EY Law News, April 2024

NEW UPDATES AND CHANGES IN THE FIELD OF EMPLOYEE PARTICIPATION IN CROSS-BORDER MERGERS, CROSS-BORDER DIVISIONS, AND CROSS-BORDER RESTRUCTURINGS OF CAPITAL COMPANIES AND THE FIELD OF INFORMATION SECURITY

In this issue of EY Law News, we inform you of the new updates and changes in the field of employee participation in cross-border mergers, cross-border divisions, and cross-border restructurings of capital companies and the field of information security.

ADOPTION OF THE ACT ON EMPLOYEE PARTICIPATION IN CROSS-BORDER MERGERS, CROSS-BORDER DIVISIONS, AND CROSS-BORDER RESTRUCTURINGS OF CAPITAL COMPANIES

On 2 April 2024, the National Assembly adopted a new Act on Employee Participation in Cross-Border Mergers, Cross-Border Divisions and Cross-Border Restructurings of Capital Companies (»ZSDČPKD«), transposing the provisions of the Mobility Directive, which regulates the participation of employees in the management or supervisory bodies of a capital company resulting from a cross-border merger, division, or transformation, into Slovenian law.

The key novelties regulated by the act are:

• In all cross-border operations, the local legislation of the Member state where the company created by the cross-border operation has its headquarters is primarily applied with regard to the rights to participation of employees.
• A commitment to conclude an agreement on participation between employees and company management. In the absence of an agreement, the act lays down minimum rules between the parties on the regulation of employee participation in management and supervisory bodies.
• A deadline of 10 weeks is set for the election of the members of the special negotiating body.
• The right to employee participation is also protected in cases of subsequent cross-border operations, and the time limit for the protection of this right is extended to four years from the date of registration of the company.

PROPOSAL FOR A NEW INFORMATION SECURITY ACT

On 18 March 2024, the public hearing on the proposal for a new Information Security Act (hereinafter "the ISA-1"), prepared by the Information Security Office of the Government of the Republic of Slovenia, was completed. Until now, the field of cyber security has been regulated by the Information Security Act (hereinafter "the ISA"), which was adopted in 2018.

The ISA-1 aims to harmonize Slovenian legislation with European legislation, specifically the Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (hereinafter referred to as "NIS 2").

The latest version of the ISA-1 draft proposal contains the following main changes:

• The provider of an essential or important service must be self-identified and no longer determined by the government as has been the case so far.
• High penalties are being introduced for failure to comply with the obligation to ensure information security.
• Liability for gross negligence in cyber risk management is introduced.
• Personal liability is required from management in the event of a cyber incident.
• Management will have to regularly conduct security risk assessments, approve plans for their elimination and mitigation of risk levels and, as a new requirement, receive regular training in this area.
• In the event of a cyber-attack, the subject will have to report to the information centre within 24 hours and prepare a comprehensive report within 72 hours, which must include an assessment of the incident, its severity and impact, and security threat indicators.
• The law defines liable parties and divides them into essential and important subjects.
• Essential subjects include large organizations in the energy, transport, banking, health, drinking water, waste water, digital infrastructure, ICT service management and public administration and space sectors, with at least 250 employees and annual sales of at least EUR 50 million or an annual balance sheet total of at least EUR 42 million.
• Important subjects include medium-sized organisations with at least 50 employees and annual sales or balance sheet total of at least EUR 10 million from aforementioned sectors, as well as medium-sized and large organisations from the sectors postal and courier services, waste management, manufacture, production and distribution of chemicals, food production, processing and distribution, manufacturing, digital providers and research.
• Essential subjects will be subject to regular audits by information security inspectors.
• In the event of a breach of the law, the Supervisory Authority may suspend the essential subject's certification or authorization for part of the relevant services or prohibit the performance of the activity or all of the services or activities provided by the essential subject.
• The Supervisory Authority may require the suspension of the exercise of management functions for all persons performing managerial functions for the essential subject at the level of chief executive officer or legal representative.
• Newly liable subjects will be required to establish an ISO/IEC 27001 information security management system or an ISO 22301 business continuity management system, or whichever is most appropriate for the nature of their business.