HUNGARY Law and Practice Contributed by: Adam Liber and Tamás Bereczki, PROVARIS Varga & Partners
can fulfil resilience requirements if they meet relevant regulations. Non-compliance may result in mandated revisions to the exercise procedures or the necessity to repeat the exercises.

2.3 Incident Response and Notification Obligations

NIS2-Related Security Events

Administrative bodies, state-owned enterprises, entities designated as essential or important but not covered by the 2024 Cybersecurity Act or DORA, as well as those covered under the 2024 Cybersecurity Act, must promptly report all threats, near-cybersecurity incidents, and cybersecurity incidents, including operational cybersecurity incidents, to the NBSZ, which serves as the National Cybersecurity Incident Response Centre (CERT).

NIS2-relevant organisations under the 2024 Cybersecurity Act are specifically required to report incidents that significantly disrupt operations or services, cause substantial financial harm to the organisation, or result in significant financial or non-financial damage to others. Additionally, these organisations may voluntarily report cybersecurity incidents that fall below the mandatory reporting threshold.

All reporting must adhere to the procedures outlined in the applicable government decree.

Organisations must submit an initial cybersecurity incident report without undue delay and within 24 hours of becoming aware of the incident. The report should include the following information, if available:

• identification of the affected electronic information system;
• a brief description of the incident, including whether it qualifies as an operational cybersecurity incident;
• the status, duration, and geographical extent of the incident;
• the expected recovery time, if estimable;
• details of the affected data type, nature, and user impact;
• the extent of service disruption and potential cross-border effects;
• contact details of the designated liaison handling the incident;
• information on intermediary or central service providers involved;
• whether the incident is intentional; and
• any other relevant information to assess cross-border impacts.

Furthermore, organisations must comply with the following reporting requirements for cybersecurity incidents:

• report infection indicators as soon as such metrics become available;
• within 72 hours of becoming aware of the incident, submit an updated notification that includes information from the initial report and provides a preliminary assessment of the incident’s severity and impact;
• provide status updates upon request from the NBSZ;
• submit a detailed final report within one month of the event notification, including:
  (a) a comprehensive description of the incident, its severity, and impact;
  (b) likely causes or threats behind the incident;
  (c) mitigation measures implemented or ongoing; and
  (d) cross-border impacts, if applicable;