Hungarian companies affected by the Cybersecurity Certification Act have only until 31 December to comply with their obligation to enter into an agreement with an auditor to conduct a cybersecurity audit. Read this short article to find out who shall engage an auditor and whom affected organizations can choose as an auditor.
Smartlegal Schmidt&Partners reports from Hungary:
- Affected organizations
As a reminder, companies operating in “high-risk” or “risky” sectors, except for small and medium-sized enterprises, are considered affected organizations under the Cybersecurity Certification Act.[i]
The affected organizations were obligated to register with the Regulated Activities Supervisory Authority (“Authority”) by 30 June 2024 at the latest.
- Obligations prior to engaging an auditor
Organizations shall classify their electronic information systems into certain security classes, namely the “Basic”, “Significant” or “High” security class. The details of the classification are regulated by the applicable ministerial decree[ii].
The companies need to implement the necessary security measures, which shall apply as of 18 December 2024.
The classification of the electronic information systems is critical because it will be the basis for the audit and will determine who can be the auditor conducting the cybersecurity audit.
- Who shall engage an auditor?
All affected organizations that started their operations before 18 October 2024 shall enter into an agreement with an auditor conducting the cybersecurity audit by 31 December 2024.
This means that not only companies operating in “high-risk” sectors or organizations with systems of “High” security classification, but all affected organizations are obligated to find an auditor and sign a contract by the end of 2024.
- Who can be the auditor?
The list of the companies registered as auditors is available at the link below:
https://sztfh.hu/nyilvantartasok/auditorok/
The Authority has established requirements[iii] for companies conducting cybersecurity audits based on security classes.
In the registry, each auditor is classified in a security class, indicating the highest security class of electronic information systems they are authorized to audit. For example, an auditor classified under the “Significant” security class is permitted to audit electronic information systems categorized as “Basic” or “Significant”.
- Further upcoming obligations
Companies that started their operations by 1 January 2024 shall conduct their first NIS2-compliant cybersecurity audit by 31 December 2025.
In addition, affected organizations shall pay a cybersecurity monitoring fee. The annual fee shall not exceed 0.015% of the affected organization’s net sales revenue for the previous financial year or, in the absence of such revenue, the pro-rata annualized portion of the current year’s revenue, with a maximum limit of 10 million HUF.
The above-mentioned amount is only the maximum fee; the Authority’s decree on the exact fees will probably be adopted in the coming months.
- Summary
To summarize, the most important thing at the moment is for the affected organizations to find a suitable auditor and to sign a contract with them before the end of the year.
Written by Anita Vereb
SMARTLEGAL is a team of agile business & litigation lawyers in Budapest, Hungary, helping international corporate clients and individual entrepreneurs doing business in Hungary. For more information please visit our website at Smartlegal.hu