October 12, 2015

ODI's managing partner, Uroš Ilić, attended the International Bar Association (IBA) annual conference in Vienna from 4 to 9 October 2015. The IBA's annual conference is the world's largest and most prestigious international gathering of lawyers each year, attracting around 6,000 individuals representing over 2,700 law firms, corporations, governments and regulators worldwide. This unique mix of viewpoints provides a rich environment for discussion, debate and learning more about how the legal profession shapes the political, economic and social climate worldwide.

Over a 5 day period, the conference featured around 200 sessions covering most sectors and practice areas, and sessions on a wide range of topics such as the challenges of law firm management and international relationships, ethics, the future of the legal profession, and the rule of law and human rights.

At the opening ceremony, both the IBA president, David W Rivkin, and the former president of the European Commission, José Manuel Barroso, addressed the challenges posed by Europe’s migrant crisis.

Photo: Uroš Ilić with IBA President, David W Rivkin


October 9, 2015

Despite his busy London business schedule, managing partner, Uroš Ilić, attended the IR Global Annual Conference dinner at the UnderGlobe on 29 September 2015. He was pleased he could join in on the festivities as he sees great importance and benefits in attending events of this calibre. Mr Ilić believes that in order “to handle the clients’ most challenging cross-border transactions and to keep delivering superior client service in today’s climate, it is important to expand the global reach”.

Photo: Neisha Shepherd-NLS Law, Natasha Pryngler-neolaw, Violet French-Torkin Manes and Mr Ilić


October 7, 2015

Aleksandar Zavišić graduated from the University of Belgrade, Faculty of Law in 2001. He gained a Master’s degree in European legal studies (MA) in 2002 at the College of Europe, Belgium, Natolin campus. Before joining the ODI team, he served as a legal expert for the World Health Organization. He worked as a legal advisor with Deloitte Consulting LLP on USAID-funded projects in Serbia, Armenia and Croatia. He has been a certified investment advisor since 2007, and passed the Bar exam in 2012. Aleksandar is fluent in Croatian, English, French, Italian and Serbian.

With eight years of experience in financial sector reforms, he will be mainly focusing on the fields of corporate and commercial law, banking and financial matters, and taxes.

Throughout his career, he has extensively lectured on a variety of topics, which included EU law and institutions, patients’ rights & personal data protection, the functioning and mechanics of financial markets, institutions and services, financial literacy programs, public procurement etc.


October 6, 2015

ODI Law has a firm-wide commitment to pro bono work. We believe that we have a professional responsibility to contribute time, skills and other resources to provide necessary legal services to members of the public who could not otherwise afford them. ODI Law is dedicated to public service in non-legal settings as well and to prove the dedication, we have ventured into art, providing pro bono legal services to emerging artist Milan Andov.

Milan is an inspirational artist with a unique and distinctive style, producing breathtaking art in themes relating to the subconscious and the unconscious extremities of love, rage, hate, and characters displaying their deep psychological state. Milan has received numerous awards for his work which has been described as “art where you feel the soul, heart and mindful interpretations of emotion and sensuality leap from the canvas and draw you into the depths of the composition”.

October 6, 2015

On 1 and 2 October 2015, ODI managing partner, Uroš Ilić, attended the NPL Europe 2015 conference in London. This major pan-European event brought together banks, investors and servicers from around the European region to discuss the latest trends in the European distressed debt market, how to reduce NPL ratios, what and where the new investment opportunities are, and which business partners and resources are readily available in the market. The special focus was on six key markets: Italy, Netherlands, Spain, Romania, Hungary and Slovenia.

Mr Ilić was one of the panelists for the Slovenian block, which addressed the problems banks have experienced in working out distressed portfolios in Slovenia, the proportion of NPLs and the types of assets represented, and how Slovenian banks can attract NPL investors.

September 24, 2015

ODI managing partner, Uroš Ilić, yesterday attended the International SME conference in Ljubljana, organised jointly by the Bank of Slovenia and European Commission.

The two main topics of discussion were deleveraging of NPLs and bank financing of SMEs.

The governor of the Bank of Slovenia, Boštjan Jazbec, in the opening statement talked about the findings of recent research by the Bank of Slovenia which indicated that small and young firms were more sensitive to the cyclical downturn than large and old firms and that small and medium-sized firms are more prone to deleveraging since the onset of the financial crisis.

A number of senior officials of international institutions, bankers, policy makers, academics, and diplomats attended the conference on an issue that is very critical for Slovenia.

Photo: Mag. Uroš Ilić and Dr. Imre Balogh, CEO of Probanka d.d. and Non-Executive Board member of DUTB

September 16, 2015

ODI Serbia has extended its deadline to 1 October 2015 for a job opening for a lawyer (m/f).

