Current status of implementation

"Pre-Implementation" Phase. Only one sectoral Act has been modified so far: Act 209 of 2011 on Water Suppliers. The NIS Directive has been partially implemented into the Hungarian legal system.

Implementation Act

The Hungarian Implementing Act is "Act 134 of 2017 on modifying certain interior related tasks and corresponding laws" that amends several other Acts including Act CVIII of 2001 on e-commerce and informational society services, Act CLXVI of 2012 on identifying and protecting essential systems, etc.

Determination of operators of essential services (Art. 5 NIS)

In accordance with Art. 5 of the NIS Directive, the Hungarian regulator has identified the following sectors: (i) energy, (ii) transportation, (iii) agriculture, (iv) health, (v) social security, (vi) finance, (vii) infocommunication technologies, (viii) water, (ix) legal system/governmental activities, (x) public security/defence, (xi) military
Reporting obligations

Providers of registration- obliged services (digital services pursuant to Act CVIII of 2001 on e-commerce and informational society services) must immediately report significant incidents in relation to network and information systems that have significant effects on their services offered within the EU to the General Directorate for Disaster Management of the Ministry of Interior (Directorate).

Whether the incident is significant must be determined based on several aspects including the number of affected users, the duration and geographical scope of the incident, the level of disruption in the services and its economical/ social effects (in line with Art 16 (4) of NIS)).

Sanctions regime

Annex 1 of Government Decree 410/2017 (XII.15) on registration obligedservices provides for administrative fines to providers of registration- obliged services in case of breaching the obligations specified by the Annex of the Government Decree including the failure to notify the Directorate about significant incidents.

The amount of the imposed fine depends on the type of breach of obligation and varies between HUF 50,000 (~ EUR 165) and HUF 5,000,000 (~ EUR 16,500). The amount of fine cannot exceed HUF 5,000,000 even in case of multiple breaches of obligations, however fines can be imposed for the same breach of obligations as well.

Competent authorities

The General Directorate for Disaster Management of the Ministry of Interior is responsible for receiving incident reports and for ensuring that providers of registration-obligated services comply with applicable regulations.
Jurisdictional applications

The provisions on providers of registration- obliged services apply only to business entities registered in Hungary that offer digital services pursuant to Annex 3 of NIS and do not qualify as a small and medium-sized business entity.
Remarks (if any)

We note that only a few sections of Act 209 of 2011 have been modified. The aim of the modification is to harmonize certain provisions of the Act with Article 14 (1) and (2) of the NIS Directive. By calling the relevant authorities we found that the publication of an implementation Act and the modifications of the relevant sectoral acts are scheduled for "the second half of 2017", however no exact deadline has been communicated to us. We note that not all aspects of the implementation on operators of essential services is entirely clear but we intend to seek informal advice from the Directorate orally.

Last reviewed 28.02.2018