HUNGARY Trends and Developments Contributed by: Adam Liber and Tamás Bereczki, PROVARIS Varga & Partners
under educational institutions remain excluded from the scope of the 2024 Cybersecurity Act.

The 2023 Cybersecurity Act did not regulate main establishment, territorial scope, or representatives, and its scope did not cover public sector entities. The new law aimed to fill this gap. The 2024 Cybersecurity Act applies to:

• organisations established in Hungary or represented by an established representative in Hungary;
• electronic communications service providers offering services in Hungary; and
• entities such as DNS service providers, top-level domain registries, domain name registration providers, cloud service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, online search engines, and social media platforms whose main establishment of business is in Hungary.

According to the 2024 Cybersecurity Act, an organisation's main establishment of business is in Hungary if: (i) decisions related to cybersecurity risk management measures are predominantly made in Hungary; (ii) cybersecurity operations related to the organisation's electronic information systems are conducted in Hungary; or (iii) the organisation's site with the largest number of employees is in Hungary. These new provisions ensure clarity regarding jurisdiction and establish criteria for entities operating in or offering services within Hungary's regulatory framework.

The 2024 Cybersecurity Act incorporates the provisions of the NIS2 Directive regarding the appointment of a representative into Hungarian law. Accordingly, an operator of an electronic information system falling under the scope of the 2024 Cybersecurity Act that is not registered in Hungary must appoint, in writing, a representative operating within Hungary. This representative is responsible for ensuring compliance with the law and bears responsibility under the same rules applicable to the head of the organisation.

Cybersecurity supervision and applicable monetary fines

The 2024 Cybersecurity Act designated different regulators for different sectors according to the types of entities, including the Special Service for National Security (Nemzetbiztonsági Szakszolgálat, or NBSZ) and the SZTFH, while the Hungarian Minister of Defence acts as the cybersecurity authority for the military sector.

The Special Service for National Security (Nemzetbiztonsági Szakszolgálat, or NBSZ) is the national cybersecurity authority responsible for supervising the cybersecurity of administrative bodies of the public administration sector (as defined by Annex 1 of the 2024 Cybersecurity Act), enterprises under majority state ownership that exceed the thresholds defined for medium-sized enterprises, and "essential" or "important entities" identified as such by the NBSZ.

The SZTFH continues to supervise entities covered by Annex 2 and Annex 3 of the 2024 Cybersecurity Act, which correspond to Annex I and Annex II of the NIS2 Directive. The scope includes entities classified as medium-sized enterprises or those exceeding the thresholds for medium-sized enterprises. Regardless of organisational size, entities that are electronic communications service providers, trust service providers, DNS service providers, top-level domain name registrars, and domain name reg -
CHAMBERS.COM