Cybersecurity 2024

Last Updated March 14, 2024

Hungary

Law and Practice

Authors



PROVARIS Varga & Partners is a Hungarian independent law firm including six partners and more than 20 lawyers with a prominent international clientele. The lawyers are highly qualified legal experts with outstanding business and academic backgrounds and specialised knowledge in the fields of dispute resolution, technology and digitalisation, data protection, intellectual property, projects and energy, life sciences, public procurement, corporate and commercial law, real estate, European and constitutional law, tourism and sports law. The firm’s clients cover a broad spectrum of sectors, and it is very proud that its services are widely recognised by them. The team continues to attract domestic and international clients by providing outstanding legal services.

There are no centralised, unified legislation for cybersecurity requirements in Hungary. Different requirements and regulatory approach may apply to organizations in different sectors.

General

In general, requirements regarding the cybersecurity related protection and processing of personal data are laid down in the EU’s General Data Protection Regulation and in general, organizations processing personal data must comply with privacy-by-design, privacy-by-default and data security requirements laid down by Art. 32 GDPR.

State

State actors, government bodies and municipalities must adhere to the Act no. L. of 2013 on the Electronic Information Security of State and Local Government Bodies (“InfoSec Act”). The InfoSec Act is not limited to personal data, but all types of data. Lower-level pieces of legislation define further and detailed cybersecurity requirements such as the Government Decree 270/2018. (XII. 20.) on the Supervision of Electronic Information Security in Relation to Services of the Information Society and the Procedures Related to Security Incidents, Government Decree 187/2015. (VII. 13.) on the Authorities Responsible for the Security Supervision of Electronic Information Systems, the Duties and Powers of the Information Security Supervisor, and the Definition of Closed-Purpose Electronic Information Systems, Ministry of Interior Decree 41/2015. (VII. 15.) on the Technological Security Requirements, as well as Requirements for Secure Information Tools, Products, and the Classification into Security Classes and Security Levels, as Defined in the 2013 Act L. on Electronic Information Security of State and Local Government Bodies and Ministry of Public Administration and Justice Decree 26/2013. (X. 21.) on the Content of Training and Further Training for Leaders and Persons Responsible for the Security of Electronic Information Systems, as Defined in the Law on Electronic Information Security of State and Local Government Bodies.

NIS1

Hungary implemented the Directive (EU) 2016/1148 (NIS Directive) in various laws, including the Act CVIII of 2001 on Certain Issues of Electronic Commercial Services and Information Society Related Services (E-commerce Act). Detailed rules regarding cybersecurity event management and supervision are laid down in Government Decree 270/2018. (XII. 20.) on the Supervision of the Electronic Information Security of Information Society Services and the Procedure on Security Events. Further to this, critical assets and pieces of critical infrastructure are defined in Act CLXVI of 2012 on the Identification, Designation and Protection of Critical Systems and Facilities.

NIS2

The Hungarian Parliament adopted the Act XXIII of 2023 on Cybersecurity Certification and Cybersecurity Supervision (“CyberCert Act”), that transposes the provisions of the NIS2 Directive into Hungarian law. The act defined a very broad range of sectors in which companies are subject to the new legislation. Detailed rules and technical provisions are yet to come in 2024. “Essential” and “important” entities must register themselves with the Supervisory Authority of Regulated Activities (“Szabályozott Tevékenységek Felügyeleti Hatósága”, “SzTFH”) and must implement an internal information security management system, conduct risk assessments and classify IT systems and data. “Essential” and “important” entities must undergo regular, mandatory audits performed by auditors registered with the SzTFH.

Electronic Communications

Regarding the electronic communications sector, Section 156 of Act C of 2003 on

Electronic Communications as well as NMHH Decree No. 4/2012 (I.24) lays down the rules relating to IT security. The Act C of 2003 on Electronic Communication regulates data protection, cooperation with intelligence services and lawful interception of electronic communications. This Act also transposed the ePrivacy Directive 2009/136 into Hungarian law. The Act limits the scope of the mandatory data breach notification to providers of electronic communication services in Hungary. The supervision of data breach cases is assigned to the Hungarian Media and Infocommunications Authority [“NMHH”] which shall, within its competence, cooperate with the Data Protection and Freedom of Information Authority [“NAIH”]. Once the service provider reports a data breach and it did not provide a notice on data breach to its customers, the Authority may—upon consideration of the risk of possible detrimental consequences of the security breach–impose an obligation on the service provider to notify its customers after the Authority has obtained the opinion of the NAIH.

Financial sector

Cybersecurity related requirements, including the mandatory and regular audit of relevant systems and procedures are laid down in the Government Decree 42/2015 (III. 12.) on the Protection of the IT Systems of Financial Institutions, Insurance and Reinsurance Companies, as well as Investment Companies and Commodity Exchange Service Providers. Further to this, EU level legislation applies such as the PSD2 Directive which was implemented into Hungarian law by modifying several financial sectorial pieces of legislation.

Criminal law

The Act C of 2012 on the Criminal Code defines the penalised behaviour regarding cybersecurity related acts, such as interception of electronic communication, computer abuse, fraud committed with computer devices etc.

Enforcement environment and penalties

The enforcement of cybersecurity and data security requirements vary from sector-to-sector and greatly depends on the powers of the actual supervision authority being in charge for the given sector.

The Hungarian Data Protection and Freedom of Information Authority [“NAIH”] supervises data protection related matters. The NAIH is one of the most numerously staffed data protection authorities in EU Member States and data protection enforcement in Hungary is rigorous and stringent. However, investigations usually initiated upon individual complaints and ex officio inspections are fairly rare. Penalties that the NAIH may apply are defined by the Information Act, the GDPR and the Hungarian Sanctions Act. The GDPR imposes two tiers of fines for non-compliance: lower-level penalties up to €10 million or 2% of worldwide annual turnover, for issues like data security and cooperation with authorities, and upper-level penalties up to €20 million or 4% of annual turnover, for serious infringements like violating data subjects' rights and unlawful data transfers. These fines are discretionary, considering factors like the infringement's nature and any mitigating actions taken by the organization.

The Hungarian National Bank [“MNB”] supervises entities within the financial sector, including banks, insurance companies, payment providers etc. The MNB also has a very rigorous and stringent approach regarding compliance with applicable financial regulations and laws. The MNB is notorious with their several pieces of written guidance that also cover cybersecurity requirements, cloud services and outsourcing within the financial sector and acts as actual “soft-law” and represents the MNB’s legal interpretation of applicable laws. The MNB regularly conduct audits on actors within the financial sector, which also include thorough IT audits and reviews. During an audit the MNB assess if a financial institution follows the MNB’s guidance, has the required documentation in place that can confirm compliance with applicable cybersecurity requirements [e.g., conducting penetration tests on banking systems, software, consumer facing applications, conducting regular user access reviews, holding the necessary information security trainings and awareness campaigns etc.] The MNB enforces financial regulations by imposing fines, restricting banking operations, and in severe cases, suspending or revoking licenses. It can also mandate corrective actions, issue public warnings affecting an institution's reputation, and initiate legal proceedings. These measures ensure compliance and stability in Hungary's financial sector, with penalties based on the severity of violations, impact on the financial system, and the institution's past conduct. Further to this, the MNB has the powers to impose fines on leaders of the inspected organization, as well as on a person classified as a senior position according to applicable laws, The amount of fines varies on several circumstances and different ranges may apply.

