Hungary was one of the quickest in the EU to begin implementing Directive (EU) 2022/2555 (NIS2) and one of those few EU member states that met the deadline for implementation. Nevertheless, the Hungarian NIS2 implementation is still incomplete, and the current implementing laws have caused some practical and interpretational issues for various companies.
In this article, we briefly summarize the past, present, and potential future of Hungarian cybersecurity laws.
Hungarian Cybersecurity Laws before NIS2
Hungary has had a relatively sophisticated cybersecurity law since 2013. The Information Security Act (Act L of 2013 on the Information Security of State and Municipal Bodies), despite its name, applies not only to the electronic information systems (EIS) of state and municipal bodies but also to operators of critical infrastructures (including private-sector companies) and certain IT suppliers of these organizations.
The Information Security Act requires entities subject to it to categorize their EISs into security classes and identify their organization’s required security level. Based on such security classes and levels, the organization concerned must take appropriate physical, logical, and administrative measures to protect its EISs and handle security events.
NIS2 Implementing Laws
The first Hungarian NIS2 implementing law, the Cyber-Certification Act (Act XXIII of 2023), has been applicable since January 2024. The scope of the Cyber-Certification Act is very similar to the scope of NIS2, but the list of in-scope entities deviates in some respects: for example, Hungarian pharmaceutical wholesalers are concerned entities if they meet the relevant thresholds. As with NIS2, deciding whether an entity is subject to the Cyber-Certification Act might be challenging in certain cases because the Hungarian law refers to other legal areas (e.g., concerning food businesses and waste management activities).
Concerned entities must register in the Hungarian Cybersecurity Authority’s (SZTFH) relevant registry within 30 days after they begin their activity subject to the Cyber-Certification Act. If the concerned entity was already performing its regulated activity before 2024, it had to register by June 30, 2024.
Since October 18, 2024, concerned entities must take appropriate measures to ensure the security of their EISs and the physical environment thereof. A part of such measures is specified by a related law. Similarly to entities subject to the Information Security Act, concerned entities must also categorize their EISs (and the data processed in them) into security classes and choose security measures accordingly.
Each concerned entity must conclude a contract with one of the cybersecurity auditors authorized by the SZTFH within 120 days after registration and undergo cybersecurity audits every two years (noting that special interim rules apply to most entities that were already required to register). Concerned entities must pay a supervisory fee to the SZTFH (the specific amount had not been determined at the time of writing).
Despite the fast implementation, based on our experience, there have been some considerable practical and interpretational issues in relation to the Cyber-Certification Act. For example, under the Cyber-Certification Act, concerned entities must include in their contracts with various IT service providers a clause in which the service provider undertakes to comply with the Cyber-Certification Act. Compliance with such a rule might pose challenges for multinational company groups where IT services are procured centrally and shared based on intracompany agreements. Furthermore, the Cyber-Certification Act is not clear on whether the IT service provider of the concerned entity must comply with the Cyber-Certification Act in relation to all of its EISs or only those that are used for the provision of services to the concerned entity (which is a crucial question in terms of expenses).
In addition, the Cyber-Certification Act does not include provisions based on Article 26 of NIS2, which stipulates special jurisdictional rules. Therefore, it is not settled at a legislative level whether, for example, providers of public electronic communications networks and/or services established in another EU member state must register and pay supervisory fees in Hungary.
Potential Future Changes
On October 29, 2024, the Hungarian government submitted to the Hungarian Parliament draft legislation that would replace both the Cyber-Certification Act and the Information Security Act. Based on the current draft, the new legislation might improve on the Cyber-Certification Act’s current issues and bring Hungarian cybersecurity laws closer to NIS2. On the other hand, in our view, the current draft is still not fully in line with Article 26 of NIS2, which might cause some confusion over its interpretation. Naturally, time will tell whether the new legislation’s final version will stand the test of practice.
By Csaba Vari, Head of IPTech, and Andras Gaal, Attorney, Baker McKenzie
This article was originally published in Issue 11.11 of the CEE Legal Matters Magazine.