The deadline for NIS2 adoption is fast approaching!

In recent years, the European Union has placed special emphasis on cybersecurity. In 2022, three pieces of legislation were adopted to strengthen the defense of organizations against cyberattacks. The DORA regulation prepares the financial sector for resilience, while the CER directive concerns the resilience of critical organizations, and the NIS2 directive outlines measures to ensure high-level cybersecurity.

Why is this important for certain organizations? Because the NIS2 directive, along with Act XXIII of 2023 on cybersecurity certification and supervision, which implements it, imposes numerous obligations on organizations that fall under its scope, along with the threat of severe sanctions.

The law establishes a dual-criteria system for its scope, defining both so-called high-risk and particularly high-risk sectors. Additionally, a certain minimum size is required for an organization to fall under its scope. Sectors classified as particularly high-risk include energy, transportation, healthcare, water utilities, and telecommunications, while high-risk sectors include postal and courier services, food production, product manufacturing, and chemical production and manufacturing. Companies in the above sectors with over 50 employees or annual net revenues exceeding 10 million euros fall under the regulation’s scope. Additionally, their suppliers must also comply with the requirements.

According to the law, affected organizations must register with the Regulated Activities Supervisory Authority, appoint a person responsible for information system security within the organization, and classify their IT systems into security classes as defined by the law. Although the final version of the legislation, which details the tasks for each class, has not yet been adopted, the draft indicates that affected organizations will have to complete hundreds of tasks to ensure compliance.

Organizations must complete a self-identification by June 30, 2024, to determine whether the relevant legislation applies to them or not. If it does, they must register with the Authority and classify their IT systems into security classes. The NIS2 directive sets an October 18, 2024 deadline for organizations to apply the required protective measures for NIS2 compliance and to pay the supervisory fee to the competent authority by this date. By December 31, 2024, firms must contract an auditing firm to verify compliance, which must be completed by December 31, 2025.

The stakes are high. Without compliance, affected organizations are both more vulnerable to cyberattacks and face significant penalties: up to 10,000,000 EUR or 2% of total annual worldwide turnover for particularly high-risk sector organizations, and up to 7,000,000 EUR or 1.4% of the previous year’s turnover for high-risk sector organizations. Furthermore, a new sanction option allows the suspension of both the organization and its senior executives from the relevant activities in severe cases.

Don’t wait any longer. Contact our office at +36 1 700 4750, or send an email to nis2@rvdpartners.com. Our team of experienced legal and IT security experts is ready to help you successfully implement the NIS2 directive. Prepare for future challenges with us and ensure the cybersecurity of your business or organization!

Earth heat – is a hot topic

The REPowerEU chapter of Hungary’s Recovery and Resistance Plan (the “Draft”), put out for public debate by the government, also contains ideas for geothermal energy, in order to ensure the share of geothermal energy in the country’s energy mix, especially in district heating.

“Reform 12 – Development of the Geothermal Regulatory Framework” in the Draft intends to improve the legal framework, primarily from a research and mining point of view, based on the experience gained in the meantime, while the Draft’s “Investment 11: Utilization of ground heat” part intends to provide, on the one hand, variable-intensity support to reduce the risk of drilling for geothermal production and, on the other, a preferential credit line for ground-based equipment and power plant construction for the utilization of earth heat.

The neuralgic point is that, although the Draft supports the investments, it does not take into account that, after the investment is completed, the district heat producer can sell its product at an official price, operating under regulated market conditions, where in today’s circumstances the return is not even modest, with a profit factor of 4.5% on the gross asset required by law, so this is not an attractive area for investors at all today.

The current situation in the energy market, which is not very rosy anyway, has one benefit: it would now be worthwhile, even for fiscal reasons, to encourage the extraction of geothermal energy more strongly than before, as it could take the place of some of the natural gas, which is 4 times more expensive in district heat production than before. The question can therefore also be asked which is the more fiscally rational decision, with a better focus on energy sovereignty: to maintain support for the use of expensive, uncertain, imported natural gas that is accounted for in foreign exchange, or to spend, through district heating regulation, on domestic, weather-independent, decarbonisation-friendly geothermal heat that can be produced significantly cheaper than heat from natural gas and in HUF?