Compliance with state related cybersecurity requirements and the implementation of the NIS Directive’s implementation into Hungarian law by the E-Commerce Act is supervised by the National CyberSecurity Center (“Nemzeti Kibervédelmi Intézet”, “NKI”) and they may impose a monetary fine against service providers who neglect certain obligations. These obligations include registering in a government-mandated registry, reporting security incidents in their network and information systems, complying with basic requirements set by the Hungarian government, and adhering to the official decision regarding the management of reported incidents. The range of fines may vary between 50 000,- HUF [approx. 130 EUR] to 5 000 000,- HUF [approx. 13 000 EUR].

The penalties under the InfoSec Act are rather moderate and may range up to from HUF 100 000 to HUF 10 million, whereas under the NIS2 requirements, maximum fine level can be €10,000,000 or 2% of the global annual revenue.

The NMHH is in charge of the enforcement of e-privacy related data security requirements applicable to public electronic communication service providers and can audit service providers in an administrative procedure.

Personal data: the NAIH is the supervisory authority over public and private organizations processing personal data and supervises personal data breach related events. The NAIH may initiate its procedure ex officio or based on a complaint. The NAIH also has the powers to notify other regulatory bodies, such as the Hungarian National Bank or the Hungarian Competition Office [“HCO”].

The National CyberSecurity Center (“Nemzeti Kibervédelmi Intézet”, “NKI”) is the supervisory authority for state and local government bodies as set out by the InfoSec Act and for operators of essential services and digital service providers as defined by the NIS Directive. Further to this, various sector specific authorities have powers for supervision of operators of essential services and digital service providers regarding critical infrastructures, assets and facilities as defined by the Detailed rules regarding cybersecurity event management and supervision are laid down in Government Decree 270/2018. (XII. 20.) on the Supervision of the Electronic Information Security of Information Society Services and the Procedure on Security Events.

The MNB exercise powers over the organization in the finance industry in Hungary, including conducting audits and investigations.

The National Police Headquarters hosts specialised staff at the Department of Counter-cybercrime focusing on most common cybercrimes such as phishing, online fraud etc.

The NMHH is an autonomous regulatory body in charge of supervising media and the markets for electronic communications, postal, and information technology services. The NMHH determines sectorial rules for supervising and monitoring electronic information system security in relation to media services and electronic communication activities. The NMHH operates the Internet Hotline platform for reporting of online content, that is unlawful or detrimental to minors, registers security incidents of electronic communication networks, and operates a sectorial incident management centre in relation to electronic communication services. The monitoring of personal data breach cases by electronic communication service providers is also assigned to the NMHH, which shall cooperate with the NAIH in the performance of its tasks. Data breaches shall be notified by electronic communication service providers within 24 hours to the Authority, and the service provider must make a follow-up notification within 72 hours. If the service provider has not initiated breach notification, the Authority may impose an obligation on the service provider to notify customers and users.

The NAIH can initiate an investigation in several ways. Firstly, it may start proactively based on information received from various sources, including media reports, complaints, or notifications of data breaches. Individuals or organizations can file complaints directly with NAIH if they believe their data protection rights have been violated. Additionally, the authority can act on referrals from other regulatory bodies or European Union institutions. Investigations may also begin as part of regular audits or follow-ups on previous cases. During these investigations, NAIH assesses compliance with data protection laws and regulations, ensuring the protection of personal data. In official proceedings the NAIH must adhere to the rules of the Act on the General Administrative Procedure and may impose any sanction defined by the GDPR and the Hungarian Sanctions Act.

The NKI is the custodian of checking compliance with the requirements set forth in the electronic information security laws regarding DES and OES entities and state or local, municipal bodies. If the organization does not cooperate with the NKI, in the case of a budgetary body, the authority has the right to appoint an information security supervisor. In more serious cases, it also has the option to impose a fine of up to five million forints. The NKI must also adhere to the rules of the Act on the General Administrative Procedure.

The MNB enforces financial regulations through various sanctions. Key measures include imposing fines, with amounts varying based on the severity of the violation; issuing cease and desist orders to halt non-compliant activities; and revoking licenses of financial institutions in serious cases. Additionally, the MNB can restrict operations, issue public notices, and mandate settlements that usually involve fines and corrective actions. To ensure ongoing compliance, increased reporting and monitoring may be required. These sanctions are tailored to maintain the stability of Hungary's financial system and protect consumers, with the nature and severity of the violation influencing the specific sanction and fine amount.

The NMHH is in charge of the enforcement of data security requirements applicable to public electronic communication service providers, postal services providers, providers of trust services and can audit service providers in an administrative procedure.

Hungary has implemented the NIS Directive and the NIS2 Directive, too. The CyberCert Act transposes the provisions of the NIS2 Directive. The Act defined a very broad range of sectors in which companies will be subject to the new legislation. Detailed rules and technical provisions are yet to come in 2024. “Essential” and “important” entities must register themselves with the SzTFH and must implement an internal information security management system, conduct risk assessments and classify IT systems and data. “Essential” and “important” entities must undergo regular, mandatory audits performed by auditors registered with the SzTFH. Auditors will have reporting duty to the SzTFH, which have powers to investigate the entity and broad means from ordering the investigated entity to solve the related audit finding to imposing a monetary fine. The act set several deadlines for organisations to prepare for compliance in 2024, with 18 October 2024 being the final deadline for implementing the relevant measures.

In Hungary, the HunCERT team is based at the Hun-REN Institute for Computer Science and Control (HUN-REN SZTAKI), functioning under the guidance and support of the Council of Hungarian Internet Providers (ISZT). This group's mission is to assist in identifying, examining, and handling network incidents among ISZT's member organizations. HunCERT aims to aid service providers in establishing effective processes for managing risks and addressing incidents within computer networks.

Hungary, as part of the EU, has adopted comprehensive cybersecurity laws and regulations. Authorities such as the NAIH, NKI, and MNB focus on ensuring compliance with cybersecurity and data security standards. This involves organizations using advanced technologies and establishing strong organizational governance for effective cybersecurity management, encompassing both organizational and technical measures. Hungarian cybersecurity laws are generally technology-neutral, promoting a risk-based approach rather than prescribing specific controls.

The EU's introduction of the GDPR set the stage for 'privacy by design' and 'privacy by default', along with general data security requirements that emphasize confidentiality, integrity, availability, and resilience.

Specific sector regulations also exist, such as Government Decree 42/2015 (III. 12.) for financial, insurance, and investment entities, mandating robust IT security and cybersecurity practices. These include detailed organizational and technical standards, as interpreted in MNB's guidelines like Guidance 8/2020, which advocate for measures like penetration testing and vulnerability scanning.

The InfoSec Act imposes similar obligations on public sector entities.

Furthermore, laws implementing the NIS Directive, like Act CLXVI of 2012, identify and protect critical systems and facilities. This is expanded upon in Government Decree 270/2018. (XII. 20.), which details cybersecurity event management and supervision for relevant organizations in the information society services sector.

Refer to section 1.1.

