New law regulates cybersecurity

The law, which is expected to enter into force on 1 January after the President of the Republic signs it and publishes it, aims to more fully transpose the European Union’s NIS2 Directive into national law and to unify the basic legislation on cybersecurity in a single piece of legislation. The NIS2 Directive, which entered into force in 2023, updated the European Union rules introduced in 2016 in order to keep pace with digitalisation and constantly changing threats.

The Cybersecurity Act creates a comprehensive framework, but does not contain all the rules – the details will be determined by government, ministerial and SZTFH presidential decrees issued on the basis of the law.

The Cybersecurity Act partially adopts the jurisdictional regulation of NIS2, but in some cases, the transposition does not fully follow NIS2 – for example, for DNS, cloud, data center service providers, managed security service providers, online marketplaces, search engines and social media platforms. This may even lead to legal interpretation problems in determining the main place of business, which can only be resolved later, based on the currently unknown position of the legislator and the Regulatory Activities Supervisory Authority (SZTFH), which supervises cybersecurity.

“The Act categorizes the organizations subject to the scope of Hungarian cybersecurity legislation on the basis of NIS2. Based on this, the companies concerned may be classified as essential or important organizations, depending on their size and if the service they provide is critical to the functioning of the state, society or economy,”

said Dr. Csaba Vári, Head of the IPTech practice at Baker McKenzie.