<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>cybersecurity - KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019</title>
	<atom:link href="https://www.kg-legal.eu/info/tag/cybersecurity-en/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.kg-legal.eu/info/tag/cybersecurity-en/</link>
	<description>KIELTYKA GLADKOWSKI LEGAL &#124; CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019</description>
	<lastBuildDate>Wed, 13 May 2026 10:56:58 +0000</lastBuildDate>
	<language>en-GB</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	
	<item>
		<title>Interplay Between the Data Act and the GDPR: A Practical Guide for Businesses</title>
		<link>https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/interplay-between-the-data-act-and-the-gdpr-a-practical-guide-for-businesses/</link>
					<comments>https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/interplay-between-the-data-act-and-the-gdpr-a-practical-guide-for-businesses/#respond</comments>
		
		<dc:creator><![CDATA[jakub]]></dc:creator>
		<pubDate>Wed, 13 May 2026 10:56:58 +0000</pubDate>
				<category><![CDATA[IT, NEW TECHNOLOGIES, MEDIA AND COMMUNICATION TECHNOLOGY LAW]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[DataAct]]></category>
		<category><![CDATA[DataGovernance]]></category>
		<category><![CDATA[DataPrivacy]]></category>
		<category><![CDATA[EUDataAct]]></category>
		<category><![CDATA[gdpr]]></category>
		<category><![CDATA[LegalTech]]></category>
		<category><![CDATA[RegTech]]></category>
		<guid isPermaLink="false">https://www.kg-legal.eu/?p=8769</guid>

					<description><![CDATA[<p>Publication date: May 13, 2026 The entry into application of the EU Data Act on 12 September 2025 marks one of the most significant developments in European data regulation since the adoption of the General Data Protection Regulation (GDPR). While the GDPR established a comprehensive framework for the protection of personal data, the Data Act [&#8230;]</p>
<p>The article <a href="https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/interplay-between-the-data-act-and-the-gdpr-a-practical-guide-for-businesses/">Interplay Between the Data Act and the GDPR: A Practical Guide for Businesses</a> comes from <a href="https://www.kg-legal.eu">KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p><mark style="background-color:rgba(0, 0, 0, 0)" class="has-inline-color has-vivid-cyan-blue-color"><strong>Publication date: May 13, 2026</strong></mark></p>



<p>The entry into application of the EU Data Act on 12 September 2025 marks one of the most significant developments in European data regulation since the adoption of the General Data Protection Regulation (GDPR). While the GDPR established a comprehensive framework for the protection of personal data, the Data Act introduces a new legal regime designed to improve access to and use of data generated by connected products and related digital services.</p>



<span id="more-8769"></span>



<p>For businesses operating in the European Union, the key challenge is not understanding each regulation in isolation, but determining how they interact in practice. Many organizations already have mature GDPR compliance frameworks, but the Data Act creates additional obligations that require them to share data with users and third parties. Where those datasets contain personal data, compliance with the Data Act must be reconciled with the GDPR.</p>



<p>This article explains the relationship between the Data Act and the GDPR in practical terms. It highlights the main legal issues and outlines the steps businesses should take to prepare.</p>



<p><strong>What Is the Data Act?</strong></p>



<p>The Data Act, Regulation (EU) 2023/2854, is part of the European Union&#8217;s broader strategy to build a single market for data. Its purpose is to ensure that users of connected products and related services can access the data they generate and, in certain circumstances, require that such data be shared with third parties.</p>



<p>The regulation is intended to rebalance the relationship between manufacturers, service providers and users. In many industries, companies that design connected products control large volumes of data generated through use of those products. The Data Act seeks to ensure that users are able to benefit from this data rather than being locked into a single ecosystem.</p>



<p>The regulation applies to both personal and non-personal data, which is one of the key differences from the GDPR.</p>



<p>Examples of products and services covered by the Data Act include smart watches, connected vehicles, industrial machinery, medical devices, smart home appliances, agricultural equipment and software applications that process the data generated by such products.</p>



<p><strong>What Is the GDPR?</strong></p>



<p>The GDPR governs the processing of personal data relating to identified or identifiable natural persons. Its objective is to protect privacy and ensure that personal data is processed lawfully, fairly and transparently.</p>



<p>The GDPR applies whenever data relates to an individual and a controller or processor carries out an operation such as collecting, storing, sharing or analyzing that data.</p>



<p>Unlike the Data Act, the GDPR does not grant a broad right of access to all data generated by products. It focuses solely on personal data and establishes rights such as access, rectification, erasure and portability.</p>



<p><strong>The Relationship Between the Data Act and the GDPR</strong></p>



<p>The Data Act expressly states that it is without prejudice to EU and national laws on personal data protection, privacy and confidentiality of communications. In practical terms, this means that the Data Act does not override the GDPR. If a company is required to provide data under the Data Act and the dataset contains personal data, the GDPR continues to apply in full.</p>



<p>This principle has several important consequences.</p>



<p>First, the Data Act does not create a new legal basis for processing personal data. A company cannot rely on the Data Act alone to justify collecting, disclosing or otherwise processing personal data.</p>



<p>Second, organizations must continue to comply with all GDPR principles, including purpose limitation, data minimization, storage limitation and security.</p>



<p>Third, where there is a conflict between the two regulations, the GDPR prevails in relation to personal data.</p>



<p><strong>Why This Matters in Practice</strong></p>



<p>Most data generated by connected products is not purely personal or purely non-personal. Instead, businesses often deal with mixed datasets.</p>



<p>A connected vehicle, for example, may generate information on speed, fuel consumption, component performance, geolocation and driver behavior. Some of this information clearly relates to an identifiable person and therefore qualifies as personal data. Other elements may be technical or operational in nature.</p>



<p>Where personal and non-personal data are inextricably linked, organizations should assume that the GDPR applies to the dataset as a whole unless the data can be effectively separated.</p>



<p>This means that compliance with the Data Act often requires a GDPR analysis before any disclosure can take place.</p>



<p><strong>Practical Example: Smart Watch Data</strong></p>



<p>A consumer uses a smart watch that collects heart rate, sleep patterns, exercise metrics and location information. The consumer wishes to transfer the data to a third-party health application.</p>



<p>Under the Data Act, the user may request access to the data generated by the device and ask the manufacturer to transmit the data to another provider.</p>



<p>Because the dataset contains information relating to an identifiable person, the GDPR applies.</p>



<p>In this scenario, the manufacturer must verify that the request is valid, ensure the transmission is secure and process the data in accordance with the GDPR. The Data Act creates the obligation to provide the data, but the GDPR determines how the transfer must be carried out.</p>



<p><strong>Practical Example: Industrial Equipment</strong></p>



<p>A manufacturing company leases connected machinery that generates data concerning temperature, output, wear and maintenance cycles. The company wants to share this data with an independent maintenance provider.</p>



<p>The Data Act allows the user to request access to the data and to require the data holder to share it with a third party.</p>



