HUNGARY Law and Practice Contributed by: Adam Liber and Tamás Bereczki, PROVARIS Varga & Partners
response centre and overseeing recovery efforts;
• notify affected parties promptly about cybersecurity incidents and potential threats;
• implement recommendations and guidelines from the cybersecurity authority and incident response centre;
• strive to execute tasks outlined in the legislation as quickly as possible;
• allocate at least 5% of the organisation’s annual IT development budget to cybersecurity improvements for applicable organisations; and
• take any additional necessary measures to safeguard electronic information systems.

Organisations must classify their electronic information systems as “basic”, “significant”, or “high” security classes to ensure proportional protection for their systems, data, and services. Classification is based on the risks to system integrity and availability, as well as the confidentiality, integrity, and availability of the data processed. The organisation’s head is responsible for making the classification decision, ensuring compliance with regulations, and verifying the completeness and timeliness of the data used. The classification results must be documented in the organisation’s system registry or internal policies. The security classification must be reviewed at least every two years or promptly following any legally defined changes affecting the system’s security, with the review process documented. Further details are set out in the MK Decree.

The head of the entity must appoint an individual responsible for the security of electronic information systems or enter into an agreement with an external party to fulfil these responsibilities. This includes operating the risk management framework, reporting cybersecurity incidents, and liaising with the cybersecurity incident response centre. For certain organisations, the mandatory elements of such agreements are specified in the Execution Decree. Even when outsourcing, a designated individual must be named as the responsible person. The role can only be performed by someone who is legally competent, has a clean criminal record, and, for specific organisations, meets the qualifications, certifications, or experience requirements outlined by the decree of the minister responsible for IT.

Enterprises under majority state ownership that exceed the thresholds defined for medium-sized enterprises and entities covered by Annex 2 and Annex 3 of the 2024 Cybersecurity Act (whose scope corresponds to Annex I and Annex II of the NIS2 Directive) must conduct a cybersecurity audit every two years to demonstrate compliance with the 2024 Cybersecurity Act’s requirements. Additionally, audits may be mandated by the competent cybersecurity authority. Organisations are required to enter into an agreement with an auditor listed in the supervisory authority’s registry within 120 days of their registration and conduct their first cybersecurity audit within two years of their registration. The related audit methodology and auditor fee regulation is not yet published.

Requirements regarding risk management, risk assessment methodology, security classification and technical and organisational controls are detailed in the MK Decree, while the Execution Decree sets out procedural and detailed requirements regarding entities falling within the scope of the 2024 Cybersecurity Act.

Financial Sector
Cybersecurity-related requirements, including mandatory and regular audits of relevant sys-
97
CHAMBERS.COM