic for foreign companies, particularly those providing telecom or digital services with significant operations in the country,” he notes. “According to the law, foreign companies need to comply if they are offering electronic communications services to Hungary, or if their main establishment is in Hungary (determined by where cybersecurity decisions are made, where cybersecurity operations are actually conducted, or where the largest workforce is located – the three-step waterfall test). This triggers obligations such as registration with Hungarian authorities and regular cybersecurity audits. However, the practical implementation of these requirements is still uncertain.”
“Registration procedures are designed for entities with a local presence, making it difficult for foreign companies without a Hungarian establishment or tax number to fulfill this obligation,” Kozma explains. “The audit requirement is even more problematic, as Hungarian-accredited auditors are not authorized to conduct audits abroad, and there is no established framework for recognizing foreign audit standards or facilitating cross-border audits. Additionally, compliance extends to cybersecurity training for management and staff, which can be logistically challenging for organizations operating outside Hungary.” The situation, he says, “is further complicated by a recent (non-binding) guidance of the regulator, which suggests that foreign entities without Hungarian establishment or representation are exempt from these obligations – a stance that appears to contradict the wording of the law. This contradiction creates further legal uncertainty and operational risk for foreign companies, as they may be exposed to regulatory action if the authorities or courts interpret the law differently in the future. Ultimately, this situation highlights an opportunity to develop clearer, more practical rules for cross-border cybersecurity regulation, not just in Hungary, but across the EU. Given that Hungary’s legislation is rooted in the NIS2 Directive, refining these requirements would strengthen the regulatory framework for everyone involved.”
Serbia’s Electronic Waybills Rolls Out
Zivkovic Samardzic Partner Slobodan Kremenjak describes the roll-out of Serbia’s Law on Electronic Waybills. The law “introduces a mandatory electronic system for issuing, exchanging, and storing waybills in Serbia. Its main goal is to digitalize the monitoring of goods in transport, increase transparency, and reduce the grey economy. The law requires all participants in the transport and supply chain – senders, carriers, and recipients – to issue and process waybills through a centralized electronic platform. This ensures real-time data availability for authorities, improving the traceability of goods. Key obligations include the timely submission of electronic waybill data, accurate reporting of transport details, and compliance with system technical standards. Non-compliance may result in penalties. Overall, the law modernizes logistics operations and strengthens regulatory oversight.”
“As of January 1, 2026, the scope of mandatory electronic waybill obligations expands significantly across the public and private sectors,” Kremenjak continues. “Public sector entities are required to issue and receive electronic waybills for all movements of goods, including exchanges between two public authorities and any other transport of goods, regardless of the type of goods involved. Carriers engaged in these movements must be able to present the corresponding electronic waybill during inspections.”
“In the private sector, including senders and carriers, beginning on the same date, electronic waybills become mandatory, specifically for the movement of excise goods,” he notes. “Private entities sending and transporting excise products must issue an electronic waybill, while recipients must be able to receive it. Additionally, from January 1, 2026, private sector entities must issue electronic waybills when delivering goods to public sector entities, and carriers involved in these deliveries must be prepared to present such waybills during inspections.” Complete application of the law “in relation to the private sector and in relation to all other goods is expected to enter into force as of October 1, 2027.”
North Macedonia’s Brace for CBAM
AK Law Partner Ana Kolevska focuses on the looming impact of the EU’s Carbon Border Adjustment Mechanism (CBAM) on North Macedonia. “As January is approaching, the final implementation phase of the EU’s CBAM is becoming an immediate and rapidly rising concern for the North Macedonian economy,” she notes. “The aim of the CBAM is to prevent ‘carbon leakage’ and support global climate action by putting a carbon price on certain imports into the EU, so that foreign producers face a similar carbon cost as EU producers. Established under the Regulation (EU) 2023/956, the CBAM applies to high-carbon commodities: cement, iron and steel, aluminum, fertilizers, electricity, and hydrogen.”
“In the absence of implementation acts, in particular calculation methodologies, CBAM Certificate adjustments, third-country carbon price deductions, and verifier accreditation, the application of the mechanism to products originating from North Macedonia is unclear,” Kolevska explains. “The playing field in export markets may thus be expected to become unlevelled. The impact of the measure in these circumstances may prove to be very significant. Industries have reacted through various associations, to no avail in respect to postponing the application of the CBAM.” She stresses that, despite staying active in engaging with regulators, “businesses should consider diligently monitoring regulatory developments, undertake to prepare financially for the potential impact of the mechanism, and carefully consider collection and verification of data pertaining to their production processes.”