<p>If the dataset contains no personal data, the GDPR may not apply.</p>



<p>However, if the data includes operator IDs or logs that can identify employees, GDPR considerations arise. The data holder must assess whether a lawful basis exists for sharing those elements.</p>



<p><strong>Key Roles Under the Data Act and the GDPR</strong></p>



<p>The terminology used by the two regulations differs, but the concepts often overlap. Under the Data Act, the principal roles are the data holder, the user and the data recipient. Under the GDPR, the key roles are the controller and processor. In practice, a data holder will often act as a controller because it determines the purposes and means of processing personal data. A business user receiving data may also become a controller if it decides how the data will be used.</p>



<p>This distinction is important because the recipient of data under the Data Act may inherit independent GDPR obligations.</p>



<p><strong>Data Portability: How the Data Act Expands Existing Rights</strong></p>



<p>The GDPR grants individuals a right to data portability, but this right is limited to personal data provided by the data subject and processed on the basis of consent or contract. The Data Act significantly broadens this concept.</p>



<p>It applies to data generated through the use of connected products and related services, regardless of whether the data is personal or non-personal.</p>



<p>For businesses, this means that existing GDPR portability procedures will usually not be sufficient. Organizations may need entirely new technical and contractual frameworks to handle Data Act requests.</p>



<p><strong>Trade Secrets and Confidential Information</strong></p>



<p>One of the most common concerns raised by businesses is the protection of proprietary information. The Data Act recognizes that data may contain trade secrets and allows data holders to implement safeguards such as confidentiality agreements, access controls and contractual restrictions. However, trade secret protection is not an automatic ground for refusing access. A refusal is permitted only in exceptional circumstances where disclosure would likely cause serious economic harm and where protective measures are insufficient.</p>



<p>In practice, businesses should assume that most requests will need to be fulfilled, subject to appropriate safeguards.</p>



<p><strong>Smart Contracts</strong></p>



<p>The Data Act introduces specific requirements for smart contracts used to automate data sharing.</p>



<p>Where businesses use blockchain-based or automated systems to execute data-sharing arrangements, those systems must meet standards relating to security, integrity and the ability to terminate or interrupt execution where necessary. Although this aspect of the regulation may not affect all organizations, it is highly relevant to businesses deploying decentralized or automated contractual technologies.</p>



<p><strong>Cloud Switching and Digital Assets</strong></p>



<p>The Data Act also addresses switching between providers of data processing services, including cloud providers. Customers must be able to move digital assets such as applications, configuration files, metadata and access credentials to another provider more easily. Organizations that offer cloud or platform services should review their contractual and technical arrangements to ensure that customers can migrate without undue barriers.</p>



<p><strong>Legal Basis for Processing Personal Data</strong></p>



<p>A recurring misconception is that the Data Act itself authorizes disclosure of personal data. This is incorrect. Whenever personal data is involved, a valid legal basis under the GDPR remains necessary. The applicable legal basis will depend on the circumstances. In some cases, processing may be necessary for the performance of a contract. In others, consent or legitimate interests may be relevant. Where the user requesting the data is a business rather than the individual to whom the data relates, the requesting party may need to demonstrate that it has an independent lawful basis for processing the personal data.</p>



<p><strong>What Businesses Should Do</strong></p>



<p>Organizations should begin by identifying whether they fall within the scope of the Data Act. Businesses that manufacture connected products, provide related services, control access to product-generated data or offer cloud services are the most likely to be affected. The next step is to map the data generated by products and services. This exercise should identify what data is collected, whether it includes personal data, who controls it and with whom it may be shared.</p>



<p>Once the data landscape is understood, businesses should review the legal bases for processing any personal data contained in those datasets.</p>



<p>Policies and procedures should then be updated to address Data Act requests. Existing GDPR processes will rarely be sufficient because they are designed primarily for requests from individuals, not business-to-business data sharing.</p>



<p>Contracts with customers, partners and recipients should be revised to address data use restrictions, confidentiality obligations, trade secret protections and security measures.</p>



<p>Technical teams should ensure that systems can provide data in accessible formats, authenticate requesters, record disclosures and protect sensitive information.</p>



<p>Finally, legal, compliance, IT and customer support teams should be trained so that they understand how to manage requests consistently.</p>



<p><strong>Common Pitfalls</strong></p>



<p>Businesses preparing for the Data Act frequently make several mistakes. The first is assuming that the Data Act overrides the GDPR. In reality, the GDPR remains fully applicable whenever personal data is involved. The second is underestimating the complexity of mixed datasets. The third is relying too heavily on trade secret arguments to resist disclosure. The fourth is failing to update contracts and operational procedures.</p>



<p>The fifth is treating compliance as a purely legal issue rather than a multidisciplinary project involving legal, IT, security and commercial teams.</p>



<p><strong>Enforcement and Business Risk</strong></p>



<p>Failure to comply with the Data Act may result in regulatory investigations, disputes with customers and partners, and reputational damage. Where personal data is mishandled, GDPR enforcement risks also arise, including potentially significant administrative fines. For this reason, businesses should approach the Data Act as a strategic compliance project rather than a narrow contractual exercise.</p>



<p><strong>Conclusion</strong></p>



<p>The Data Act and the GDPR are complementary regulations that pursue different objectives. The GDPR protects individuals and their personal data. The Data Act promotes broader access to data generated by connected products and services. When those datasets contain personal data, organizations must apply both regimes simultaneously. The Data Act creates the obligation to make data available, while the GDPR determines the conditions under which personal data may be processed and shared.</p>



<p>Businesses that rely on connected products, IoT ecosystems, industrial data or cloud services should begin preparing well in advance.</p>



<p>Organizations that invest now in data mapping, contractual updates, technical controls and internal governance will be best positioned to comply with the new rules and to leverage data as a strategic asset.</p>



<p><strong>Client Alert</strong></p>



<p><strong>EU Data Act Applies from 12 September 2025: Is Your Business Ready?</strong></p>



<p>The EU Data Act introduces a new framework governing access to data generated by connected products and related services. It applies from 12 September 2025 and will affect manufacturers, software providers, cloud providers and businesses that rely on connected technologies.</p>



<p>The regulation grants users the right to access data generated by products they use and to request that such data be shared with third parties.</p>



<p>Where the data includes personal data, the GDPR remains fully applicable.</p>



<p>For many organizations, the Data Act will require updates to contracts, technical systems and operational procedures.</p>



<p>Businesses should begin by identifying whether they control product-generated data, determining whether datasets include personal data, and assessing whether existing systems can support secure and compliant data sharing.</p>



<p>Organizations should also review trade secret protections and update agreements with customers and business partners.</p>



<p>Companies that prepare early will be better positioned to meet legal obligations and capitalize on new opportunities arising from increased data portability.</p>



<p><strong>Data Act Implementation Checklist</strong></p>



<p>An effective implementation project should begin with a governance assessment to determine which internal teams will be responsible for legal analysis, technical implementation and operational oversight.</p>



<p>The organization should then conduct a comprehensive data mapping exercise covering all connected products, related services and cloud environments. This exercise should distinguish between personal data, non-personal data and mixed datasets.</p>



