Cybersecurity is one of the most critical challenges of our time. On 17 December 2024, Hungary adopted a new law that comprehensively regulates the country's cybersecurity and implements the EU's NIS2 Directive. A milestone in Hungary's digital defence, the law came into effect on 1 January 2025.
According to the International Data Corporation (IDC), the world's data volume will reach 175 zettabytes by 2025. With data at this unprecedented scale, proper handling and protection are crucial. Technological advances are adopted quickly not only by legitimate users but also by cybercriminals. Between June 2023 and July 2024, ENISA, the EU's cybersecurity agency, registered over 11,000 incidents, including distributed denial-of-service (DDoS) attacks, ransomware attacks and data theft or leakage.
The European Union pays great attention to strengthening cyber defence in the Member States, as evidenced by the activities of ENISA and by its efforts to regulate cybersecurity comprehensively. The Network and Information Security Directive, introduced in 2016, was replaced by the NIS2 Directive, which entered into force in 2023. Its goals include modernising the existing legal framework and extending the scope of the cybersecurity rules to new sectors and organisations. Among other things, the NIS2 Directive requires each Member State to designate a competent national authority for network and information systems (NIS).
Hungary adopted the national measures implementing EU Regulation 2019/881 (the Cybersecurity Act) in 2023. The related Act XXIII of 2023 on cybersecurity certification and cybersecurity supervision already partially addressed certain provisions of NIS2. Beyond completing the transposition, Hungary's Cybersecurity Act is intended to serve as a code-like piece of legislation for cybersecurity. It contains the basic rules of cybersecurity, the distinction between essential and important organisations and their respective obligations, rules for handling cybersecurity incidents, and detailed rules for the certification system.
In line with the NIS2 Directive, organisations subject to regulatory activity have been categorised into essential and important organisations.
The law also introduces changes to the conceptual framework. For example, definitions in the interpretative provisions have been clarified (e.g. vulnerability assessment) or expanded. The concept of an electronic information system now expressly includes cyber-physical systems (including industrial systems). The previous incident categories are replaced by a multi-component scale, as required by the NIS2 Directive and based on the experience of recent years.
The number of security classes is reduced from the previous five to three: "basic", "significant" and "high". The "basic" security class applies to systems whose compromise could cause only limited harm. The "significant" class covers systems whose compromise could have serious consequences, while "high" class systems form part of critical infrastructure. In addition, the review period for security classification is shortened from three years to two years.
The law uniformly uses the term national cybersecurity authority, but in practice:
The system of legal consequences is set out in more detail in the law. It includes warnings, notices, the imposition of obligations, referral to the supervisory body or the body exercising ownership rights, the appointment of an information security supervisor, and fines of up to HUF 15m (approx. EUR 36,300). For essential organisations outside public administration, the NIS2 Directive requires that stricter legal consequences be available, which is also reflected in the law. However, these stricter measures, temporary suspensions and disqualifications, are to be applied only as a last resort, after other measures have been exhausted, and remain in effect until the affected organisation takes the necessary actions.
On the declaration of the cybersecurity authority, the court of registration must disqualify the executive officer of an organisation for up to five years if a final decision of the cybersecurity authority has established that the officer is responsible for the organisation's failure to comply, within the specified deadline, with the authority's order concerning the cybersecurity of the organisation's electronic information systems.
The law significantly transforms cybersecurity supervision and certification in Hungary, introducing changes particularly regarding organisational categories and risk management, the authority's powers and the conceptual framework. These changes aim to strengthen national security and ensure EU compliance by modernising national regulation on the basis of the NIS2 Directive. To comply with the law, businesses should familiarise themselves with the new provisions and assess their compliance with the cybersecurity requirements.
Author: Adrián Menczelesz, Attorney at Law (Hungary)