ICT Service Providers

Outsourced IT Solutions and Cybersecurity Responsibility

What is an ICT service provider?

An ICT (Information and Communication Technology) service provider is an organization or business that offers IT and communication-related services to other organizations. These services typically include the installation, operation, and maintenance of ICT systems (such as computer networks, servers, and applications), as well as the management of related cybersecurity risks.

Hungary’s Cybersecurity Act of 2024 (Act LXIX of 2024) officially defines the concept of an outsourced (managed) ICT service provider. According to the law, such a provider directly affects the security of the client’s electronic information systems, and is therefore also subject to cybersecurity requirements.

What services do ICT providers offer?

ICT service providers may offer a wide range of services, depending on the type and size of the client. Common services include:

  • Design and operation of computer networks: setup and maintenance of LANs, firewalls, VPNs
  • Server and data center management: provision and maintenance of owned or rented infrastructure
  • Software installation and maintenance: operating systems, business applications, email systems
  • Cloud-based services: e.g., Microsoft 365, Google Workspace, AWS, or other cloud platforms
  • IT system monitoring and security: data backups, antivirus protection, access control, event logging, support for IT audits
  • IT outsourcing: full management of corporate IT infrastructure by an external provider

Why is cybersecurity particularly important?

ICT providers have direct access to their clients’ IT systems and confidential data. Any failure, oversight, or cyberattack can significantly impact business operations. Therefore, managed or outsourced ICT service providers are also subject to cybersecurity regulations under both Hungarian law (Act LXIX of 2024) and the EU NIS2 Directive. This includes:

  • Implementation of risk-based security measures
  • Development of incident response procedures
  • Ensuring auditability and logging
  • Obligations for staff training and awareness

Examples from practice

Example 1: A local municipality does not have an in-house IT team, so it contracts a company to manage its administrative system, internal network, and mail server. This external partner qualifies as an ICT service provider and plays a critical role in ensuring cybersecurity.

Example 2: A manufacturing plant outsources the operation of its SCADA system and associated data network to an IT company. In this case, the service provider is not only a technical partner but also essential to operational reliability—and thus qualifies as an ICT provider under the law.

The role of ICT providers under NIS2 and Hungarian cybersecurity legislation

The NIS2 Directive and its Hungarian implementation categorize ICT providers as high-risk entities—especially those operating in critical or highly important sectors (e.g., healthcare, transport, energy). These providers are required to:

  • Conduct risk assessments and implement risk mitigation strategies
  • Document technical and organizational protection measures
  • Report incidents to the competent authority
  • Perform regular internal audits and compliance checks

The aim is to ensure the security of the entire supply chain, not just the client organization.

Related Services

NIS2 consultancy

The NIS2 rules apply to state and public administration bodies, as well as large and medium-sized private companies, as defined in detail in the law.

NIS2 GAP analysis

Comprehensive analysis and action plan to prepare for compliance with the requirements.

NIS2 mentoring

NIS2 mentoring is designed to support the responsible managers’ professional preparedness and effectiveness.

NIS2 pre-audit

NIS2 internal audits are always conducted by a support team within the company.
