Besides challenges, NIS2 offers opportunities for Hungarian companies

The new requirements of the NIS2 Directive affect many stakeholders in the Hungarian business ecosystem since, in addition to the high-risk sectors, suppliers to these sectors are also indirectly affected - this was the message of a full-house event organized by CETIN Hungary in cooperation with IVSZ. Companies that do not comply with cybersecurity regulations can face severe consequences: the penalty can be up to 2% of annual revenue. However, NIS2 is not just another regulation, but a tool that can turn cybersecurity compliance into a competitive advantage.

The European Union cybersecurity regulations introduced in 2016 were updated by the NIS2 Directive, which came into force in 2023, to keep pace with digitalization and the constantly evolving cybersecurity threats. The Directive extends the scope of cybersecurity rules to new sectors and organizations. In Hungary, NIS2 was implemented by the Act on Cybersecurity Certification and Cybersecurity Supervision, which entered into force in January this year.

On 18 October, an important milestone was reached: from now on, all relevant organizations must comply with the requirements of the Act.

Dr. Balázs Bencsik, from the Supervisory Authority for Regulated Activities (SZTFH), emphasized that the new requirements of the NIS2 Directive place more serious obligations on Hungarian businesses after 18 October 2024. The Directive adapts cybersecurity regulation to increasingly complex digital threats and pays particular attention to companies operating in high-risk sectors with at least 50 employees or an annual revenue of more than €10 million.

Failure to comply with NIS2 can have serious consequences for a company, with penalties of up to 2% of annual revenue. 

Dr. Balázs Bencsik also explained the auditing process, which starts with the classification of corporate IT systems into security classes and includes several tests, such as vulnerability and intrusion testing. The Authority will introduce a new indicator for the assessment of organizations: a measure of defense compliance and an organizational resilience index, awarded to companies that successfully pass a cybersecurity audit, which will reflect favorably on them in the eyes of their business partners.

Overall, however, it is important to emphasize that, although the tasks related to the EU Directive are challenging, the attitude of Hungarian companies - based on the experience of SZTFH - shows a positive picture, which is an encouraging sign for future compliance.

Csaba Weisz, Senior Security Consultant at CETIN Hungary, emphasized that the new, stricter requirements of the NIS2 Directive now also affect suppliers of organizations operating in high-risk sectors - so even smaller companies have to adapt to the strict requirements, which is a completely new challenge for them. Compliance will also inevitably lead to a culture change, and experienced experts can help to ensure a successful audit. Collaboration between the members of the partner ecosystem - public authorities, NIS2 compliant companies and their suppliers - is key to achieving the goals defined in NIS2. CETIN has successfully completed a number of audits and has the experience to assist partners and suppliers who have not yet participated in audits of such complexity. 

At the end of his presentation, the expert encouraged the representatives of the companies present to treat the NIS2 requirements not only as an obligation, but as an opportunity, which can be an important component of their future business success.

Kamilló Matek, Head of KPMG Cyberlab and an ethical hacker, highlighted the importance of continuous security testing by revealing the details of a real hacking attack. In most vulnerability testing, companies usually test only technology systems or user awareness, while the combined testing of processes, systems and human factors is often neglected.

During the presentation, the expert described a so-called Red Teaming exercise at a customer site, where he successfully made use of a Python component present in the company's systems as part of its DLP software. By taking advantage of the vulnerabilities and configuration of this component, which relied on an outdated solution, the ethical hacker bypassed Microsoft's defenses and carried out a social engineering attack, successfully gaining remote access to the company's systems without triggering any alert from its defenses.

Kamilló Matek stressed that traditional security tests often fail to detect these deep-lying vulnerabilities, and that security testing that examines a company's systems in their entirety in real-world conditions may be necessary. These exercises are essential not only for large corporations but also for smaller companies to achieve real security.