HUNGARY Law and Practice Contributed by: Adam Liber and Tamás Bereczki, PROVARIS Varga & Partners
The 2024 Cybersecurity Act is applicable to the following entities:
• organisations established in Hungary or represented by a local representative;
• electronic communications service providers offering services in Hungary; and
• DNS providers, top-level domain registries, domain name registration providers, cloud service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplace operators, online search engines, and social media platforms, whose main business establishment is in Hungary.

An organisation’s main business establishment is considered to be in Hungary if:
• decisions regarding cybersecurity risk management measures are predominantly made in Hungary;
• cybersecurity operations for the organisation’s electronic information systems are conducted in Hungary; or
• the organisation’s largest workforce is based in Hungary.

Non-Hungarian organisations operating electronic information systems under the 2024 Cybersecurity Act must appoint a Hungarian-based representative responsible for compliance, without affecting the organisation’s or its head’s liability.

The head of the entity must establish and operate a risk management framework for protecting electronic information systems, adhering to applicable EU laws or national regulations where EU laws do not apply. Periodic reviews, including security classifications, must occur at least every two years. Key responsibilities include:
• registering and assessing all electronic information systems, central services, and supporting systems used by the organisation;
• assigning roles, responsibilities, and appointing a person responsible for system security;
• conducting risk assessments, impact analyses, and security classification of systems;
• implementing proportional protective measures and ensuring compliance with EU and national cybersecurity regulations;
• regularly reviewing protective measures and addressing identified deficiencies;
• overseeing internal cybersecurity assessments and ensuring system security through periodic evaluations; and
• deciding on system usage and complying with cybersecurity authority mandates.

To ensure the protection of electronic information systems, the head of the entity must, among other duties:
• provide training on cybersecurity responsibilities for themselves and staff, including mandatory and continuing education as specified by the responsible minister;
• ensure participation in mandatory national cybersecurity exercises or conduct independent exercises;
• maintain traceability of events within electronic information systems;
• ensure third-party service providers comply with cybersecurity requirements through contractual obligations when involved in system creation, operation, auditing, maintenance, or incident handling;
• respond swiftly and effectively to cyber threats, incidents, or near-incidents, including reporting to the cybersecurity incident