NIS 2 (Network and Information Security Directive 2)
In full: Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive)
The digital transformation of society has led to an expansion of the cyber threat landscape, bringing about new challenges, which require adapted and innovative responses. As a result, the European Parliament and the Council published the NIS 2 Directive on 27 December 2022, which entered into force on 16 January 2023.
The NIS 2 Directive sets out a number of requirements for the cybersecurity and information security of EU Member States. In Hungary, Act XXIII of 2023 on Cybersecurity Certification and Cybersecurity Supervision clarifies the basic issues of national cybersecurity certification and supervision, and implements the provisions of the NIS 2 Directive.
Supervision is carried out by the Hungarian Supervisory Authority for Regulated Activities (SZTFH).
The NIS 2 Directive extends cybersecurity requirements and sanctions to harmonise and improve Member States’ levels of cybersecurity, setting stricter requirements for different sectors. Companies and organisations need to address a number of important aspects, including managing, controlling and monitoring cyber risks, handling incidents efficiently, and ensuring business continuity. In addition, the Directive extends the scope of the entities subject to the Directive, and imposes stricter liability rules for the management bodies of the entities concerned.
Registration deadline
Publishment of the directive
Deadline for conducting an audit contract
Conducting the first audit
Upon request, we will provide you with a full legal interpretation and assess whether you are affected by the NIS 2 Directive, after which we will lay the foundations for preparing for NIS 2.
Important: The authorities will not assess whether the Directive applies to you, nor will they notify you if it does. Your company or institution must self-assess on the basis of criteria that include both sectoral elements and size considerations and notify the authorities in a timely manner. For example, even if your business falls into the micro- or small business category, it may still be engaged in a “high-risk” sectoral activity that falls within the scope of the Directive.
If your company does not have a proper business impact analysis or risk management framework, we will assist you.
We will assess the current level of maturity and identify the organisational and technological gaps that need to be filled for compliance.
Our team of experts, who have extensive industry experience, will propose ways to address gaps and assist in the implementation of a complex action plan.
As required by law, the companies concerned must establish and operate a risk management framework under which they identify, assess, manage and monitor security risks.
As required, we support our clients during implementation projects for each improvement or provide tailored professional advice during the NIS 2 audit to help make the audit easier and ensure its successful completion.
PwC’s team of information and cybersecurity experts has comprehensive knowledge and wide-ranging expertise to assist clients across Europe in meeting the requirements of the NIS 2 Directive.
The NIS 2 Directive is a legislative act on the security of network and information systems across the EU that entered into force on 16 January 2023. The new Directive will significantly increase the number of businesses affected, and will impose stricter requirements on them. Pressure to comply with the Directive is also increasing, as evidenced by stricter sanctions and accountability at the management level.
Our short impact analysis will help you find out whether your company is subject to the NIS 2 Directive. (Contact us now!)
The NIS 2 Directive distinguishes between “sectors of high criticality” and “critical sectors”. Entities in critical sectors are subject to lower fines and are under the reactive supervision of the competent authorities, as opposed to proactive supervision reserved for entities in sectors of high criticality.
The purpose of a uniform set of rules is to ensure that ceilings are the same across the EU, and that a “uniform criterion” is used to determine the entities falling within the scope of the Directive. Medium-sized and large enterprises should be subject to such regulation.
Entities in sectors of high criticality may be subject to fines of up to EUR 10 million or 2% of the annual turnover. For companies in critical sectors, fines may be up to EUR 7 million or 1.4% of the annual turnover. In both cases, the higher of the two amounts will be imposed.
The businesses and institutions concerned should take appropriate measures in areas such as cybersecurity risk management, supply chain security, business continuity, encryption, access control, as well as reporting and corrective measures.
NIS 2 goes far beyond well-known critical infrastructures. For example, in the energy sector, NIS previously applied only to companies that produced, transported or regulated energy in the electricity and gas sectors. However, NIS 2 requirements cover the entire supply chain, e.g. manufacturers of wind turbines or operators of charging stations for electric vehicles.
food businesses within the meaning of the Act on the food chain and its authority supervision
manufacturers and distributors within the meaning of Article 3 of Regulation (EC) No 1907/2006 of the European Parliament and of the Council of 18 December 2006
research organisations
The list is for information purposes only; you can find more detailed information in Annexes 1 and 2 to Act XXIII of 2023.