<p>A legal review should be undertaken to confirm the GDPR legal bases for processing personal data and to identify any restrictions arising from confidentiality obligations or trade secret protections.</p>



<p>Customer terms, data-sharing agreements, cloud contracts and internal policies should be revised to reflect Data Act requirements.</p>



<p>Technical teams should ensure that systems are capable of exporting data in usable formats, authenticating requesters, logging disclosures and protecting confidential information.</p>



<p>Operational procedures should be established for receiving, reviewing and responding to requests.</p>



<p>Training should be delivered to legal, compliance, IT, security and customer-facing teams.</p>



<p><strong>The EU Data Act Meets the GDPR: What Businesses Need to Know</strong></p>



<p>With the EU Data Act becoming applicable from <strong>12 September 2025</strong>, we’re entering a new era of data regulation in Europe — one that doesn’t replace the GDPR, but fundamentally reshapes how it operates in practice.</p>



<p>For many organizations, the challenge is no longer <em>GDPR vs. Data Act</em>, but how both frameworks work together when data is shared, accessed, and reused.</p>



<p>The key reality?<br>Most data generated by connected products is <strong>mixed — personal and non-personal at the same time</strong>. And that changes everything.</p>



<h3 class="wp-block-heading">Key takeaway:</h3>



<p>The Data Act creates obligations to <strong>share data</strong>, but the GDPR still governs <strong>how personal data can be processed and transferred</strong>. The Data Act never overrides GDPR requirements.</p>



<h3 class="wp-block-heading">What this means in practice:</h3>



<ul class="wp-block-list">
<li>No new legal basis for processing personal data under the Data Act</li>



<li>GDPR principles (minimization, purpose limitation, security) still fully apply</li>



<li>Trade secrets don’t automatically block access requests</li>



<li>Data portability rights are significantly expanded beyond GDPR scope</li>



<li>Cloud and IoT ecosystems will need major technical and contractual updates</li>
</ul>



<h3 class="wp-block-heading">The real challenge for businesses</h3>



<p>Compliance is no longer just legal — it’s operational and technical.</p>



<p>Organizations will need to:</p>

<ul class="wp-block-list">
<li>Map all product-generated data</li>
<li>Identify where personal data is involved</li>
<li>Update contracts and data-sharing frameworks</li>
<li>Build secure, auditable data access systems</li>
<li>Align legal, IT, and compliance teams</li>
</ul>



<h3 class="wp-block-heading">Bottom line:</h3>



<p>The Data Act doesn’t replace the GDPR — it adds a new layer of complexity on top of it. Companies that prepare early will not only reduce compliance risk but also gain a competitive advantage in the emerging EU data economy.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/interplay-between-the-data-act-and-the-gdpr-a-practical-guide-for-businesses/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Unauthorized Transactions and Consumer Protection in Modern Banking</title>
		<link>https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/unauthorized-transactions-and-consumer-protection-in-modern-banking/</link>
					<comments>https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/unauthorized-transactions-and-consumer-protection-in-modern-banking/#respond</comments>
		
		<dc:creator><![CDATA[jakub]]></dc:creator>
		<pubDate>Mon, 11 May 2026 13:17:00 +0000</pubDate>
				<category><![CDATA[IT, NEW TECHNOLOGIES, MEDIA AND COMMUNICATION TECHNOLOGY LAW]]></category>
		<category><![CDATA[BankingSecurity]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[Unauthorized Transactions]]></category>
		<category><![CDATA[UnauthorizedTransactions]]></category>
		<guid isPermaLink="false">https://www.kg-legal.eu/?p=8739</guid>

					<description><![CDATA[<p>Publication date: May 11, 2026 An unauthorized transaction is a financial transaction made without the consent of the account or cardholder, for example, as a result of data theft. In such a situation, the bank is obligated to return the funds unless it can prove the customer&#8217;s intentional act or gross negligence. Currently, there is [&#8230;]</p>
<p>The article <a href="https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/unauthorized-transactions-and-consumer-protection-in-modern-banking/">Unauthorized Transactions and Consumer Protection in Modern Banking</a> comes from <a href="https://www.kg-legal.eu">KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p><mark style="background-color:rgba(0, 0, 0, 0)" class="has-inline-color has-vivid-cyan-blue-color"><strong>Publication date: May 11, 2026</strong></mark></p>



<p><strong>An unauthorized transaction is a financial transaction made without the consent of the account or cardholder, for example, as a result of data theft. In such a situation, the bank is obligated to return the funds unless it can prove the customer&#8217;s intentional act or gross negligence.</strong></p>



<p>Currently, there is a noticeable increase in unauthorized transactions. This causes payers and banks to lose nearly a billion złoty annually. The Polish Financial Ombudsman is noticing a growing number of requests for intervention regarding unauthorized payment transactions. In the first half of 2020 alone, it received 416 requests. This is more than in all of 2018, when there were 367. In 2019, there were 612 requests, an increase of almost 60%. It is worth noting that in the first half of 2020, requests regarding unauthorized transactions accounted for 80% of all requests related to violations of the Payment Services Act.</p>



<span id="more-8739"></span>



<h2 class="wp-block-heading"><strong>Legal definition</strong></h2>



<p>The Payment Services Act <a href="#_ftn1" id="_ftnref1">[1]</a> (which has been harmonized with EU law<a href="#_ftn2" id="_ftnref2">[2]</a>) lacks a definition of an unauthorized transaction, but it can be derived from Article 40(1) of the Act. A payment transaction is considered authorized if the payer has consented to executing the payment transaction in the manner provided for in the contract between the payer and their payment service provider. Consent may also apply to subsequent payment transactions. In simple terms, an unauthorized payment transaction is one to which the payer has not consented, i.e., has not authorized it. Authorization should be distinguished from authentication, i.e., a technical act involving the provision of payer data, use of an appropriate financial token, etc. An authenticated transaction may remain unauthorized due to the use of various manipulation and social engineering techniques, such as phishing.</p>



<p><strong>Bank account agreement</strong></p>



<p>Pursuant to Article 725 of the Civil Code, through a bank account agreement, the bank undertakes to the account holder, for a specified or unspecified period, to hold their funds and, if the agreement so provides, to conduct monetary settlements on their behalf. The bank is therefore the owner of the funds and should ensure their security.</p>



<ul class="wp-block-list">
<li>the funds become the property of the bank</li>



<li>the account holder&#8217;s entitlement constitutes a claim against the bank, and its size is indicated by the account balance.</li>
</ul>



<h2 class="wp-block-heading"><strong>Possibility of receiving a refund</strong></h2>



<p>It is possible to obtain a refund from a bank in the event of an unauthorized transaction. The Payment Services Act, in this case, assumes a shift in the burden of proof from the customer to the bank (reversed burden of proof). Article 45, paragraph 1 of the Act states that the user&#8217;s provider bears the burden of proving that the payment transaction was authorized and correctly recorded in the provider&#8217;s payment transaction processing system and that it was not affected by a technical failure or other defect related to the payment service provided by that provider, including the provider providing the payment transaction initiation service.</p>



