Hungary
(a) What is the NIS2 implementation status?
The EU NIS2 Directive entered into force on 16 January 2023 and Member States have until 17 October 2024 to transpose it into their national legislation.
The Hungarian Cabinet Office of the Prime Minister submitted draft legislation on cybersecurity certification and supervision to Parliament in February 2023. The draft legislation transposes both Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Cybersecurity Agency) and the Cybersecurity Certification of Information and Communication Technologies (Cybersecurity Act) and the NIS2 Directive.
Based on this, Act XXIII of 2023 on Cybersecurity Certification and Cybersecurity Supervision, passed by Parliament, was promulgated on 15 May 2023 and entered into force on 23 May 2023.
(b) What is the envisaged NIS2 implementation timeline?
The Act entered into force on 23 May 2023, with the parts relating to requirements (such as Cybersecurity Surveillance, Essential Requirements, Cybersecurity Surveillance Tools) entering into force on 1 January 2024.
The next steps are as follows:
- As of 18 October 2024, the electronic information systems must be classified, specific security measures applied, and an authority fee must be paid, which is a maximum of 0.015 percent of the undertaking's net turnover in the previous financial year.
- Until 31 December 2024, the registered auditor chosen by the undertaking must be contracted.
- Until 31 December 2025, the auditor must carry out the first cybersecurity audit.
(c) What does the NIS2 mean for other national cybersecurity legislation?
The NIS2 Directive extends the personal scope of the current NIS Directive. Thus, instead of differentiating between “essential service providers” and “digital service providers”, the NIS2 Directive defines “important” and “essential” entities, which are classified into highly critical and other critical sectors, and adds new sectors not yet covered by the regulation.
Highly critical sectors include Energy, Transport, Banking, Financial Market Infrastructures, Health, Drinking Water, Wastewater, Digital Infrastructure Providers, Information and Communication Technology Service Management, Public Administrations and Space. Other critical sectors include Postal and courier services, Waste management, Chemical manufacturing and production, Food production and processing, Manufacturers of specific products such as computers, Vehicle manufacturers, Digital service providers, Research centres.
With the entry into force of the Act, Act L of 2013 on the Electronic Information Security of State and Local Government Bodies has been repealed. The changes entered into force on 1 January 2024, and amended the Act on the Authority for the Supervision of Regulated Activities by adding definitions and establishing powers.
(d) Who will be the supervisory authority and how are they preparing the market?
The Act designates the Regulated Activities Supervisory Authority (RASA) as the national cybersecurity certification authority to be established under the NIS2 Directive, with the duties of the cybersecurity certification authority related to military research, development, production and trade being performed by the authority designated by the Government.
In its capacity as cybersecurity supervisor, the RASA has the power to request documents relating to security requirements and classification, carry out official inspections, even order extraordinary audits and, of course, impose fines.
(e) What should you be doing/on the lookout for?
According to the NIS2 Directive, existing organizations are required to provide information to the competent cybersecurity supervisory authority by 17 January 2025. In Hungary, affected organizations that commenced operations before 1 January 2024 are obliged to submit the data specified in the decree of the Regulated Activities Supervisory Authority (RASA) to RASA by 30 June 2024, for registration purposes.
Detailed rules have also been published setting out the cybersecurity tasks and requirements to be carried out by the undertakings concerned. In particular, compliance with these requirements is necessary to identify the risks of cybersecurity threats, to prevent cyber-attacks and to mitigate the potential damage caused by attacks.
Organizations are required to notify Computer Security Incident Response Teams (CSIRTs) designated by Member States or, where applicable, the competent national authority (RASA) of any significant events. An event is considered significant if it caused or is capable of causing serious disruptions in operations or financial losses to the affected organization or resulted in significant financial or non-financial harm to other natural or legal persons.
Contact
Ildiko Szegedi E: szegedi@eversheds-sutherland.hu
© Eversheds Sutherland. All rights reserved.