EU NIS2 in Hungary

Current status

In Hungary, NIS2 implementation (2023. évi XXIII. törvény a kiberbiztonsági tanúsításról és a kiberbiztonsági felügyeletről) commenced on May 23, 2023, after the draft law underwent its consultation phase in February. This was followed by additional government decrees and a draft outlining the specific security measures, which underwent consultation in February 2024.

Further sections of the NIS2 implementation will become effective by October 2024.

For affected entities, there are some deadlines in 2024, starting with registration in June.

NIS2 Requirements

National differences

The Hungarian implementation of NIS2 is characterized by the following aspects:

• Many documents: The Hungarian NIS2 implementation regulates many details in separate government decrees. These include aspects such as penalty levels, required registration data, specific security measures, and reporting requirements. Section 28 lists all regulations that may be added.
• Softer deadlines for incident reporting: The Hungarian NIS2 implementation establishes reporting obligations in Section 27, referring to the Law on Electronic Information Security of State and Local Authorities. However, the requirement to submit a detailed report within 72 hours and 30 days is missing.

Entities

All companies that exceed the Hungarian definition of small businesses are affected. §22 (5) This includes companies with at least 50 employees or an annual turnover exceeding 3.9 Billion HUF (10 Million EUR).

Hungary does not differentiate between essential and important entities. Instead, companies must classify their electronic information system into security levels Basic, Significant or High. Measures that companies must implement follow from these security levels. Both the criteria for classification and the specific security measures are defined in a government decree (draft).

Sectors

The Hungarian NIS2 implementation adds some subsectors to the original NI2 sectors:

• Sector Public transport (Tömegközlekedés) added to Transportation sector. This includes public transport services as defined in EU Regulation 1370/2007 Article 2d.
• The subsector Manufacture of cement, lime and plaster (Cement-, mész-, gipszgyártás) was added to the Manufacturing sector.
• The sectors Digital Infrastructure (Digitális infrastruktúra) and electronic communications services (Hírközlési szolgáltatás) form the EU NIS2 sector Digital Infrastructure.
• Water and wastewater have been combined in the sector water utility services.
• The sectors of banking, financial market infrastructures, and public administration are not listed in the Hungarian NIS2 implementation.

Obligations

Affected entities in Hungary will be subject to specific obligations already starting in 2024:

• Registration deadline end of June 2024: Registration must be submitted to SZTFH by June 30, 2024. §26 (1) §30 (4) Entities that have commenced activities from 2024 onwards must submit data to SZTFH within 30 days of being affected. Since January 1, 2024 the SZTFH decree has been in force, specifying the details for registration with the SZTFH.
• Security measures: From October 2024, entities must implement specific security measures outlined in a separate decree. §20 (3) §30 (2) There is a draft available that went through the consultation process until February 2024.
• Reporting obligations: Section 27 will commence October 18, 2024, and regulates the reporting of cybersecurity incidents.
• Audit agreement with auditors: Affected entities must conclude an audit agreement with an authorized auditor by December 31, 2024. A period of 120 days from registration applies to companies that only commence their activities after October 18, 2024. §26 (3a) §30 (4)
• Audit completion: Entities must complete their first cybersecurity audit by December 2025, subsequent audits must be conducted every two years. §23 §30 (5) Entities that only started activities from 2024 have a deadline of two years from registration. §26 (3b)

Territoriality

Hungarian NIS2 implementation currently lacks a provision for implementing Article §26 EU NIS2. As a result, any company affected by Hungary’s NIS2 implementation which provides services in Hungary must possibly register in Hungary, regardless of other territoriality rules in other EU member states.

This also applies to companies affected by Article 26 (1a) and (1b) EU NIS2 including cloud and telco providers, managed service providers, DNS and name providers, and many more.

Sources

1. Hungarian NIS2 Implementation Act (official English translation), website of the Hungarian Legal Archive, January 02, 2024
2. Hungarian NIS2 Implementation Act (Hungarian), website of the Hungarian Legal Archive, n.d.
3. SZTFH decree with a list of the required registration data, website of the Hungarian Legal Archive, n.d.
4. Law on electronic information security for state and local authorities, website of the Hungarian Legal Archive, n.d.
5. Consultation draft on the requirements for security classification and the specific security measures, website of the Hungarian Legal Archive, n.d.
6. Government decree on the amount of cyber security fines, website of the Hungarian Legal Archive, n.d.
7. Law on small and medium-sized enterprises and their development promotion, website of the Hungarian Legal Archive, n.d.