EU NIS2 in Hungary
In Hungary, NIS2 is implemented by the Law on Cybersecurity Certification and Cybersecurity Supervision In addition, there are many government decrees that regulate further details. The supervisory authority for regulated activities (SZTFH) takes on the role of national cybersecurity authority in Hungary. There are some differences in the Hungarian NIS2 implementation.
The Hungarian NIS2 implementation commenced in May 2023, followed by many government decrees setting out further details of the regulation. A draft decree on specific security measures has passed consultation and is expected to be finalised in 2024.
EU NIS2 Implementation in EU Member States
Discussion on NIS2 implementations: CZ, FI, FR, DE, HU, PL
Webinar ∙ Register on LinkedIn ∙ English ∙ August 29, 2024
Implementation in Hungary
Current status
In Hungary, NIS2 implementation (2023. évi XXIII. törvény a kiberbiztonsági tanúsításról és a kiberbiztonsági felügyeletről) commenced on May 23, 2023, after the draft law underwent its consultation phase in February. This was followed by additional government decrees and a draft outlining the specific security measures, which underwent consultation in February 2024.
Further sections of the NIS2 implementation will become effective by October 2024.
For affected entities, there are some deadlines in 2024, starting with registration in June.
NIS2 Requirements
National differences
The Hungarian implementation of NIS2 is characterized by the following aspects:
- Many documents: The Hungarian NIS2 implementation regulates many details in separate government decrees. These include aspects such as penalty levels, required registration data, specific security measures, and reporting requirements. Section 28 lists all regulations that may be added.
- Softer deadlines for incident reporting: The Hungarian NIS2 implementation establishes reporting obligations in Section 27, referring to the Law on Electronic Information Security of State and Local Authorities. However, the requirement to submit a detailed report within 72 hours and 30 days is missing.
Entities
All companies that exceed the Hungarian definition of small businesses are affected. §22 (5) This includes companies with at least 50 employees or an annual turnover exceeding 3.9 Billion HUF (10 Million EUR).
Hungary does not differentiate between essential and important entities. Instead, companies must classify their electronic information system into security levels Basic, Significant or High. Masures that companies must implement follow from these security levels. Both the criteria for classification and the specific security measures are defined in a government decree (draft).
Sectors
The Hungarian NIS2 implementation adds some subsectors to the original NI2 sectors:
- Sector Public transport (
Tömegközlekedés
) added to Transportation sector. This includes public transport services as defined in EU Regulation 1370/2007 Article 2d. - The subsector Manufacture of cement, lime and plaster (
Cement-, mész-, gipszgyártás
) was added to the Manufacturing sector. - The sectors Digital Infrastructure (
Digitális infrastruktúra
) and electronic communications services (Hírközlési szolgáltatás
) form the EU NIS2 sector Digital Infrastructure. - Water and wastewater have been combined in the sector water utility services.
- The sectors of banking, financial market infrastructures, and public administration are not listed in the Hungarian NIS2 implementation.
Obligations
Affected entities in Hungary will be subject to specific obligations already starting in 2024:
- Registration deadline end of June 2024: Registration must be submitted to SZTFH by June 30, 2024. §26 (1) §30 (4) Entities that have commenced activities from 2024 onwards must submit data to SZTFH within 30 days of being affected. Since January 1, 2024 the SZTFH decree has been in force, specifying the details for registration with the SZTFH.
- Security measures: From October 2024, entities must implement specific security measures outlined in a separate decree. §20 (3) §30 (2) There is a draft available that went through the consultation process until February 2024.
- Reporting obligations: Section 27 will commence October 18, 2024, and regulates the reporting of cybersecurity incidents.
- Audit agreement with auditors: Affected entities must conclude an audit agreement with an authorized auditor by December 31, 2024. A period of 120 days from registration applies to companies that only commence their activities after October 18, 2024. §26 (3a) §30 (4)
- Audit completion: Entities must complete their first cybersecurity audit by December 2025, subsequent audits must be conducted every two years. §23 §30 (5) Entities that only started activities from 2024 have a deadline of two years from registration. §26 (3b)
Further Information
Sources
- Hungarian NIS2 Implementation Act (official English translation), website of the Hungarian Legal Archive, January 02, 2024
- Hungarian NIS2 Implementation Act (Hungarian), website of the Hungarian Legal Archive, n.d.
- SZTFH decree with a list of the required registration data, website of the Hungarian Legal Archive, n.d.
- Law on electronic information security for state and local authorities, website of the Hungarian Legal Archive, n.d.
- Consultation draft on the requirements for security classification and the specific security measures, website of the Hungarian Legal Archive, n.d.
- Government decree on the amount of cyber security fines, website of the Hungarian Legal Archive, n.d.
- Law on small and medium-sized enterprises and their development promotion, website of the Hungarian Legal Archive, n.d.