With the entry into force of the Act on cybersecurity certification and cybersecurity supervision, the transposition of the new NIS2 (Network Information System v2) Directive of the EU into Hungarian law has started. These information security requirements cover a wider range of companies than ever before, with preliminary estimates suggesting 2,500-3,000 companies directly covered. Affected companies had until 30 June 2024 to register with the Supervisory Authority for Regulated Activities (SZFTH). However, in addition to providing administrative and technical company details, the identity and contact information of the chief information security officer (CISO) also had to be provided.
Companies established after 30 June 2024 have 30 days from the date of incorporation to register with the Supervisory Authority.
CISO: Who should be the responsible person?
One of the most important issues during the registration process is the designation of the chief information security officer. In our view, this is a difficult decision for companies with an international background even though the CyberCert Act does not contain any specific expectations or requirements regarding the CISO and explicitly allows for the possibility to fill the position even with the involvement of an external expert.
Outsourcing the work of the CISO is only a partial solution for companies with an international background
Outsourcing the tasks of the chief information security officer may at first sight seem a rational solution when the necessary expertise, experience or resources are not available in-house. However, our experience shows that many companies nevertheless register an information security officer from their internal staff on the SZFTH registration form.
Before we write about the reasons for this, let us consider the tasks and challenges a prospective internal CISO faces when preparing for a NIS2 audit in a Hungarian subsidiary with an international background.
What is the CISO responsible for?
The primary tasks of the CISO are:
- reducing the risk of cybersecurity incidents, and
- shortening the time needed to detect such incidents.
Cybersecurity incidents are typically aimed at acquiring a company’s data assets. The severity of incidents is compounded by the fact that in many cases the attempted data theft can result in a complete or partial service outage or even the suspension of business operations, which in all cases can have at least significant and sometimes catastrophic consequences for a company’s operations.
Beyond reducing the likelihood of cybersecurity incidents, the ability to limit the harm they cause is in fact the true measure of a company’s defensibility and resilience, which can be increased by
- introducing barriers,
- establishing rules,
- deploying tools, and
- providing training.
The novelty of NIS2 lies in its requirement for affected companies to continuously enhance their cyber defence capabilities in line with these principles, while the legislation also seeks to establish a common standard at the EU level.
It is also important for the CISO to ensure that mandatory information security measures are designed in line with the threats and also fit within the available budget.
Cybersecurity measures inevitably slow down the business, and a large part of the company will be expected to actively cooperate in their implementation. The internal CISO needs to consider the business as a whole when thinking about responses to threats and when working with the local IT team, business area managers, legal professionals, the headquarters (abroad) or even the Supervisory Authority.
Hungarian NIS2 for Hungarian companies
Although NIS2 is an EU directive designed to establish a unified cybersecurity framework and level of protection, Member States are incorporating it into their national legislation at varying speeds and with content that is not entirely consistent.
The internal CISO of a Hungarian subsidiary should be familiar with the specificities of the “Hungarian” NIS2 rules, so that he/she can represent them, along with other domestic requirements, in the development and adaptation of a globally managed information security governance system and related policies and procedures.
The compliance of companies established in Hungary will always be assessed based on the Hungarian CyberCert Act, the implementing decrees, as well as the methodological guidelines issued by Hungarian institutions, and the audits will be conducted in Hungarian and by Hungarian auditors.
Thus, preparation in all cases requires the active involvement of the domestic operation and almost certainly cannot be managed solely from abroad using the policies and system elements developed by the headquarters in their unchanged form.
Despite being an obvious choice, it is not advisable to delegate a member of the IT team as compliance manager
In international corporate groups, CISOs face a rather complex set of responsibilities, so fully outsourcing their tasks may not always prove to be an effective solution.
For these companies, it may be advisable to expand the capabilities and resources of the local compliance officer to ensure they can also coordinate preparations for meeting the new compliance requirements set forth by the CyberCert Act. This can be achieved by involving external consultants and experts as needed.
A compliance manager’s local knowledge, existing channels and acceptance by the local IT team, the central IT management, the business areas and management are assets that will be needed during the implementation of the NIS2 information security management system, as it is likely to have a significant impact on most of the company’s current processes and will also shape the organisational culture.
IT will be a key player in the changes but, as in many other areas, will mainly remain in an implementing role, which is why combining the IT and information security management positions is an unfortunate choice.
Professional mentoring can help compliance managers
NIS2 requires companies to continuously improve their cybersecurity capabilities. In doing so, they need to develop an information security system that can be operated effectively and audited robustly. To succeed, a trusted manager must have a good understanding not only of international and domestic rules, but also of the company’s internal processes and operations.
This makes it difficult to fully outsource NIS2 preparation tasks and may push companies towards developing internal competencies instead. Appropriate mentoring can help compliance managers to adapt to the new requirements.
We offer our NIS2 professional mentoring service to compliance officers who wish to become familiar with the NIS2 information security management system established by the Hungarian provisions of law, which will become a requirement from 2025. This service is also aimed at those seeking a supportive partner when filling the role of the chief information security officer with an internal staff member.
Related Services
NIS2 consultancy
The NIS2 rules apply to state and public administration bodies, as well as large and medium-sized private companies, as defined in detail in the law.
NIS2 mentoring
NIS2 mentoring is designed to support the responsible managers’ professional preparedness and effectiveness.
NIS2 pre-audit
NIS2 internal audits are always conducted by a support team within the company.
NIS2 GAP analysis
Comprehensive analysis and action plan to prepare to comply with the requirements.