The anticipated surge in AI adoption is expected to continue in Hungary, with numerous businesses integrating Large Language Model (LLM) based AI solutions to enhance efficiency in everyday operations. Additionally, the Hungarian Competition Authority (HCO) currently conducts a market analysis examining AI's impact on competition and consumer rights. Use of AI has its own cybersecurity risks and new, emerging threats.

AI's integration poses a risk to market fairness, as it's currently a resource-heavy and innovative field dominated by large tech companies. These companies' access to extensive resources and advanced technology allows them to gain a significant competitive advantage. This could lead to market domination by a few industry giants, potentially disrupting competition in digital markets.

Moreover, the rise of AI technologies increases consumer vulnerabilities, particularly in data collection and advertising. With AI, companies can more effectively gather and use consumer data, applying strategies like 'dark patterns' and tailored advertising. This is especially concerning in scenarios like chatbot interactions, where consumers might not discern if the information provided is reliable or influenced by sponsored content. These developments highlight the need for careful consideration of AI's broader implications on market dynamics and consumer protection.

In 2024, organizations subject to the NIS2 requirements under the CyberCert Act are anticipated to dedicate the year to preparing for compliance. Once the lower-level regulations are officially published and enforced through the official journal, practical implementation efforts will commence.

The Digital Operational Resilience Act (DORA), an EU regulation, entered into force on January 16, 2023, and will be applicable from January 17, 2025. We also expect that financial institutions will spend resources to meet compliance requirements, such as establishing effective ICT risk management frameworks, promptly reporting significant ICT incidents, conducting regular resilience testing, managing third-party ICT risks, and overseeing critical third-party service providers. Financial entities are encouraged to share cyber threat information, and compliance is crucial, with penalties for non-compliance. DORA aims to bolster the financial sector's cybersecurity, ensuring it can withstand and recover from ICT disruptions and threats, thus safeguarding its operational continuity and stability.

Also, we expect that the EU will adopt the Cyber Resilience Act [“CRA”] in 2024, which will trigger further legislative measures and preparations from market actors in Hungary as well.

Refer to Section 1.1

Refer to Section 1.2

The ENISA, the European Union Agency for Cybersecurity, is a pivotal institution in the EU's efforts to enhance cybersecurity. Established in 2004, the ENISA serves as a central hub for cybersecurity expertise, facilitating cooperation among EU member states and various stakeholders. Its roles encompass providing cybersecurity guidance, fostering standardization and certification, analyzing threat intelligence, coordinating responses to cross-border incidents, and supporting research and innovation. The ENISA also plays a critical role in capacity building, educating citizens and organizations about cybersecurity risks and best practices. Furthermore, it offers policy advice to EU institutions and member states, helping shape effective cybersecurity policies and legislation. In summary, ENISA's multifaceted responsibilities contribute to creating a more secure and resilient digital environment within the European Union by promoting cooperation, knowledge sharing, and the development of cybersecurity standards and best practices.

Local Hungarian cybersecurity agencies include the NKI and the SzTFH, responsible for enforcing compliance with the NIS Directive and NIS2 Directive, respectively. The NKI also serves as the supervisory authority for organizations regulated by the InfoSec Act.

The NAIH plays a pivotal role in safeguarding data security and privacy. NAIH enforces data protection laws and regulations, overseeing regulatory compliance, conducting in-depth investigations and audits, monitoring data breach notifications, and providing extensive guidance and educational resources to promote data security best practices. Importantly, the NAIH has the authority to impose sanctions and legal actions against organizations found in violation of data security and privacy laws. By diligently carrying out these functions, NAIH ensures the lawful and secure processing of personal data within Hungary, thus fostering a robust data security landscape in the country.

The MNB plays a multifaceted role in IT security within the financial sector. This includes regulatory oversight through the establishment and enforcement of cybersecurity regulations and guidelines. The MNB conducts risk assessments to identify vulnerabilities and ensure the stability of the financial system. In the event of cybersecurity incidents, it coordinates responses and investigations. Payment system security is a priority, overseeing protection against cyber threats and fraud. Facilitating information sharing among financial institutions and government agencies enhances collective defence. The MNB ensures compliance with IT security standards, conducts audits, invests in research and development, and engages in international cooperation to stay updated on best practices and emerging threats.

The NMHH holds the responsibility for enforcing data security regulations applicable to public electronic communication service providers, postal services providers, providers of trust services residing, or possessing a registered seat or location in Hungary, organisations certifying the compliance of tools generating qualified electronic signatures and electronic timestamps, as well as the tools generating qualified electronic signatures and electronic stamps that have been certified in Hungary.

NKI

The NKI operates within the framework of the Special Service for National Security (“SSNS”), overseen by the Cabinet Office of the Prime Minister. Serving as the Hungarian government's hub for network and information security, NCSC Hungary plays a crucial role in safeguarding the entire governmental administration and local municipalities. The centre is integral to protecting Hungary's critical information infrastructure. Additionally, NCSC Hungary functions as a knowledge repository for IT professionals and the general public.

The NKI is responsible for the supervision of state and local municipal entities under the InfoSec Act. The NKI is responsible for supervising and deciding on the classification and security levels of electronic information systems and organizations, ensuring compliance with legal requirements. This includes ordering and verifying the rectification of identified security gaps, conducting risk analyses, investigating security incident reports, and making relevant recommendations. It collaborates with national security services, coordinates with incident management centres, checks compliance in EU-funded projects, participates in cybersecurity working groups, and manages an official registry. Further to this, the NKI’s involves overseeing organizations' adherence to legislated security requirements and procedures, requiring and reviewing supporting documentation, and assessing security classifications and protective measures. It includes ensuring compliance in EU-funded development project planning, organizing national cyber-defence drills, representing Hungary in international cyber exercises, and providing input on inter-sectoral security event protocols drafted by the government incident management centre.

HunCERT Team

The HunCERT team, functioning under the Hun-REN Institute for Computer Science and Control (HUN-REN SZTAKI), was founded and functions with the backing of the Council of Hungarian Internet Providers (ISZT). The primary functions of HunCERT encompass detecting and analysing incidents, handling incidents, conducting security and communication exercises, and promoting security awareness. Cert-HU, or the Computer Emergency Response Team of Hungary, plays a vital role in enhancing the country's cybersecurity posture. Its primary task is to prevent, detect, respond to, and mitigate cybersecurity threats and incidents in Hungary. Cert-HU provides expert guidance, shares threat intelligence, and collaborates with various stakeholders, including government agencies, critical infrastructure providers, and private-sector organizations. It helps organizations strengthen their cybersecurity defences, offers incident response support, and conducts cybersecurity awareness campaigns. Cert-HU also facilitates information sharing on emerging threats, contributing to the overall resilience of Hungary's digital landscape and ensuring the protection of critical systems and sensitive data against cyberattacks.

In Hungary, several internationally recognized standards are widely adopted and serve as de facto soft law, guiding organizations in various aspects of cybersecurity and data protection.

PCI DSS 4.0 (Payment Card Industry Data Security Standard): This comprehensive framework is crucial for entities involved in credit card transactions, such as merchants, payment providers, and banks. It focuses on protecting cardholder data through stringent security measures, enhancing risk assessment, and offering flexible authentication. The standard emphasizes continuous monitoring and adapting to emerging threats, incorporating practices like encryption, access controls, and regular security testing. This standard is vital in ensuring data breach prevention and maintaining customer trust in card transactions.

