Gábor Kerekes J.

This year, the most frequently mentioned buzzwords in the IT sector are "cybersecurity" and "compliance." This is due to the NIS2 directive, which is being uniformly introduced across the EU, and the tasks associated with it span the entire year. Moreover, in just a few days, Hungarian businesses must move past the second phase as well.

The First Phase is Supposedly Behind Us

In the first phase of the domestic implementation of the NIS2 directive, Hungarian companies had to assess whether they met the three criteria that would classify them as an affected business. The first criterion is determining whether any of the company's activities fall into one of the 16 sectors identified in the legislation as risky or highly risky (e.g., transportation, healthcare, pharmaceuticals, chemicals, digital services, etc.). The second and third criteria are simpler: the company must be classified as a medium-sized enterprise, meaning it has at least 50 employees, and its annual net revenue or balance sheet total exceeds 10 million euros.

If a company met these three criteria, it was required to request registration with the cybersecurity supervisory authority by June 30, 2024. Registration is not just an administrative task; even at this stage, it demanded strategic decisions from companies. In addition to providing basic data and activity details, the application also required the appointment of a responsible person for the security of the company's electronic information systems. The company had to list the public services it provides (e.g., customer portals, mobile applications) and identify all service providers involved in the operation of its electronic information systems.

What's Next

While it's possible that many are still assessing the need for registration, in just a few days, another significant milestone under the new regime will be reached: by October 18, 2024, companies must classify their electronic information systems into security levels (basic, high, or significant) and implement the necessary risk and incident management measures. This involves examining the relevant system and its physical environment and taking all necessary steps to ensure the confidentiality, integrity, and continuous availability of the data stored, transmitted, or processed in that system. This is an extremely complex process, with the first step being to determine how many electronic information systems the company has in the first place – for a small food company, this number may be less than ten, while for a large automotive company, it could reach thousands.

The task carries significant stakes. If an authority's investigation finds that a system has been classified into a lower security level than necessary or that inadequate measures have been prescribed, the authority may impose sanctions on the organization. Initially, this will likely be limited to warnings and a requirement to take corrective actions. However, in more severe cases, fines may be imposed. Significant as these are, they could be secondary to the possibility that, in extreme cases, the authority suspends the company's activities altogether – not to mention the continuous cyber threats.

What Awaits Companies Under the Christmas Tree

Of course, the year cannot end without further NIS2 obligations. Even if a company has met all the above requirements on time, it still needs an entity to verify that all these steps have been properly completed. The logic of the regulation assigns this role to cybersecurity auditors. So far, the authority has registered five companies that can operate as auditors. However, their activities are limited: their authorization is based on the highest security levels, so they can only carry out inspections in the levels for which they are licensed. The next step for affected companies will be to select and contract a suitable auditor by December 31, 2024.

What Should Those Who Haven't Started Yet Do?

Experience shows that there are still many companies in the market that haven't begun preparations or haven't even realized they may be affected by the regulation. The good news for them is that they will likely still have time to catch up with the field, even if they have to complete both the first and second phases simultaneously. Although missing the registration deadline could result in fines of up to 15 million forints, the authority's frequently stated position is that its primary goal is not to impose fines. However, if someone delays until the middle of next year, they will likely face more serious consequences.