NEW BILL ON CYBERSECURITY WAS PUBLISHED IN HUNGARY
On October 29, 2024, Bill No. T/9716 on Cybersecurity in Hungary (“Bill”) was submitted to Parliament. This Bill proposes the repeal of Act L of 2013 on the electronic information security of State and local government bodies (“Ibtv.”) and is also anticipated to repeal Act XXIII of 2023 on Cybersecurity Certification and Cybersecurity Supervision (“Cybersecurity Certification Act”). The Bill aims to establish a unified legal framework for protection against cyber-attacks and align Hungary’s cybersecurity regulations with European Union legislation. Additionally, the Bill integrates critical entities designated under the Critical Organizations Resilience Act into the regulatory regime. The Bill consolidates the provisions of the Ibtv. and the Cybersecurity Certification Act into a single legislative act while also introducing new requirements, particularly in response to the NIS2 Directive's clarified standards and the repeal of the Ibtv. If adopted by Parliament, the Bill is set to take effect on January 1, 2025.
Under the current Cybersecurity Certification Act, no specific professional or other qualifications are mandated for the individual responsible for the security of the electronic information system (“IBF”), with the Supervisory Authority for Regulated Activities (Hungarian acronym: “SZTFH”) previously communicating that the IBF role carried no additional prerequisites. In contrast, the Bill stipulates that the IBF role must be filled by an individual who is demonstrably qualified, possesses a clean criminal record, and holds the necessary qualifications, professional credentials, internationally recognized accreditations, or relevant experience as specified in the Minister’s Decree for these responsibilities. In light of these enhanced requirements, the Bill provides a two-year transitional period to address potential conflicts of interest.
The Bill also introduces a new classification criterion for concerned organizations, categorizing them as “essential” or “important” entities, including those in critical or highly critical sectors, as defined under the Cybersecurity Certification Act. Unlike the current Cybersecurity Certification Act, this Bill imposes differentiated requirements on organizations in these sectors, affecting the scope of measures that SZTFH can implement. This amendment was deemed necessary to ensure full compliance with the NIS2 Directive. Pursuant to the NIS2 Directive, entities classified as medium-sized enterprises under Act XXXIV of 2004 on Small and Medium-sized Enterprises and Support Provided to Such Enterprises, or those exceeding the threshold for medium-sized enterprises, will be designated as “essential organizations” per Annex 2 of the Bill (comprising service providers and entities operating in high-risk sectors).
Furthermore, the Bill expands and refines definitions, including provisions to clarify the rules for incident reporting. The scope of organizations mandated to conduct cybersecurity audits remains consistent with those covered under the Cybersecurity Certification Act. Similarly, no modifications are proposed regarding the surveillance fee, with the specifics to be determined by the President of the SZTFH via decree.
Organizations classified as “concerned” in the SZTFH registry as of December 31, 2024, in accordance with Section 26(1) of the Cybersecurity Certification Act, are exempt from the notification requirement stipulated in Section 8(5) of the Bill. Additionally, the data of organizations listed in the registry under Section 26(1) of the Cybersecurity Certification Act will be maintained by the SZTFH as part of the current registry. Similarly, data within the registry under Section 14(1) of the Cybersecurity Certification Act, as of December 31, 2024, does not require re-submission.