Greece’s FDI Mechanism Activates
As for Greece, “on November 11, 2025, Joint Ministerial Decision 64260 (JMD) was published in the Government Gazette, activating Greece’s FDI screening mechanism,” Drakopoulos Senior Associate Sofia Angelakou points out. Introduced earlier in 2025, it aims “to protect national security and public order through monitoring of FDI in strategic sectors.”
“As the JMD’s provisions are effective immediately, foreign investors must now notify the B1 Division of the Ministry of Foreign Affairs of any intended FDI that falls within the screening mechanism’s scope,” Angelakou adds. “The JMD details the notification process and required supporting documentation. Failure to notify an FDI that falls within the scope of Law 5202, or notification after the fact, may result in the FDI being reversed or other mitigating measures being taken. Failure to submit information or submission of false information constitutes grounds for prohibiting the investment. Additionally, administrative sanctions may be imposed in the form of fines ranging from EUR 5,000 to EUR 100,000 (another ministerial decision is expected to be issued in this regard).”
This House – Reached an Accord
DSA Implementations in Bulgaria and Poland
Boyanov & Co. Partner Nikolay Zisov reports that Bulgaria has completed “the implementation of the EU Digital Services Act (DSA) through amendments to the Electronic Communications Act and related media legislation, establishing a framework for online intermediaries and media services.” He notes that “on November 6, 2025, the Bulgarian Parliament adopted the implementing amendments, confirming the Digital Services Act as directly applicable law and embedding national supervisory and enforcement mechanisms.”
“The Communications Regulation Commission (CRC) is designated as the national Digital Services Coordinator, overseeing compliance by intermediary service providers other than video-sharing platforms,” Zisov explains. “Its mandate covers supervision of hosting providers, online platforms, and cloud services, certification of out-of-court dispute resolution bodies, and granting trusted flagger and vetted researcher status. The CRC may carry out inspections, request information from DNS operators and other intermediaries, and impose urgent interim measures, including temporary restrictions on access to specific digital services where serious harm is likely.”
“The Council for Electronic Media continues to supervise video-sharing platforms and to enforce the Radio and Television Act in line with the Audiovisual Media Services Directive,” he adds. “Its priorities include transparency of ownership and control, protection against harmful content and disinformation, child protection, and accessibility for users with disabilities. The Commission for Personal Data Protection is responsible for monitoring profiling-based advertising, with a particular focus on limiting targeted ads to minors and ensuring lawful bases and transparency.” For businesses, Zisov highlights, “these changes mean a stricter compliance environment, backed by significant administrative fines that can reach up to 6% of a provider’s global annual turnover for serious DSA violations. Companies must reassess their content moderation rules, notice-and-action procedures, internal complaint handling, advertising transparency, and risk management, aligning them with DSA standards.”
According to Addleshaw Goddard Poland Associate Malgorzata Czubernat, “the most significant development in Poland’s TMT landscape in the past month has been the submission of national legislation implementing the DSA to the President and the Senate.” She explains that “following parliamentary approval in late November 2025, the draft law establishes a long-awaited regulatory framework for online platforms, hosting providers, and intermediaries, setting out rules for content moderation and transparency obligations in Poland. The law is expected to be enacted in the near future, marking an important step for compliance in the Polish digital market.”
Czubernat notes that the act strengthens user rights, including “the ability to appeal content removals and request clearer explanations of platform decisions. It also introduces obligations for service providers to process notices of illegal content, maintain transparent moderation rules, and implement internal complaint-handling mechanisms. Importantly, the draft law aims to implement the DSA into the Polish legal system by designating the competent supervisory authority and specifying potential penalties for non-compliance.” From a TMT/IP perspective, she observes that the upcoming implementation of the DSA “is already prompting companies to update their compliance frameworks, internal policies, and contractual arrangements with moderators, content partners, and technology vendors.”
