NIS2 Directive
The NIS2 Directive (Network and Information Systems Directive 2) marks a new milestone in cybersecurity. NIS2 establishes a unified high-level cybersecurity framework across the European Union aimed at strengthening the preparedness of member states and affected organizations to defend against cyber threats.
Cybersecurity is one of the most critical challenges today and the NIS2 Directive is a key step in protecting digital infrastructure. The NIS2 cybersecurity audit is the final step in the preparation process, when the system's security measures and protection mechanisms are assessed to ensure that they meet the requirements of the NIS2 Directive.
Who is affected?
In Hungary, thousands of organisations (some estimates put the number at 5-6000) are affected by the new cybersecurity regulation. Please note, however, that the NIS2 Directive does not apply directly to Hungarian companies; Hungary must adopt it into its own national legal system.
At the heart of Hungarian cybersecurity regulation is Act XXIII of 2023 on Cybersecurity Certification and Cybersecurity Supervision (hereinafter: “Cybersecurity Act”), Appendix I and II of which define which companies in critical and highly critical sectors are subject to the NIS2 Directive.
The NIS2 Directive applies only to medium-sized and large companies with at least 50 employees or a revenue of 10 million euros. Size rules do not apply to electronic communications companies, trust service providers, DNS service providers, top-level domain name registrars or domain name registration service providers.
Is your company affected by the new NIS2 Directive? Check your NIS2 involvement with the help of RSM’s NIS2 calculator
NIS2 registration – approaching deadline
One of the requirements for NIS2 compliance is that the organisations concerned must register from 1 January 2024.
Companies that started their activities before 1 January 2024 will have to complete NIS2 registration by 30 June 2024.
For all other organisations the 30-day deadline is applicable under Section 26 (2) of the Cybersecurity Act. Companies subject to the Cybersecurity Act are required to file their application for registration using the SZTFH 420 form.
The detailed rules for keeping the NIS2 register are set out in the SZTFH Decree no. 23/2023 on the register of the entities concerned, kept by the cybersecurity supervisory authority.
NIS2 registration
In the NIS2 registration process, which takes place through the Client Portal (Cégkapu), NIS2-affected companies are required to provide the following information:
- company data,
- contact details,
- certain technical details,
- contact details of the person responsible for IT security.
Is my company affected by NIS2?
The final decision on NIS2 involvement is made by the supervisory authority SZTFH.
Contrary to earlier concerns, a company that is not subject to the NIS2 Directive cannot become an affected company merely by filing a NIS2 registration by accident.
All NIS2 registration applications are thoroughly reviewed by the authority, with two possible outcomes: the NIS2 registration is either accepted or rejected.
If you are not sure whether your organisation is affected by NIS2, you can contact SZTFH or submit the form and the authority will decide whether you are affected.
NIS2 deadlines - what to pay attention to?
Compliance with the NIS2 Directive does not end with NIS2 registration. Companies subject to the Cybersecurity Act have a number of other tasks to perform, at the end of which the selected cybersecurity auditor will conduct the first cybersecurity audit.
NIS2 deadlines:
- By 30 June 2024: All organizations affected by NIS2 must self-identify and apply for registration by completing the SZTFH 420 form.
- From 18 October 2024: Organizations affected by NIS2 should implement security measures in accordance with the appropriate security class of their electronic information systems and pay the supervisory fee to SZTFH.
- By 31 December 2024: NIS2 affected organizations must sign a contract with a selected auditor.
- By 31 December 2025: The selected auditor conducts the first cybersecurity audit.
NIS2 sanctions
If an organization under the NIS2 Directive fails to meet the requirements of the NIS2 Directive in Hungary, it may face significant financial consequences. Failure to register under NIS2 after self-identification may also result in sanctions.
It is true that a legislative package detailing the exact penalties has not yet been published in Hungary, but according to market information, the lowest penalty is HUF 50 million and the highest can be up to HUF 350 million.
Additionally, executives of non-compliant companies may be prohibited from their activities.
SZTFH supervises compliance with the regulations and imposes the penalties if necessary.
The aim is to ensure that organizations operating critical infrastructure are better prepared for cyber threats and take timely steps to ensure compliance. Therefore, it is crucial for companies to start implementing the necessary measures now.