ISO 27001 Standard Family (including MSZ ISO/IEC 27001:2014 that is the official Hungarian language version of the standard): This internationally recognized framework is instrumental in managing and safeguarding sensitive information. It covers risk assessment, security policies, and controls, facilitating organizations in identifying and mitigating information security risks. Compliance signifies a strong commitment to data security, focusing on the confidentiality, integrity, and availability of information assets. The standard is versatile, suitable for various industries and organizational sizes, providing a structured approach to information security management.

NIST SP 800-53 Framework: Influencing Hungarian legislation, including the InfoSec Act and Government Decree 42/2015, this comprehensive cybersecurity framework is renowned for its guidelines and controls. Its latest version, Revision 5, adopts a dynamic and adaptive approach, emphasizing continuous monitoring and threat intelligence integration. The framework categorizes controls into critical areas like access control, data protection, and incident response, aiding organizations in enhancing their resilience against evolving cyber threats.

OWASP Framework: This standard is pivotal in software development, particularly in web application security. The OWASP Top Ten, a list of critical web application vulnerabilities, is a key focus in penetration tests and vulnerability scans. It provides developers and organizations with essential guidance, tools, and best practices for building secure web applications and conducting thorough security testing.

Sector-specific standards, such as the ISO/SAE 21434 in the automotive industry, which is significant in the Hungarian economy, also play a crucial role.

In the financial sector, the MNB has issued several guidelines on IT security, particularly concerning cloud service providers and outsourcing IT services. These guidelines, such as Recommendation No. 8/2020. (VI.22.), Recommendation No. 7/2020. (VI.3.), and Recommendation No. 4/2019. (IV.1.), are interpretations of applicable laws and function as actual "soft law," setting standards for the protection of IT systems, utilization of external service providers, and the use of community and public cloud services. These diverse standards and guidelines collectively contribute to a robust cybersecurity ecosystem, tailored to meet the unique challenges and requirements of various sectors in Hungary.

While there are no explicitly stated legal requirements in Hungarian cybersecurity laws to adhere to specific standards, the ISO 27001 standards family, the NIST SP 800-53 framework, OWASP, and PCI DSS-related requirements are commonly regarded as standards that can facilitate compliance with the concept of 'reasonable security.' However, actual implementations may vary among different organizations, and there may be cases where adherence to an information security standard alone does not suffice to meet specific legal cybersecurity requirements.

Applicable cybersecurity requirements in the financial sector and the public sector are very detailed and stringent in Hungary. Different, higher level security requirements apply in other sectors and generic requirements, such as the GDPR’s data security requirements apply to business in non-regulated industries.

Financial Sector

Applicable regulation in the financial sector in Hungary mandates comprehensive measures for IT system security based on risk analysis. This includes identifying critical system components, ensuring robust IT security defences, regular user administration audits, and maintaining a secure environment for logging and evaluating critical processes. It emphasizes the importance of data transmission security, secure data carrier management, and adequate protection against viruses and malicious programs. Institutions must also have documented procedures for IT system operation and development, secure data storage systems, backup and recovery plans, and solutions for authenticating and archiving electronic documents to guarantee long-term authenticity. The regulation emphasizes the need for continuous service provision, including plans for handling extraordinary events that could disrupt service continuity. Financial institutions are required to maintain thorough documentation and systems for their IT infrastructure. This includes detailed descriptions and models for IT systems they develop or commission, data syntactic rules and storage structures, a classification system for IT system elements, access controls. Legal documentation for software compliance and a comprehensive registry of software tools are also necessary. The software must enable the institution to securely record operational data, financial assets, and connect to national IT systems, including legal reporting requirements. It should also facilitate data verification and ensure proportional physical and logical security, safeguarding the integrity of the system and data. Further to this, financial institutions must define in its internal regulations the information technology knowledge required for each position. 

IT systems in the financial sector must meet comprehensive security requirements to ensure the integrity and protection against unauthorized access or modification. This includes well-documented and regulated operational processes, change management, backup, and recovery procedures. User access must be controlled and audited regularly. The system must be protected against viruses and malicious programs, with data communications ensuring confidentiality, integrity, and authenticity. A disaster recovery plan should be in place and regularly tested. The procurement and maintenance of systems must comply with security standards. There should be a focus on integrity, adequate protection of the system, secure remote access, and physical security. The organization must manage security events effectively, provide regular security training for staff, and use systems for remote work and digital customer service that secure and authentically manage data.

Public Sector

In the public sector, lower-level pieces of legislation define further and detailed cybersecurity requirements such as the Government Decree 270/2018. (XII. 20.) on the Supervision of Electronic Information Security in Relation to Services of the Information Society and the Procedures Related to Security Incidents, Government Decree 187/2015. (VII. 13.) on the Authorities Responsible for the Security Supervision of Electronic Information Systems, the Duties and Powers of the Information Security Supervisor, and the Definition of closed-Purpose Electronic Information Systems, Ministry of Interior Decree 41/2015. (VII. 15.) on the Technological Security Requirements, as well as Requirements for Secure Information Tools, Products, and the Classification into Security Classes and Security Levels, as Defined in the 2013 Act L. on Electronic Information Security of State and Local Government Bodies and Ministry of Public Administration and Justice Decree 26/2013. (X. 21.) on the Content of Training and Further Training for Leaders and Persons Responsible for the Security of Electronic Information Systems, as Defined in the Law on Electronic Information Security of State and Local Government Bodies.

Such legislation requires state and local municipal bodies to meet stringent cybersecurity requirements that are very similar to those in the financial sector detailed above. The InfoSec Act mandates that organizations must have their electronic information systems to ensure the confidentiality, integrity, and availability of data throughout their lifecycle. This includes the application of post-quantum cryptography, especially in government networks and public internet interfaces, offering advanced protection beyond traditional cryptographic methods. Organizations are required to establish specific logical, physical, and administrative protective measures. These measures should facilitate prevention and early warning, detection of threats, timely response to incidents, and effective management of security events, ensuring a comprehensive and adaptive security posture throughout the system’s lifecycle. 

The InfoSec Act requires electronic information systems and their data to be classified into security classes based on confidentiality, integrity, and availability to ensure risk-proportionate protection. These systems are rated on a scale of 1 to 5, with higher numbers indicating stricter protective measures. The classification process, which must be approved by the organization’s head, ensures compliance with legal and risk requirements, and must be documented in the information security policy. The specific protective measures to be implemented for each system are determined by their assigned security class, as outlined the law. 

Organizations are required to classify themselves into specific security levels based on their readiness to protect electronic information systems, adhering to legally defined criteria. This classification aims to create a proportionate and cost-effective defence mechanism. Different organizational units, such as those responsible for development, operation, management, or information security of these systems, may be assigned different security levels based on their preparedness. The overall security level is influenced by the organization’s overall preparedness for protection and is further defined by how the electronic information systems are utilized, following legal guidelines. The organization’s leader is tasked with ensuring the protection of electronic information systems. This involves adhering to legal requirements for the system’s security class and the organization’s security level, appointing a responsible security person, setting clear responsibilities and rules, and maintaining an information security policy. Regular risk analyses, checks, and audits are required to verify compliance with laws and risk management. The leader must ensure event traceability, effective response to security incidents, and the fulfilment of legal obligations in collaborations involving the system’s creation, operation, maintenance, or repair. Prompt communication regarding security events and threats, along with implementing necessary protective measures, is also part of their responsibility.