“In the coming months, attention will focus on the practical implementation of the DSA in Poland,” Czubernat adds, as authorities and stakeholders monitor the transposition of EU rules into national law. “For digital platforms, media groups, and marketplaces operating in Poland, the DSA-aligned framework represents a significant compliance step, requiring updates to internal procedures – and its application is expected to evolve as the law is enforced and clarified.” She notes that “in light of the recent fine imposed on X under the DSA, the upcoming implementation in Poland is particularly noteworthy and closely watched by the digital industry.”
The Verdict
Czech Forced Labor Concerns
Peterka & Partners Partner Adela Krbcova highlights a recent decision of the Czech Constitutional Court concerning employee transfers and potential forced labor concerns. The case raised questions such as whether “a cabin crew manager can be reassigned to perform office duties, and what happens if the manager does not consent to such a change, as well as cases where their health condition does not allow them to fly.”
“The Czech Constitutional Court recently upheld a provision of the Labor Code that allows the transfer to other appropriate work of an employee who, for example, has lost their long-term capacity to work due to a work-related accident; even without the employee’s consent, this cannot be considered forced labor,” she explains. “The court stressed that even if the performance of the new work is not necessarily voluntary, it is not forced by the threat of punishment nor does it place an unreasonable burden on the employee. The court also stated that an employee can only be transferred to new work corresponding to their health condition, abilities, and, to the maximum extent possible, to their qualifications. Once the reason for the transfer disappears, the employee must return to their position as specified in their employment contract. In case of termination, severance pay is not necessarily lost due to the transfer.”
“The court also emphasized that it has not foreseen whether the said legal provision is in line with other constitutional principles and fundamental rights,” Krbcova notes. “There is even one dissenting opinion highlighting potential discrimination of disabled employees.” Therefore, she says, “even though legislators have since replaced severance pay in case of termination for most health reasons with compensation paid from mandatory employer insurance, further amendments to the Labor Code focusing on this provision remain possible. The Supreme Court may also decide to submit a preliminary question to the Court of Justice of the European Union for further clarification.”
In the Works
Geosolar Green Light
Sirleshtov reports that the Bulgarian energy sector continues to see substantial investment activity. “In November 2025, a major renewable energy producer – Geosolar Kamenyak (owner of a 75-megawatt PV project) – put it in operation and obtained permission for electricity generation from the EWRC,” he notes. “In parallel, DSK Bank approved a project-financing package exceeding EUR 160 million for three new battery energy storage system projects in Bulgaria.”
Regulators Weigh In
Ukraine’s Beverage Competition Fines
Redcliffe Partners Partner Denys Medvediev notes that “recent enforcement activity by the Antimonopoly Committee of Ukraine (AMCU) indicates a sustained focus on the beverage sector, addressing a range of issues from unfair competition to gun-jumping.” In recent years, he says, “the AMCU has imposed several notable fines in the beverage segment for deceptive claims. Among the most prominent were the late-2024 decisions penalizing two mineral water producers with EUR 45,000 and 400,000, respectively, for disseminating unverified health claims.” The committee’s focus on identifying misleading health claims “is part of a broader enforcement trend. The AMCU has increasingly positioned itself as a gatekeeper against deceptive health-related marketing across multiple industries, including cosmetics and food additives, meaning the beverage sector is not exceptional in this regard.”
“Earlier this year, in continuation of this trend, several Ukrainian producers were fined for falsely claiming that their bottled waters originated from specific springs and offered health benefits,” Medvediev continues. “The fines were relatively moderate.” However, he notes that some of the AMCU’s recent actions show that its focus “goes far beyond health-related claims. About a month ago, a juice producer was fined over EUR 800,000 for gun-jumping – acquiring four companies without obtaining merger control approvals. Shortly afterward, in early December 2025, another producer was fined EUR 440,000 for packaging flavored alcoholic drinks in designs closely resembling those of a competitor, potentially misleading consumers and creating an unfair competitive advantage.”
“Whether this pattern reflects a deliberate enforcement strategy or coincidental detection of violations, it is clear that certain sectors attract heightened scrutiny from the AMCU,” Medvediev concludes. “Once the committee begins investigating a sector, its information requests can trigger a chain reaction, uncovering additional violations. For businesses operating in these sectors, the key takeaway is to proactively ensure compliance: verify marketing and health-related claims, conduct notifiability analysis, and review product packaging for potential similarities with competitors.”
