Cybersecurity 2025

HUNGARY Law and Practice Contributed by: Adam Liber and Tamás Bereczki, PROVARIS Varga & Partners

for compliance with content and format requirements. General sections are reviewed by the general authority, while sector-specific sections are assessed by the relevant sectoral or energy authorities.

The resilience plan must include:

• a description of the critical organisation, infrastructure, and essential services;
• the rules, organisational structures, and tools ensuring service continuity and operational resilience; and
• risk assessments, resilience matrices, and measures to maintain and restore operations.

The plan must undergo regular annual reviews and immediate updates following significant changes, extraordinary events, or regulatory findings. Updates follow the same procedures as the initial submission. Sector-specific criteria are outlined by the sectoral authorities and updated as needed. For nuclear facilities, sector-specific requirements apply only to components related to electricity transmission.

Furthermore, critical organisations must establish the position of chief resilience officer (CRO) within 90 days of a designation decision. This individual shall report directly to the organisation’s leadership and ensure compliance with resilience-related tasks. The organisation must submit details about the leader’s qualifications, appointment, and any changes to the registry authority within eight days. This person is responsible for co-ordinating with authorities, conducting risk assessments, updating resilience plans and matrices, and evaluating the organisation’s resilience. They organise co-ordination among units impacting resilience and regularly report to organisational leadership.

Each critical infrastructure and essential service operated by the organisation must have a designated CRO, who must meet qualification and background requirements. For nuclear facilities, the CRO must operate under senior management, adhering to specific nuclear requirements. The CRO may also join the advisory committee for CROs or register independently with the authority if not employed by a critical organisation. Individuals failing to meet required qualifications, training, or background checks cannot be registered.

Resilience Exercises

Critical organisations must conduct resilience exercises to evaluate the effectiveness of their resilience plans and capabilities. These include:

• Regular Resilience Exercises: These are held annually from the year following designation, addressing extraordinary event management at all sites and specific risks at at least one site.
• Complex Resilience Exercises: These are conducted in collaboration with the designation authority, focusing on the suitability of organisational and operational systems and cooperation with other entities during emergencies.
• Stress Tests: These are participated in upon request by the designation authority.

The organisation’s CRO evaluates and documents exercise results, ensuring compliance with legal and regulatory obligations. Exercises may lead to updates of the resilience plan. Designated personnel must participate in all exercises and tests, with notifications sent at least 14 days in advance. For nuclear facilities, other exercises specified by the OAH (Hungarian Atomic Energy Authority)