<p>Under the Act, the bank is obligated to respond to a complaint within 15 days (and exceptionally within 35 days in particularly complex cases). If the response deadline is extended, the bank must inform the client within 15 days of the extension and the basis for it. Communication is in writing, but with the client&#8217;s consent, electronic contact is also possible. If the complaint is upheld, the refund must be made immediately, within one business day of notification to the bank. If the bank disagrees with the client, it must notify law enforcement authorities and may then waive the refund. The payer will be required to return the funds once the bank proves that the client:</p>



<ul class="wp-block-list">
<li>made the transaction himself in order to defraud the bank, or</li>



<li>has intentionally or through gross negligence violated the user&#8217;s obligations.</li>
</ul>



<p>The user&#8217;s obligations are as follows:</p>



<ul class="wp-block-list">
<li>immediately reporting theft of funds or unauthorized third-party access to the account,</li>



<li>using the account in accordance with the contractual terms,</li>



<li>storing individual authentication data with due diligence (in particular not making them available to unauthorized persons).</li>
</ul>



<p><strong>Accidental transfer and unauthorized transaction</strong></p>



<p>Unauthorized transactions should be distinguished from erroneous transfers. In the case of an erroneous transfer, the payer intends to complete the transaction (authorizes) and confirms login details (authenticates), but due to an error, the funds are transferred to the wrong recipient&#8217;s bank account. The customer should immediately notify the bank of the error. The bank will contact the recipient of the erroneous transfer within three days, informing them of the consequences of failing to refund within 30 business days. The bank will provide the recipient with a technical account to eliminate the risk of data leaks. The payer receives the refund from the technical account. The recipient remains anonymous and cannot be charged any fees. The bank may, however, pass on the costs of the refund to the payer. If the recipient of the transfer does not transfer the funds to the technical account within 30 days, the bank will share the recipient&#8217;s data with the payer, who will then be able to pursue civil claims.</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><strong>Accidental transfer</strong></td><td><strong>Unauthorized transaction</strong></td></tr><tr><td>the payer knowingly makes the transfer</td><td>a third party interferes in the process</td></tr><tr><td>he realizes that he mistakenly made it to the wrong account</td><td>lack of payer&#8217;s consent, further-reaching rights</td></tr><tr><td>authorized and authenticated.</td><td>authenticated but unauthorized.</td></tr></tbody></table></figure>



<p><strong>Exceptions to the return obligation</strong></p>



<p>Pursuant to Article 46 of the Payment Services Act: &#8220;the payer is liable for unauthorized payment transactions up to (…) the equivalent of EUR 50 (…) if the unauthorized transaction is a result of: using a payment instrument lost by the payer or stolen from the payer, or misappropriation of a payment instrument.&#8221; The above provision cannot be applied in the event that:</p>



<ul class="wp-block-list">
<li>the payer had no possibility of detecting the theft of the payment instrument before executing the payment transaction, except in the case of intentional action by the payer, or</li>



<li>the loss of the payment instrument before the execution of the payment transaction was caused by an act or omission on the part of an employee of the bank&#8217;s supplier.</li>
</ul>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p><a href="#_ftnref1" id="_ftn1">[1]</a> Act of 19 August 2011 on payment services (consolidated text: Journal of Laws of 2025, item 611, as amended).</p>



<p><a id="_ftn2" href="#_ftnref2">[2]</a> Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC, 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ EU L 337, 2015, No. 337, p. 35, as amended).</p>



<p>Unauthorized transactions are becoming an increasingly serious challenge for both customers and financial institutions. Banks are generally required to refund stolen funds unless they can prove intentional misconduct or gross negligence by the customer. It is also important to distinguish unauthorized transactions from accidental transfers, where the payer willingly authorizes the payment but sends it to the wrong account. Growing cyber threats and phishing attacks highlight the importance of financial awareness, data protection, and rapid response to suspicious activity.</p>



<p>The article <a href="https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/unauthorized-transactions-and-consumer-protection-in-modern-banking/">Unauthorized Transactions and Consumer Protection in Modern Banking</a> comes from <a href="https://www.kg-legal.eu">KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/unauthorized-transactions-and-consumer-protection-in-modern-banking/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>INCIDENT vs. CYBERATTACK &#8211; based on current EU provisions</title>
		<link>https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/incident-vs-cyberattack-based-on-current-eu-provisions/</link>
					<comments>https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/incident-vs-cyberattack-based-on-current-eu-provisions/#respond</comments>
		
		<dc:creator><![CDATA[jakub]]></dc:creator>
		<pubDate>Thu, 05 Feb 2026 11:24:10 +0000</pubDate>
				<category><![CDATA[IT, NEW TECHNOLOGIES, MEDIA AND COMMUNICATION TECHNOLOGY LAW]]></category>
		<category><![CDATA[CYBERATTACK]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[Data centre]]></category>
		<category><![CDATA[INCIDENT]]></category>
		<guid isPermaLink="false">https://www.kg-legal.eu/?p=8611</guid>

					<description><![CDATA[<p>Publication date: February 2, 2026 According to an analysis by lawyers from KG LEGAL KIELTYKA GLADKOWSKI, legal concepts such as incident and cyberattack are key elements in the EU cybersecurity and data protection law ecosystem. The fragmentation of cybersecurity law into various sectoral legal acts necessitates a comprehensive analysis of the coherence of all the [&#8230;]</p>
<p>The article <a href="https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/incident-vs-cyberattack-based-on-current-eu-provisions/">INCIDENT vs. CYBERATTACK &#8211; based on current EU provisions</a> comes from <a href="https://www.kg-legal.eu">KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019</a>.</p>
]]></description>
										<content:encoded><![CDATA[


<p><strong><mark style="background-color:rgba(0, 0, 0, 0)" class="has-inline-color has-vivid-cyan-blue-color">Publication date: February 2, 2026</mark></strong></p>



<p>According to an analysis by lawyers from KG LEGAL KIELTYKA GLADKOWSKI, legal concepts such as incident and cyberattack are key elements in the EU cybersecurity and data protection law ecosystem. The fragmentation of cybersecurity law into various sectoral legal acts necessitates a comprehensive analysis of the coherence of all the legal acts comprising this ecosystem. This article demonstrates that the legal layer of cybersecurity in an incident is a highly sensitive issue from the perspective of the responsibility to protect, and therefore, responsible entities should examine the differences in the legal scope of application of individual acts. These concepts are intuitively understood but in legal practice are only superficially identical and lead to different regulatory obligations. The following summary is original and creative and can be used by entities to properly analyze their obligations under current EU law.</p>