Turkiye’s Sweeter Competition Take
Actecon Counsel Mustafa Ayna reports on a recent adjustment by the Turkish Competition Authority (TCA) to commitments imposed on Ferrero in the hazelnut market. “In November 2025, the TCA temporarily reduced Ferrero’s minimum hazelnut purchase obligation for September-December 2025 from 45,000 tons to 30,000 tons,” he says. “This modification follows an application by Ferrero citing reduced crop yields and quality problems affecting the 2025 harvest. According to the TCA, this limited revision preserves competitive equilibrium whilst preventing harm to producers and supporting sectoral stability in light of exceptional crop conditions. All other commitments remain unchanged.”
Ayna reminds that the revision stems from binding commitments originally imposed on March 7, 2024, “when the TCA concluded an investigation into Ferrero’s practices in Turkiye’s hazelnut market. The investigation addressed competition concerns arising from Ferrero’s market position as a major purchaser of Turkish hazelnuts. Rather than imposing fines, the TCA accepted commitments offered by Ferrero to ensure fair market conditions for the 2024-2026 period.” Under the March 2024 commitments, Ferrero is required to “refrain from purchasing hazelnuts below the intervention reference price; not exceed 100,000 tons of shelled hazelnut purchases per season; and purchase at least 45,000 tons of shelled hazelnuts during the September-December period each year. These obligations were designed to prevent anti-competitive purchasing practices whilst maintaining market stability for producers and competitors.”
“The TCA will impose daily administrative fines on Ferrero for any period of non-compliance with the revised or existing commitments,” Ayna notes. “This sanction intensifies as non-compliance continues, ensuring that undertakings closing investigations through commitments remain bound by them. This decision demonstrates the flexibility of the commitments mechanism in competition law enforcement, allowing targeted adjustments in response to exceptional market conditions whilst preserving core competitive safeguards. The threat of escalating daily fines ensures compliance remains robust even as specific terms are modified.”
Turkish Data Protection AI Guidelines and Updated Fines
AECO Law Partner Cagri Cetinkaya highlights several recent developments in Turkiye’s data protection field. First, he notes that “the Turkish Data Protection Authority (DPA) has issued a Guideline on Generative Artificial Intelligence and Personal Data Protection (Guideline) on November 24, 2025, which provides an assessment of generative AI technologies from a data protection law perspective.” The Guideline “identifies and evaluates the principal personal data processing activities that may arise during the training, deployment, and output phases of generative AI systems. It further sets out interpretative guidance on how such activities should be addressed in accordance with the provisions of the Turkish Data Protection Law (Turkish DPL). In particular, the Guideline underscores the need for case-by-case assessments when allocating responsibilities between data controllers and data processors. It reiterates the imperative to adhere to data protection principles, including lawfulness, transparency, and accuracy, as set out in Article 4 of the Turkish DPL.” Organizations, he stresses, “should reassess their AI-related data processing activities in line with the Guideline.”
Cetinkaya also points to the annual adjustment of administrative fines. “As published in the Official Gazette dated November 27, 2025, the revaluation rate to be applied for the Year 2026 has been determined as 25.49%. Consequently, administrative fines for the Year 2026 under the Turkish Data Protection Law No. 6698 have been adjusted in line with this rate,” he explains. “Following this update, administrative fines now range from TRY 85,437 to TRY 17,092,242 (approximately EUR 1,725 to EUR 345,000).” Failure to address data protection compliance issues, he warns, “may result in increased financial risks in 2026.”
Turkish Energy Regulator Looks at Cybersecurity
Second, Cetinkaya points to amendments to the Energy Sector Cybersecurity Competence Model Regulation from the Energy Market Regulatory Authority (EMRA). “The EMRA has introduced several revisions to the framework governing cybersecurity competence and audit processes in the energy industry on November 25, 2025,” he explains. “Among others, the amendments tighten the qualification requirements for auditor personnel, such as requiring an ISO/IEC 27001 Lead Auditor certificate or a valid CISA certificate, along with relevant professional experience and other procedural requirements. The updated framework raises the bar for qualifications in cybersecurity auditing within the energy sector. Energy companies should review their current compliance level.”
