Focus on Cybersecurity: Preparation for New Requirements is at the Finish Line

The Cybersecurity Act imposes new requirements on many companies regarding the operation of their electronic information systems. Organizations have until the end of 2023 to prepare to comply with the new rules.

Cybersecurity is a high priority today due to technological advances and the digital transformation of businesses. The Act on Cybersecurity Certification and Cybersecurity Supervision aims to strengthen the security of organizations particularly exposed to threats related to IT systems.

The Act only applies to organizations in certain industries or carrying out certain activities, such as car manufacturers, electronics manufacturers, many energy and pharmaceutical companies, cloud service providers, and data center service providers. The full list of industries and activities covered is set out in the annexes to the Act. With some exceptions, the legislation does not apply to micro and small enterprises. It only applies to them if they are, for example, an electronic communications service provider or a trust service provider.

Organizations covered by the Act will have to comply with a number of new rules: they will have to classify their IT systems into security classes and ensure that those systems are protected at a reasonable level proportionate to the potential risks. In connection with setting up, operating, maintaining and repairing their IT systems, organizations concerned may engage contractors – such as external IT service providers – only if such contractors also meet the requirements of the Act. The organizations concerned must also appoint a person responsible for information security and define that person's tasks and responsibilities.

Organizations covered by the Act are advised to review their contracts with their IT service providers and, if necessary, initiate contract amendments to comply with the new law. The employment contract and job description of the person responsible for information security may also need to be reviewed and amended as necessary. If there is no such person in the organization, the organization must ensure that the said person is appointed.

In addition to the above, the organizations concerned must establish an information security policy and take the necessary technical measures. It is common that employees have little or no knowledge of the risks associated with IT systems; therefore, the Act also covers training users of IT systems: the organizations concerned must organize regular information security training for their employees.

The new cybersecurity law also entails administrative tasks. Companies subject to the law must register with the Hungarian Supervisory Authority for Regulated Activities (“SZTFH”); it is advisable to prepare the registration application as soon as possible. In addition, every two years, these firms must have a cybersecurity audit carried out by an independent auditor, and the auditor sends the results to the SZTFH.

If a company's IT system is affected by an event that causes an adverse change or previously unknown situation that results in the loss or corruption of the confidentiality, integrity, authenticity, functionality or availability of information managed in the IT system (a "security incident"), the organization will be required to investigate the security incident and, if necessary, report it to the relevant incident management center, which, in Hungary, is currently the National Security Services.

It is of paramount importance that the organizations concerned have internal, predefined rules in place to enable them to manage security incidents effectively. Security incidents can easily lead to situations where the organizations concerned have to react very quickly. In such situations, it is necessary to prevent or mitigate the adverse consequences of the security incident and to comply with the associated reporting obligations. If the security incident involves personal data, it is also necessary to consider whether the incident should be notified to the data protection supervisory authority.

In the event of noncompliance with the obligations under the Act, the SZTFH may, among other things, impose a fine of up to HUF 50,000,000, which may be repeated in the event of further noncompliance and may be added together in the event of multiple infringements. If the noncompliance also affects the security of personal data, the competent data protection supervisory authority, which in Hungary is the National Authority for Data Protection and Freedom of Information, may also impose a fine of up to EUR 20,000,000 or 4% of the concerned undertaking’s worldwide turnover in the previous year (whichever is higher).

By Csaba Vari, Counsel, and Andras Gaal, Attorney, Baker McKenzie