The deadline is approaching to complete the registration required by the CyberCert Act

With the entry into force of the CyberCert Act on cybersecurity certification and cybersecurity supervision, the transposition of the new NIS 2 (Network Information System v2) Directive of the EU into Hungarian law has started. These information security requirements cover a wider range of companies than ever before, with preliminary estimates suggesting 2,500-3,000 organizations directly covered. Affected companies have less than two months until 30 June 2024 to register with the Supervisory Authority for Regulated Activities (Hungarian acronym: SZTFH).

Legal background

The set of requirements set out in the NIS 2 Directive was adopted as Directive 2022/2555 of the EU Parliament and Council, which entered into force in 2023. It is important to note that, as a directive, NIS 2 is not directly applicable, but that all Member States have to carry out local legislative work with a view to its transposition into national law. In Hungary, compliance with the requirements of NIS 2 is regulated by Act XXIII of 2023 (Act on Cybersecurity Certification and Cybersecurity Supervision, or in short, the CyberCert Act).

Which companies are affected?

The NIS 2 Directive and the CyberCert Act define a wide range of industries covered, also including many that have not previously had to focus so much on information security for legal compliance reasons. The organizations concerned fall into two categories according to the level of criticality:

  • Those in the “highly critical” category include service providers and companies in the energy, transport, health, drinking water, waste water, digital infrastructure, ICT service management (business-to-business), public administration and space sectors.
  • Companies in the “other critical” category are those operating in the postal and courier services, waste management, production, manufacture and distribution of chemicals, food production, processing and distribution, manufacturing, digital service providers and research sectors.

Important deadlines for the preparation

The NIS 2 Directive entered into force on 3 January 2023 and the CyberCert Act was promulgated on 23 May 2023. The deadline for compliance with the law is 28 October 2024, and it will be the task of the SZTFH to monitor and impose sanctions in case of non-compliance.

  • If, based on the abovementioned levels of criticality, the organisation is deemed to be subject to the CyberCert Act, it must register by 30 June 2024 at the latest, in accordance with the Decree 23/2023 (XII. 19.) SZTFH.
  • By 18 October 2024, a well-functioning information security governance framework commensurate with the risks must be in place.
  • Also by 18 October 2024 at the latest, or within 120 days of registration, the organisation must have an audit contract in place.
  • Companies have until 31 December 2025 to conduct an independent audit.

Currently, the next deadline of 30 June 2024 to apply for registration is the most important for the companies concerned, with just over one month left until then. The application for registration can be easily done by completing the form available on the website of SZTFH, with the use of the “Cégkapu” companies’ portal service. However, in addition to providing administrative and technical details on the company, the registration form must also include the details and contact details of the Information Systems Security Officer (ISSO). The legislation itself does not set out any specific expectations or requirements regarding the person designated as responsible for this function. However, in view of the regular audits by public authorities and the mandatory reporting of cybersecurity incidents in the future, the role carries real and serious responsibilities and needs to be given real substance. It is therefore a favourable provision of the law that it allows for the outsourcing of the information security officer role, which can be of great help to those who currently do not have the necessary competences or resources in-house. In many cases, IT administrators are either not qualified to do this or cannot fit these tasks into their working hours in addition to their existing responsibilities.

What is the ISSO responsible for?

The primary tasks of the ISSO are:

  • reducing the risk of cybersecurity incidents, and
  • shortening the time needed to detect such incidents.

It is also important for the ISSO to ensure that mandatory information security measures are designed in line with the threats and within the available budget. In principle, however, all security measures are overseen and approved by the ISSO.

Why is compliance essential?

For those organisations that do not comply, the NIS 2 Directive and the CyberCert Act also set out penalties:

  • for highly critical organisations, up to a maximum of EUR 10,000,000 or 2% of the total amount of their global annual turnover in the previous financial year;
  • for other critical organisations, up to a maximum of EUR 7,000,000 or 1.4% of the total annual global turnover of the previous financial year.

The exact penalty amounts to be imposed in Hungary are set out in Annex 1 of Government Decree No. 305/2023 (VII. 11.) on the amount of cybersecurity fines, the detailed procedural rules for their imposition, and the payment of fines.

Fortunately, the Annex prescribes much lighter penalties than the EU Directive: under Section 14 (5) of the CyberCert Act, the authority may impose fines ranging from HUF 50,000 to HUF 5,000,000. However, failure to implement the necessary modifications and measures based on the deficiencies identified by the authority may result in a fine of between HUF 200,000 and HUF 10,000,000.

Should you have any questions in connection with the above, please do not hesitate to reach out to us using any of our contact details.

 

Document

Legal Newsletter 2024/02.