Turkiye Shares Refugee Data with UNHCR
Third, Cetinkaya notes that “the Presidency of Migration Management under the Ministry of Interior is authorized by the Turkish DPA, on November 11, 2025, to share refugee data with the United Nations High Commissioner for Refugees. This authorization is a unique example of administrative capacity under Article 9 of the Turkish DPL, which authorizes the Turkish DPA to allow data transfers to international institutions. This special authorization serves as a unique example of administrative capacity in Article 9 of the Turkish DPL, which is noteworthy for international organizations transferring personal data from Turkiye.”
In Related News
NIS Continued Sanction Woes
JPM & Partners Senior Partner Jelena Gazivoda reports that uncertainty surrounding the future of NIS continues to dominate Serbia’s energy sector. “The key energy issue currently facing the Republic of Serbia remains the unresolved status of NIS,” she says. “The company continues to hope for a license to maintain its operations, although it has received no response from OFAC for the extension. Expectations were cautiously renewed when Lukoil’s operating license – covering both the parent company and its subsidiaries – was extended until April 29, 2026. This development has somewhat eased Serbia’s position by allowing continued market supply through that channel.”
“However, time is running out for NIS, since the transfer of ownership must be completed by February 13, 2026,” Gazivoda continues. “The Hungarian company MOL is often mentioned as a potential buyer, given its interest in consolidating its dominant regional position by acquiring NIS. Still, such a transaction appears distant, as the future of NIS will ultimately be determined at a higher, geo-strategic level. As a result, a resolution is unlikely in the near term.” In the meantime, she notes, “efforts are accelerating to establish alternative supply mechanisms, diversify sources, and build up reserves using both domestic and foreign storage capacities. A significant challenge is the uneven geographical distribution of fuel stations operated by suppliers other than NIS. Notably, 51 municipalities in Serbia rely exclusively on NIS stations, meaning there is currently no alternative fuel supply available to them.”
“As of now, financial transactions with NIS are still functioning,” she adds. “However, concerns remain that if the National Bank of Serbia does not remove NIS from the domestic payment system – an action that could almost certainly push the company into bankruptcy – it risks exposure to secondary sanctions. Such sanctions could restrict international payments and potentially block access to the NBS’s foreign currency and gold reserves held abroad, thereby sharply increasing inflationary pressures.” Regarding gas supply, “an issue even more critical for Serbia than oil,” Gazivoda notes that “there are growing indications that the country will secure a new short-term gas purchase agreement at a favorable price. This would ensure stability and security of supply for the remainder of the winter.”
Hungary’s Media Freedom Act Gap
Schoenherr Hungary Partner Kinga Hetenyi draws attention to “a significant regulatory gap in Hungary following the entry into force of the European Media Freedom Act (EMFA) on August 8, 2025.” According to her, “the EMFA, adopted as Regulation (EU) 2024/1083, introduces, among other provisions, a mandatory framework for assessing media market concentrations to safeguard media pluralism and editorial independence. Under Article 22, Member States are required to implement substantive and procedural rules enabling such assessments alongside traditional merger control.”
“However, Hungary has refused to apply most EMFA provisions, including implementing the media pluralism test under Article 22 into national law, having challenged the Regulation’s validity before the Court of Justice of the European Union (CJEU) in case C 486/24,” she notes. “This situation leaves Hungary without any sector-specific mechanism for evaluating media concentrations, relying solely on the general assessment under competition law (but not under a media plurality test). On the other hand, Article 22 cannot be applied directly by the Hungarian Competition Authority, as this would, in accordance with general principles of EU law and the case law of the CJEU, require an equivalent national procedure for the assessment of media pluralism to already exist.”
“The legal implications are noteworthy,” Hetenyi continues. “While the EMFA is binding in its entirety, private parties do not have any legal means to invoke it before Hungarian courts or to compel authorities to conduct assessments. Enforcement will therefore depend on EU-level mechanisms, such as the publication of non-binding opinions from the European Media Board and/or the European Commission under Article 23, and potential treaty infringement proceedings against Hungary under Article 258 TFEU. Nevertheless, even if the CJEU deems that Hungary did violate the EU treaties, this does not create any legal implications for private actors.” As a result, she concludes, “this development effectively results in the EMFA currently not being applied to media transactions in Hungary. While immediate private enforcement risks are limited, reputational and political scrutiny at the EU level may intensify, signaling a complex compliance landscape for media operators.”
This article was originally published in Issue 12.11 of the CEE Legal Matters Magazine.