Obviously, this question is rhetorical, as the Draft also states that the increase in geothermal energy “is in line with the National Energy and Climate Plan, which set a target of 50% of the share of natural gas reduction in district heating production.” However, in this case, it is not enough to support the implementation of the investments at some level, because this does not provide the investor with sufficient benefits. In short, in a regulated district heating market, a market-like return must be ensured for this area to be attractive. At current natural gas prices, however, this would be much more worthwhile for the state than ever before, as the total cost of geothermal energy in the last heating period was a tenth of the total cost of district heating from natural gas. Nor is there any need for sweeping changes to the regulation, as it would be enough to change the statutory profit factor specifically for geothermal district heat producers, for example so that the profit factor varies from year to year and exceeds the weighted average yield on long-term (10- and 15-year) government securities denominated in EUR at a given balance sheet date by the normal business risk premium (6 percentage points). This would make the benefits available on the regulated market attractive, but no extra profit could be made.

I would also venture that ensuring a return at market level in this regulated market is only necessary but not sufficient to allow investment to start, because it has not yet been mentioned how many additional conditions (drill, availability of specialists) the implementation of the investments also depends on. However, we can safely say that if a geothermal investment is not able to benefit the investor from the outset through official district heating prices, that investment will not be realized, even though, at the moment, the earth heat that can increase our energy sovereignty is also the cheapest, a lucky combination that could easily achieve a win-win situation in terms of business interest and the public good. The value of energy sovereignty is invaluable, it is worth all the money in the first place, and if, in addition, we even generate fiscal savings with the help of geothermal energy, we cannot put the little it costs in a better place.

Whistleblowing

In 2019, the EU adopted the Whistleblowing Directive, which entered into force on 17 December 2021. Based on this Directive, Parliament has adopted the new law on public interest complaints, abuse reporting and rules on abuse reporting. Companies with more than 250 employees have 60 days from the date of the law’s publication to set up an abuse reporting system. Companies employing 50-249 people have until 17 December 2023 to comply. Compliance with the obligations related to the abuse reporting system, including the investigation of individual reports, will be monitored by the labor supervisory authority. The establishment of an abuse reporting system is mandatory for businesses in certain higher-risk areas, regardless of the number of employees, in particular:

  • Credit institutions and insurance companies
  • Merchants accepting cash payments of HUF three million or more
  • Dealers in specified works of art and antiques
  • Operators of ships and aircraft
  • Service providers within the meaning of the Act on the Prevention and Combating of Money Laundering and Terrorist Financing (e.g. auditors, accountants, tax advisers, lawyers, registered seat service providers)

The system may be operated by an internal, but not instructed, impartial person or organization, but in exceptional cases it may also be operated by a trusted abuse-report protection lawyer or other external body. Reporting may be done in writing or orally and, with some specific exceptions (e.g., anonymous whistleblowing), the report must be investigated thoroughly as soon as possible. The investigation must involve the whistleblower, who may also be represented by legal counsel. The whistleblower shall be informed in writing of the investigation of the report, the outcome of the investigation and the planned measures as a result. The operation of the system must ensure adequate protection of personal data. In addition to the GDPR, the act also contains provisions on the rules for data processing and data transfer. Clear and easily accessible information should be provided on the operation of the abuse reporting system, the reporting procedure and other procedures provided for in the act. The whistleblower should also be informed of the requirements for the protection of personal data.

The NIS2 Directive on cybersecurity

On 23 May 2023, Act XXIII of 2023 on cybersecurity certification and cybersecurity supervision entered into force, based on the NIS2 Directive, which was published by the EU on 27 December 2022. The aim of the legislation, which implements the Directive – for the time being only partially – is to require companies to comply with high IT security standards and to establish a system of authorities to certify and monitor this compliance. Full implementation of the Directive is due by 17 October 2024.

The issue is particularly topical as cyber-attacks by cybercriminals have become more frequent, sophisticated and lucrative, most strikingly in the wake of the recent widespread and successful ransomware attacks that have affected several of our own clients. In addition, the coronavirus pandemic has accelerated digitalisation in almost all sectors, but simultaneously, this has brought new threats, more security incidents and new dependencies. In addition, the Russia-Ukraine conflict is also taking place in cyberspace, which has also highlighted many vulnerabilities within the EU.

If a company fails to comply with the directive, the maximum fine that can be imposed is EUR 10,000,000 or up to 2% of the company’s global annual turnover, whichever is higher. It is important to underline that under the directive, even the management can be held liable and, in serious cases, managers can be temporarily prohibited from future management activities if the organisation concerned does not comply with the cybersecurity requirements of NIS2.

Who is concerned by NIS2?

Primarily, medium and large enterprises are affected, more specifically organisations with at least 50 employees or an annual net turnover of 10 million euros.

