The NIS2 Directive on cybersecurity

On 23 May 2023, Act XXIII of 2023 on cybersecurity certification and cybersecurity supervision entered into force, based on the NIS2 Directive, which was published by the EU on 27 December 2022. The aim of the legislation, which implements the Directive – for the time being only partially – is to require companies to comply with high IT security standards and to establish a system of authorities to certify and monitor this compliance. Full implementation of the Directive is due by 17 October 2024.

The issue is particularly topical as cyber-attacks by cybercriminals have become more frequent, sophisticated and lucrative, most strikingly in the wake of the recent widespread and successful ransomware attacks that have affected several of our own clients. The coronavirus pandemic has accelerated digitalisation in almost all sectors, but at the same time this has brought new threats, more security incidents and new dependencies. Moreover, the Russia-Ukraine conflict is also being fought in cyberspace, which has exposed many vulnerabilities within the EU.

If a company fails to comply with the Directive, the maximum fine that can be imposed is EUR 10,000,000 or 2% of the company's total worldwide annual turnover, whichever is higher (this ceiling applies to "essential" entities; for "important" entities the maximum is EUR 7,000,000 or 1.4% of worldwide annual turnover, whichever is higher). It is important to underline that under the Directive the management body itself must approve and oversee the cybersecurity risk-management measures and can be held liable for breaches, and, in serious cases involving essential entities, managers can be temporarily prohibited from exercising managerial functions if the organisation concerned does not comply with the cybersecurity requirements of NIS2.

Who is concerned by NIS2?

Primarily, medium and large enterprises operating in the sectors listed in the annexes of the Directive are affected, more specifically organisations with at least 50 employees or an annual turnover or balance sheet total exceeding EUR 10 million.

In the following priority sectors in particular, the size threshold is not the only criterion: certain entities (for example DNS service providers, top-level domain name registries, providers of public electronic communications networks and qualified trust service providers) must comply with NIS2 requirements regardless of their size, and a Member State may also designate smaller entities whose disruption would have a significant impact:

  • energy (electricity, district heating and cooling, oil, gas, hydrogen)
  • transport
  • banking and financial services and the infrastructure providers for these services
  • health care
  • drinking water services
  • wastewater management
  • digital infrastructure providers (e.g., internet service providers, DNS providers, cloud providers)

What to do?

Compliance with NIS2 can be certified and audited by organisations accredited by the competent authority, and the authority itself verifies compliance. However, whether the goal is certification or an audit, it is advisable to prepare in-house, in particular by:

  • Implementing an information security management system (ISMS), or reviewing the existing system, on the basis of a risk analysis.
  • Implementing proactive security measures (incident prevention, incident handling).
  • Implementing an incident management protocol to mitigate the impact of an incident should one occur, including the incident reporting obligations towards the competent authority.
  • Introducing business continuity management (BCM), or reviewing existing arrangements (e.g., management of backup systems, disaster recovery and crisis management).
  • Appointing a person responsible for information technology security.
  • Identifying possible GDPR interfaces in the event of an incident involving personal data, and completing the data processing documentation (e.g., processes) as necessary.
  • Implementing measures to ensure supply chain security (including aspects related to the security of relationships between the organisation and its direct suppliers or service providers).
