26 June 2024 | 6 minute read

NIS2 Directive: The deadline for the registration of entities in Hungary is 30 June 2024

In Hungary, the NIS2 Directive was transposed in May 2023 following the adoption of Act 23 of 2023 on cybersecurity certification and cybersecurity supervision. Under the Hungarian legislation transposing the NIS2 Directive, domestic entities have until 30 June 2024 to register.

As the title of the new Hungarian legislation indicates, the Act, in addition to transposing the NIS2 Directive, lays down the necessary provisions for the implementation of the EU Regulation on ENISA and on information and communications technology cybersecurity certification (the Cybersecurity Act).


Affected entities

The Hungarian rules transposing the NIS2 rules apply to the electronic information systems of service providers and organisations operating in the high-risk sectors listed in Annex 1 of the Act, along with providers and organisations operating in the at-risk sectors listed in Annex 2 (the so-called affected entities). The list is similar to that in Annexes I and II of the NIS2 Directive.

The rules do not apply to micro and small undertakings (those with fewer than 50 employees and no more than EUR 10 million annual turnover). There are some exceptions, e.g. electronic communications service providers. Additionally, the law does not apply to electronic information systems and networks for defence purposes, or to the protection of electronic information systems contributing to system elements designated as European or national critical infrastructure involved in critical activities.


Jurisdiction

The Hungarian legislation does not transpose the jurisdiction rules of the NIS2 Directive. Pursuant to the Directive, the entities covered by it are subject to the jurisdiction of the Member State in which they are established. If the entity provides services or is established in more than one Member State, it must be subject to the jurisdiction of each Member State concerned, separately and simultaneously.

There are, however, exceptions. Electronic communications service providers providing publicly available electronic communications services are subject to the jurisdiction of the Member State(s) where they provide their services. DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, online search engines or social networking service platforms, are subject to the jurisdiction of the Member State in which their main establishment is located.

An entity is to be considered to have its main establishment in the Member State where the decisions related to the cybersecurity risk-management measures are predominantly taken. If such a Member State cannot be determined or if such decisions are not taken in the EU, the main establishment shall be considered to be in the Member State where cybersecurity operations are carried out. If such a Member State cannot be determined, the main establishment shall be considered to be in the Member State where the entity concerned has the establishment with the highest number of employees in the EU.

These jurisdiction provisions have not been transposed into Hungarian law, which may be problematic, as the provisions of EU Directives can only be invoked by means of specific transposing acts of the Member States, except in a few very rare cases. Affected entities carrying out the activities above and established in more than one Member State are therefore recommended to conduct a risk analysis to assess whether they wish to register in Hungary if they would not necessarily be subject to Hungarian jurisdiction under the above rules.


Measures

In line with the NIS2 rules, the Hungarian legislation aims to protect the electronic information systems of affected entities, and the physical environment of those systems, from any event that could compromise the confidentiality, integrity and availability of the data and information stored, transmitted or processed, as well as the confidentiality, integrity and availability of the services provided by or through the electronic information systems.

To this end, affected entities must put a number of risk management measures in place, such as the establishment of an information security governance system, risk identification and analysis, and prevention, detection, management and mitigation of security incidents. Measures should also cover business continuity and the procurement of electronic information systems and the software and hardware products used by electronic information systems.

Where an entity uses a contractor for the creation, operation, maintenance, or repair of the electronic information system, the contractor is bound by these conditions as well.

The executive head of an affected entity must designate an individual responsible for security and define their responsibilities. The entity must also provide information security training for employees and ensure that users are aware of the rules applicable to them.

Affected entities must register with the Hungarian Supervisory Authority for Regulated Affairs (SARA) by 30 June 2024.


Security classification

Affected entities must classify their electronic information systems into security classes (basic, significant or high security class). A ministerial decree published on 24 June 2024 lays out the criteria for the classifications and the specific requirements applicable to each security class.

As part of risk analysis and risk management, threats to the confidentiality, integrity, and availability of the electronic information systems must be identified and documented by examining the contents of the threat catalogue included in the ministerial decree.


Audit

Affected entities are required to have an audit conducted every two years to demonstrate that they are implementing the appropriate security measures in line with the security classification of their electronic information systems. The audit must be conducted by a registered auditor who meets the requirements determined by the regulator. The results of the audit are sent directly to the regulator, and in the case of serious threats auditors must inform the regulator even during the audit.


Report a cybersecurity incident

If a security incident has occurred or is imminent in the electronic information system and it

  • causes serious disruption or damage to the operation or provision of services by the supervised entity, or
  • causes significant material or non-material damage to other natural or legal persons,

the affected entity must notify the computer security incident response team (National Cyber Security Center operating within the Special Service for National Security) within 72 hours.


Important deadlines

The deadline for the first obligation for affected entities is approaching: they have until 30 June 2024 to register on the online platform designated by SARA in order to be included in the register.

Supervisory tools

SARA will have a number of supervisory tools to ensure compliance with the law. These include maintaining records, ordering extraordinary audits, requesting documentation, issuing warnings, requiring the implementation of specific measures, prohibiting unsafe activities and, ultimately, imposing fines.