The operation of thousands of domestic companies is being transformed by NIS2, the revised EU cyber protection directive that came into force this year, EY points out. The new regulation, which also covers industries essential to the operation of the EU, may indirectly affect hundreds of thousands of workers in Hungary.
Hungary was one of the first member states of the European Union to implement the NIS2 directive into its own legal system in order to effectively combat the spectacularly growing cyber threats. The regulations apply to companies employing at least 50 people or with an annual turnover exceeding EUR 10 million, as well as to all organizations that perform an essential function for the economic and social development of the EU. These critical sectors include energy, transport, healthcare, drinking water, wastewater and telecommunications services, outsourced ICT services, space research and digital infrastructure. Postal and courier services, food production, processing and distribution, research, waste management, chemical production and distribution, and digital services are also priority activities.
Already at the beginning of the year, the Hungarian companies covered by NIS2 began to be registered. The companies in question must register with the Supervisory Authority for Regulated Activities by June 30 this year, where the inspection process will begin on October 18. Companies must comply with the terms of the regulation by December 31, 2024, and they must appoint an auditor who will conduct the first cyber security due diligence in accordance with the NIS2 regulation by the end of 2025.
“With the tightening of the cyber protection directive, a serious task and responsibility falls on the companies concerned, as they have to prepare for a comprehensive organizational due diligence. Currently, the NIS2 rules may apply to nearly 2,600 companies in this country, which may indirectly affect hundreds of thousands of employees,” emphasized Mihály Zala, head of cyber protection services at EY.
In order to meet the NIS2 requirements, it is necessary, among other things, to conduct a gap analysis that reveals cyber security shortcomings, build an information security management system, audit suppliers, and run phishing and cyber attack simulations, which together require a complex approach. The companies involved must also develop administrative, logical and physical protection measures related to the information security management system, as well as clearly define the responsibilities of security managers and users. EU regulations also require companies to guarantee business continuity, monitor suppliers, improve employee awareness with training and simulation exercises, identify and manage IT security risks, report potential incidents and maintain IT systems.