HUNGARY Law and Practice Contributed by: Adam Liber and Tamás Bereczki, PROVARIS Varga & Partners
1.2 Cybersecurity Laws General
The 2024 Cybersecurity Act, along with its Exe - cution Decree and the MK Decree, harmonised requirements for both private and public sector entities. These include administrative bodies, state-owned enterprises, entities designated as essential or important but not covered under the 2024 Cybersecurity Act or the EU Digital Operational Resilience Act (DORA), NIS2 enti - ties qualifying as at least medium-sized enter - prises, and entities covered by NIS2 regardless of their size. The 2024 Cybersecurity Act also introduced changes to the scope of entities cov - ered by the 2023 Cybersecurity Act. While the 2023 Act applied to all food businesses, includ - ing retailers, the 2024 Act limits its scope to food businesses involved in wholesale distribu- tion, industrial production, and food processing. Additionally, holders of pharmaceutical whole - sale distribution authorisations under Article 79 of Directive 2001/83/EC are excluded from the new legislation, though pharmaceutical whole - salers remain covered. The 2024 Cybersecurity Act does not apply to electronic information systems handling clas - sified data, operational electronic information systems, programmable systems covered by the government decree on physical protection and related licensing, reporting, and inspection in the application of nuclear energy, and cyber - security services provided by entities designated in a separate government decree. Furthermore, the 2024 Cybersecurity Act did not implement Annex I, Section 3 (banking sector) and Annex I, Section 4 (financial market infrastructures) of the NIS2 Directive, as these fall within the scope of DORA.
In general, requirements regarding the cyberse - curity-related protection and processing of per - sonal data are laid down in the EU’s General Data Protection Regulation and in general, organisa - tions processing personal data must comply with privacy by design, privacy by default and data security requirements laid down by Article 32 GDPR. NIS2 Regulations As opposed to the legislative landscape in 2024 and previous years, the 2024 Cybersecurity Act, its executive regulation, the Government Decree 418/2024 (XII. 23.) on the Implementation of the 2024 Cybersecurity Act (“Execution Decree”) and the MK Decree harmonised requirements for both private and public sector entities falling within the scope of the 2024 Cybersecurity Act. According to the justification to the draft of the 2024 Cybersecurity Act, the Act “uniformly reg - ulates the legal framework for defense against cyberattacks and harmonizes it with European Union legislation. At the same time, it estab - lishes a new and effective defense structure that simplifies the protection of state informa - tion systems and provides guidance for market players as well.” According to the justification for the proposal, “[t]he transposition of the NIS2 Directive into Hungarian law was initiated by Act XXIII of 2023 on Cybersecurity Certification and Cybersecurity Supervision (hereinafter: Cyberse - curity Act). However, considering the increasing number of cyberattacks and incidents affecting various sectors across Europe, the state organ - izational framework dealing with cybersecurity has been reviewed, and it has become expedient to unify the fundamental cybersecurity rules in a single law.”
95
CHAMBERS.COM
Powered by FlippingBook