
18/10/2024

Mandatory IT security in the EU, NIS2 directive summary

In the European Union, Directive (EU) 2022/2555, known as NIS2 (Network and Information Systems Directive 2), was announced on December 27, 2021, and entered into force shortly afterwards, on January 16, 2023.

EU member states have until October 17, 2024 to transpose the NIS2 directive into their own legal system.

Organizations will have to comply with the domestic regulations adopted and announced in this way in order to meet the requirements of the directive. Member states can decide certain details themselves, so there will certainly be differences between national regulations and implementations. However, the areas of emphasis will be uniform across the entire EU.

All medium and large companies within the affected sectors must comply with the regulations, but there are also exceptions: micro and small businesses are also covered by NIS2 if the organization concerned is

a) an electronic communications service provider,

b) a trust service provider,

c) a DNS service provider,

d) a top-level domain name registrar, or

e) a domain name registration service provider.

Affected sectors

The NIS2 directive is expected to apply to more than 2,500 medium and large companies in Hungary, and member states are obliged to compile a list of important and essential organizations. The organizations concerned will be subject to continuous official supervision, and a security classification performed by auditors will be mandatory every two years.

Particularly critical sectors (essential organizations):

  • outer space, space industry
  • outsourced ICT services (ICT = information and communication technology)
  • public administration
  • digital infrastructure providers (internet providers, cloud providers, data centers, electronic signature trust providers and electronic messaging providers, search engine providers, online marketplaces, social media service platforms, communications, DNS providers, top-level domain name registrars)
  • drinking water, waste water (according to Act CCIX of 2011, water utility service providers)
  • health care (according to Act CLIV of 1997 on health: laboratories, blood supply operators, organizations dealing with the research, development, production or trade of medicines, as well as organizations that manufacture medical devices)
  • banking and financial services (financial market infrastructures)
  • companies that operate or provide transport and transport infrastructure (air, water, rail, road, public transport)
  • energy (electricity, district heating and cooling, petroleum, natural gas, hydrogen)

Other critical sectors (important organizations):

  • research sites
  • digital services
  • manufacturers of specific products (medical and diagnostic devices, computers, motor vehicles and trailers, and other means of transport, electronic devices, optical products, electrical equipment, cement, lime and gypsum production, manufacture of machinery and equipment not elsewhere classified)
  • food production, processing and distribution (organizations affected according to Act XLVI of 2008)
  • manufacturing, production and distribution of chemicals
  • waste management (organizations performing waste management according to Act CLXXXV of 2012)
  • postal and courier services (postal service providers according to Act CLIX of 2012)

More important deadlines

  • From January 1 to June 30, 2024: registration of the organizations concerned. The relevant organizations must carry out self-identification and classification into a security class (classification into a security class is not a mandatory task until June 30), and they must appoint a person responsible for their security (obligation to provide data to the SZTFH).
  • From October 18, 2024: the organizations concerned pay the supervision fee determined by NIS2 and apply the mandatory protection measures.
  • Between October 18 and December 31, 2024: an accredited auditor must be contracted.
  • By December 31, 2025: the first cyber security audit must be performed.

Obligations

  • payment of an annual cyber security supervision fee (up to 0.015% of the net sales of the relevant organization in the previous business year, but no more than HUF 10 million)
  • mandatory auditing every 2 years (by an auditor registered by the SZTFH)
  • sending the data to the SZTFH in order to be registered
  • performing vulnerability tests
  • use of secure emergency communication systems within the organization
  • training of employees and managers
  • monitoring and supervision of the network and the entire system
  • providing secure voice, video and text communication
  • performing security risk assessments
  • multi-factor authentication or continuous authentication solutions
  • application of encryption solutions
  • developing a disaster recovery plan (DRP)
  • developing a business continuity plan (BCP), including the management of reserve systems
  • developing an incident response plan
  • ensuring supply chain security (contributors)
  • development of IT security regulations (IBSZ)
  • development of the relevant infrastructures
  • identification of critical incidents
  • ensuring a cyber hygiene policy
  • implementing the administrative, physical and logical protection measures prescribed for the applicable security class
  • classifying their electronic information systems and the data managed in them into a security class (basic, significant, high)
  • carrying out a risk analysis of electronic information systems and the data managed in them
  • a comprehensive approach to cyber security
  • the obligation to implement the security controls belonging to the given security class
  • appointing a person responsible for information security
  • in the event of an incident, a first notification to the authorities within 24 hours
  • an event report within 72 hours (attack assessment, severity, impact)
  • a final report within 1 month

Management's responsibility

The security measures must be approved and supervised by the management. Both management and employees must participate in regular cyber security training. Management can be held responsible if the organization it leads does not meet the cyber security requirements of the NIS2 directive: it is fundamentally responsible for the proper design of its IT system and for the cyber security compliance of all its subcontractors and the entire supply chain, and the authority can hold it accountable.

The extent of the penalty

Failure to comply with the regulation may result in severe administrative fines:

Under the provisions governing essential organizations, a fine of EUR 10,000,000 or 2% of the total annual worldwide turnover can be imposed.

In the case of important organizations, a fine of EUR 7,000,000 or 1.4% of the company's previous year's turnover can be imposed.

As an additional legal consequence, the domestic supervisory authority will be able to ban a company from its activities, or to place its executive officer under a ban.

From the data provided at registration, the European Cyber Security Agency (ENISA) creates a register of these organizations. In Hungary, the Supervisory Authority for Regulated Activities (SZTFH) is the supervisory authority.