Regardless of their size, businesses in the following priority sectors in particular must comply with NIS2 requirements:

  • energy (electricity, district heating and cooling, oil, gas, hydrogen)
  • transport
  • banking and financial services and the infrastructure providers for these services
  • health care
  • drinking water services
  • wastewater management
  • digital infrastructure providers (e.g., internet service providers, DNS providers, cloud providers)

What to do?

Compliance with NIS2 can be certified and audited by organisations accredited by the competent authority and verified by said authority. However, whether for certification or for an audit, it is advisable to prepare in-house, in particular by:

  • Implementing an information security management system (ISMS) or reviewing the existing system based on a risk analysis.
  • Implementing proactive security measures (incident prevention, incident management).
  • Implementing an incident management protocol to mitigate the impact of an incident should it occur.
  • Introducing business continuity management (BCM) or reviewing existing systems (e.g., management of backup systems and disaster recovery and crisis management).
  • Appointing an Information Technology Security Officer (ITPO).
  • Identifying possible GDPR interfaces in the event of an incident involving personal data and completing data management documentation (e.g., processes) as necessary.
  • Implementing measures to ensure supply chain security (including aspects related to the security of relationships between individual organizations and their direct suppliers or service providers).

Changes in labor law from 1 January 2023

The new changes to labor law, which came into effect on 1 January 2023, are based on EU Directive 2019/1152 on transparent and predictable working conditions in the European Union and EU Directive 2019/1158 on work-life balance for parents and carers. The changes to the Labor Code are presented below.

As of the beginning of the year, in employment claims based on a breach of the prohibition of the abuse of rights, the claimant is the one who must prove the underlying fact, circumstance and prejudice, while the right holder (the other party) proves that there is no causal link between the fact, circumstance and prejudice put forward by the claimant.

In addition, the amendment extends the deadline for filing statements, which can now be duly filed even if they are posted no later than the last day of the deadline.

With regard to employment contracts, according to the amendment, unless otherwise agreed upon, the employment relationship shall in all cases be deemed to be of indefinite duration and the place of work shall, as a general rule, be the place where the employee habitually works, unless stated otherwise.

A major change is in the employer’s obligation to inform the employee, whereby the employer has less time to inform the employee from the beginning of the employment relationship – 7 days instead of 15 days. In addition, the information to be given to the employee has been extended to include the following: the rules relating to the termination of employment; the employer’s training policy; and the name of the authority to which the employer pays public charges. In addition, if the employee is expected to work abroad for more than 15 days, the employer has further obligations to inform the employee.

The amendment extended the rules on the amendment of the employment contract, under which employees with children may request a change in the place of work, working hours, remote-work or part-time work up to the age of 8 of the child. The employee must provide reasons for the request in writing and indicate the date of the change that constitutes the legal basis. The employer must respond to this request in writing within 15 days, giving reasons if it refuses. If the employer’s refusal is unlawful or the statement is not made, the court may reproduce the employer’s statement.

The amendment requires employers to provide the reason, at the request of the employee, for terminating the employment relationship of an employee who is exempt from the obligation to work. This applies if the employee is absent for (i) personal care of a relative or a person living in a shared household for serious health reasons; or (ii) paternity leave; (iii) parental leave; or (iv) unpaid leave to care for a child; or (v) the employee’s request to terminate their employment contract due to a change in the employment contract.

The amendment has extended the prohibitions on termination of employment, under which an employer may not terminate an employment relationship during paternity leave, parental leave or when the employee is absent for serious health reasons to care for a relative or to provide personal care for a person living in the same household.

Under the amended law, in the event of termination of employment, the employer shall issue a certificate – in addition to the previously required certificates – on paternity and parental leave, indicating the leave previously granted.

The January amendment to the Labor Code extends the court’s powers to decide when the employment relationship can be restored, at the request of the employee. A new possibility is introduced if the termination was in breach of the prohibition of the abuse of rights.

Under the amendment, employers must specify in writing and publish the starting and finishing dates of the allocated working-hours period and the duration of the work-time required.

The amendment introduces changes for certain categories of employees (e.g. pregnant workers, workers with children up to 3 years old, workers raising children alone, young workers). Thanks to the amendment, there are certain prohibitions for employers for these groups of workers, for example, no extraordinary work or night work can be assigned. As an exception, if the child is over 3 years old and with the consent of the worker, the law allows for such assignments.

