EU NIS2 in Hungary

In Hungary, NIS2 is implemented by the Law on Cybersecurity Certification and Cybersecurity Supervision. In addition, there are many government decrees that regulate further details. The supervisory authority for regulated activities (SZTFH) takes on the role of national cybersecurity authority in Hungary. There are some differences in the Hungarian NIS2 implementation.

The Hungarian NIS2 implementation commenced in May 2023, followed by many government decrees setting out further details of the regulation. A draft decree on specific security measures has passed consultation and is expected to be finalised in 2024.

Implementation in Hungary

Current status

In Hungary, NIS2 implementation (2023. évi XXIII. törvény a kiberbiztonsági tanúsításról és a kiberbiztonsági felügyeletről) commenced on May 23, 2023, after the draft law underwent its consultation phase in February. This was followed by additional government decrees and a draft outlining the specific security measures, which underwent consultation in February 2024.

Further sections of the NIS2 implementation will become effective by October 2024.

For affected entities, there are some deadlines in 2024, starting with registration in June.

NIS2 Requirements

National differences

The Hungarian implementation of NIS2 is characterized by the following aspects:

Entities

All companies that exceed the Hungarian definition of small businesses are affected (§22 (5)). This includes companies with at least 50 employees or an annual turnover exceeding 3.9 billion HUF (10 million EUR).

Hungary does not differentiate between essential and important entities. Instead, companies must classify their electronic information systems into one of the security levels Basic, Significant or High. The measures that companies must implement follow from these security levels. Both the criteria for classification and the specific security measures are defined in a government decree (draft).

Sectors

The Hungarian NIS2 implementation adds some subsectors to the original NIS2 sectors:

Obligations

Affected entities in Hungary will be subject to specific obligations already starting in 2024:

Territoriality

The Hungarian NIS2 implementation currently lacks a provision implementing Article 26 EU NIS2. As a result, any company affected by Hungary’s NIS2 implementation that provides services in Hungary may have to register in Hungary, regardless of the territoriality rules in other EU member states.

This also applies to companies affected by Article 26 (1a) and (1b) EU NIS2 including cloud and telco providers, managed service providers, DNS and name providers, and many more.

Further Information

Sources

  1. Hungarian NIS2 Implementation Act (official English translation), website of the Hungarian Legal Archive, January 02, 2024
  2. Hungarian NIS2 Implementation Act (Hungarian), website of the Hungarian Legal Archive, n.d.
  3. SZTFH decree with a list of the required registration data, website of the Hungarian Legal Archive, n.d.
  4. Law on electronic information security for state and local authorities, website of the Hungarian Legal Archive, n.d.
  5. Consultation draft on the requirements for security classification and the specific security measures, website of the Hungarian Legal Archive, n.d.
  6. Government decree on the amount of cyber security fines, website of the Hungarian Legal Archive, n.d.
  7. Law on small and medium-sized enterprises and their development promotion, website of the Hungarian Legal Archive, n.d.