The NAIH works in conjunction with the European Data Protection Board, emphasizing the harmonization of data security practices, adherence to EU regulations, and the promotion of unified data security standards across the EU. 

The NKI collaborates with ENISA, enhancing cybersecurity expertise, information sharing, and policy alignment, contributing to a more secure and resilient digital environment within the European Union. The NKI also cooperates with CERT-EU, sharing cybersecurity insights, threat intelligence, and best practices, contributing to the overall security of the European Union’s digital landscape.

Regarding IT security, the MNB aligns with the European Central Bank (ECB) within the European System of Central Banks (ESCB). This collaboration involves sharing cybersecurity information, ensuring secure financial operations, and enhancing overall IT security within Hungary’s financial sector.

In the European Union (EU), stringent data security measures are mandated by the GDPR. Organizations are obliged to implement robust data security practices, including encryption, access controls, timely data breach reporting, and regular data protection impact assessments. 

The GDPR emphasizes a privacy-by-design approach, underscoring the importance of integrating privacy protections into processes and systems. Some organizations appoint Data Protection Officers (DPOs) to liaise with authorities. Compliance with GDPR demonstrates a commitment to data security and privacy protection, ensuring that personal data is well-protected and secure within the EU.

Financial Sector

Applicable regulation in the financial sector in Hungary mandates comprehensive measures for IT system security based on risk analysis. This includes identifying critical system components, ensuring robust IT security defences, regular user administration audits, and maintaining a secure environment for logging and evaluating critical processes. It emphasizes the importance of data transmission security, secure data carrier management, and adequate protection against viruses and malicious programs. Institutions must also have documented procedures for IT system operation and development, secure data storage systems, backup and recovery plans, and solutions for authenticating and archiving electronic documents to guarantee long-term authenticity.

Entities in the financial sector in Hungary are required to undertake a mandatory certification audit. Certificates issued by the auditor have a validity of one year. Prior to their expiration, the financial institution must initiate the renewal process with the certifying auditor at least six months in advance. The auditor is required to start the certification process in a timely manner, ensuring it can be completed, including the issuance of a new certificate, within the existing certificate’s validity period. This process aims to prevent any lapse in certification. The auditor must evaluate if an information technology system meets specific security requirements. This includes ensuring comprehensive, continuous, and risk-proportionate protection for both the data managed and the system’s components. Key aspects of this protection involve strict role-based access for users, continuous monitoring of changes to protected information, controlled external interfaces, and maintaining the system’s security level through regular updates and effective operation. These measures are designed to safeguard the confidentiality, integrity, and availability of data and system components throughout the IT system’s lifecycle. Upon completing the certification process, the certifying organization is required to report the outcomes to the MNB. If the MNB identifies any errors or shortcomings in the institution’s IT system, particularly in the mechanisms ensuring risk-proportionate protection, it has the authority to take appropriate measures against the institution. This process ensures that the institution’s information system adheres to the required standards of risk management and protection.

Public Sector

The InfoSec Act requires electronic information systems and their data to be classified into security classes based on confidentiality, integrity, and availability to ensure risk-proportionate protection. These systems are rated on a scale of 1 to 5, with higher numbers indicating stricter protective measures. The classification process, which must be approved by the organization’s head, ensures compliance with legal and risk requirements and must be documented in the information security policy. The specific protective measures to be implemented for each system are determined by their assigned security class, as outlined the law. 

NIS1

NIS1 relevant service providers under the scope of the E-commerce Act are obliged to report and must immediately notify the NKI’s incident management centre about significant incidents in their network and information systems. Reports should detail the incident, its impact on service operations, and the designated contact person. The assessment of an event's significance should consider the number of affected users, the event's duration and geographic scope, and its impact on service operation and broader economic and social activities. Reporting is primarily done electronically, but phone reports are also accepted if severe system damage prevents electronic communication. Additional technical data may be required to effectively manage the security event.

NIS2 – Cybersecurity Certification

The CyberCert Act incorporates the ITC certification schemas of the EU’s Cybersecurity Act. The Hungarian cybersecurity certification system is designed to ensure comprehensive protection and management of data throughout the lifecycle of ICT products, services, and processes. This includes safeguarding against unauthorized actions, ensuring data integrity, and maintaining data availability. The system requires documentation of vulnerabilities, verification of authorized access, and resilience in the face of security incidents. It also mandates that ICT products, services, and processes are secure by design, regularly updated, and free from known vulnerabilities. The certification system includes detailed requirements for scope, goals, standards, reliability levels, compliance evaluation, and the issuance of cybersecurity certificates, ensuring a robust and systematic approach to cybersecurity. Organization has the discretion to ensure compliance with essential security domains by utilizing ICT products, services, or processes that have been certified by an EU or national certification body. However, there is no legal requirement to obtain cybersecurity certifications, but for organization under the scope of the CyberCert Act, “essential” and “important” business may be obliged by the President of the SzTFH, through presidential decree, to use certain certified ICT products, services, and processes. This mandate is likely to apply to the company and could influence its IT procurement strategies.

NIS2 – Cybersecurity requirements

Basic cybersecurity measures within a company are designed to protect both digital information systems and their physical infrastructure, tailored to the potential damage posed by cyber threats. These comprehensive security strategies cover the defence against incidents that could impact data, information, or the confidentiality, integrity, and availability of services provided by these digital systems. This encompasses data in all forms: stored, in transmission, or being processed. Key components of this cybersecurity framework include the establishment of an Information Security Management System (ISMS) with integrated controls, development of internal risk management procedures specifically for electronic information systems, and implementation of various internal controls. These controls, both administrative and technical, are aligned with the risk level identified for each IT system to effectively reduce associated risks. Additionally, procedures and tools for incident management are crucial, focusing on the prevention, detection, and mitigation of security incidents. Ensuring business continuity forms another vital element, with measures in place to maintain operational resilience. Operational procedures for acquiring, developing, and managing electronic information systems, along with their software and hardware, are also emphasized. Under the NIS2 framework, entities classified as “essential” or “important” must extend these cybersecurity standards to third-party service providers involved in system development, operation, maintenance, or repair, ensuring these requirements are contractually binding. This holistic approach ensures a robust defence against the evolving landscape of cyber threats.

“Essential” and “important” entities must categorize their electronic information systems and associated data following the criteria set by the forthcoming decree from the Minister in charge of managing national civil security services. This decree, which is pending implementation, will stipulate the security measures for each classification level. Organizations must adhere to these measures by no later than October 18, 2024. The classification process should consider the risks to confidentiality, integrity, and availability, categorizing systems and data into "basic," "significant," and "high" security levels. The Minister responsible for civilian national security services will detail specific controls in a future decree.

