05
Sat, Oct
98 New Articles

Focus on Cybersecurity: Preparation for New Requirements is at the Finish Line

Focus on Cybersecurity: Preparation for New Requirements is at the Finish Line

Hungary
Tools
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

The Cybersecurity Act imposes new requirements on many companies regarding the operation of their electronic information systems. Organizations have until the end of 2023 to prepare to comply with the new rules.

Cybersecurity is a high priority today due to technological advances and the digital transformation of businesses. The Act on Cybersecurity Certification and Cybersecurity Supervision aims to strengthen the security of organizations particularly exposed to threats related to IT systems.

The Act only applies to organizations in certain industries or carrying out certain activities, such as car manufacturers, electronics manufacturers, many energy and pharmaceutical companies, cloud service providers, and data center service providers. The full list of industries and activities covered is set out in the annexes to the Act. With some exceptions, the legislation does not apply to micro and small enterprises. It only applies to them if they are, for example, an electronic communications service provider or a trust service provider.

Organizations covered by the Act will have to comply with a number of new rules: They will have to classify their IT systems into security classes and ensure that they are protected at a reasonable level proportionate to the potential risks. In connection with setting up, operating, maintaining and repairing their IT systems, organizations concerned may engage contractors – such as external IT service providers – only if such contractors also meet the requirements of the Act. The organizations concerned must appoint a person responsible for information security, defining their tasks and responsibilities.

Organizations covered by the Act are advised to review their contracts with their IT service providers and, if necessary, initiate contract amendments to comply with the new law. The employment contract and job description of the person responsible for information security may also need to be reviewed and amended as necessary. If there is no such person in the organization, the organization must ensure that the said person is appointed.

In addition to the above, the organizations concerned must establish an information security policy and take the necessary technical measures. It is common that employees have little or no knowledge of the risks associated with IT systems; therefore, the Act also covers training users of IT systems: the organizations concerned must organize regular information security training for their employees.

The new cybersecurity law also entails administrative tasks. Companies subject to the law must register with the Hungarian Supervisory Authority for Regulated Activities (“SZTFH”) - it is advisable to prepare the registration application as soon as possible. In addition, every two years, these firms must have a cybersecurity audit carried out by an independent auditor, the results of which are sent to the SZTFH by the auditor.

If a company's IT system is affected by an event that causes an adverse change or previously unknown situation that results in the loss or corruption of the confidentiality, integrity, authenticity, functionality or availability of information managed in the IT system (a "security incident"), the organization will be required to investigate the security incident and, if necessary, report it to the relevant incident management center, which, in Hungary, is currently the National Security Services.

It is of paramount importance that the organizations concerned have internal, predefined rules in place to enable them to manage security incidents effectively. Security incidents can easily lead to situations where the organizations concerned have to react very quickly. In such situations, it is necessary to prevent or mitigate the adverse consequences of the security incident and to comply with the associated reporting obligations. If the security incident involves personal data, it is also necessary to consider whether the incident should be notified to the data protection supervisory authority.

In the event of noncompliance with the obligations under the Act, the SZTFH may, among other things, impose a fine of up to HUF 50,000,000, which may be repeated in the event of further noncompliance and may be added together in the event of multiple infringements. If the noncompliance also affects the security of personal data, the competent data protection supervisory authority - which, in Hungary, is the National Authority for Data Protection and Freedom of Information - may also impose a fine of up to EUR 20,000,000 or 4% of the concerned undertaking’s worldwide turnover in the previous year (whichever is higher).

By Csaba Vari, Counsel, and Andras Gaal, Attorney, Baker McKenzie

Hungary Knowledge Partner

Nagy és Trócsányi was founded in 1991, turned into limited professional partnership (in Hungarian: ügyvédi iroda) in 1992, with the aim of offering sophisticated legal services. The firm continues to seek excellence in a comprehensive and modern practice, which spans international commercial and business law. 

The firm’s lawyers provide clients with advice and representation in an active, thoughtful and ethical manner, with a real understanding of clients‘ business needs and the markets in which they operate.

The firm is one of the largest home-grown independent law firms in Hungary. Currently Nagy és Trócsányi has 26 lawyers out of which there are 8 active partners. All partners are equity partners.

Nagy és Trócsányi is a legal entity and registered with the Budapest Bar Association. All lawyers of the Budapest office are either members of, or registered as clerks with, the Budapest Bar Association. Several of the firm’s lawyers are admitted attorneys or registered as legal consultants in New York.

The firm advises a broad range of clients, including numerous multinational corporations. 

Our activity focuses on the following practice areas: M&A, company law, litigation and dispute resolution, real estate law, banking and finance, project financing, insolvency and restructuring, venture capital investment, taxation, competition, utilities, energy, media and telecommunication.

Nagy és Trócsányi is the exclusive member firm in Hungary for Lex Mundi – the world’s leading network of independent law firms with in-depth experience in 100+countries worldwide.

The firm advises a broad range of clients, including numerous multinational corporations. Among our key clients are: OTP Bank, Sberbank, Erste Bank, Scania, KS ORKA, Mannvit, DAF Trucks, Booking.com, Museum of Fine Arts of Budapest, Hungarian Post Pte Ltd, Hiventures, Strabag, CPI Hungary, Givaudan, Marks & Spencer, CBA.

Firm's website.

Our Latest Issue