<span id="more-8611"></span>



<p><strong>INCIDENT vs. CYBERATTACK</strong></p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td>&nbsp;</td><td>INCIDENT</td><td>CYBER ATTACK</td><td>references</td></tr><tr><td>Act of 5 July 2018 on the national <strong>cybersecurity system </strong>(Journal of Laws of 2024, item 1077, as amended). &nbsp;</td><td>Article 2 5) <strong>incident </strong>&#8211; an event that has or may have an adverse impact on cybersecurity; 6) <strong>critical incident </strong>&#8211; an incident resulting in significant damage to public security or order, international interests, economic interests, the operation of public institutions, civil rights and freedoms or human life and health, classified by the appropriate CSIRT MON, CSIRT NASK or CSIRT GOV; 7) <strong>serious incident </strong>&#8211; an incident that causes or may cause a serious reduction in the quality or interruption of the continuity of the provision of a key service; 8) <strong>significant incident </strong>&#8211; an incident that has a significant impact on the provision of a digital service within the meaning of ARTICLE 4 OF COMMISSION IMPLEMENTING REGULATION (EU) 2018/151 OF 30 JANUARY 2018 laying down rules for the application of Directive (EU) 2016/1148 of the European Parliament and of the Council with regard to further specifying the elements to be taken into account by digital service providers in managing existing risks to the security of network and information systems and the parameters for determining whether an incident has a significant impact (OJ EU L 26, 31.01.2018, p. 48), hereinafter referred to as &#8220;Implementing Regulation 2018/151&#8221;; 9) <strong>incident in a public entity </strong>&#8211; an incident that causes or may cause a reduction in the quality or interruption of the implementation of a public task carried out by a public entity referred to in Art. 
4 points 7-15; 10) <strong>incident handling </strong>&#8211; activities enabling detection, recording, analysis, classification, prioritization, taking corrective actions and limiting the effects of an incident;</td><td>NO DEFINITION OF CYBER ATTACK</td><td>Significant incident – reference to Implementing Regulation 2018/151, which has become null and void.</td></tr><tr><td>Act of 2 December 2021 <strong>on special rules for remunerating persons performing tasks in the field of cybersecurity </strong>(Journal of Laws of 2024, item 1662)</td><td>No definition</td><td>No definition</td><td>&nbsp;</td></tr><tr><td>Act of 24 May 2002 <strong>on the Internal Security Agency and the Foreign Intelligence Agency </strong>(Journal of Laws of 2024, item 812, as <strong><u>amended</u></strong>). &nbsp;</td><td>No definition</td><td>No definition</td><td>&nbsp;</td></tr><tr><td>Act of 26 April 2007 <strong>on crisis management </strong>(Journal of Laws of 2023, item 122, as amended). &nbsp;</td><td>No definition</td><td>No definition</td><td>&nbsp;</td></tr><tr><td>UN Regulation No. 155 &#8211; <strong>Uniform provisions concerning the approval of vehicles with regard to cybersecurity and their safety management system </strong>[2021/387] (OJ EU L 82, 2021, p. 30).</td><td>No definition</td><td>No definition</td><td>&nbsp;</td></tr><tr><td>Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 concerning <strong>measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148 (NIS 2 Directive) </strong>(OJ L 333, 2022, p. 
80)</td><td>Article 2 (6) <strong>&#8220;incident&#8221;</strong> means an event that compromises the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or services offered by or accessible through networks and information systems; (7) &#8216;<strong>large-scale cybersecurity incident</strong>&#8217; means an incident that causes a level of disruption that exceeds the capacity of a Member State to respond to it or that has a significant impact in two or more Member States;</td><td>No definition</td><td>From the Cyber Solidarity Act – &#8220;incident&#8221;, &#8220;large-scale cybersecurity incident&#8221;; from Regulation 2019/881 – &#8220;incident&#8221;, &#8220;large-scale cybersecurity incident&#8221;; Commission Implementing Regulation 2024/2690</td></tr><tr><td>Regulation (EU) 2025/38 of the European Parliament and of the Council of 19 December 2024 on <strong>establishing measures to enhance solidarity and capacity in the Union to detect, prepare for and respond to cyber threats and incidents and amending Regulation (EU) 2021/694 (Cyber Solidarity Act) </strong>(OJ L 38, 2025, item 38, as amended).</td><td>Article 2 (9) &#8220;<strong>incident</strong>&#8221; means an incident as defined in point 6 of Article 6 of Directive (EU) 2022/2555; (10) <strong>&#8216;major cybersecurity incident&#8217; </strong>means an incident meeting the criteria set out in Article 23(3) of Directive (EU) 2022/2555; (11) <strong>&#8216;serious incident&#8217;</strong> means a serious incident as defined in point 8 of Article 3 of Regulation (EU, Euratom) 2023/2841 of the European Parliament and of the Council 22; (12) &#8216;<strong>large-scale cybersecurity incident&#8217; </strong>means a large-scale cybersecurity incident as defined in point (7) of Article 6 of Directive (EU) 2022/2555; (13) &#8216;incident equivalent to <strong>a 
large-scale cybersecurity incident&#8217; </strong>means, in the case of Union institutions, bodies, offices and agencies, a major incident and, in the case of third countries associated to the Digital Europe programme, an incident that causes a level of disruption that exceeds the response capacity of the third country associated to the Digital Europe programme;</td><td>No definition</td><td>&nbsp;</td></tr><tr><td>Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on <strong>ENISA (the European Union Agency for Cybersecurity) and information and communication technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act</strong>) (OJ L 151, 2019, p. 15, as amended). &nbsp;</td><td>&#8220;<strong>incident&#8221; </strong>means an incident as defined in Article 4(7) of Directive (EU) 2016/1148; (repealed) (&#8220;incident&#8221; means any event that has a real adverse impact on the security of networks and information systems;)</td><td>No definition</td><td>&nbsp;</td></tr><tr><td>Regulation 2023/2841 of the European Parliament and of the Council of 13 December 2023 laying <strong>down measures for a high common level of cybersecurity in the Union institutions, bodies, offices and agencies </strong>(OJ L 2841, 2023).</td><td>Article 3 (7)&#8221;<strong>incident</strong>&#8221; means an incident as defined in point 6 of Article 6 of Directive (EU) 2022/2555 ; (8) &#8216;<strong>major incident</strong>&#8216; means an incident that causes disruption beyond the response capacity of a Union entity and CERT-EU or that has a significant impact on two or more Union entities; (9) &#8216;<strong>large-scale cybersecurity incident</strong>&#8216; means a large-scale cybersecurity incident as defined in <a href="https://sip.lex.pl/#/document/72101353?unitId=art(6)pkt(7)">point (7) of Article 6 </a>of Directive (EU) 2022/2555;</td><td>No definition</td><td>Cyber Solidarity Act – &#8220;serious 
incident&#8221;</td></tr><tr><td>Regulation (EU) 2021/887 of the European Parliament and of the Council of 20 May 2021 establishing the European <strong>Cybersecurity Industrial, Technological and Research Competence Centre and the Network of National Coordination Centres </strong>(OJ L 2021, No. 202, p. 1).</td><td>No definition</td><td>No definition</td><td>&nbsp;</td></tr><tr><td>Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on <strong>digital operational resilience of the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 </strong>(OJ EU L 333, 2022, p. 1, as amended).</td><td>Article 3 8) <sup>40</sup> <strong>&#8220;ICT incident </strong>&#8221; means a single event or a series of related events, unplanned by a given financial entity, that compromises the security of networks and information systems and has a negative impact on the availability, authenticity, integrity or confidentiality of data or on the services provided by that financial entity; 9) <sup>41</sup> <strong>&#8220;payment-related operational or security incident </strong>&#8221; means an event or series of related events, unplanned by the financial entities referred to in points (a) to (d) of Article 2(1), whether ICT-related or not, that has a negative impact on the availability, authenticity, integrity or confidentiality of payment-related data or on the payment-related services provided by the financial entity; (10) &#8220;<strong>major ICT incident</strong>&#8221; means an ICT incident with a significant negative impact on networks and information systems that support critical or important functions of a financial entity; (11) &#8220;<strong>major operational or security incident related to payments </strong>&#8221; means an operational or security incident related to payments with a significant negative impact on the provision of payment services;</td><td>Article 
