NIS2 Implementation in the EU |
|
Hungary |
|
|
(Europe)
Firm
Lakatos Köves & Partners
Contributors Updated 07 Feb 2025 |
|
| Status | Enacted |
| Status of the NIS2 Implementation Act | Hungary implemented the NIS2 Directive into Act LXIX (“Cybersecurity Act”) in 2024. This new act repealed the previous implementing act (i.e. Act XXIII which came into force back in 2023) and it aims to regulate market participants, government entities and municipalities, along with cyber certification, comprehensively and in more detail, in contrast to its predecessor and consolidate the Hungarian respective legislation into one act to comply with the NIS2 Directive and CER Directives, as well as the ENISA and DORA Regulations. The Cybersecurity Act introduces significant changes, as previously left out provisions were implemented therein (e.g., in cases of non-compliance, the authority may request that the managing director of the service provider be banned from their position and also prescribed the obligation to appoint a representative in certain cases). However, the most significant requirements of the NIS2 Directive—such as registering with the competent authority, implementing security measures, engaging auditors, and preparing audits on the company’s electronic information systems—remain unchanged under the new regime. |
| If available, foreseeable significant deviations of the National Implementation Act from the NIS2 Directive | In general, there are no significant deviations, with one exception regarding the main establishment principle under Article 26 of the NIS2 Directive. Unlike the sequential conditions set out under Article 26(2) of the NIS2 scope provision, the Cybersecurity Act simply establishes an alternative relationship between the conditions. |
| Expected date of entry into force of the Implementation Act | The main provisions are already in force. |
NIS2 Implementation in the EU
Enacted
Hungary implemented the NIS2 Directive into Act LXIX (“Cybersecurity Act”) in 2024. This new act repealed the previous implementing act (i.e. Act XXIII which came into force back in 2023) and it aims to regulate market participants, government entities and municipalities, along with cyber certification, comprehensively and in more detail, in contrast to its predecessor and consolidate the Hungarian respective legislation into one act to comply with the NIS2 Directive and CER Directives, as well as the ENISA and DORA Regulations. The Cybersecurity Act introduces significant changes, as previously left out provisions were implemented therein (e.g., in cases of non-compliance, the authority may request that the managing director of the service provider be banned from their position and also prescribed the obligation to appoint a representative in certain cases). However, the most significant requirements of the NIS2 Directive—such as registering with the competent authority, implementing security measures, engaging auditors, and preparing audits on the company’s electronic information systems—remain unchanged under the new regime.
In general, there are no significant deviations, with one exception regarding the main establishment principle under Article 26 of the NIS2 Directive. Unlike the sequential conditions set out under Article 26(2) of the NIS2 scope provision, the Cybersecurity Act simply establishes an alternative relationship between the conditions.
The main provisions are already in force.