For further information, please click on the link below:

ODI Serbia Lawyer

September 11, 2015

We are pleased to announce that our Partner, Branko Ilic, has been admitted to the Croatian Bar Association, earning himself the title of dual-qualified lawyer. Branko is now licensed to practice in Slovenia as well as Croatia, effective from 1 September 2015. ODI’s clients will now have the benefit of Branko’s representation in cross-border projects and international disputes.

Congratulations to Branko for being one of the first Slovenian lawyers to be admitted to the Croatian Bar.


September 8, 2015

In ODI’s effort to continue inspiring a culture of professional development and learning, Ivo Grlica is participating in this year’s AmCham Young Professionals Program which commenced in June 2015 and runs for one year. The program, in its 6th year of running, is intended for the young, active generation of professionals between 25 and 35 years of age who are employed by AmCham Slovenia members’ organisations. The main goal of the program is to develop a new generation of promising young leaders, with an emphasis on the importance of role models, and on the introduction of the significance of a leadership mindset into the Slovenian business environment.

A special program of interactive workshops, training, education, lectures, meetings with business leaders, etc. has been organised for the young potentials in order to help with their personal and professional development, and at the same time to enable them to integrate into the AmCham Slovenia business environment with a valuable network that will help them at work in the future and in their career.  The participants have to proactively participate in meetings that are organised once a month and fulfill the appointed tasks.

Ivo, along with 112 other participants, will be vying for the title AmCham Top Potential of the Year. The special AmCham Leadership and Talent Development Committee chooses the top five candidates of the program, and one candidate from that group is then awarded the title AmCham Top Potential of the Year, offering that person a great experience and reputation within his/her organisation, as well as the wider business community.

The winner will be announced in June 2016.

August 26, 2015

Information and communication technologies (“ICTs”) have radically changed the way of communication and the way of doing business across the European Union. As ICTs and the Internet have become the main driver of innovation and economic growth of the European Union, it is important to highlight the importance of the reliability and the security of the networks and information systems used by European governments, businesses and citizens. Network and information security is not just of key importance for the protection of the rights of the European citizens, but also for the functioning of the single digital economy. On the one hand, governments and businesses now heavily rely upon the reliable and safe functioning of their network and information systems to provide daily services that are of critical importance to European citizens (e.g. finance, education, healthcare, transport, energy etc.). On the other hand, these systems have become a vehicle for political and social inclusion and the exercise of the fundamental rights and freedoms of the European citizens.

Network and information security is exposed to various threats that are effectively undermining citizens’ trust and confidence in electronic transactions and are hampering the growth of the digital economy in the European Union. The most recent survey on cyber security in the European Union indicates that cybercrime is the greatest threat to network and information security:

  • a staggering 87% of Europeans still avoid disclosing personal information online;
  • 70% of Europeans are concerned that their online personal information is not kept secure by websites; and
  • 64% of Europeans agree that they are concerned that information is not kept secure by public authorities.

European governments and businesses have already deployed certain security measures for the prevention of network and information security incidents; however, most recent statistical data indicate that the levels of cybercrime in Europe are increasing. As a result, the economic losses, which may be attributed to cybercrime attacks and activities, are estimated at a bewildering USD 500 billion at a global level.

2. Proposal for NIS Directive

The prevalence of cybercrime has prompted the European Union to undertake various initiatives for the implementation of measures for protection against network and information security incidents, especially in relation to critical services. These initiatives included the establishment of the European Network and Information Security Agency (“ENISA”) in 2004, the establishment of the European Programme for Critical Infrastructure Protection (the “ECI Directive”) in 2008, the enactment of the Directive 2013/40/EU (the “Infosys Attacks Directive”) in 2013 (aimed at tackling the increasingly sophisticated and large-scale forms of attacks against information systems) and other initiatives.

The most recent EU initiative is the proposal for a Directive on Network and Information Security (the “Proposal for NIS Directive”), concerning measures to ensure a high common level of network and information security across the Union. The Proposal for NIS Directive is central to the first European Union Cyber Security Strategy (“EU Cyber Security Strategy”), which foresees the implementation of measures aimed at, inter alia, drastically reducing cybercrime and establishing a coherent international cyberspace policy for the EU. The Proposal for NIS Directive is a result of the lack of overarching legislation or regulatory requirements covering all Member States and of the different regulations implemented by different Member States, which ultimately leads to regulatory fragmentation. The European Commission considers that there is a need to regulate the minimum requirements for capacity building and planning, information sharing and coordination of actions, and common security requirements, so that all market operators and public administrations concerned are able to respond effectively to challenges to the security of network and information systems.