To verify compliance with cyber security regulatory requirements, affected entities must enter into a service agreement with an independent auditor from the closed list of the SzTFH by 31 December 2024 and must conduct the biennial audit by 31 December 2025 at the latest. The auditor shall conduct internal security checks, remote vulnerability scans, and penetration tests for systems classified as "significant" and "high." They are also responsible for verifying cryptographic technical compliance and performing security code reviews for custom-developed software critical to these high-classification systems. At the end of the audit, the auditor must report their findings to the SzTFH. If the audit uncovers issues that could severely disrupt the company's operations, indicate criminal activity or legal breaches, or constitute a serious violation (or suspicion thereof) of the company's internal policies, the auditor must inform the SzTFH in writing of such events. Maximum net audit fees will be set by Decree of the President of the SzTFH.

Entities subject to the CyberCert Act must report to the NKI security incidents or the imminent threat of such incidents that cause serious disruption or material damage to the affected entity's business continuity or service delivery or cause significant material or non-material damage. All external parties that may be involved in the management of such incidents must hold a certification as defined in the SzTFH President's Decree.

Refer to Sections 3.3 and 4.2 above.

Refer to Sections 3.3 and 4.2 above.

Refer to Sections 3.3 and 4.2 above.

Refer to Sections 3.3 and 4.2 above.

A data security event refers to any occurrence or situation that has the potential to affect the security of data, without confirming whether it resulted in a breach. A data security incident is a confirmed breach of data security protocols or unauthorized access to data, though not necessarily involving personal data. A personal data breach is a specific type of data security incident, where there is unauthorized access, loss, alteration, or disclosure of personal data. Personal data breaches are significant as they pertain to information that can identify individuals and often require reporting to authorities and affected parties, while data security events and incidents may have varying levels of impact.

Hungarian laws defined personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. The InfoSec Act defines a security event as “an unwanted or unexpected unique event or series of events that induces unfavourable changes or a previously unknown situation within the electronic information system, resulting in the loss or compromise of the confidentiality, integrity, authenticity, functionality, or availability of the information carried by the electronic information system.”

Cybersecurity requirements in Hungary does not differentiate between types of data elements and specific requirements apply in the financial sector and in the public sector that requires the confidentiality, integrity and availability classification of data and IT systems.

Further to this, the generic data security requirements apply as set out by the GDPR regarding personal data.

Refer to Section 5.2

In Hungary there are no further legal requirements in terms of cybersecurity compliance than that are set out in the EU’s Medical Device Regulation (MDR).

There is no OT [Operational Technology] specific regulations and please refer to Sections 3.3 and 4.2.

There is no IoT specific regulations (other than those generally applicable to public electronic communication services under the NMHH Decree Nr 4/2012. (I. 24.). Please refer to Sections 3.3 and 4.2.

Refer to Sections 3.3 and 4.2.

Refer to Sections 3.3 and 4.2.

Refer to Sections 3.3 and 4.2.

Network monitoring and the implementation of cybersecurity defences like anti-DDoS tools, load balancers, CDNs, or WAFs require a prior IT security risk assessment and adherence to data protection requirements under applicable legislation. Sector-specific laws, as detailed in Sections 3.3. and 4.2, mandate organizations to maintain a certain level of cybersecurity, but they are not obligated to use specific technical controls. Organizations have the flexibility to choose from various cybersecurity solutions, except for those under the scope of the CyberCert Act. Additionally, these organizations must respect the data protection rights of individuals like employees, contractors, and others. This entails conducting a prior data protection impact assessment, documenting, and providing transparent information about the cybersecurity measures in place. They must also ensure the protection of data subject rights as outlined in the GDPR, balancing cybersecurity needs with privacy and data protection obligations.

The Hungarian Criminal Code outlines various cyber-related offenses and their respective penalties. Intercepting messages transmitted through electronic communication networks, including information systems, is classified as a restricted practice. Additionally, committing fraud using IT systems, such as unlawfully inputting, altering, deleting, or making data inaccessible, or otherwise influencing the operation of an information system, is punishable by up to three years in prison if it causes damage.

Unlawfully acquiring knowledge of personal, private, trade, or business secrets is also penalized. This includes secretly searching or observing someone's residence or associated premises using technical devices, covertly opening or acquiring postal or closed shipments and recording their contents, intercepting communication content, and secretly investigating data in an information system.

Unlawfully entering an information system by bypassing security measures or staying beyond authorized access is punishable by up to two years' imprisonment. This also extends to anyone who commits crimes specified in Sections 375, 422 (1) d), or 423 of the Code. Producing, transferring, making accessible, acquiring, or distributing passwords or computer programs necessary for committing these crimes, or providing knowledge related to their production, also attracts a similar penalty of up to two years' imprisonment. These comprehensive legal provisions aim to safeguard information systems and personal data against unauthorized access and exploitation.

Refer to Section 6.1

Refer to Sections 3.3 and 4.2

Cert-HU, or the Computer Emergency Response Team of Hungary, plays a vital role in enhancing the country's cybersecurity posture. Its primary task is to prevent, detect, respond to, and mitigate cybersecurity threats and incidents in Hungary. Cert-HU provides expert guidance, shares threat intelligence, and collaborates with various stakeholders, including government agencies, critical infrastructure providers, and private-sector organizations. It helps organizations strengthen their cybersecurity defences, offers incident response support, and conducts cybersecurity awareness campaigns. Cert-HU also facilitates information sharing on emerging threats, contributing to the overall resilience of Hungary's digital landscape and ensuring the protection of critical systems and sensitive data against cyberattacks.

Refer to Section 8.2.

The NAIH in 2020 fined DIGI Kft, a telco company in Hungary for 100 million HUF, marking the highest fine since GDPR's enforcement in Hungary. This was due to DIGI's significant data breach, originating from a known vulnerability in their systems, which remained unaddressed for over nine years. The breach publicly exposed clients' personal data, including sensitive information, stored unencrypted in a database accessible from the internet. This highlighted the need for robust IT security and GDPR compliance, emphasizing the importance of protecting personal data against unauthorized access. Later the court reduced the fine’s amount to 80 million HUF.

Another notable case before the NAIH regarding the breach of data security obligations was published last year. According to the NAIH’s decision, a customer contacted the data controller's customer service seeking reimbursement for expenses. The data controller requested the customer to submit their bank statement in a password-protected compressed file, along with the password sent separately through another e-mail, but on the same communication channel to the customer service. The NAIH found that the data controller transferred the its obligation of securing data security onto data subjects, violating the GDPR’s data protection by design and by default principles and data security requirements. In that case the NAIH imposed a 40 million HUF fine.

Another significant data security related case before the NAIH was related to a data breach in Hungary that was associated with the website operated by the Democratic Coalition political party. A user database containing the personal data of the party’s potential voters, such as email addresses, names, and encrypted passwords for login was leaked and was publicly accessible on the internet due to insufficient data security measures. The exposure of the database occurred when an attacker, exploiting the vulnerabilities of the website, gained unauthorized access and uploaded the data to another webpage. In 2019, the NAIH imposed an 11 million HUF data protection fine on the political party.

The NAIH also imposed fines in a notable case that involved an IT service provider, who was fined 27 million HUF for not pathing and updating their systems, leading to a SQL injection attack, violating the GDPR’s data security requirements.

The MNB during a supervision of a bank flagged various issues in 2022, including incomplete records for hardware, software, and IT licenses, gaps in antivirus and malicious software protection, deficiencies in vulnerability management, and the use of outdated supported systems. These findings resulted in a fine of 11.5 million forints. Further to this, the MNB fined a bank 87 million HUF for IT and cybersecurity failures, including understaffing in security, misalignments in IT risk assessment, and inadequate regulatory reporting due to weak internal control processes.