3 14) <sup>42</sup> &#8220;<strong>cyber attack</strong>&#8221; means a malicious ICT incident triggered by an attempt by any attacker to destroy, disclose, alter, deactivate, steal or gain unauthorised access to or use of a resource;</td><td>Commission Delegated Regulation (EU) 2024/1366 – “Cyberattack”</td></tr><tr><td>Regulation (EU) 2021/694 of the European Parliament and of the Council of 29 April 2021 establishing <strong>the Digital Europe programme and repealing Decision (EU) 2015/2240 (Text with EEC relevance) </strong>(OJ L 166, 2021, p. 1, as amended).</td><td>No definition</td><td>No definition</td><td>&nbsp;</td></tr><tr><td>Council Regulation (EU) 2019/796 of 17 May 2019 concerning <strong>restrictive measures to combat cyberattacks threatening the Union or its Member States </strong>(OJ L 129, 2019, item 129, as amended). &nbsp;</td><td>No definition</td><td>Article 1 1. This Decision applies to cyber-attacks with a significant effect, including attempted cyber-attacks with a potential significant effect, which constitute an external threat to the Union or its Member States. 2. <strong>Cyberattacks </strong>that constitute an external threat include cyberattacks that: (a) were prepared outside the territory of the Union or are carried out outside the territory of the Union; (b)use infrastructure located outside the territory of the Union; (c) they are carried out by a natural or legal person, entity or body established or operating outside the Union; or (d) are carried out with the support, at the direction or under the control of a natural or legal person, entity or body operating outside the territory of the Union. 3. 
Therefore, cyberattacks are activities that include at least one of the following elements: (a) access to information systems; (b) interference with information systems; (c) interference with data; or (d) data capture, and provided that such activities are not duly authorised by the owner or any other entity having rights to the system or data or parts thereof or are not permitted under the law of the Union or the Member State concerned. 4. Cyber attacks posing a threat to Member States include cyber attacks on information systems related to, inter alia: (a) critical infrastructure – including submarine cables and objects launched into space – that is essential for maintaining essential societal functions or the health, safety, security and material or social well-being of people; (b) services essential for maintaining basic social or economic activities, in particular in the energy sector (electricity, oil and gas), transport (air, rail, water and road), banking, financial market infrastructures, health (healthcare centres, hospitals and private clinics), drinking water supply and distribution, digital infrastructure, and any other sector that is critical to the Member State concerned; (c) critical state functions, in particular in the areas of defence, management and functioning of institutions, including national elections or the voting process, the functioning of economic and civilian infrastructure, internal security and external relations, including through diplomatic missions; (d) storing or processing classified information; or (e) government crisis response teams. 5. 
Cyber-attacks constituting a threat to the Union include cyber-attacks conducted against its institutions, bodies, offices and agencies, its delegations in third countries or international organisations, its Common Security and Defence Policy ( CSDP ) operations and missions and its Special Representatives. 6. Where deemed necessary to achieve the objectives of the CFSP as defined in the relevant provisions of Article 21 of the Treaty on European Union, restrictive measures under this Decision may also be applied in response to cyber-attacks against third States or international organisations with a significant effect.</td><td>&nbsp;</td></tr><tr><td>Commission Implementing Regulation (EU) 2024/3143 of 18 December 2024 establishing <strong>the circumstances, formats and procedures for notification pursuant to Article 61(5) of Regulation (EU) 2019/881 of the European Parliament and of the Council on ENISA (the European Union Agency for Cybersecurity ) and information and communication technology cybersecurity certification </strong>(OJ L 3143, 2024).</td><td>No definition</td><td>No definition</td><td>&nbsp;</td></tr><tr><td>Commission Implementing Regulation (EU) 2024/482 of 31 January 2024 laying down <strong>rules for the application of Regulation (EU) 2019/881 of the European Parliament and of the Council with regard to the adoption of a European cybersecurity certification scheme based on common criteria (EUCC) </strong>(OJ EU L 2024, item 482, as amended). 
&nbsp;</td><td>No definition</td><td>No definition</td><td>&nbsp;</td></tr><tr><td>Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 laying down <strong>rules for the application of Directive (EU) 2022/2555 with regard to technical and methodological requirements for cybersecurity risk management measures and further specifying the cases in which an incident is considered to be serious in relation to DNS service providers, TLD name registries, cloud service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, online search engines and social networking platforms, and trust service providers </strong>(OJ L 2690, 2024).</td><td>Article 3 Serious incidents 1. An <strong>incident shall be considered serious </strong>for the purposes of Article 23(3) of Directive (EU) 2022/2555 in relation to the relevant entities where at least one of the following criteria is met: (a) the incident has caused or is likely to cause a financial loss to the relevant entity that exceeds EUR 500 000 or 5% of the total annual turnover of the relevant entity in the preceding financial year, whichever is lower; (b) the incident has caused or may cause a leak of trade secrets, as defined in point 1 of Article 2 of Directive (EU) 2016/943, of the relevant entity; (c) the incident has caused or may cause the death of an individual; (d) the incident has caused or is likely to cause significant harm to the health of a natural person; (e) there has been effective, possibly malicious and unauthorised access to networks and information systems that may cause significant operational 
disruptions; (f) the incident meets the criteria set out in Article 4; (g) the incident meets at least one of the criteria set out in Articles 5-14. 2. Planned service interruptions and planned consequences of planned maintenance work carried out by or on behalf of relevant entities shall not be considered major incidents. 3. When calculating the number of users affected by an incident for the purposes of Article 7 and Articles 9 to 14, the relevant entities shall take into account all of the following: (a) the number of customers who have concluded an agreement with the relevant entity granting them access to the networks and information systems of the relevant entity or to the services offered by or accessible through those networks and information systems; (b) the number of natural and legal persons associated with business customers who use the entities&#8217; networks and information systems or the services offered by or accessible through these networks and information systems. 
Article 4 Recurring incidents. Incidents that are not individually considered a serious incident within the meaning of Article 3 shall be considered collectively as a single serious incident if they meet all of the following criteria: (a) occurred at least twice within six months; (b) have the same apparent root cause; (c) cumulatively meet the criteria set out in Article 3(1)(a).</td><td>No definition</td><td>&nbsp;</td></tr><tr><td>Commission Delegated Regulation (EU) 2024/1505 of 22 February 2024 supplementing <strong>Regulation (EU) 2022/2554 of the European Parliament and of the Council by specifying the amount of supervisory fees charged by the lead supervisory authority to key external ICT service providers and the manner of payment of those fees </strong>(OJ L 1505, 2024).</td><td>No definition</td><td>No definition</td><td>&nbsp;</td></tr><tr><td>Commission Delegated Regulation (EU) 2024/1366 of 11 March 2024 <strong>supplementing Regulation (EU) 2019/943 of the European Parliament and of the Council by establishing a network code on sectoral rules on cybersecurity aspects of cross-border flows of electricity </strong>(OJ L 1366, 2024, item 1366, as amended).</td><td>&nbsp;</td><td>Art. 3 (11) &#8220;<strong>cyber-attack</strong>&#8221; means an incident as defined in point 14 of Article 3 of Regulation (EU) 2022/2554;</td><td>&nbsp;</td></tr><tr><td>Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 <strong>supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and </strong>cyber <strong>threats, the severity thresholds and details for reporting major incidents </strong>(OJ L 1772, 2024). 
&nbsp;</td><td>No definition</td><td>No definition</td><td>&nbsp;</td></tr></tbody></table></figure>


