From 1 January 2024, companies operating in Hungary face significant new cybersecurity obligations under the Hungarian legislation implementing the EU NIS2 Directive. In this short article, we describe which companies are affected by the new regulation and what the most important tasks in the new year are.
By way of background, the NIS2 Directive, the strengthened European cybersecurity legislation, entered into force in January 2023. To transpose the provisions of the NIS2 Directive into Hungarian law, the parliament enacted Act XXIII of 2023 on cybersecurity certification and cybersecurity supervision (the “Cybersecurity Certification Act”).
The companies concerned
Service providers and organisations operating in “high-risk” and “risky” sectors are covered by the new law. High-risk sectors include, for example, energy, transport, healthcare, digital infrastructure and electronic communications. Risky sectors include, among others, postal services, food and chemical manufacturing, the manufacturing of electronic products, and digital services.
As a main rule, the Cybersecurity Certification Act does not apply to micro and small enterprises: it covers medium-sized and large companies, broadly those that employ at least 50 people or whose annual net turnover and balance sheet total exceed EUR 10 million (the size thresholds follow the EU SME definition, so a company should check its size category rather than rely on the headcount figure alone).
However, electronic communications service providers, trust service providers, DNS service providers, top-level domain name registries and domain name registration service providers are covered by the law regardless of their size.
Major obligations
The Cybersecurity Certification Act requires the entities it covers to implement basic cybersecurity measures for their electronic information systems.
As part of these basic measures, covered companies must classify each of their electronic information systems. Based on the impact of a compromise of the system's confidentiality, integrity or availability, a “basic”, “significant” or “high” security class must be assigned; the class then determines which protective measures apply to that system.
The specific security measures applicable to each security class will be laid down in a ministerial decree and will apply from 18 October 2024.
Covered companies must register with the Regulated Activities Supervisory Authority (SZTFH) by 30 June 2024.
Further, by 31 December 2024 covered companies must appoint an independent auditor, who must complete the first NIS2-compliant cybersecurity audit by 31 December 2025.
Fines
In line with the NIS2 Directive, covered companies that fail to comply with their cybersecurity obligations may face administrative fines of up to EUR 10 million or 2% of their total worldwide annual turnover, whichever is higher.
Based on the above, we advise companies operating in Hungary to check whether they are covered by the new Cybersecurity Certification Act and, if so, to start preparing the necessary measures now, beginning with the system classification and the registration deadline of 30 June 2024.
By Anita Vereb, Attorney-at-law, SmartLegal Schmidt & Partners