Refer to Sections 1.1 and 3.1

There are no known major private enforcement cases yet.

The Code of Civil Procedure recognizes two types of collective actions: actions in the public interest and associated class actions (joint process). Public interest actions can be initiated as outlined in specific legislative acts like the Civil Code, focusing on areas such as consumer rights and unfair commercial practices. These actions are brought by designated parties in favour of a defined beneficiary group, who can then claim performance based on the judgment. If direct performance claims are unviable, declaratory actions are permitted.

Associated class actions require at least ten plaintiffs with identical claims based on the same facts, subject to court approval. The court assesses the prerequisites for such actions and may deny approval if deemed inefficient. These actions are limited to specific subject areas like consumer contracts, labour law issues, and environmental health damages. In these cases, one plaintiff represents all associated plaintiffs.

The Directive (EU) 2020/1828 on representative actions for consumer protection interests has been transposed into national law, impacting how collective actions are pursued.

Additionally, multiple plaintiffs can jointly sue a defendant when their claims share a legal relationship or basis, provided the same court has jurisdiction. This can lead to multiple actions across different regional courts despite having the same cause and defendants.

Refer to Sections 3.3 and 4.2

In Hungary, there is a limited amount of specific case law directly addressing due diligence processes. Due diligence in corporate transactions requires strict compliance with the GDPR and local legislation. This process includes verifying the lawful processing of personal data, closely examining data handling practices, especially for sensitive information, and ensuring compliance with data subjects' rights. Under NAIH case law, legitimate interest is generally accepted as a legal basis for the transfer or disclosure of client personal data in asset transfer transactions, provided that such data transfer is ancillary to the asset transfer itself. In addition, the merging of databases between the target and the acquirer in a transaction may require a data protection impact assessment.

There is no regulation in Hungary that would require disclosure for cybersecurity risk profile or experience.

N/A

PROVARIS Varga & Partners

H-1053 Budapest
Károlyi street 9
Central Palace 5th Floor
Hungary

+36 70 605 1000

info@provaris.hu www.provaris.hu
Author Business Card

Trends and Developments


Authors



PROVARIS Varga & Partners is a Hungarian independent law firm including six partners and more than 20 lawyers with a prominent international clientele. The lawyers are highly qualified legal experts with outstanding business and academic backgrounds and specialised knowledge in the fields of dispute resolution, technology and digitalisation, data protection, intellectual property, projects and energy, life sciences, public procurement, corporate and commercial law, real estate, European and constitutional law, tourism and sports law. The firm’s clients cover a broad spectrum of sectors, and it is very proud that its services are widely recognised by them. The team continues to attract domestic and international clients by providing outstanding legal services.

Understanding the NIS2 Directive and Its Impact on Cybersecurity in the EU and Hungary

Introduction to the NIS2 Directive

The NIS2 Directive, enacted by the European Union, represents a significant advancement in EU-wide cybersecurity legislation. With effect from 16 January 2023, this Directive extends the scope of cybersecurity regulations to encompass a broader range of sectors and entities. It mandates that EU member states integrate these provisions into their national laws by 17 October 2024. The Directive’s primary goal is to bolster organisational cybersecurity across various industry ecosystems throughout the EU, requiring entities to adopt robust measures to secure their networks and information systems.

NIS2 implementation in Hungary

Hungary was a forerunner in adopting the NIS2 Directive, which was implemented through the Act XXIII of 2023, known as the Cybersecurity Certification and Cybersecurity Supervision Act (“CyberCert Act”). The Act, in line with the NIS2 Directive, defined a very broad range of sectors in which companies will be subject to the new legislation. Detailed rules and technical provisions are yet to come in 2024. “Essential” and “important” entities must register themselves with the Supervisory Authority of Regulated Activities (“Szabályozott Tevékenységek Felügyeleti Hatósága”, “SzTFH”) and must implement an internal information security management system, conduct risk assessments and classify IT systems and data. “Essential” and “important” entities must undergo regular, mandatory audits performed by auditors registered with the SzTFH. Auditors will have reporting duty to the SzTFH, who will have powers to investigate the entity and broad powers: from ordering the investigated entity to solve the related audit finding to imposing a fine. The CyberCert Act set several deadlines for organisations to prepare for compliance in 2024, with 18 October 2024 being the final deadline for implementing the relevant measures. However, companies must finish their first audits by the end of 2025 giving some leeway on the verification of compliance.

A very broad scope of organisations will have the obligation to register with the SzTFH until 30 June 2024, including organisations from the energy sector (electricity, oil and gas), transport (air, rail, water and road), healthcare providers, hospitals, drinking water supply and distribution providers, digital infrastructure providers (internet exchange points and Domain Name System (“DNS”) service providers), space industry businesses (satellite operations), online marketplaces, search engines, social media, postal and courier services, waste water treatment providers, chemical producers (production and distribution), food businesses (production and distribution), manufacturers (of critical products such as pharmaceuticals, electronics and vehicles) and research sites.

Basic cybersecurity measures and obligations under the NIS2

Basic cybersecurity measures and obligations involve safeguarding the company’s digital information systems and their physical surroundings in a way that corresponds to the potential level of harm from cyberthreats. This security encompasses defence against any incidents that might jeopardise data, information, or the confidentiality, integrity, and availability of services offered by, or available through, these digital information systems, whether that data is stored, in transmission or being processed. Requirements for basic controls include the below

  • ISMS: establish controls as part of the information security management system.
  • Risk management: develop internal procedures to evaluate and handle risks associated with electronic information systems.
  • Internal controls: implement administrative, logical, and physical measures that align with the security classification determined by the company’s risk assessment for each IT system, aiming to reduce risk.
  • Incident management: create procedures and tools to prevent, detect, manage and mitigate the impact of security incidents.
  • Business continuity: put in place measures for maintaining business continuity.
  • Operations: establish internal procedures for acquiring, developing, and operating electronic information systems, including the associated software and hardware.

Management of third-party vendors

Under the NIS2 implementation, “essential” and “important” entities are required to enforce the above-mentioned standards on their third-party service providers where these are involved in the development, operation, maintenance, or repair of specific systems. Additionally, the company must ensure these obligations are legally binding in contracts with these service providers.

Electronic information systems security classification

“Essential” and “important” entities must categorise their electronic information systems and associated data following the criteria set by the forthcoming decree from the Minister in charge of managing national civil security services. This decree, which is pending implementation, will stipulate the security measures for each classification level. Organisations must adhere to these measures by no later than 18 October 2024. The classification process should consider the risks to confidentiality, integrity, and availability, categorising systems and data into “basic”, “significant” and “high” security levels. The Minister responsible for civilian national security services will detail specific controls in a future decree.

Verification of security compliance

The company has the discretion to ensure compliance with essential security domains by using ICT products, services, or processes that have been certified by an EU or national certification body.

Requirement for certified ICT products, services and processes

The president of SzTFH (Hungarian Cybersecurity Supervisory Authority) holds the authority to mandate, through presidential decree, the use of certain certified ICT products, services, and processes by specified entities. This mandate is likely to apply to the company and could influence its IT procurement strategies.

