It’s not just about big companies anymore: who is now subject to cybersecurity rules?
The latest amendments to the Cybersecurity Act not only expand the scope of the regulation, but also place the administrative and compliance obligations of organizations on a new footing. The changes focus on the following three areas, among others: changing the scope of affected organizations, clarifying reporting and registration obligations, and creating several new, partly public, official registers.
These amendments are expected to affect businesses and institutions that have not previously considered themselves directly subject to cybersecurity regulations. That is why a key issue in the coming period will be a rapid assessment of whether a given organization is affected and, if so, what obligations it must prepare to fulfill.
Changes in scope: not only the “big ones” are affected
The legislator has widened the range of organizations covered, using economic and operational indicators that clarify the conditions for inclusion. One of the most important elements of the amendments is that the law will automatically apply to organizations whose annual net sales exceed the forint equivalent of EUR 10 million and whose balance sheet total, as an organization required to prepare reports, also exceeds this threshold.
In addition, the law also extends to organizations that fall within Annexes 2 or 3 of the law and are classified as medium-sized enterprises, or employ at least 50 people, or have significant (exceeding EUR 10 million) sales or budget (hereinafter: “medium-sized enterprises subject to the law”).
Notification obligation
The amendments also place great emphasis on the notification obligation related to registration. The organizations concerned must provide data to the national cybersecurity authority within 30 days of the entry into force in order to be registered.
The legislation also specifies when certain economic organizations under majority state control and medium-sized enterprises subject to the law should be considered to be subject to the law. As a general rule, the law must apply from the first day of the year following the occurrence of the condition establishing the entry into force, but the organization may request that the rules apply to it earlier, from the date of final registration. This option may be particularly relevant for those who want to start the compliance process in a planned and controlled manner.
What should you do now if you are affected?
- Check your organization’s turnover and number of employees
- Check whether you are listed in Annex 2 or 3
- Calculate the 30-day notification deadline
- Appoint a person responsible for information security
- Start preparing compliance documentation
Publicly trusted registers: greater legal certainty for the market as well
One of the most significant innovations of the amendments is that some of the official registers are being given public authority. The essence of public authority is that the data included in the register is considered by the legal system to be true and authentic until proven otherwise.
This is also of paramount importance from a business perspective. The public authority register becomes a data source on which contracts, procurements, official procedures and legal decisions can be safely based.
Expanding registers at the SZTFH and the national cybersecurity authority
The Regulated Activities Supervisory Authority (SZTFH) keeps a register of economic entities authorized to perform audits. According to the changes, the register will be supplemented with the date of registration of the auditor and the related identification number, which will be included as public authority data. This may simplify the verification of auditors’ authorization in practice.
The register kept by the national cybersecurity authority will also become more detailed. It covers, among other things, electronic information systems, their security classification, protection measures, and the data of persons responsible for information security. At the same time, the regulation also takes into account national security considerations, which is why the elements of the register are not public for 30 years.