2.1 Key features of the Proposal for NIS Directive

The aim of the Proposal for NIS Directive is to ensure a common high level of network and information security (NIS) in the European Union, “by requiring the Member States to increase their preparedness and improve their mutual cooperation with each other, and by requiring operators of critical infrastructures, such as energy, transport, and key providers of information society services (e-commerce platforms, social networks, etc.), as well as public administrations to adopt appropriate steps to manage security risks and report serious incidents to the national competent authorities.” The key measures foreseen in the Proposal for NIS Directive include imposing a set of requirements on Member States, public administrations and market operators with a view to establishing a trusted network for cyber security information sharing between them. These key measures may be summarised as follows:

  1. Member States are required to adopt a national NIS Strategy (including a national NIS Cooperation Plan) defining the strategic objectives and concrete policy and regulatory measures to achieve and maintain a high level of network and information security.
  2. Member States are required to establish national NIS authorities with the competence to: (i) monitor the application of the NIS Directive on a national level; (ii) receive reports about security incidents from public administrations and market operators; and (iii) consult and cooperate with the relevant law enforcement and data protection authorities.
  3. Member States are required to establish Computer Emergency Response Teams (CERTs) responsible for handling cyber security risk and incidents with the competence to:
    • monitor cyber security incidents on a national level;
    • provide early warnings and alert announcements and disseminate information to relevant stakeholders about cyber security risk and incidents;
    • respond to cyber security incidents;
    • provide dynamic risk management, incident analysis and situational awareness;
    • build broad public awareness of the risks associated with online activities; and
    • organise campaigns on NIS.
  4. National NIS Authorities are required to inter-connect into a single secure Cooperation Network in order to: (i) circulate early warnings on cyber security risk and incidents; (ii) coordinate responses to cyber security risks and incidents; (iii) regularly publish non-confidential information on early warnings and coordinated response on a common website etc.
  5. Public Administrations & Market operators are required to (i) take appropriate technical and organisational measures to manage the risks posed to the security of the networks and information systems which they control and use in their operations; (ii) notify to the competent national NIS authority incidents having a significant impact on the security of the core services they provide.

The above summary of the key requirements of the Proposal for NIS Directive indicates that the European Union is (for the first time in its history) taking a centralised regulatory approach in the tackling of cybercrime – very similar to the US approach. The Presidential Executive Order for Improving Critical Infrastructure Cyber Security 13636 of 12 February 2013 also aims to create a US cyber security information-sharing program between the federal agencies and companies and for this purpose it has ordered the implementation of measures that are similar to the ones proposed in the Proposal for a NIS Directive.

2.2 Establishment of a mandatory security incident information-sharing program

The key difference between the Proposal for NIS Directive and the US Cyber Security Framework is that the latter aims to establish a voluntary information-sharing program between the government and companies, and among companies, as opposed to the mandatory reporting requirements between the government and the companies imposed by the Proposal for NIS Directive. Although there are some doubts as to whether the US cyber security information-sharing program is indeed going to be voluntary, it is interesting to look at the reasons for the introduction of a mandatory information-sharing program under the Proposal for NIS Directive.

It appears that this introduction of mandatory reporting requirements is rooted in the Proposal for NIS Directive’s objective to promote a culture of risk management and information sharing between the public and the private sector (companies and public administrations), but at the same time, it poses a risk of promoting a culture of “naming and shaming” of market operators that have experienced a security incident. It is well accepted that the systematic and continuous reporting of security incidents is beneficial in the context of formulating adequate strategies for a response at a national or supranational level. The Proposal for NIS Directive promotes the reporting of security incidents as a vehicle for facilitating a culture of collaboration between the private and the public sector and for obtaining timely information about the occurrence, type and time for response to an incident of a particular nature. Moreover, it also provides the possibility for public disclosure of information on security incidents by the competent national NIS authorities, if this would be in the public interest.

It appears that the objectives of the Proposal for NIS Directive are focused on gathering as much detailed information as possible on cyber security incidents and cybercrime trends and on promoting public-private partnership in the coordination of proper responses. Consequently, although there is a risk of that, it does not appear that the mandatory reporting requirements are a “name-and-shame exercise”, in order to incentivize companies to deploy adequate protective measures for security incidents and to share information in order to avoid public disclosure of their “weak” cyber security protection.