Cybersecurity supervision in Hungary

Under the NIS2, national authorities are responsible for ensuring compliance with the Directive’s requirements. This involves regular audits, inspections, and where necessary, the imposition of administrative fines or other sanctions for non-compliance. In this context, the SzTFH in Hungary received powers to secure the enforcement of the enhanced cybersecurity rules, including the following measures.

  • SzTFH monitoring tools: The SzTFH will supervise cybersecurity-related operations of affected entities. Detailed regulations of supervision will be set out by the SzTFH president’s decree. The SzTFH have the right to conduct official inspections and to order extraordinary official inspections or extraordinary audits in the case of occurrence of a significant security event or upon suspicion of non-compliance.
  • Regular audit by the SzTFH: In case of “essential entities” the SzTFH will define in a decree an annual audit plan based on a risk assessment to verify compliance with cybersecurity requirements and will audit the company accordingly.
  • Broad inspection rights: The SzTFH have the right to request information and documentation from the company on the topics as follows:
    1. security classifications and internal control compliance reviews;
    2. documents relating to internal IT security audits;
    3. any other relevant information and documentation to verify compliance.

Territorial scope of the SzTFH’s powers

One key element of the SzTFH’s broad supervisory powers is that it appears that the Hungarian implementation of the NIS2 Directive did not implement and follow the territorial scope exemptions set out in Article 26 in the NIS2 Directive. The NIS2 Directive’s Article 26 technically implements a “one-stop-shop” mechanism for DNS service providers, top-level domain name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplaces, online search engines and social networking services platforms. Under this “one-stop-shop” mechanism, these service providers may fall under supervision in the EU member state where their main establishment is located. Such a provision seems to be very similar to the GDPR’s “one-stop-shop” mechanism, but with a different approach to determining the relevant member state for main establishment. The Hungarian NIS2 Directive implementation did not follow this approach and the president of the Cybersecurity Supervision Department of the SzTFH informally confirmed at a public professional event that companies having a local establishment in Hungary must adhere to the CyberCert Act locally. In practice this means that these companies must secure resources, including operational, technical and human resources within their establishment in Hungary. It is likely that this interpretation and the lack of implementation may result in court cases, given the applicability precedence of EU laws.

In addition, the provisions that implemented the NIS Directive into Hungarian law formed several pieces of legislation, including the Act CVIII of 2001 on Certain Issues of Electronic Commercial Services and Information Society Related Services (“E-commerce Act”). Detailed rules regarding cybersecurity event management and supervision are laid down in Government Decree 270/2018. (XII. 20.) on the Supervision of the Electronic Information Security of Information Society Services and the Procedure on Security Events. Further to this, critical assets and pieces of critical infrastructure are defined in Act CLXVI of 2012 on the Identification, Designation and Protection of Critical Systems and Facilities, which still remain in effect and unmodified, meaning that organisations under the scope of the NIS Directive are still being supervised by the National Cybersecurity Centre (“Nemzeti Kibervédelmi Intézet”, “NKI”). In practice, this means that it may occur – eg, in the case of online marketplaces – that they are required to register with both the SzTFH and the NKI. The two authorities then may have different enforcement goals and activities, which may result in confusion and conflict of applicable regulatory requirements.

Mandatory independent audits

To verify compliance with cybersecurity regulatory requirements, affected entities must enter into a service agreement with an independent auditor from the closed list of the SzTFH by 31 December 2024 and must conduct the biennial audit by 31 December 2025 at the latest. The affected entity shall have to conduct the first biennial audit. The auditor has the right to perform the following activities.

  • Internal security and remote vulnerability scans; penetration tests in the case of “significant” and “high” classification systems.
  • Verification of cryptographic technical compliance
  • Security code review in the case of custom-developed software performing critical security functions in “significant” and “high” classification systems.

The auditor shall report the results of the audit to the SzTFH at the end of the audit. The auditor must inform the SzTFH in writing if the audit reveals findings that

  • seriously jeopardises the continuity of the company’s business;
  • give rise to suspicion of a criminal offence or breach of law; or
  • may be qualified as a serious breach of the company’s internal policies or the suspicion of such a breach arises.

Maximum net audit fees will be set by decree of the president of the SzTFH.

Cybersecurity supervision fee payment obligation

Each affected entity must pay on group level a cybersecurity supervision fee to be determined by decree of the president of the SzTFH. The amount of the supervision fee is equal to 0.015% of the previous year’s net revenue, subject to a maximum of HUF10 million. In the case of consolidated group companies, the maximum amount is HUF50 million.

Effected entities must pay the supervisory fee in accordance with the decree of the president of the SzTFH and at the same time submit a declaration on the payment of the supervisory fee.

Reporting of cybersecurity incidents

Affected entities must report to the NKI security incidents or the imminent threat of such incidents that

  • cause serious disruption or material damage to the affected entity’s business continuity or service delivery; or
  • cause significant material or non-material damage

All external parties that may be involved in the management of such incidents must hold a certification as defined in the SzTFH president’s decree.

Sanctions under the NIS2 implementing legislation

In the event of non-compliance with cybersecurity and procedural requirements, the SzTFH may take the following sanctioning actions:

  • issue reprimands;
  • order the entity to remedy the non-compliance within a specified period of time;
  • prohibit the entity from engaging in activities that directly jeopardise compliance with cybersecurity requirements;
  • impose an administrative fine on the entity (the amount of the fine is to be determined in a separate government decree, and may range up to EUR10 million or of a maximum of at least 2 % of the total worldwide annual turnover in the preceding financial year of the undertaking to which the relevant entity belongs), which may be imposed repeatedly; and
  • order the affected entity to inform customers of the potential threats to customers and the expected impact of the related preventive measures.
PROVARIS Varga & Partners

H-1053 Budapest
Károlyi street 9
Central Palace 5th Floor
Hungary

+36 70 605 1000

info@provaris.hu www.provaris.hu
Author Business Card

Law and Practice

Authors



PROVARIS Varga & Partners is a Hungarian independent law firm including six partners and more than 20 lawyers with a prominent international clientele. The lawyers are highly qualified legal experts with outstanding business and academic backgrounds and specialised knowledge in the fields of dispute resolution, technology and digitalisation, data protection, intellectual property, projects and energy, life sciences, public procurement, corporate and commercial law, real estate, European and constitutional law, tourism and sports law. The firm’s clients cover a broad spectrum of sectors, and it is very proud that its services are widely recognised by them. The team continues to attract domestic and international clients by providing outstanding legal services.

Trends and Developments

Authors



PROVARIS Varga & Partners is a Hungarian independent law firm including six partners and more than 20 lawyers with a prominent international clientele. The lawyers are highly qualified legal experts with outstanding business and academic backgrounds and specialised knowledge in the fields of dispute resolution, technology and digitalisation, data protection, intellectual property, projects and energy, life sciences, public procurement, corporate and commercial law, real estate, European and constitutional law, tourism and sports law. The firm’s clients cover a broad spectrum of sectors, and it is very proud that its services are widely recognised by them. The team continues to attract domestic and international clients by providing outstanding legal services.

Compare law and practice by selecting locations and topic(s)

{{searchBoxHeader}}

Select Topic(s)

loading ...
{{topic.title}}

Please select at least one chapter and one topic to use the compare functionality.