Hungary has implemented the NIS2 Directive, thus, affected companies need to be aware of the respective deadlines in order to perform their obligations arising from Hungarian Act XXIII of 2023 on Cybersecurity Certification and Cybersecurity Supervision in time. The purpose of the Directive is to force the affected companies to take measures to secure their networks and information systems.
The new legislation shall apply to a broad scope of companies operating in the high-risk and at-risk sectors listed in Annex 1 and Annex 2 of the Hungarian Act (e.g., energy, transport, banking, health, digital infrastructure, ICT service management, postal and courier services, chemicals, food, manufacturing, etc.) which are considered at least medium-sized companies.
The first obligation is to register with the competent Hungarian authority (“Szabályozott Tevékenységek Felügyeleti Hatósága” in Hungarian) by 30 June 2024, by filling in the relevant form (SZTFH 420 form) and submitting it through the company gateway of the company.
Affected companies shall provide the basic information and activities of the company, and appoint someone who is responsible for the security of the electronic information systems of the company.
After that, affected companies shall classify their electronic information systems into security classes (basic, significant, or high-security) and apply the respective security measures alongside the payment of a surveillance fee by 18 October 2024 at the latest.