Cyber ​​protection: careless domestic companies can be sanctioned within days

The aim of the NIS2 directive is to enable the member states of the European Union to effectively combat the ever-increasing cyber threats. The regulations apply to companies employing at least 50 people or with an annual turnover exceeding EUR 10 million, as well as to all organizations that perform a critical function in terms of the economic and social development of the EU.

The regulation will enter into force on October 18, 2024, which will start the monitoring and control activities. “The official deadline for mandatory registration has already expired on June 30, but companies that fail to register can complete the necessary documents until October 17 without being sanctioned. This is the last chance for the affected domestic companies to enter the register at the Regulatory Authority for Regulated Activities without sanction,” emphasized Mihály Zala, head of cyber protection services at EY.

Based on the law, companies covered by NIS2 must sign a contract with an auditor by December 31 at the latest, or within 120 days after registration. The companies have until December 31, 2025 to conduct the independent investigation. Those who fail to do so or miss the deadline can pay up to two percent of their annual sales as a penalty and even managers can be banned from working.

“Companies must perform a number of tasks in order to comply with NIS2 requirements, including GAP analysis revealing cyber security gaps, phishing and cyber attack simulations, building and auditing the information security management system. In addition, only a few companies, including EY, can do the latter in Hungary, so it’s worth starting the preparations as soon as possible and even concluding a contract in time,”

stressed Mihály Zala.