Although the reporting requirements are based on the proportionality of risk (risk-based approach), the broad and unclear scope of the Proposal for NIS Directive leaves plenty of room for the European Commission to make use of delegated and implementing acts for determining the security incident thresholds and for the free interpretation of those acts by the individual Member States. In this context, it is unclear how the reporting requirements relate to the Proposal for NIS Directive’s objectives. The Proposal for a NIS Directive introduces an obligation for public administrations and companies to report security incidents to the national NIS authorities, which in turn may disclose (or require companies and public administrations to disclose) the information about a particular incident to the public, if that would be in the public interest. Therefore, the mandatory reporting requirements do not facilitate the exchange of information about security incidents among companies, only between governmental authorities and companies, and the public is only to be informed if a security incident affects their interest.

The promotion of the culture of risk management is going to heavily rely upon the capacity and the pro-activity of the designated national NIS authorities to process all of the received security incident reports and to cooperate with companies in order to coordinate a response. If, for various reasons, companies are discouraged from reporting security incidents (because of high costs for implementation of separate systems) or are over-reporting because of the unclear scope of the Proposal for NIS Directive, this would threaten the primary objective of the Proposal for NIS Directive. It would create a regulatory maze for reporting of security incidents where both the companies and the national NIS authorities would be struggling to actively exchange information and cooperate in order to coordinate a response to cybercrime attacks.

Another potential problem lies in the imposing of security incident reporting requirements on public administrations. Public administrations hold enormous amounts of personal data and they already have in place appropriate security measures that, presumably, exceed the minimum security measures imposed by the Proposal for NIS Directive. It might be argued that the majority of the security incidents which affect the data stored by public administrations would have to be disclosed to the public, as it would be in the public interest for the European citizens to know that their information has been compromised. However, public administrations hold a lot of information which relates to critical infrastructure (e.g. defence, security) and is classified in accordance with the national legislation, hence it is not going to be disclosed to the public. As far as security incidents which might be “reportable” (i.e., are not classified under the relevant legislation) are concerned, it is questionable whether the national NIS authority would be inclined to disclose them to the public, as a matter of protecting the public administration’s reputation with the public.

2.3 Security incidents reporting thresholds

It is also important to highlight that the Proposal for NIS Directive does not provide any guidance on the thresholds to be applied to the “incidents that have a significant impact on the security of the core services provided” by market operators. The guidance on the assessment of whether a particular security incident is significant is left to the European Commission:

“The Commission shall be empowered to adopt delegated acts concerning the definition of circumstances in which public administrations and market operators are required to notify incidents.

The Commission shall be empowered to define, by means of implementing acts, the formats and procedures applicable for the requirements of public administrations and market operators to notify incidents to the competent national NIS Authorities.”

In this context, the European Banking Federation’s (EBF) concerns about the need for an accurate definition of what would constitute a significant incident are fully legitimate and justified:

“Art 14(2) requires reporting by market operators of ‘incidents having a significant impact on the security of the core services they provide’. The word ‘significant’ needs careful definition in order to determine whether this Directive will achieve its aim: If the requirement includes reporting of incidents with minimal impact to the business of the market operator, then it could drive a culture that is encouraged not to identify incidents. This would be counterproductive, as effective cyber security requires identification and investigation of a wide range of incidents, many of which appear to be insignificant at first sight. It is only by catching such incidents early that material incidents are prevented. We would recommend the limitation of mandatory reporting to just incidents with significant and material impact and this needs to be established within the Directive in order to prevent scope creep in the future.”

The Proposal for NIS Directive’s risk-based approach might be compromised by the lack of a precise definition of what would constitute a “significant” security incident and the lack of thresholds for determining such significance. The fact that the European Commission is empowered to define the thresholds and the Member States are empowered to provide legally binding guidance on how these should be implemented creates a high level of legal uncertainty and might potentially cause difficulties in the implementation of the Proposal for NIS Directive in the different Member States.

Depending on the European Commission’s input, Member States might provide substantially different guidance and instructions to public administrations and market operators, depending on the stage of development of network and information security infrastructure and best practices in dealing with security incidents. This might ultimately undermine the main objective of the Proposal for NIS Directive to establish a harmonized European legal framework for reporting of cybersecurity incidents and to discourage market operators from reporting security incidents which are not significant at all or do not affect a critical service.

Another concern related to the (lack of) reporting thresholds in the Proposal for NIS Directive is that a number of security incidents do not target the market operator’s network and information systems; instead they target their customers’ systems. Although it is safe to assume that any such incidents (if significant, subject to the delegated and implementing acts by the European Commission and the further guidance provided by individual Member States) would be subject to the reporting requirements imposed by the Proposal for NIS Directive, it is not entirely clear whether there is such a requirement under the Proposal for NIS Directive.

In the above context, it is reasonable to expect that in case of security incidents targeted against the systems of the market operator’s customers, doubts will arise whether such security incidents should be deemed as significant and whether they should be reported, in accordance with the requirements of the Proposal for NIS Directive.

Gjorgji Georgievski, Partner
