The EU’s NIS2 Directive entered into force in January 2023 and seeks to achieve a high common level of cybersecurity protection across the Union. The Directive must be implemented by Member States by 17 October 2024 and Hungary has been one of the earliest movers, with its first substantive obligations already in effect: covered entities were required to register with the national authorities by 30 June 2024.
You can find more information on the Hungarian cybersecurity requirements in this detailed article. The key practical learnings from implementation in Hungary are set out below.
- Determining whether a multinational organisation is in scope of national implementing legislation can be complex, and will require a jurisdiction-by-jurisdiction analysis: covered sectors and definitions of key concepts are not consistent between the Hungarian implementing legislation and the Directive.
- Identifying the right individual(s) to take responsibility for compliance may be a challenge, particularly when ICT services are outsourced or managed by an affiliate outside the jurisdiction.
- Local regulatory processes developed with domestic companies in mind may not work well in practice for multinationals. However, there is still scope to engage with local regulators to influence how NIS2 is implemented and embedded in national law and practice.