NEW HUNGARIAN CYBERSECURITY LAWS INTRODUCE IMPORTANT OBLIGATIONS – THE COUNTDOWN BEGINS
14 December 2023
From 1 January 2024, companies operating in Hungary will face significant new cybersecurity obligations under the Hungarian legislation implementing the EU NIS2 Directive. In this short article, we describe which companies will be affected by the new regulation and what the most important tasks are in the new year.
By way of background, the NIS2 Directive, the strengthened European cybersecurity legislation, entered into force in January 2023. To implement the provisions of the NIS2 Directive in Hungarian law, the parliament enacted Act XXIII of 2023 on cybersecurity certification and cybersecurity supervision (“Cybersecurity Certification Act”).
1. The companies concerned
Service providers and organisations operating in “high-risk” and “risky” sectors are covered by the new law. High-risk sectors include, for example, energy, transport, healthcare, digital infrastructure and electronic communication. Postal services, food and chemical manufacturing, electronic product manufacturing and digital services, among others, are classified as risky sectors.
As a general rule, the Hungarian Cybersecurity Certification Act does not apply to SMEs; it applies only to companies that employ at least 50 employees or have an annual net turnover or a balance sheet total exceeding 10 million euros.
However, electronic communications service providers, trust service providers, DNS service providers, top level domain name registrars and domain name registration service providers are covered by the law regardless of their size.
2. Major obligations
The Cybersecurity Certification Act requires basic cybersecurity measures for the electronic information systems of the entities covered by the act.
As part of the basic cybersecurity measures, companies covered by the law shall classify their electronic information systems. Based on the risk of confidentiality, integrity, or availability being compromised, a "basic", "significant" or "high" security class shall be applied.
The specific security measures applicable to each security class will be laid down in a ministerial decree and shall be applicable as of 18 October 2024.
The companies covered by the act have until 30 June 2024 to register with the Regulated Activities Supervisory Authority.
Further, by 31 December 2024 the companies shall appoint an independent auditor, who shall conduct the first NIS2-compliant cybersecurity due diligence by 31 December 2025.
3. Fines
In accordance with the NIS2 Directive, companies that fail to comply with the cybersecurity-related obligations may face administrative fines of a maximum of 10 million euros or 2% of their total worldwide annual turnover.
Based on the above, we advise companies operating in Hungary to check whether they are covered by the new Cybersecurity Certification Act and, if so, to start preparing the necessary measures.