2024. Jun. 3. | news, technology
In recent years, the European Union has placed special emphasis on cybersecurity. In 2022, three pieces of legislation were adopted to strengthen the defense of organizations against cyberattacks. The DORA regulation prepares the financial sector for resilience, while the CER directive concerns the resilience of critical organizations, and the NIS2 directive outlines measures to ensure high-level cybersecurity.
Why is this important for certain organizations? Because the NIS2 directive, along with Act XXIII of 2023 on cybersecurity certification and supervision, which implements it, imposes numerous obligations on organizations that fall under its scope, along with the threat of severe sanctions.
The law establishes a dual-criteria system for its scope, defining both so-called high-risk and particularly high-risk sectors. Additionally, a certain minimum size is required for an organization to fall under its scope. Sectors classified as particularly high-risk include energy, transportation, healthcare, water utilities, and telecommunications, while high-risk sectors include postal and courier services, food production, product manufacturing, and chemical production and manufacturing. Companies in the above sectors with over 50 employees or annual net revenues exceeding 10 million euros fall under the regulation’s scope. Additionally, their suppliers must also comply with the requirements.
According to the law, affected organizations must register with the Regulated Activities Supervisory Authority, appoint a person responsible for information system security within the organization, and classify their IT systems into security classes as defined by the law. Although the final version of the legislation, which details the tasks for each class, has not yet been adopted, the draft indicates that affected organizations will have to complete hundreds of tasks to ensure compliance.
Organizations must complete a self-identification by June 30, 2024, to determine whether the relevant legislation applies to them or not. If it does, they must register with the Authority and classify their IT systems into security classes. The NIS2 directive sets an October 18, 2024 deadline for organizations to apply the protective measures required for NIS2 compliance and to pay the supervisory fee to the competent authority. By December 31, 2024, firms must contract an auditing firm to verify compliance, which must be completed by December 31, 2025.
The stakes are high. Without compliance, affected organizations are both more vulnerable to cyberattacks and face significant penalties: up to 10,000,000 EUR or 2% of total annual worldwide turnover for particularly high-risk sector organizations, and up to 7,000,000 EUR or 1.4% of the previous year’s turnover for high-risk sector organizations. Furthermore, a new sanction option allows the suspension of both the organization and its senior executives from the relevant activities in severe cases.
Don’t wait any longer. Contact our office at +36 1 700 4750, or send an email to nis2@rvdpartners.com. Our team of experienced legal and IT security experts is ready to help you successfully implement the NIS2 directive. Prepare for future challenges with us and ensure the cybersecurity of your business or organization!
2023. Sep. 30. | energy, environmental protection, news, technology
The REPowerEU chapter of Hungary’s Recovery and Resistance Plan (the “Draft”), which the government has put up for public consultation, also contains proposals for geothermal energy, aimed at securing the share of geothermal energy in the country’s energy mix, especially in district heating.
The Draft’s “Reform 12 – Development of the Geothermal Regulatory Framework” intends to improve the legal framework, primarily from a research and mining point of view, based on the experience gained in the meantime, while its “Investment 11: Utilization of ground heat” part intends to provide, on the one hand, variable-intensity support to reduce the risk of drilling for geothermal production and, on the other, a preferential credit line for ground-based equipment and power plant construction for the utilization of earth heat.
The sore point is that although the Draft supports the investments, it does not take into account that, once the investment is complete, the district heat producer can sell its product only at an official price, operating under regulated market conditions. In today’s circumstances the return there is not even modest, with a profit factor of 4.5% on the gross asset required by law, so this is not an attractive area for investors at all today.
The current situation in the energy market, which is not very rosy anyway, has one benefit: it would now be worthwhile, even for fiscal reasons, to encourage the extraction of geothermal energy more strongly than before, as it could take some of the place of natural gas, which is 4 times more expensive in district heat production than before. The question can therefore also be asked which is the more fiscally rational decision, with a better focus on energy sovereignty: to maintain support for the use of expensive, uncertain, imported natural gas accounted in foreign exchange, or to spend, through district heating regulation, on domestic, weather-independent, decarbonisation-friendly geothermal heat that can be produced significantly cheaper than heat from natural gas, and in HUF?
Obviously, this question is rhetorical, as the Draft also states that the increase in geothermal energy “is in line with the National Energy and Climate Plan, which set a target of 50% of the share of natural gas reduction in district heating production.” However, in this case, it is not enough to support the implementation of the investments at some level, because this does not provide the investor with sufficient benefits. In short, in a regulated district heating market, a market-like return must be ensured for this area to be attractive. At current natural gas prices, this would be much more worthwhile for the state than ever before, as in the last heating period the total cost of geothermal energy was a tenth of the total cost of district heating from natural gas. Nor is any sweeping change to the regulation needed: it would be enough to change the statutory profit factor specifically for geothermal district heat producers, for example so that the profit factor varies from year to year and exceeds the weighted average yield on long-term (10- and 15-year) government securities denominated in EUR at a given balance sheet date by the normal business risk premium (6 percentage points). This would make the returns available on the regulated market attractive, while no extra profit could be made.