<p>The article <a href="https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/incident-vs-cyberattack-based-on-current-eu-provisions/">INCIDENT vs. CYBERATTACK &#8211; based on current EU provisions</a> comes from <a href="https://www.kg-legal.eu">KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/incident-vs-cyberattack-based-on-current-eu-provisions/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Optical Illusions in AI Systems, the Danger of Adversarial Attacks, Biological Technologies, Explainable AI – topics discussed during Futurology Congress 2025</title>
		<link>https://www.kg-legal.eu/info/kg-legal-news/optical-illusions-in-ai-systems-the-danger-of-adversarial-attacks-biological-technologies-explainable-ai-topics-discussed-during-futurology-congress-2025/</link>
					<comments>https://www.kg-legal.eu/info/kg-legal-news/optical-illusions-in-ai-systems-the-danger-of-adversarial-attacks-biological-technologies-explainable-ai-topics-discussed-during-futurology-congress-2025/#respond</comments>
		
		<dc:creator><![CDATA[jakub]]></dc:creator>
		<pubDate>Tue, 16 Sep 2025 12:29:23 +0000</pubDate>
				<category><![CDATA[KG LEGAL NEWS]]></category>
		<category><![CDATA[ai ac]]></category>
		<category><![CDATA[AI Act]]></category>
		<category><![CDATA[Biological Technologies]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[Explainable AI – topics discussed during Futurology Congress 2025]]></category>
		<category><![CDATA[KG Legal]]></category>
		<category><![CDATA[Optical Illusions in AI Systems]]></category>
		<category><![CDATA[Polish law]]></category>
		<category><![CDATA[the Danger of Adversarial Attacks]]></category>
		<guid isPermaLink="false">https://www.kg-legal.eu/?p=8324</guid>

					<description><![CDATA[<p>Publication date: September 15, 2025 On September 12-14, 2025, lawyers from KIELTYKA GLADKOWSKI KG LEGAL participated in the annual Futurology Congress in Krakow. The participants, who included the AGH University of Science and Technology&#8217;s Artificial Intelligence Center of Excellence, discussed aspects of new technologies, including: • Optical Illusions in AI Systems: The Danger of [&#8230;]</p>
<p>The article <a href="https://www.kg-legal.eu/info/kg-legal-news/optical-illusions-in-ai-systems-the-danger-of-adversarial-attacks-biological-technologies-explainable-ai-topics-discussed-during-futurology-congress-2025/">Optical Illusions in AI Systems, the Danger of Adversarial Attacks, Biological Technologies, Explainable AI – topics discussed during Futurology Congress 2025</a> comes from <a href="https://www.kg-legal.eu">KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p><strong><mark style="background-color:rgba(0, 0, 0, 0)" class="has-inline-color has-vivid-cyan-blue-color">Publication date: September 15, 2025</mark></strong></p>



<figure class="wp-block-image size-large"><a href="https://kongres.pffn.org.pl/nauka/" target="_blank" rel=" noreferrer noopener"><img fetchpriority="high" decoding="async" width="1024" height="536" src="https://www.kg-legal.eu/wp-content/uploads/2025/09/wydarzenie-FB-1024x536.png" alt="" class="wp-image-8325" srcset="https://www.kg-legal.eu/wp-content/uploads/2025/09/wydarzenie-FB-1024x536.png 1024w, https://www.kg-legal.eu/wp-content/uploads/2025/09/wydarzenie-FB-300x157.png 300w, https://www.kg-legal.eu/wp-content/uploads/2025/09/wydarzenie-FB-768x402.png 768w, https://www.kg-legal.eu/wp-content/uploads/2025/09/wydarzenie-FB-1536x804.png 1536w, https://www.kg-legal.eu/wp-content/uploads/2025/09/wydarzenie-FB.png 1920w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></figure>



<p>On September 12-14, 2025, lawyers from KIELTYKA GLADKOWSKI KG LEGAL participated in the annual Futurology Congress in Krakow.</p>



<span id="more-8324"></span>



<p>The participants, who included the AGH University of Science and Technology&#8217;s Artificial Intelligence Center of Excellence, discussed aspects of new technologies, including:</p>



<p>• Optical Illusions in AI Systems: The Danger of Adversarial Attacks. Adversarial attacks on vision systems are a topic of growing interest in both science and the technology industry – not only because of autonomous vehicles but also because of medical systems. The panelists demonstrated how subtle, almost invisible image modifications can completely confuse AI algorithms, leading to situations where the algorithm fails to recognize a STOP road sign or makes an error when analyzing medical images. Examples of such attacks from both transportation and medicine were presented, highlighting their impact on everyday life and safety. The mechanisms behind these phenomena and their consequences for machine learning-based systems were explained. In this area, there is a constant race between the creators of such attacks and the engineers developing protection methods, and ensuring complete security remains a major challenge for the AI industry.</p>



<p>• The development of the Polish space sector, combining engineering, science, and modern technologies. Domestic entities are among the leaders building Poland&#8217;s position in the global space industry supply chain. The panel discussed the most important achievements and the participation of Polish teams in prestigious international missions. Representatives of key companies discussed their projects, challenges, and role in the global space ecosystem. Barriers to sector development and legislative and financial needs were also considered. The panel was an opportunity to look to the future and attempt to answer the question of Poland&#8217;s potential role in the exploration and use of space. Participants shared their experiences collaborating with the European Space Agency and other international partners.</p>