The amendment introduced new regulations to paternity leave. Instead of the previous 5 working days, fathers will be able to take 10 working days off until the end of the second month after the birth or finalization of the adoption process. For the first 5 days of paternity leave, the father will be entitled to 100% of the absentee-wage, while for the second 5 days only 40% of the absentee-wage will be paid. Importantly, the full cost of the first 5 days’ absentee-wage will be recoverable from the Treasury, while the cost of the second 5 days will be borne by the employer. In addition, all employees will be entitled to 44 working days of parental leave up to age 3 of the child, subject to a 1-year employment relationship. Parental leave is granted at the rate of 10% of the absentee-wage. These leaves are not affected if the employee’s employment started or ended during the year.

The amendment also affects the rules on the granting of leave, under which an employer may postpone the granting of leave for up to 60 days, except for paternity leave, in cases of exceptional economic interest or for a reason directly and seriously affecting the employer’s operations. In such cases, employers must state their reasons in writing.

The amendment also changes the rules on remuneration in the absence of work. Employees are entitled to 70% of the absentee-wage for the duration of their sick leave. If the employee with the employer’s consent is released from their obligation to be on call, they will be paid according to their mutual agreement. Alternatively, if the employee is entitled to supplementary wage on the basis of their working hours, they are also entitled to a supplementary wage in addition to the absentee-wage.

If a fixed-term contract is renewed or if a fixed-term contract is terminated and a new employment relationship is established for the same scope of employment within 6 months of the termination, a probationary period may not be established by the parties. Furthermore, in the case of an employment contract of a maximum of 12 months, the duration of the probationary period shall be fixed on a pro rata basis. In such a case, a fractional day of half a day shall be considered a full working day.

In labor disputes based on the new employee claims introduced by the amendment, the statement of claim must be submitted within 30 days of receipt of the employer’s statement regarding a request for a change to the employment contract, or of receipt of the employer’s statement regarding a request to state the reasons for a refusal, or, where the employer fails to comply with such a request, of the deadline for such statement.

AI and intellectual property law

Artificial Intelligence (AI) is rapidly transforming many industries, including intellectual property. As AI becomes more capable of creating original works, it raises complex legal questions about ownership and protection of these creations.

One of the most significant legal implications of AI-generated intellectual property is determining who owns the rights to these works. In most cases, copyright law grants ownership to the creator of the work. However, when an AI system generates an original work, it’s unclear who the creator is, and therefore, who has the right to claim ownership. Is it the programmer who created the AI system, the person who provided the data for the AI to learn from, or the AI system itself?

In the United States, the Copyright Office has stated that works produced by a machine or an AI system are not eligible for copyright protection because they lack human creativity. However, this viewpoint is not universal, and other countries may interpret the law differently. For example, the European Union’s Copyright Directive recognizes that AI-generated works may be eligible for copyright protection, but only if the human author “made a material contribution to the creation of the work.”

Additionally, in the case of machine-generated works, there may be multiple parties involved in the creation of the final product. For example, an AI system may be trained on a dataset by one person or company, while another person or company may provide the parameters for the system to generate a specific work. In such cases, it may be challenging to determine who owns the rights to the final product.

Another legal implication is the potential for AI-generated works to infringe on existing intellectual property rights. AI systems can be trained on large datasets that include copyrighted material, which can lead to the creation of works that infringe on someone else’s intellectual property. In such cases, determining liability can be challenging, as it may be unclear whether the infringement was the result of the AI’s actions or the user who trained it.

There is also the issue of fair use in the context of AI-generated works. Fair use is a legal doctrine that allows the use of copyrighted material without permission in certain circumstances, such as for criticism, commentary, news reporting, teaching, scholarship, or research. However, the application of fair use to AI-generated works is still largely untested in the courts.

The use of AI in intellectual property also raises issues related to trade secret protection. AI systems can be used to create algorithms and other proprietary technology that can be considered trade secrets. If an AI system learns this information, it may be challenging to keep it secret, as the AI may use the information to generate its own works or to improve its performance. This raises concerns about protecting trade secrets from reverse engineering, as well as potential cybersecurity threats.

In conclusion, AI-generated intellectual property presents a host of legal implications that require careful consideration. As AI technology continues to advance, lawmakers and courts will need to address these issues to provide clarity on ownership, liability, and protection of these works. It is essential to strike a balance between encouraging innovation and protecting the rights of creators and innovators. The legal system must keep pace with technological advances to ensure that intellectual property law remains relevant and effective in the digital age.

For any readers not convinced about the looming paradigm shift, this article was written and edited entirely by a large language model AI.