I would also venture that ensuring a market-level return in this regulated market is necessary but not sufficient for investment to start, because we have not yet mentioned how many additional conditions (drills, availability of specialists) the implementation of the investments also depends on. However, we can safely say that if a geothermal investment cannot benefit the investor from the outset through official district heating prices, that investment will not be realized, even though, at the moment, the earth heat that can increase our energy sovereignty is also the cheapest, a lucky combination that could easily achieve a win-win situation in terms of business interest and the public good. Energy sovereignty is invaluable; it is worth all the money in the first place, and if, in addition, we even generate fiscal savings with the help of geothermal energy, we cannot put the little it costs in a better place.
2023. Jun. 5. | news, technology
On 23 May 2023, Act XXIII of 2023 on cybersecurity certification and cybersecurity supervision entered into force, based on the NIS2 Directive, which was published by the EU on 27 December 2022. The aim of the legislation, which implements the Directive – for the time being only partially – is to require companies to comply with high IT security standards and to establish a system of authorities to certify and monitor this compliance. Full implementation of the Directive is due by 17 October 2024.
The issue is particularly topical as cyber-attacks by cybercriminals have become more frequent, sophisticated and lucrative, most strikingly in the wake of the recent widespread and successful ransomware attacks that have affected several of our own clients. In addition, the coronavirus pandemic has accelerated digitalisation in almost all sectors, but this has simultaneously brought new threats, more security incidents and new dependencies. The Russia-Ukraine conflict is also taking place in cyberspace, which has highlighted many vulnerabilities within the EU.
If a company fails to comply with the directive, the maximum fine that can be imposed is EUR 10,000,000 or up to 2% of the company’s global annual turnover, whichever is higher. It is important to underline that under the directive, even the management can be held liable and, in serious cases, managers can be temporarily prohibited from future management activities if the organisation concerned does not comply with the cybersecurity requirements of NIS2.
Who is concerned by NIS2?
Primarily, medium and large enterprises are affected, more specifically organisations with at least 50 employees or an annual net turnover of 10 million euros.
Regardless of their size, businesses in the following priority sectors in particular must comply with NIS2 requirements:
- energy (electricity, district heating and cooling, oil, gas, hydrogen)
- transport
- banking and financial services and the infrastructure providers for these services
- health care
- drinking water services
- wastewater management
- digital infrastructure providers (e.g., internet service providers, DNS providers, cloud providers)
What to do?
Compliance with NIS2 can be certified and audited by organisations accredited by the competent authority and verified by said authority. However, whether for certification or for an audit, it is advisable to prepare in-house, in particular by:
- Implementing an information security management system (ISMS) or reviewing the existing system based on a risk analysis.
- Implementing proactive security measures (incident prevention, incident management).
- Implementing an incident management protocol to mitigate the impact of an incident should it occur.
- Introducing business continuity management (BCM) or reviewing existing systems (e.g., management of backup systems and disaster recovery and crisis management).
- Appointing an Information Technology Security Officer (ITPO).
- Identifying possible GDPR interfaces in the event of an incident involving personal data and completing data management documentation (e.g., processes) as necessary.
- Implementing measures to ensure supply chain security (including aspects related to the security of relationships between individual organizations and their direct suppliers or service providers).
by Urbán Márton | 2024.06.03. | news, technology
by Urbán Márton | 2023.09.30. | energy, environmental protection, news, technology
by Urbán Márton | 2023.06.05. | corporate, data protection, news
In 2019, the EU adopted the Whistleblowing Directive, which entered into force on 17 December 2021. Based on this Directive, Parliament has adopted the new law on public interest complaints, abuse reporting and rules on abuse reporting. Companies with more than 250...
by Urbán Márton | 2023.06.05. | news, technology
by Urbán Márton | 2023.02.27. | labor law, news
The new changes to labor law, which came into effect on 1 January 2023, are based on EU Directive 2019/1152 on transparent and predictable working conditions in the European Union and EU Directive 2019/1158 on work-life balance for parents and carers. The changes to...
by Urbán Márton | 2023.02.23. | news
Artificial Intelligence (AI) is rapidly transforming many industries, including intellectual property. As AI becomes more capable of creating original works, it raises complex legal questions about ownership and protection of these creations. One of the most...
by Urbán Márton | 2022.12.22. | news
As the end of the year is approaching, we have summarized below this year’s amendments relevant to legal entities. As of 1 January 2022, the rules for legal entities have undergone some relevant changes. These amendments to the third book of Act V of 2013 on the Civil...
by Urbán Márton | 2022.12.22. | miscellaneous, news
A new possibility for the termination of common ownership is the so-called "incorporation". Although the rules of the related Act LXXI of 2020 on the liquidation of undivided common ownership of land and on the settlement of data in the land register of the holders...
by Urbán Márton | 2022.07.04. | civil law, commercial, news
Authorities with the appropriate authorization and certain service providers have been able to request data from the registry since 1 February 2022. On top of that, third parties will also be able to request data from 1 July on, with certain restrictions. After lengthy...
by Urbán Márton | 2021.09.08. | civil law, commercial, news
In 2019, Directive (EU) 2019/1023 of the European Parliament and of the Council (Restructuring Directive) became effective. The legislation transposing the directive into Hungarian law was ratified on 1 July 2021, but the practical use of the various...