Why MB/AI?
Modern enterprises operate in the digital era, which, in addition to tremendous opportunities, also brings growing threats in cyberspace. Cyberattacks are becoming increasingly complex and widespread, and their consequences can be devastating — from financial losses and reputational damage to legal liability. For example, according to the Polish CERT report, the number of cybersecurity incidents in 2021 reached nearly 30,000, marking an increase of 182% compared to the previous year. Cybersecurity has therefore become a key element of risk management in business — today, the question is no longer if an attack will happen, but when, and whether we are prepared for it.
Our MB/AI section offers a comprehensive approach to data and system protection. We combine legal expertise with technological competence to safeguard your business against cyber threats. We advise on building a multi-layered security strategy that complies with the latest standards and regulations, enabling you to operate safely and in accordance with the law. For us, cybersecurity is not just a matter of technology, but also of people, procedures, and organisational culture.
Regulatory challenges
New technologies and digitalisation have given rise to numerous legal regulations that entrepreneurs must face. Our MB/AI team helps navigate the maze of legal provisions and turn legal obligations into practical solutions. Below, we discuss the most important legal acts related to cybersecurity and technologies that are already affecting, or will soon affect, business operations:
NIS2 Directive
The latest EU Directive on network and information security (NIS2) significantly expands the range of entities subject to cybersecurity obligations. It covers not only critical infrastructure operators but also many medium and large companies in sectors such as transport, finance, healthcare, digital infrastructure, and digital services. NIS2 imposes a number of requirements — from regular risk assessments and the implementation of adequate technical measures to the obligation to report serious incidents within 24 hours. Importantly, the directive introduces severe financial penalties for non-compliance (up to EUR 10 million or 2% of global turnover). We help companies determine whether they fall under NIS2 and how to meet the new obligations (training, audits, documentation) before the directive is transposed into national law (scheduled for 2024/2025).
AI Act
The Artificial Intelligence Act is a pioneering EU regulation introducing comprehensive legal frameworks for AI. It follows a risk-based approach, classifying AI systems into four categories: unacceptable risk (prohibited, e.g., citizen social scoring systems), high risk (e.g., AI in healthcare, transport, employee recruitment — permitted but under strict conditions), limited risk, and minimal risk. The AI Act sets out obligations for AI providers and users — for high-risk systems, these include requirements for technical documentation, data management, algorithm transparency, registration in a dedicated EU database, conformity assessments, and human oversight of AI.
Providers will be required to conduct conformity assessments of their solutions before they enter the market, while users (e.g., companies implementing AI internally) must follow operational guidelines and monitor system performance. The AI Act foresees very high penalties for violations (up to EUR 30 million or 6% of global turnover).
Our team is already advising clients on how to prepare for these changes: we identify the AI systems they use, assign them to the relevant risk categories, and develop an adaptation plan for the new regulations (AI policies, oversight procedures, impact assessments, etc.).
Data Act
The Data Act is a recent EU regulation set to revolutionise the approach to non-personal data in the economy. Its goal is to ensure fair access to data and support a data-driven economy. Among other provisions, the Data Act establishes rules granting users of devices and services the right to access the data they generate — for example, the owner of an intelligent industrial machine will gain access to its sensor data, which until now was available only to the manufacturer.
The regulation will also facilitate data sharing between companies (B2B) and between companies and the public sector (B2G) in exceptional situations (e.g., natural disasters — public authorities will be able to request data relevant to crisis response). The Data Act prohibits the abuse of contractual advantage in data-sharing agreements — so-called unfair clauses (which strip the weaker party of data rights) will be null and void by law.
Another key element is the facilitation of switching cloud service providers — the regulation requires providers to make it easier to transfer customer data to another cloud (portability) and to gradually phase out exit fees. Our team helps businesses understand the new obligations under the Data Act and turn them into opportunities — for instance, we advise IoT device manufacturers on preparing to share data with users, and advise users on how to effectively exercise their new rights.
GDPR
The General Data Protection Regulation (GDPR) has been in force since 2018, yet it still poses challenges for many companies. In the era of rapidly expanding technologies (AI, Big Data, profiling, online marketing), ensuring GDPR compliance requires ongoing effort. We support clients in maintaining continuous compliance — from data protection audits and preparing required documentation (privacy policies, records of processing activities) to responding to incidents (data breaches) and liaising with supervisory authorities.
We provide guidance on complex issues such as data transfers to third countries (e.g., following the Schrems II ruling), the use of cloud computing, employee monitoring, and data retention. We also assist in training staff on information security principles. With us, you can be confident that your company remains up to date with regulatory interpretations and the guidelines of the Polish Data Protection Authority (UODO), thereby minimising the risk of fines (which, it should be remembered, can reach up to EUR 20 million or 4% of annual turnover, whichever is higher).
