
NIS2 Advisory

During our NIS2 advisory services we support your company in preparing to comply with the NIS2 Directive, ensuring it is ready to meet the cybersecurity regulations.


Zoltán Balogh

IT audit manager

Ádám Mosonyi

Partner, HCA


What is NIS2?

The NIS2 Directive (Network and Information Systems Directive 2) marks a new milestone in cybersecurity. NIS2 establishes a unified, high-level cybersecurity framework across the European Union, aimed at strengthening the preparedness of member states and affected organizations to defend against cyber threats.

Cybersecurity is one of the most critical challenges today and the NIS2 Directive is a key step in protecting digital infrastructure.

The NIS2 Directive requires organisations providing essential or digital services to comply with stringent cybersecurity requirements and inform national authorities of cybersecurity incidents.

During RSM's NIS2 advisory services our experienced IT audit specialists, as part of our audit business line, support your preparation to comply with the NIS2 Directive requirements, helping your company meet cybersecurity standards.

NIS2 – who falls within the scope?

The NIS2 Directive does not apply directly to Hungarian companies but EU Member States including Hungary must integrate it into their own national legal systems.

In Hungary the implementation centers on the Cybersecurity Act (Act XXIII of 2023) and the supervisory authority (SZTFH). The Cybersecurity Act describes in detail the national regulations of cybersecurity certification and supervision while the authority’s role is to monitor compliance with cybersecurity regulations.

The companies affected by NIS2 are regulated in Annexes I and II of the Cybersecurity Act, which list the critical sectors covered by the act.

Based on size criteria, the regulation applies only to medium-sized and large companies with at least 50 employees or a revenue of 10 million euros.

Size rules do not apply to electronic communications providers, trust service providers, DNS service providers, top-level domain name registrars or domain name registration service providers.


Under Act XXIII of 2023, organisations operating in critical sectors are required to implement several security measures, including the establishment of an information security management system, the handling of security incidents and business continuity.

NIS2 involved - NIS2 Calculator

With RSM’s NIS2 calculator you can check your company’s NIS2 involvement.

Check your NIS2 involvement with the help of RSM's NIS2 calculator!

Compliance with the NIS2 directive - how can RSM help?

During RSM's NIS2 advisory services our experienced IT audit specialists support your preparation to comply with the requirements of the NIS2 Directive, which helps your company meet cybersecurity requirements.

In relation to RSM’s NIS2 advisory we provide the following services:

GAP analysis:

  • We assess the current operational status of your organization.
  • We identify the differences between your current status and regulatory requirements.
  • We prepare a detailed report on the identified cybersecurity deficiencies.

NIS2 advisory:

  • We assess the current cybersecurity status of the organization.
  • We identify the differences.
  • We assess relevant IT risks.
  • We prepare a risk-based action plan to correct deficiencies.

NIS2 Preparation:

  • Security classification
  • GAP analysis
  • Risk assessment and treatment action plan
  • NIS2 compliant policies
  • Awareness trainings
  • Audit support


What are the NIS2 requirements?

Act XXIII of 2023 aims to keep pace with digital transformation and ensure the security of electronic information systems and their physical environments.

The requirements for NIS2-affected organizations are as follows:

1. Registration:

Affected organizations must register from 1 January 2024. Organizations that commenced operations before 1 January 2024 were required to register by 30 June 2024. For all other organizations a 30-day registration deadline applies in accordance with the Cybersecurity Act.

2. Security classification of electronic information systems:

Affected organizations must classify their electronic information systems into appropriate security classes.

3. Obligation to pay supervisory fees and implement appropriate protective measures.

4. Contract with an auditor:

Affected organizations must sign a contract with a selected NIS2 auditor.

NIS2 deadlines - what to pay attention to?

  • Until 30 June 2024: All organizations affected by NIS2 had to self-identify and apply for registration by completing the SZTFH 420 form.
  • From 18 October 2024: Organizations affected by NIS2 should implement security measures in accordance with the appropriate security class of their electronic information systems and pay the supervisory fee to SZTFH.
  • Until 31 December 2024: NIS2 affected organizations must sign a contract with a chosen auditor.
  • Until 31 December 2025: The selected auditor conducts the first cybersecurity audit.


NIS2 sanctions in case of non-compliance with cybersecurity regulations

If an organization under the NIS2 Directive does not meet the requirements of the NIS2 Directive in Hungary, it may face significant financial consequences. The extent of cybersecurity fines and the detailed rules for non-compliance with the Cybersecurity Act and other Hungarian NIS2 regulations are determined in Appendix I of Decree no. 305/2023. The affected organisation must pay the NIS2 fine within 8 days, and in the case of multiple violations the penalty is capped at the highest fine that can be imposed for any one of the non-compliances. The fine may be reimposed after the deadline has expired.

If the company does not comply with the requirements of NIS2 set out in the Cybersecurity Act, the certifying authority warns the organisation to correct the deficiency by a deadline. If the organisation still does not meet the requirements after the deadline, the authority may impose a penalty appropriate to the degree of irregularity, and the penalty may be repeated in case of subsequent non-compliance. Compliance with the regulations is supervised by SZTFH. The aim is to ensure that organizations operating critical infrastructure are better prepared for cyber threats and take timely steps to ensure compliance.

Therefore, it is crucial for companies to start implementing the necessary measures now.
