Hungary has transposed the EU’s NIS2 Directive (Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148) into national law by way of Act XXIII of 2023. Under the Hungarian rules, the deadline for registration of entities falling under the scope of the legislation was 30 June 2024, but a grace period ensured that no sanctions would be applied until 18 October 2024.
However, according to the overwhelming majority of lawyers and other professionals, the Hungarian implementation of the NIS2 Directive was far from beyond reproach.
Multinational groups especially had reason to criticize the Act, stating that it had been drawn up with only Hungarian entities in mind, leading to many difficulties in interpretation. Strikingly, Article 26 of the NIS2 Directive on jurisdiction and territoriality has not been made part of the Hungarian implementing act for reasons unknown, and the question of the (potential) direct effect of the NIS2 Directive is not something businesses would like to base their models on.
In any case, based on the current wording of the Hungarian implementing act, for example, local subsidiaries of foreign digital service providers or platforms that are actually not engaged in IT were burdened with a number of obligations.
Hence, the only way out is to rely on the exemption available for micro- and small enterprises if the factual conditions thereof are met (and even in this case, certain service providers such as trust service providers are still entangled by the legislation).
However, an imminent change in legislation is expected. A new act is in the works which would result in the proper implementation of the jurisdictional and territorial rules of the NIS2 Directive. That is,
- DNS service providers,
- TLD name registries,
- entities providing domain name registration services,
- cloud computing service providers,
- data centre service providers,
- content delivery network providers,
- managed service providers,
- managed security service providers,
- and providers of online marketplaces, of online search engines or of social networking services platforms,
would not be entrapped by the Hungarian rules (in intra-EU relations) provided
- decisions related to the cybersecurity risk-management measures are predominantly taken outside Hungary; or if such decisions are not taken,
- cybersecurity operations are not carried out in Hungary; or if such cannot be determined;
- if the entity has more employees in another EU member state.
Stay tuned to PETERKA & PARTNERS for more details on this widely awaited change in legislation.