HUNGARY Law and Practice Contributed by: Adam Liber and Tamás Bereczki, PROVARIS Varga & Partners
ing their criticality. However, details have not yet been communicated to the public.

3.3 Key Operational Resilience Obligations

DORA mandates all financial enterprises in Hungary to enhance their ICT risk management frameworks, with particular emphasis on third-party risk management. Before 17 January 2025, and at the time of writing, existing sector-specific laws, notably Government Decree 42/2015 (III. 12.) on the Protection of the IT Systems of Financial Institutions, Insurers, Reinsurers, Investment Firms, and Commodity Exchange Service Providers, already require financial enterprises to maintain a robust, closed, trusted, and secure IT environment, including considerations for physical security and business continuity.

The Government Decree mandates financial institutions to establish robust IT security frameworks to ensure resiliency and business continuity. These include regular risk assessments, proportional protective measures for IT systems, and secure operations supported by independent monitoring and robust controls. Institutions must implement comprehensive data back-up and recovery plans, maintain redundancy for critical services, and ensure the secure separation of development, testing, and production environments.

Compliance with national cybersecurity standards is required, along with the use of secure digital archiving solutions to preserve electronic records. Vulnerability assessments and mitigation plans are mandatory for high-security systems, with logging and monitoring mechanisms in place for incident management. Business continuity plans must address extraordinary events to minimise disruption and ensure service continuity. These measures collectively strengthen operational stability and align with national and international cybersecurity standards.

The MNB has issued guidance on outsourcing requirements (MNB Guidance No. 7/2020 (VI. 3.)), emphasising the importance of conducting preliminary risk assessments, maintaining documented and tested exit strategies, and performing annual audits of outsourced service providers. Additionally, the MNB issued guidance on IT system security (MNB Guidance No. 8/2020 (VI. 22.)), which provides further details on the requirements established by the above-mentioned Government Decree.

DORA will expand the scope of these requirements, mandating financial enterprises to assess all ICT service providers. These providers must now be classified based on the criticality of their services concerning confidentiality, integrity, availability, and authenticity, thereby introducing a significant new element to the legislative framework.

3.4 Operational Resilience Enforcement

The MNB has extensive authority to enforce effective regulations in Hungary, including conducting regular audits of financial institutions. As part of these audits, the MNB also oversees technical and organisational compliance with its issued guidance, particularly on outsourcing, the use of public cloud services, and IT system security. Additionally, the MNB audits compliance with Government Decree 42/2015 (III. 12.) on the Protection of IT Systems of Financial Institutions, Insurers, Reinsurers, Investment Firms, and Commodity Exchange Service Providers. In practice, this includes a comprehensive IT and IT security audit that evaluates the effectiveness of technical and organisational controls and ensures alignment with the institution’s own risk assessment.