NIS 2 Guide

In the following brief summary, we would like to inform you about which organizations fall under the scope of the NIS2 regulation according to Act LXIX of 2024 on the Cybersecurity of Hungary, which implements the NIS2 Directive in Hungary and is applicable from 1 January 2025, and about the deadlines these organizations need to keep in mind.

The aim of the NIS2 regulation is to achieve a high level of cybersecurity protection and to prevent cyberattacks and other threats. The provisions of the European Union Directive 2022/2555 were transposed by Act XXIII of 2023 on cybersecurity certification and cybersecurity supervision. However, from January 1, 2025, the previous legislation has been replaced by Act LXIX of 2024 on the Cybersecurity of Hungary.

I.    Affected organisations

1.   The regulation applies to organizations that qualify as medium-sized enterprises[1] or exceed the threshold prescribed for medium-sized enterprises[2].

The regulation applies to organisations that employ more than 50 people OR have an annual turnover or annual balance sheet total of more than EUR 10 million (approximately HUF 4 billion) AND perform activities in the following areas:

Postal and courier services

Food production, processing and distribution

Waste management

Manufacture and distribution of chemicals

Manufacturing (e.g. medical devices, computers, electrical equipment, transport equipment)

Digital services

  • online marketplace services
  • search engine provider
  • social media service platform provider
  • domain name registration service provider

Research

  • research site

Energy

  • electricity and energy industry
  • district heating and cooling licensee
  • licensee establishing and operating a hydrocarbon transmission pipeline or operator of a petroleum processing and storage facility
  • single window capacity vendor, organised natural gas market licensee, natural gas undertaking with the exception of fixed LPG suppliers
  • an operator of production, storage and transport of hydrogen

Transport

  • an organisation involved in aviation security
  • infrastructure manager
  • railway company
  • railway track capacity allocation organisation
  • intelligent road transport system operator
  • organisation performing traffic management
  • legal person, unincorporated business entity engaged in shipping activities
  • public service operator

Health care

  • healthcare provider
  • operator of high security biological laboratories
  • organisation managing health reserves and blood pools
  • an organisation involved in the research and development of medicines
  • organisation manufacturing basic pharmaceutical products and pharmaceutical preparations
  • wholesale distributor of medicinal products
  • organisation manufacturing a critical medical device on the list of critical medical devices for public health emergencies

Drinking water, waste water

Telecommunications services

  • electronic communications service provider
  • data exchange service provider
  • trust service provider

Digital infrastructure

  • cloud provider
  • top-level domain name registrar
  • DNS service provider
  • data centre service provider
  • content delivery network provider

Outsourced ICT services

  • provider of outsourced (managed) ICT security services
  • provider of outsourced (managed) infocommunications services

2.   The NIS2 regulation also applies to the following organisations, irrespective of whether the conditions in point 1 are met:

electronic communications service providers

trust service providers

a provider of DNS services

top level domain name registrar

domain name registration service provider

a company engaged in an activity in the interests of national defence

3.   In addition to the above, the NIS2 regulation also extends to:

organizations belonging to certain public administration sectors;

certain business entities under majority state control that exceed the threshold for medium-sized enterprises;

organizations identified as essential or important entities by the national cybersecurity authority or the defence cybersecurity authority;

critical entities[3] and organizations significant for national defence, as well as

II.   Deadlines

1.   The Supervisory Authority of Regulated Activities (hereinafter: "SZTFH") maintains a registry of organizations falling under the scope of the NIS2 regulation. Organizations subject to the regulation at the time the previous law came into effect had to request their registration in this registry by 30 June 2024. According to the new law, such organizations are required to request their registration in this registry within 30 days of starting their operations or coming under the scope of the law, by 31 March 2025 at the latest. Of course, organizations that were already registered with SZTFH by 31 December 2024 do not need to make a new registration declaration.

In case of failure to submit a registration request to the authority, the company may be fined a minimum of 0.5% of its net turnover of the previous year (minimum HUF 1,000,000), a maximum of 2% of its net turnover of the previous year, and a maximum of HUF 150,000,000. If the company is late in submitting the application for registration, it may be fined a maximum of 0.1% of its net turnover for the previous year, up to a maximum of HUF 15,000,000.

2.   Another important obligation for the affected organizations prescribed by the new legislation is to conclude a contract with an auditor organization authorized to perform cybersecurity audits. Organizations must adhere to the following deadlines regarding the cybersecurity audit process:

  • The affected organizations must be audited every two years;
  • Companies registering from now on will have 120 days after their registration to conclude a contract with an auditor;
  • They must have the first audit conducted within two years of their registration;
  • However, companies that were already operating last year, and thus had to register last year and were registered by SZTFH, still have to adhere to a tighter deadline: they must have their first audit conducted already in 2025.

If you meet the conditions set out in the points above, or if you need assistance in interpreting the above conditions and/or have not fulfilled your registration obligations, please contact our law firm.

 

_____________________________________________________________________________________________________
[1] Medium-sized enterprises are those with 50 or more employees or an annual net turnover or annual balance sheet total of more than 10 million Euro, but with fewer than 250 employees and whose annual net turnover does not exceed 50 million Euro or whose annual balance sheet total does not exceed 43 million Euro.


[2] The threshold for medium-sized enterprises is exceeded for organisations with 250 or more employees OR an annual net turnover of more than 50 million Euro or a balance sheet total of more than 43 million Euro.


[3] Organizations that provide services essential for maintaining vital functions for society, the economy, public health and safety, or the environment.