Smart contracts
Smart contracts, or “intelligent agreements,” are computer programs that automatically execute certain actions once specific conditions are met, most often operating on blockchain technology. Their potential is vast — they can automate contract execution in industries such as fintech (e.g., automatic insurance claim payouts), logistics (tracking and confirming deliveries), or energy (settlements in smart grid networks).
However, smart contracts also present legal challenges: traditional contract law struggles with the fact that a blockchain has no single, physical jurisdiction, which makes it difficult to determine which legal system governs a globally operating, self-executing contract. Enforceability issues also arise: what if the code contains an error, or one party claims that the self-executing contract is invalid?
Our team analyses the use of smart contracts in the context of existing law — advising on how to ensure compliance (e.g., integrating an “oracle” mechanism for dispute resolution or clauses enabling human intervention). We support projects based on smart contracts by preparing hybrid agreements that combine elements of traditional contracts with automated code execution. This ensures that our clients’ technological innovations can operate safely within the legal framework.
Cyber investigations
We also offer services at the intersection of law and digital forensics. Cyber investigations involve identifying the perpetrators and circumstances of computer incidents — such as system intrusions, data leaks, online fraud, or cryptocurrency theft. We work with experienced digital forensics experts to secure digital evidence (system logs, disk images, online traces) in a manner compliant with procedural requirements.
We also assist in recovering lost data and conducting post-incident reviews to draw conclusions and strengthen security for the future. Our activities may include close cooperation with law enforcement authorities to hold cybercriminals accountable. For business clients, we conduct internal investigations in cases of suspected employee misconduct or IT sabotage. All of this is carried out with the utmost discretion and with full protection of the client’s legal interests.
Our services
As part of MB/AI, we provide a range of specialised advisory and implementation services:
Security audit
We conduct comprehensive cybersecurity audits for companies and institutions. We examine IT infrastructure security, system configurations, internal procedures, and staff awareness. Following the audit, we deliver a report listing vulnerabilities and weaknesses along with recommendations for corrective actions — both organisational and technical.
Smart contracts implementation
We support clients (e.g., fintechs, blockchain startups) in the legal and technical implementation of smart contracts. We analyse planned functionalities for legal compliance (e.g., payment services regulations, consumer protection, financial law). Working with developers, we help design contract terms so that their implementation in code is clear and secure. We also create clauses in traditional contracts that accompany smart contracts (so-called wet code to dry code) to safeguard the client’s interests.
IT security implementation
We advise on selecting and deploying technical measures to protect data and systems — particularly for law firms and legal industry companies where confidentiality is critical. We help implement solutions such as disk and communication encryption, DLP systems (data loss prevention), two-factor authentication, secure backups, and access management. We also prepare business continuity plans (BCP) and incident response plans.
LegalTech tools
We assist law firms and legal departments in implementing modern IT tools that enhance legal work. We offer guidance on selecting and configuring legal case management and document management software, legal research systems (including AI-assisted case law search), document automation tools, and AI solutions for contract review. We ensure the implementation runs smoothly and that staff receive proper training on new tools.
Support for judicial authorities
As part of MB/AI, we also provide unique services supporting judicial authorities and participants in court proceedings, particularly at the intersection of insolvency law and new technologies:
Asset tracing on blockchain
We assist bankruptcy trustees and creditors in tracking debtor assets hidden in cryptocurrencies. Thanks to our network of contacts and analytical tools, we can identify cryptocurrency wallets linked to the debtor, trace transaction histories, and pinpoint locations (exchanges, brokers) where these assets may be liquidated.
Tracing assets in foreign banks
In cooperation with an international network of partners, we are able to assist in locating bank accounts and other financial assets of debtors abroad. We prepare requests for legal assistance to foreign authorities and advise on how to effectively secure assets discovered overseas (including recovery from tax havens).
Cyber investigations in cooperation with experts
In cases where there is suspicion that a debtor has diverted assets through cybercrime (e.g., theft of funds from their own company, ransomware attacks on corporate data), we assemble specialised teams combining lawyers and forensic IT experts. Their task is to determine what happened, secure the evidence, and identify legal avenues for recovering the lost assets.
Our Cyber Team
Our specialists, who combine legal and IT expertise, play a key role in carrying out the above tasks:
- Qualified restructuring advisor, member of the National Chamber of Restructuring Advisors.
- Graduate of the Faculty of Law and Administration at the Jagiellonian University (2016).
- Holds an LL.M. degree from Heidelberg University (DAAD scholarship).
- Currently working on a doctoral dissertation on smart contracts and blockchain in insolvency law.
- Specialist in corporate, insolvency, and restructuring law.
- Has served as supervisor or administrator in over 100 restructuring proceedings throughout Poland.
- Chairman of the New Technologies Committee at the District Chamber of Legal Advisers in Kraków.
We work on a permanent basis with a group of trusted specialists (including system architects, blockchain developers, AI experts, and certified CISSP security auditors). For specific projects, they join the MB/AI team to deliver the best possible technological solutions to our clients.