<p>• Modern biotechnology. Biotechnology is becoming one of the pillars of modern civilization, offering breakthrough solutions in medicine, diagnostics, agriculture, and environmental protection. Faced with global challenges such as aging societies, the growing number of lifestyle diseases, and the need for sustainable development, the dynamic development of biotechnology is opening up new opportunities to improve the quality of life. The panel discussed the potential of gene and cell therapies, the importance of innovative drugs in the fight against cancer, and the role of collaboration between science, the investment sector, and industry. Guests addressed ethical, regulatory, and social issues related to the implementation of new biological technologies. The discussion explored how biotechnology can truly benefit humanity in the coming decades.</p>



<p>The Congress lectures relate to specific examples and problems that scientists struggle with in their daily lives – for example, how easily the artificial intelligence in an unmanned vehicle&#8217;s software can be deceived, resulting in a failure to recognize a STOP sign.</p>



<figure class="wp-block-image size-large"><img decoding="async" width="1024" height="483" src="https://www.kg-legal.eu/wp-content/uploads/2025/09/17mzrsqhz99v3xkgvk2gwyzoxvvm-1024x483.png" alt="" class="wp-image-8326" srcset="https://www.kg-legal.eu/wp-content/uploads/2025/09/17mzrsqhz99v3xkgvk2gwyzoxvvm-1024x483.png 1024w, https://www.kg-legal.eu/wp-content/uploads/2025/09/17mzrsqhz99v3xkgvk2gwyzoxvvm-300x142.png 300w, https://www.kg-legal.eu/wp-content/uploads/2025/09/17mzrsqhz99v3xkgvk2gwyzoxvvm-768x362.png 768w, https://www.kg-legal.eu/wp-content/uploads/2025/09/17mzrsqhz99v3xkgvk2gwyzoxvvm.png 1034w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>



<p>source: <a href="https://www.drmalinowski.edu.pl/posts/2824-adwersarialne-ataki-na-sztuczna-inteligencje">https://www.drmalinowski.edu.pl/posts/2824-adwersarialne-ataki-na-sztuczna-inteligencje</a></p>





<p>The article <a href="https://www.kg-legal.eu/info/kg-legal-news/optical-illusions-in-ai-systems-the-danger-of-adversarial-attacks-biological-technologies-explainable-ai-topics-discussed-during-futurology-congress-2025/">Optical Illusions in AI Systems, the Danger of Adversarial Attacks, Biological Technologies, Explainable AI – topics discussed during Futurology Congress 2025</a> comes from the website <a href="https://www.kg-legal.eu">KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.kg-legal.eu/info/kg-legal-news/optical-illusions-in-ai-systems-the-danger-of-adversarial-attacks-biological-technologies-explainable-ai-topics-discussed-during-futurology-congress-2025/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>KIELTYKA GLADKOWSKI PARTICIPATES IN THE TRAINING DIGITAL TRANSFORMATION OF THE LAW FIRM ORGANISED BY THE POLISH ATTORNEY BAR – 10 JUNE 2021</title>
		<link>https://www.kg-legal.eu/info/kg-legal-news/kieltyka-gladkowski-participates-in-the-training-digital-transformation-of-the-law-firm-organised-by-the-polish-attorney-bar-10-june-2021/</link>
					<comments>https://www.kg-legal.eu/info/kg-legal-news/kieltyka-gladkowski-participates-in-the-training-digital-transformation-of-the-law-firm-organised-by-the-polish-attorney-bar-10-june-2021/#respond</comments>
		
		<dc:creator><![CDATA[jakub]]></dc:creator>
		<pubDate>Wed, 09 Jun 2021 12:09:04 +0000</pubDate>
				<category><![CDATA[IT, NEW TECHNOLOGIES, MEDIA AND COMMUNICATION TECHNOLOGY LAW]]></category>
		<category><![CDATA[KG LEGAL NEWS]]></category>
		<category><![CDATA[AI in analyses of case law and legal doctrine]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[custom legal tech tool development]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[Data Security and Risk Analysis]]></category>
		<category><![CDATA[data set analysis]]></category>
		<category><![CDATA[debt collection and document management]]></category>
		<category><![CDATA[document and collaboration platforms]]></category>
		<category><![CDATA[Document Creation Automation]]></category>
		<category><![CDATA[including technologies in document analysis]]></category>
		<category><![CDATA[KIELTYKA GLADKOWSKI has broad experience in legal tech sector]]></category>
		<category><![CDATA[Online Dispute Resolution]]></category>
		<category><![CDATA[Process Automation]]></category>
		<category><![CDATA[Smart contracts]]></category>
		<guid isPermaLink="false">https://www.kg-legal.eu/?p=3593</guid>

					<description><![CDATA[<p>KIELTYKA GLADKOWSKI PARTICIPATES IN THE TRAINING DIGITAL TRANSFORMATION OF THE LAW FIRM ORGANISED BY THE POLISH ATTORNEY BAR – 10 JUNE 2021</p>
<p>The article <a href="https://www.kg-legal.eu/info/kg-legal-news/kieltyka-gladkowski-participates-in-the-training-digital-transformation-of-the-law-firm-organised-by-the-polish-attorney-bar-10-june-2021/">KIELTYKA GLADKOWSKI PARTICIPATES IN THE TRAINING DIGITAL TRANSFORMATION OF THE LAW FIRM ORGANISED BY THE POLISH ATTORNEY BAR – 10 JUNE 2021</a> comes from the website <a href="https://www.kg-legal.eu">KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="wp-block-image">
<figure class="alignleft size-large is-resized"><img decoding="async" src="https://www.kg-legal.eu/wp-content/uploads/2024/03/20230506_201258-scaled.jpg" alt="" style="width:220px;height:auto"/></figure></div>


<p>On 10 June 2021 KIELTYKA GLADKOWSKI will participate in the training &#8220;Digital transformation of the law firm&#8221; organised by The New Technologies Committee of the Polish Bar. The training will discuss new technologies used in legal services, technologies as a factor in changing the model of legal services, the application of artificial intelligence in legal tech as well as practical implementation of technologies in law firms.</p>
<p>KIELTYKA GLADKOWSKI has broad experience in the legal tech sector, including technologies in document analysis, data set analysis, AI in analyses of case law and legal doctrine, Document Creation Automation, Process Automation, Data Security and Risk Analysis, cybersecurity, compliance, data, document and collaboration platforms, Online Dispute Resolution, Smart contracts, custom legal tech tool development, debt collection and document management.</p>
<p>The article <a href="https://www.kg-legal.eu/info/kg-legal-news/kieltyka-gladkowski-participates-in-the-training-digital-transformation-of-the-law-firm-organised-by-the-polish-attorney-bar-10-june-2021/">KIELTYKA GLADKOWSKI PARTICIPATES IN THE TRAINING DIGITAL TRANSFORMATION OF THE LAW FIRM ORGANISED BY THE POLISH ATTORNEY BAR – 10 JUNE 2021</a> comes from the website <a href="https://www.kg-legal.eu">KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.kg-legal.eu/info/kg-legal-news/kieltyka-gladkowski-participates-in-the-training-digital-transformation-of-the-law-firm-organised-by-the-polish-attorney-bar-10-june-2021/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
