CLVPartners

The essence and functioning of European Works Councils

Reading time: 7 minutes

The role of works councils regulated by the Labor Code is well known to many domestic companies, as employees are entitled to elect a works representative or works council if the number of employees reaches a certain threshold. The works council is a kind of representative body for employees, whose main task is to monitor compliance with the rules governing employment relationships. In performing this task, the works council is entitled to request information and consultation, and in certain cases (e.g., TUPE, collective redundancies, other employer measures affecting a larger group of employees), the employer is obliged to involve the works council, provide it with appropriate information and, where appropriate, seek its opinion.

Many companies operate not only in one but in several European Union countries. In order to ensure that the role and importance of local works councils is not diminished, the EU has provided for the establishment of so-called European works councils in cases where companies have a certain level of presence in the EU.

In the following article, we provide a comprehensive overview of the concept and purpose of European works councils, when companies are required to ensure the election of a European works council for their employees, and the basic functioning of such councils. We will also discuss future, already known changes to the regulations governing European works councils.

The concept and purpose of the European Works Council

The essence of the European Works Council is to ensure the right of employees of Community-level companies (or groups of companies, hereinafter collectively referred to as “companies”) to information and consultation on so-called transnational, international issues. In this context, it is important to note that a Community-level company is defined as a company which

employs at least 1,000 employees through its companies in the Member States,

has employees in at least two Member States, and

employs at least 150 employees in each Member State.

Any issue that affects a Community-scale company as a whole, or at least two of its establishments or undertakings belonging to its group of companies in two different Member States, is considered transnational (and furthermore, under Hungarian law, any issue that has a significant impact on employees, regardless of the number of Member States concerned). It is clear, for example, that a reorganization affecting several organizations of a group of companies operating in the European Union, or, for example, (group-level) collective redundancies, may be considered a transnational issue, in which case the European Works Council must be informed and consulted in accordance with the law before specific decisions are taken.

Initiating the establishment of a European Works Council

If a company operating within the European Union qualifies as a Community-scale company on the basis of the above, negotiations to establish a European Works Council, or another procedure for informing and consulting employees, must be initiated on the initiative of the central management, or at the request of at least 100 employees employed in at least two undertakings or establishments in at least two Member States, or at the request of the bodies representing those employees.

The role and prominent position of the special negotiating body

In order to initiate and conduct negotiations, a special negotiating body must first be established, whose task is to consult and reach agreement with the central management on the procedure for informing and consulting with the works council or employees.

Both the European Union directive on European works councils and the Hungarian law transposing it lay down rules for the election and functioning of the special negotiating body, which, although they leave many questions unanswered, are very similar to those for the election of local works councils.

The mission of the special negotiating body is therefore to agree with the central management on the tasks, powers, composition and term of office of the European Works Council, or to establish a procedure other than the establishment of a European Works Council that allows for the information and consultation of employees.

Functioning of the European Works Council

The functioning of the European Works Council is determined by a written agreement concluded by the parties following successful negotiations between the central management and the special negotiating body.

It should be noted that negotiations often fail to produce results. However, unsuccessful negotiations must not result in an infringement of employees’ rights. For this reason, the legislation itself contains model rules on the functioning of the European Works Council.

The model rules governing the operation of European works councils do indeed bear many similarities to the rules governing Hungarian works councils (method of election, active and passive voting rights, termination of mandate, meetings, etc.).

Review

Over the years, a number of difficulties of interpretation and regulatory gaps have arisen in the practice of those applying the rules currently in force for European works councils, as confirmed by the European Commission.

For those of our clients who are in the process of electing members to the special negotiating body, we see that there are a number of practical issues that are not covered by either EU or domestic regulations. In such cases, we strive to provide advice on the specific implementation, keeping in mind the general purpose of the regulations.

Of course, practical challenges have also been identified in other Member States, which is why the directive has been revised and supplemented.

Under the new regulations, the concept of transnational issues has been defined more broadly (similar to Hungarian legislation); the legislation seeks to ensure gender balance through specific provisions; the special negotiating body will be able to involve experts (e.g. legal and economic experts) if necessary; and Member States must introduce effective provisions to enforce the rules on European Works Councils and to sanction violations thereof.

As a result of the review, Member States will have to transpose and implement the necessary amendments by 1 January 2028. However, given that, based on our practical experience, the establishment of a European Works Council requires significant coordination on the part of all Member States and member companies involved, it may be advisable to take the amendments to the directive into account in the meantime in order to ensure adequate preparation and proper functioning.

Photo source: pexels.com, Jonas Horsch

General information on the legal regulation of group of companies

Reading time: 6 minutes

In modern economic life, in order to increase efficiency and share resources and market risks, companies are increasingly forming close cooperation systems, known as groups of companies (or conglomerates). However, this process often proves to be contrary to the basic principles of classical corporate law, which is based on the independence and separate liability of legal entities. Act V of 2013 on the Civil Code (“Civil Code”) offers a structured solution to this dilemma with the institution of recognized groups of companies, providing a legal framework and a strict warranty system for the responsible economic and legal operation of corporate groups.

Given that the regulation of groups of companies will change this spring, our article presents the regulatory system for groups of companies in order to provide greater clarity on the background to the changes.

Recognized corporate groups

In order for close cooperation between companies to qualify as a recognized corporate group, three conceptual elements must be present:

there must be a controlling member that is required to prepare consolidated annual accounts;

there must be at least three different legal entities controlled by the controlling member;

a uniform business policy must be established, which is laid down in the control contract itself.

The group of companies is established by drawing up a draft control contract and obtaining the approval of a three-quarters majority of the members (subject to the successful fulfilment of the relevant disclosure obligations). The controlling member must apply for registration in the commercial register within 60 days of the final approval.

The control contract

The control contract is the central regulatory instrument for the operation of the group of companies, as it contains the uniform business policy that forms the basis for cooperation. In addition to the most important identifying details of the members, the contract must also specify the form of their cooperation and its essential elements.

It is important that the contract only restricts the independence of the controlled members to the extent necessary to achieve the uniform business objective. Under the rules of the Civil Code, the management of the controlling member may instruct the management of the members within the framework of the control agreement. In this case, the rules on the exclusivity of decisions of the supreme body do not apply either.

In order to ensure transparent operation, the management of the members of the group of companies (including the controlling member) is obliged to report to the supreme bodies at least once a year on the activities related to the performance of the agreement. The management of the controlling member also has an additional obligation to inform creditors with significant claims. If the latter fails to do so, the creditor may apply to the court of registration.

Minority protection

The operation of a group of companies requires specific minority protection rules, as members with a small shareholding must adapt not only to the majority owner within their own company, but also to the majority owner of the controlling member. For this reason, the law provides for special minority protection guarantees both at the time of the formation of the group of companies and during its operation:

upon the formation of the group of companies: members of legal entities joining as controlled members who do not wish to participate in the group of companies may request, within 30 days of the second publication of the announcement of the formation, that the controlling member purchase their shares at market value;

during the operation of the group: if the controlling member substantially or repeatedly breaches the control agreement, members holding at least 5% of the votes of the controlled member, as well as the management of the controlled member, may initiate the convening of the supreme body of the controlling member. This creates an opportunity to bring the breach of contract before the highest decision-making forum of the controlling member. If the management of the controlling member does not comply with the request, the court may also convene the meeting or authorize the applicants to do so.

Creditor protection and underlying liability

One of the fundamental objectives of the establishment and operation of a group of companies is to protect the interests of creditors.

The main security provided by the system is the underlying liability of the controlling member. If any of the controlled members is liquidated, the controlling member is obliged to cover the unsatisfied debts. The controlling member may be exempted from liability if it can successfully prove that the insolvency was not a consequence of the implementation of a uniform business policy.

Supervision by the Court of Registry

The Court of Registry, which is responsible for registration, supervises the legality of the group of companies. In the event of a material or repeated breach of the control agreement, any legally interested party (e.g. a member or creditor) may request that the Court of Registry conduct a legality supervision procedure against the group of companies.

De facto groups of companies

A de facto group of companies exists when uniform management or close economic cooperation has been in place for three years without the parties complying with the formal requirements (control contract, registration). According to long-standing rules, at the request of any legally interested party, the court may oblige the group of companies to conclude a control agreement or to apply the relevant provisions in the absence of such an agreement, thereby creating both underlying liability and the possibility for minority members of controlled subsidiaries to exit.

Regarding de facto groups of companies, the amendment, which will enter into force on March 1, 2026, clarified the concept of a legally interested party: in the future, anyone to whom the controlling member would be liable (i.e., typically a creditor of the controlled member) will be considered to have a legal interest. The amendment prioritizes creditor protection by directly linking the existence of a de facto group of companies to the obligation to pay, thus making the underlying liability of the controlling member enforceable for aggrieved creditors despite the lack of a formal framework.

Summary

The regulation of groups of companies is based on the balance of ‘power and responsibility’. The institution of the recognized group of companies offers legal certainty by ensuring the right to uniform management and instruction, while at the same time protecting economic actors with strict guarantees. It is in the fundamental interest of company managers to ensure that the group operates in compliance with legal guarantees and within a transparent contractual framework, thereby avoiding unexpected underlying liabilities and legal disputes.

Photo source: pexels.com, Fauxels

Changes to Occupational Safety Rules at the Beginning of the Year

Reading time: 7 minutes

As we reported in our extraordinary newsletter, Act XCIII of 1993 on Labour Safety (“Labour Safety and Health Act”) introduces new rules as of 1 January 2026 for employer organizations regarding the provision of conditions for occupational safety and health. In this article, we summarize the requirements necessary to comply with these obligations.

Principles and requirements

The Labour Safety and Health Act sets out in detail the requirements that employers must take into account to ensure occupational safety and health. In this context, employers must strive to avoid hazards, assess risks that cannot be avoided, and combat hazards at their source. Furthermore, undertakings are required to take human factors into consideration when designing workplaces and selecting work equipment and work processes, to apply the achievements of technical progress, to replace hazardous solutions with less hazardous ones, and to provide appropriate instructions to employees. Companies must develop a coherent and comprehensive prevention strategy covering work processes, technology, work organization, working conditions, social relationships, and the effects of workplace environmental factors.

The role of risk assessment

One of the employer’s most important obligations is the preparation and maintenance of a risk assessment, including risk management and the determination of preventive measures. The assessment is carried out by a specialist, who identifies the hazard sources, determines the group of employees exposed to risks, and assesses the nature of the hazards and the extent of exposure. The risk assessment must be carried out before the commencement of the activity and reviewed when justified—at least every five years. Justifiable cases include changes in technology, work equipment, the method of work, or the scope of the employer’s activities. A risk assessment is likewise justified and required if a work accident or occupational disease occurs in connection with deficiencies in the applied activity, technology, work equipment, or method of work. These tasks qualify in all cases as occupational safety and occupational health professional activities and may only be performed by persons with the prescribed qualifications.

Persons authorized to carry out risk assessments

The Labour Safety and Health Act also contains differentiated rules regarding the qualifications required to carry out risk assessments and to define the occupational safety and occupational health content of the prevention strategy, with particular regard to the hazard class and the number of employees. The detailed rules are set out in Decree 5/1993. (XII. 26.) MüM (hereinafter: “MüM Decree”), which classifies employers into hazard categories and stipulates the qualifications required to perform the tasks accordingly.

In the case of employers classified in hazard class III with a maximum of 50 employees (e.g., labour market service providers, IT infrastructure providers, and wholesale and retail trade in general), there has been no change since 1 July 2025: in accordance with the MüM Decree, the activity may also be carried out by a person holding a specialist medical qualification in occupational medicine, industrial medicine, occupational hygiene, public health and epidemiology, or preventive medicine and public health, or by a person holding a qualification as a public health or epidemiological inspector or supervisor.

As of 1 January 2026, a new rule provides that, for employers employing at least 50 employees, the occupational safety content of the prevention strategy must be developed by a person with higher-level occupational safety qualifications in the case of activities classified under Hazard Classes I and II pursuant to the MüM Decree, such as paper manufacturing, pharmaceutical manufacturing, machinery manufacturing, computer, electronic and optical product manufacturing, and tobacco product manufacturing.

Also introduced as of this year is the rule that, for activities classified under Hazard Class I pursuant to the MüM Decree—such as paper manufacturing, pharmaceutical manufacturing, and machinery manufacturing—the preparation of the risk assessment at employers employing at least 50 employees must be carried out by a person with higher-level occupational safety qualifications.

Special rules for teleworking

In the case of teleworking, the employee performs work for part or all of their working time at a location separate from the employer’s premises. In such cases, work may be performed using equipment provided by the employer or, by agreement, by the employee. Where equipment is provided by the employee, the employer must, as part of the risk assessment, ensure that the work equipment is in a safe condition that does not endanger health, while maintaining this condition is the employee’s responsibility.

If work is not performed using IT equipment, it may only be carried out at a remote workplace that has been preliminarily assessed by the employer as appropriate from an occupational safety perspective, and the employer must regularly monitor working conditions and compliance with the applicable rules.

The situation differs when work is performed using IT equipment. In such cases, the employer is not required to conduct a risk assessment; it is sufficient for the employer to inform the employee of the rules for ensuring safe and healthy working conditions and to oblige the employee to comply with these rules, and the employer may obtain a declaration from the employee acknowledging this obligation. The employer may keep a register of work equipment. The employee is required to select the place of remote work in compliance with these conditions. Compliance with the rules may, of course, be monitored remotely by the employer through the use of IT tools. Although an individual risk assessment is not required in this case, proper employee information and regular monitoring remain part of the employer’s occupational safety obligations.

Employer obligations and liability

The employer’s ongoing responsibility does not end with the preparation of documentation. Employers must ensure proper information and instruction for employees, regularly monitor working conditions and compliance with regulations, provide safe work equipment, and promptly investigate irregularities and reports. In addition, employers must ensure the proper usability and condition of personal protective equipment, as well as the lawful investigation of work accidents and occupational diseases.

Compliance with occupational safety regulations is also of outstanding importance from the perspective of employer liability for damages, as under Act I of 2012 on the Labour Code the employer bears objective liability for damage caused to employees in connection with the employment relationship. To be exempted from liability, the employer must prove that the damage was caused by a circumstance beyond its control that it could not have foreseen and that it was not reasonably expected to prevent or mitigate. Under this strict regulatory framework, any failure to comply with occupational safety regulations is necessarily assessed to the detriment of the employer. For these reasons, it is particularly important that employers always have up-to-date occupational safety measures in force and that these are properly and verifiably documented.

Summary

Occupational safety regulations make it clear that ensuring occupational safety and health is not merely a formal obligation, but one of the most important elements of employer responsibility. Failure to properly prepare and regularly review the risk assessment and prevention strategy, as well as failure to actually comply with occupational safety requirements, entails not only regulatory sanctions but also significant compensation risks, given the employer’s objective liability. Our firm is pleased to assist in preparing for regulatory changes and in establishing operations that comply with applicable legislation.

Photo source: pexels.com, suntorn somtong

Data protection considerations related to the development of AI models

Reading time: 5 minutes

Artificial intelligence (“AI”) is a rapidly evolving family of technologies that contributes to a wide range of economic, environmental, and social benefits across all sectors and social activities. By improving predictive accuracy, optimizing operational processes and the allocation of resources, and enabling the personalization of digital solutions available to individuals and organizations, the use of AI can confer a decisive competitive advantage on businesses while also delivering beneficial social and environmental outcomes.

The use of artificial intelligence, alongside its potential benefits, is also associated with certain risks. In order to mitigate these risks, Regulation (EU) 2024/1689 of the European Parliament and of the Council on artificial intelligence (“AI Act”) has been adopted, several provisions of which have already entered into force. At the same time, the development of many AI models involves the use of personal data, which raises the question of how the AI Act affects data processing activities related to AI systems.

The relationship between the AI Act and the GDPR

The AI Act makes it clear that it does not amend the application of existing EU rules on the processing of personal data, including the requirements set out in the GDPR. Accordingly, organizations falling within the scope of the AI Act must, in the course of their data processing activities, comply fully with the provisions of the GDPR.

Through the enforcement of the right to the protection of personal data, the GDPR also supports the effective exercise of other fundamental rights, including, inter alia, freedom of thought and expression, the right to information and education, and the freedom to conduct a business. On this basis, it can be concluded that the GDPR establishes a legal framework that facilitates responsible innovation, including the responsible development and deployment of AI-related technologies.

Data protection considerations in relation to the development of AI models

In connection with the development of AI models, the European Data Protection Board (“EDPB”) adopted a standalone opinion on data protection aspects arising in relation to the processing of personal data in the context of artificial intelligence models (“Opinion”).

The Opinion examines how personal data may be used in the development of AI models and highlights the issues requiring particular attention when placing on the market AI systems developed using personal data.

Lifecycle of AI Models

The EDPB divides the lifecycle of AI models into two stages, emphasizing that data processing may occur in either of them. The first stage covers the processes preceding the deployment of the model (including e.g. its creation, development, the training, the fine-tuning). The second stage relates to the deployment phase, encompassing the use of the model following its development.

Existence of a legal basis for data processing by data controllers

One of the cornerstones of data protection regulation is that personal data may only be processed where a specific legal basis exists. The Opinion reiterates the general expectation that data controllers must determine the appropriate legal basis for their processing activities.

However, the EDPB found that, as a general rule, an AI model developer may rely on legitimate interest as a legal basis, provided that the existence of such legitimate interest is duly substantiated. For this purpose, a three-step test – already familiar to those with experience in data protection compliance practice – serves to properly assess whether a legitimate interest genuinely exists.

The EDPB emphasizes that the balancing test must take into account whether the data subjects can reasonably expect their personal data to be used. The Opinion is significant in this regard because it sets out several criteria intended to assist data protection authorities in assessing the “reasonably foreseeable” criterion.

The Opinion also recalls that, where it appears that the interests, rights, and freedoms of data subjects override the legitimate interests of the data controller or of a third party, all is not lost. Namely, the data controller may consider the implementation of mitigating measures to limit such adverse effects. These may include, for example, pseudonymization, or measures aimed at masking personal data or replacing them with fictitious personal data within the training dataset. The introduction of appropriate data protection measures can make data processing lawful again.

Anonymity

The GDPR classifies as personal data any information relating to an identified or identifiable natural person, whether directly or indirectly. According to the EDPB’s position, in the context of AI model development, personal data may only be used where they are properly anonymized, such that even in the event of a potential reverse engineering of the model, the identification of data subjects is not possible. With regard to anonymization, the EDPB emphasizes that the competent data protection authorities must assess, on a case-by-case basis, whether the organization developing the AI model has complied with this requirement. The body also sets out several recommended techniques that may be suitable for preserving anonymity (e.g. measures that prevent or limit the extraction of personal data used for training purposes).
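As an added illustration of the mitigating measures named two sections above (pseudonymization, masking, replacement of personal data with placeholder values in the training dataset) and of the "does any identifier survive" check that the anonymity discussion calls for, the following Python is example code written for this article; it is not part of the page or of the EDPB Opinion. It assumes a fixed record schema (customer_id, name, email, ticket) and a pseudonymization key held separately from the dataset; the records and the people in them are constructed.

```python
"""Pseudonymise direct identifiers and mask free text in a training set.

Added example, not from the page or the EDPB Opinion. Assumes a fixed
record schema and a pseudonymisation key stored apart from the data
(the key is the "additional information" that would allow re-linking,
so it must never travel with the training set).
"""
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

Record = Dict[str, str]

# Constructed sample records; the people and contact details are fictitious.
SAMPLE_RECORDS: List[Record] = [
    {
        "customer_id": "C-1001",
        "name": "Anna Kovacs",
        "email": "anna.kovacs@example.com",
        "ticket": "Anna Kovacs asked to reset her password; call back on "
                  "+36 30 123 4567 or anna.kovacs@example.com.",
    },
    {
        "customer_id": "C-1002",
        "name": "Peter Nagy",
        "email": "peter.nagy@example.com",
        "ticket": "Invoice dispute raised by Peter Nagy, reachable at "
                  "peter.nagy@example.com.",
    },
]

DIRECT_IDENTIFIERS = ("customer_id", "name", "email")  # replaced by keyed tokens
FREE_TEXT_FIELDS = ("ticket",)                          # masked with patterns

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d[\d\s\-]{7,}\d")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, deterministic token (HMAC-SHA256, truncated): the same value
    maps to the same token under one key, so records stay linkable, but
    without the key the token cannot be reversed or recomputed."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_free_text(text: str, names: List[str]) -> str:
    """Replace e-mail addresses, phone numbers and the record's own name
    inside free text with fixed placeholders (masking, not tokenisation:
    free text should not remain linkable)."""
    text = EMAIL_RE.sub("[EMAIL]", text)
    text = PHONE_RE.sub("[PHONE]", text)
    for name in sorted(names, key=len, reverse=True):  # longest match first
        if name:
            text = text.replace(name, "[NAME]")
    return text


def pseudonymize_record(rec: Record, key: bytes) -> Record:
    out = dict(rec)
    for field in DIRECT_IDENTIFIERS:
        out[field] = pseudonym(rec[field], key)
    for field in FREE_TEXT_FIELDS:
        out[field] = mask_free_text(rec[field], [rec["name"]])
    return out


def pseudonymize_dataset(records: List[Record], key: bytes) -> List[Record]:
    return [pseudonymize_record(r, key) for r in records]


def find_leaks(original: List[Record], processed: List[Record]) -> List[Tuple[str, str]]:
    """Return (field, value) pairs for every original direct identifier value
    that still occurs verbatim anywhere in the processed output. An empty
    list is the minimum check to run before the data leaves the controlled
    environment; it catches identifiers that slipped through the masking."""
    values = {(f, r[f]) for r in original for f in DIRECT_IDENTIFIERS}
    leaks = []
    for field, value in sorted(values):
        if any(value in v for rec in processed for v in rec.values()):
            leaks.append((field, value))
    return leaks


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # in practice: from a secret store
    processed = pseudonymize_dataset(SAMPLE_RECORDS, demo_key)
    for rec in processed:
        print(rec)
    print("leaks:", find_leaks(SAMPLE_RECORDS, processed))
```

The design separates two treatments: direct identifier columns get keyed tokens so that the developer can still join records or honour an erasure request via the key holder, while free text is masked with placeholders because tokenising substrings of prose would leave context that re-identifies. The leak check is deliberately crude (substring search for the original values); it is a floor, not a proof of anonymity, which is why the Opinion leaves the final assessment to the supervisory authority on a case-by-case basis.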

Summary

The EU body emphasizes in its Opinion that compliance with data protection requirements governing the processing of personal data must be ensured throughout both the development and deployment of AI models. It is evident that the expansion of AI and its potential risks are being treated and monitored as a priority in law enforcement, and therefore numerous regulatory guidelines from authorities can be expected in the near future.

Photo source: pexels.com, Tara Winstead

The foundations of artificial intelligence regulation in the European Union

Reading time: 4 minutes

In 2024, the European Union adopted its Artificial Intelligence Regulation (the “AI Regulation”), which established the world’s first comprehensive regulatory framework for artificial intelligence. The provisions of the AI Regulation will gradually become mandatory until August 2, 2027. The AI Regulation refers certain implementation and supervisory tasks to the Member States, as a result of which a domestic regulatory framework for the use of artificial intelligence (“AI”) was also promulgated in Hungary in the fall of 2025.

Given that the AI Regulation will have to be applied almost in its entirety from August this year, CLVPartners is launching a series of newsletters on artificial intelligence to help with preparations. The aim of the series of articles is to present the legal issues related to the use of artificial intelligence in a practical yet easy-to-understand way. In the first part of the series, we will outline the basic concept of the current EU and Hungarian regulatory framework and its main objectives.

Purpose of the AI Regulation, concept of its regulation

AI is one of the fastest-growing areas of technology, and according to some forecasts, its application could bring significant benefits across a wide range of economic and social activities. At the same time, the European Union has recognized that the use of AI also carries a number of risks, such as the risk that its inappropriate use could jeopardize the fundamental rights and freedoms protected by EU law.

The purpose of the AI Regulation is to ensure that the development and use of AI systems takes place within a responsible framework. It is important to note that the AI Regulation applies not only to manufacturers, importers, distributors, and service providers operating in the European Union, but also to companies outside the EU if their products or services are available on the EU market or have an impact on EU citizens. To this end, the AI Regulation imposes obligations on developers and users of AI systems and establishes a uniform regulatory system for their authorization on the EU market. The AI Regulation stipulates that its regulatory framework serves to strengthen transparency and accountability and to promote the spread of human-centered and reliable artificial intelligence. It also aims to eliminate discrimination and bias, while ensuring that EU fundamental values and rights are upheld and providing effective protection against the risks posed by AI systems.

The AI Regulation takes a risk-based approach, classifying AI systems into four risk categories and assigning different rules and obligations to each category. The use of so-called prohibited AI systems that pose an unacceptable risk, such as cognitive behavioral manipulation or emotion recognition in the workplace, is already prohibited in the European Union. High-risk AI systems are subject to strict requirements, in particular testing, transparency, and human oversight obligations, and may only be placed on the market once these requirements have been met. These include, among others, systems used in medical diagnostics, self-driving vehicles, or biometric identification. For low-risk AI systems, such as chatbots, transparency obligations are the main requirement, while the AI Regulation does not set out specific rules for minimal or risk-free AI systems.

The AI Regulation is directly applicable in all EU Member States and, due to its nature as a source of law, cannot be transposed into national law and does not need to be promulgated separately. As a result, the AI Regulation creates a uniform legal framework for the regulation of artificial intelligence throughout the European Union.

Hungarian regulations

In addition to creating a uniform EU regulatory framework, the AI Regulation also imposes several obligations on Member States. Accordingly, Member States, including Hungary, have begun to develop the institutional and legal frameworks necessary to ensure the effective implementation and supervision of the provisions of the AI Regulation.

Under the AI Regulation, the supervision of compliance with the requirements for AI systems classified in each risk category will be the responsibility of the Member States. Accordingly, Member States are required to designate a market surveillance authority and a notifying authority responsible for assessing technical compliance. In addition, each Member State must establish regulatory test environments to support the development of safe and lawful AI.

To ensure compliance with these requirements, in the fall of 2025 the Hungarian Parliament passed Act LXXV of 2025 on the implementation of the European Union’s Artificial Intelligence Regulation in Hungary (“AI Act“), which lays the foundations for the domestic regulatory and institutional structure. The AI Act is implemented by Government Decree 344/2025 (X. 31.) on the implementation of Act LXXV of 2025 on the implementation of the European Union’s regulation on artificial intelligence in Hungary (“AI Government Decree“), which lays down detailed rules on the functioning of the authorities performing tasks related to artificial intelligence.

Under the AI Act, the tasks of the notifying authority are performed by a single body, the AI notifying authority. This authority is responsible for designating the conformity assessment bodies that examine and certify the technical conformity of high-risk AI systems before they are placed on the market. Under the provisions of the AI Government Decree, the National Accreditation Authority performs this task.

Under the AI Act, market surveillance tasks are also performed by a single authority. The market surveillance authority is responsible for examining the lawful use of AI systems after they have been placed on the market. The Act also requires the AI market surveillance authority to establish and operate an AI regulatory test environment from August 2026 and to act as a point of contact. Under the provisions of the AI Government Decree, the Minister for National Economy is responsible for performing these tasks.

The AI Act also establishes the Hungarian Artificial Intelligence Council, which acts as a coordinating and advisory body. The task of the Hungarian Artificial Intelligence Council is to promote the uniform interpretation of the AI Regulation in Hungary through guidelines and position statements.

Summary

In summary, it can be said that in 2024, the European Union was the first in the world to adopt a comprehensive regulatory framework whose primary objectives are to promote the spread of human-centered, transparent, and reliable artificial intelligence, protect EU fundamental values and rights, and adequately address the risks arising from AI systems. The AI Regulation applies a risk-based regulatory approach, setting differentiated requirements according to the risk posed by each AI system.

The AI Regulation is directly applicable in all Member States, but leaves the implementation and supervisory tasks to national authorities. As a result, in the fall of 2025, Hungary enacted the AI Act and the related AI Government Decree to ensure the domestic implementation of the AI Regulation.

Photo source: pexels.com, Dušan Cvetanović


New developments in the regulation of energy cooperatives

Reading time: 6 minutes

The Hungarian Act X of 2006 on Cooperatives (“Cooperatives Act”) has been amended with effect from 1 January 2026 with provisions governing energy cooperatives (“Amendment”). The purpose of this article is to briefly present the background to the Amendment, introduce the concept and key characteristics of energy cooperatives as a new legal institution, and provide an overview of the most important rules applicable to energy cooperatives.

The background of the Amendment

Legal basis and purpose of energy communities

In order to mitigate the adverse effects of climate change and promote the achievement of climate neutrality, the European Union adopted in 2019 the Directive (EU) 2019/944 on common rules for the internal market for electricity and amending Directive 2012/27/EU. This Directive introduced the legal framework for citizen energy communities within the EU.

An energy community is a voluntary association of energy producers and energy consumers. Its operation is based on open and voluntary participation, and it is governed by its members or shareholders, who may be natural persons, small enterprises, or local authorities.

Under EU regulation, energy communities may be established in various legal forms. For example, they may operate as associations, cooperatives, or non-profit companies.

The primary purpose of an energy community is not to generate financial profit, but to provide environmental, economic, and social benefits to its members, shareholders, or the area in which it operates. These benefits may be achieved, inter alia, through the generation, distribution, supply and consumption of energy, as well as through aggregation, energy storage and the provision of services aimed at improving energy efficiency. The activities of an energy community may also extend to solutions related to electric vehicle charging and to the provision of other energy-related services to its members or shareholders.

Energy community operations in practice

It is a legitimate question how an energy community operates in practice and how it can provide tangible benefits to its members.

An energy community can best be understood as a small-scale system that is partially or fully energy self-sufficient. Within the community, members with different roles cooperate with each other. Some are solely energy generators, others both generate and consume energy, while some participate exclusively as consumers. Energy producers may include, for example, households with their own solar panel systems, as well as biogas plants or even wind turbines. These production units are typically developed through community funding from the shared budget of the energy community.

Energy storage solutions form an integral part of the system, enabling the storage of energy that has been produced but not immediately consumed. The key to operation is the continuous interaction between generation, storage and consumption units. This is ensured by an intelligent management system, the so-called smart grid, which monitors production and consumption and directs energy to where it is needed at any given time.

Ideally, an energy community produces slightly more energy than its members consume, which may allow it to become fully independent from the public grid. However, if the balance between production and consumption cannot be maintained—meaning the community produces either too much or too little energy—the energy community may trade with the universal service provider to balance its energy needs.

In conclusion, it can be stated that by promoting energy communities, the European Union seeks to achieve interconnected short- and long-term objectives. In the short term, energy communities can contribute to alleviating energy poverty and strengthening local communities. In the long term, the EU aims to increase the share of renewable energy sources, establish a decentralized and sustainable energy system, and achieve its climate neutrality target set for 2050.

Regulation of energy communities in Hungary and practical experience

To fulfil its legislative obligations arising from EU law, Hungary established the legal framework for the operation of domestic energy communities through the amendment adopted in 2020 to Act LXXXVI of 2007 on electricity (“Electricity Act”).

According to the Electricity Act, an energy community is a legal entity operating in the form of an association, cooperative or non-profit company, whose purpose is to create environmental, economic and social benefits for its members or for the area of operation defined in its statutes. This purpose may be achieved, inter alia, through the generation, distribution, supply and consumption of energy, including the use of renewable energy sources, as well as through aggregation, energy storage and the provision of services aimed at improving energy efficiency.

In connection with energy communities, it should be noted that registration with the Hungarian Energy and Public Utility Regulatory Authority (MEKH) is a prerequisite for acquiring legal status. In addition, to conduct licensed activities—such as electricity generation, energy trading, aggregation or energy sharing—an energy community must obtain the relevant regulatory permits in the same way as any other market participant. According to the MEKH register, there are currently 17 registered energy communities in Hungary.

Rules applicable to energy cooperatives under the Cooperatives Act

It can be concluded that the concept of energy cooperatives has been present in the Hungarian legal system for several years as one of the possible legal forms of energy communities. Although the Electricity Act allows for the establishment of energy cooperatives, detailed and specific regulation had so far been lacking. This regulatory gap was addressed by the Amendment, as a result of which the Cooperatives Act has been supplemented with a separate chapter dedicated to energy cooperatives.

Cooperatives are legal entities established through their members’ capital contributions, with the objective of assisting their members in satisfying their economic and social needs. The primary obligations of members consist of making their capital contributions and providing the personal involvement specified in the articles of association. The general rules applicable to cooperatives are set out in Act V of 2013 on the Civil Code and in the general provisions of the Cooperatives Act. It is important to note that these general rules also apply to energy cooperatives, alongside the specific provisions applicable to them.

Under the Cooperatives Act, an energy cooperative is one form of energy community within the meaning of the Electricity Act, operating within a cooperative structure and conducting energy-related activities in the interest of its members. Its primary purpose is to improve the economic and social situation of its members, while also providing environmental, community and educational benefits, thereby serving the public interest.

Any natural or legal person who meets the statutory requirements may participate in the establishment and subsequent operation of an energy cooperative. At the same time, the regulation allows the energy cooperative to make membership subject to geographical or technical conditions as set out in its articles of association.

Due to the specific purpose and operation of energy cooperatives, members may contribute different amounts to the cooperative’s assets, but this does not affect the equality of membership rights. In decision-making, each member participates with equal weight, meaning that each member has one vote. The Cooperatives Act also allows for the admission of members who are not required to provide personal participation but support the operation solely through capital contributions; such members are referred to by the law as investor members.

The operation of an energy cooperative must be conducted in a manner that is consistent with the interests of its members and is both efficient and sustainable. To ensure this, the Cooperatives Act provides that matters affecting the articles of association fall within the competence of the general meeting, thereby guaranteeing the cooperative’s autonomy. The legislation regulates in detail the procedure for transferring cooperative and investor shares and the related notification obligation, and grants pre-emptive rights to the members and to the cooperative itself.

A key rule concerning the fiscal management of energy cooperatives is that the legislation requires the creation of mandatory reserves. In this context, the energy cooperative must establish a reserve fund amounting to 10% of the profit generated. The purpose of the reserve fund is to ensure the long-term financial sustainability of the energy cooperative. The regulation also requires the establishment of an education and information fund, which serves as the financial basis for the continuous training and knowledge-sharing of members. At least 2% of the profit from the previous fiscal year must be allocated to this fund.

Summary

Overall, it can be concluded that the amendment to the Cooperatives Act, in line with EU objectives, establishes the legal framework for the operation of energy communities in cooperative form. As non-profit organisations, energy cooperatives may participate in the energy market while promoting community, environmental and economic interests, thereby contributing to sustainability, energy efficiency and environmental protection. The regulation prioritises democratic decision-making, transparent operation and the protection of members’ interests, while also allowing for the involvement of external investors.

Photo source: pexels.com, Centre for Ageing Better


Data and Information Security: The Relationship Between GDPR and NIS2

Reading time: 6 minutes

With the rise of digitalization and data-driven decision-making, the volume of sensitive information has increased, along with the associated cyber risk. It has become necessary to establish a regulatory framework that provides guidance on managing expectations, responsibilities, and approaches shaped by the technological environment. Its two main pillars are the European Parliament and Council Directive (EU) 2022/2555 (14 December 2022) (general EU cybersecurity directive, hereinafter: “NIS2 Directive”), implemented in Hungary through Act LXIX of 2024 on Cybersecurity (“Cybersecurity Act”), and the European Parliament and Council Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and the free movement of such data, repealing Directive 95/46/EC (“GDPR”), which ensures data protection compliance.

The NIS2 Directive, the resulting national cybersecurity regulations, and GDPR apply different perspectives; however, the affected areas often overlap in practice, particularly in electronic information systems that process personal data. Therefore, aligning the requirements of these two regulatory frameworks is essential for the lawful and secure operation of the affected organizations. This article outlines the relationship between the NIS2 Directive and national regulations with GDPR, their overlaps, conflicts, and practical resolutions.

Scope of NIS2 and GDPR: Dual obligations

The GDPR applies to all organizations that qualify as data controllers, meaning they determine the purposes and means of processing personal data either independently or jointly with others. The scope of NIS2 is determined based on a complex set of criteria, which may include various enterprises depending on their activities, size, and revenue. Consequently, if an entity falls under both NIS2 and GDPR, it must comply with the rules of both frameworks simultaneously. For example, a medium- or large-sized company in the manufacturing sector may be subject to cybersecurity regulations based on its activities and size, and in the course of its activities, it typically processes at least employee and supplier data as a data controller, thus requiring the application of both the GDPR and NIS2 provisions.

In practice, electronic information systems often process personal data, as in HR systems or customer databases. In the event of an incident, both the GDPR and NIS2 impose obligations on the organization. A data protection incident (personal data breach) is a breach of security that results in the accidental or unlawful destruction, loss or alteration of, or unauthorized disclosure of or access to, personal data, whereas a cybersecurity incident is an event that threatens the availability, integrity or confidentiality of data stored, transmitted or processed in electronic information systems, or of the services provided or accessible through such systems. Therefore, if a cybersecurity incident involves personal data, for example data loss or leakage following a phishing email or a ransomware attack, it simultaneously constitutes a data protection incident. Consequently, incident handling must comply with both regulations, and notifications to the competent authorities must be made whenever the respective conditions are met. For this purpose, it is advisable to establish a single internal procedure that accounts for the obligations of both frameworks.

Proper classification of incidents is particularly important, as the two types of incident carry distinct notification obligations, content requirements and deadlines. In a data protection incident, the organization must first assess whether the event is likely to result in a risk to the rights and freedoms of natural persons. If such a risk is likely, the incident must be reported to the National Authority for Data Protection and Freedom of Information (NAIH) without undue delay and, where feasible, within 72 hours of the organization becoming aware of it; in the case of a high risk, the affected individuals must also be notified. Cybersecurity incidents follow a different, staged procedure: the organization must submit an early warning within 24 hours based on the information available, a detailed incident notification within 72 hours and, after completing the investigation, a final report to the national cybersecurity incident handling center no later than 30 days. Since the GDPR and the cybersecurity rules define incidents and the related obligations differently, an event may qualify as a cybersecurity incident without requiring a data protection incident report (for example, a denial-of-service attack that affects no personal data), and, conversely, a personal data breach with no significant effect on the organization’s services (for example, a misdirected e-mail containing personal data) may be reportable under the GDPR only.

The practical significance of dual compliance is illustrated by a medium- or large-sized company engaged in “other machinery manufacturing”, which falls under the scope of the NIS2 Directive. If the company suffers an incident in which an attacker gains unauthorized access to a server containing employees’ personal data, the event must be assessed not only from a data protection perspective but also under the Cybersecurity Act. Under the Act, any threat, near-incident or actual incident (including operational cybersecurity incidents) that causes severe disruption or financial loss to the organization, or significant material or immaterial harm to others, must be reported to the competent cybersecurity incident handling center without undue delay and no later than 24 hours after the organization becomes aware of it; the 72-hour detailed report and the final report then follow. In parallel, the data protection assessment determines whether the same event must also be reported to the data protection authority within 72 hours and whether the affected employees must be notified. This example highlights that organizations must comply with both legal frameworks simultaneously and design incident handling accordingly.
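As an added illustration (example code written for this article, not part of the original text and not tooling of any authority), the following Python triage helper models the three possible outcomes described above: an event may trigger both frameworks, only the cybersecurity track, or only the GDPR track. It takes its deadlines from the article (GDPR: 72 hours to NAIH where a risk is likely, plus communication to data subjects where the risk is high; cybersecurity rules: 24-hour early warning, 72-hour incident notification, final report within 30 days) and computes them from the moment the organization became aware of the event. The data model, the field names, the sample incidents and the choice to count the 30-day final report from the 72-hour notification are assumptions made for the example, not requirements stated in the article.

```python
"""Dual-track incident triage: GDPR personal data breach vs. NIS2 significant incident.

Added illustrative example; deadlines follow the article, the model is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Risk(Enum):
    """Outcome of the GDPR assessment of the risk to natural persons."""
    NONE = "none"
    LIKELY = "likely"
    HIGH = "high"


@dataclass(frozen=True)
class Incident:
    name: str
    detected_at: datetime           # moment the organisation became aware of the event
    personal_data_affected: bool    # personal data destroyed, lost, altered, disclosed or accessed?
    risk_to_individuals: Risk       # result of the GDPR risk assessment
    significant_impact: bool        # severe disruption, financial loss or harm to others (NIS2 threshold)


@dataclass(frozen=True)
class Notification:
    framework: str      # "GDPR" or "NIS2"
    recipient: str
    deadline: datetime
    step: str


def triage(inc: Incident) -> list[Notification]:
    """Return every notification the incident triggers, ordered by deadline.

    GDPR track: a breach likely to result in a risk goes to the supervisory authority
    within 72 h of awareness; a high-risk breach is additionally communicated to the
    data subjects without undue delay (modelled as a deadline equal to detection time).
    NIS2 track: a significant incident triggers an early warning (24 h), an incident
    notification (72 h) and a final report, counted here as 30 days after the
    72-hour notification (assumption based on the article and NIS2 Art. 23(4)(d)).
    """
    t = inc.detected_at
    out: list[Notification] = []

    if inc.personal_data_affected and inc.risk_to_individuals is not Risk.NONE:
        out.append(Notification("GDPR", "NAIH (supervisory authority)",
                                t + timedelta(hours=72), "breach notification"))
        if inc.risk_to_individuals is Risk.HIGH:
            out.append(Notification("GDPR", "affected data subjects",
                                    t, "communication without undue delay"))

    if inc.significant_impact:
        csirt = "national cybersecurity incident handling centre"
        detailed = t + timedelta(hours=72)
        out.append(Notification("NIS2", csirt, t + timedelta(hours=24), "early warning"))
        out.append(Notification("NIS2", csirt, detailed, "incident notification"))
        out.append(Notification("NIS2", csirt, detailed + timedelta(days=30), "final report"))

    # Ties at the same deadline are ordered GDPR first so output is deterministic.
    return sorted(out, key=lambda n: (n.deadline, n.framework))


def frameworks_triggered(inc: Incident) -> set[str]:
    """Which of the two regimes require a report for this incident."""
    return {n.framework for n in triage(inc)}


# Constructed sample incidents (not real cases) covering the three possible outcomes.
T0 = datetime(2025, 11, 3, 9, 0, tzinfo=timezone.utc)

RANSOMWARE = Incident("ransomware with exfiltration of HR records", T0,
                      personal_data_affected=True, risk_to_individuals=Risk.HIGH,
                      significant_impact=True)
DDOS = Incident("volumetric DDoS on customer portal, no data accessed", T0,
                personal_data_affected=False, risk_to_individuals=Risk.NONE,
                significant_impact=True)
MISDIRECTED_EMAIL = Incident("payslip e-mailed to the wrong employee", T0,
                             personal_data_affected=True, risk_to_individuals=Risk.LIKELY,
                             significant_impact=False)

if __name__ == "__main__":
    for inc in (RANSOMWARE, DDOS, MISDIRECTED_EMAIL):
        print(f"\n{inc.name}: {sorted(frameworks_triggered(inc))}")
        for n in triage(inc):
            print(f"  {n.deadline:%Y-%m-%d %H:%M} UTC  {n.framework:<4} {n.step} -> {n.recipient}")
```

The point of the three constructed cases is the classification step, not the arithmetic: the ransomware case produces five deadlines on two tracks, the DDoS case produces the NIS2 chain only, and the misdirected e-mail produces a single GDPR notification. In a real procedure the two boolean inputs are the output of the joint assessment by the information security officer and the data protection officer, which is exactly why the article recommends one shared process rather than two isolated ones.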

Aligning processes at the documentation and operational levels

If an organization falls under both GDPR and cybersecurity regulations, the documentation and operational processes required by both frameworks must be aligned for dual compliance. GDPR requires that the organization maintain a data protection policy, provide a privacy notice to data subjects, and, in some cases, conduct a data protection impact assessment. Similarly, cybersecurity rules require the establishment of an information security policy. In addition, both frameworks require regulation of incident management processes and training to raise awareness among relevant staff.

The organization’s leadership is responsible for complying with NIS2 and GDPR requirements, while the data protection officer and the professional responsible for the security of electronic information systems play a key role in ensuring compliance. To avoid parallel, isolated processes, it is essential for information security and data protection officers to collaborate actively on a daily basis. Aligning the requirements of both frameworks is not merely an administrative task: its significance lies in the fact that both areas rely on the same information systems, data flows, and risks, even if they examine them from different perspectives. When an organization designs its processes in a unified, coherent manner, overlaps can be avoided, error risks reduced, and both cybersecurity and data protection requirements can be ensured. Incident management processes should be designed to ensure that any potential event is handled in a way that fulfills the obligations of both frameworks. This approach is not only resource-efficient but also strengthens legal compliance, system security, and the trust of clients, partners, and employees.

NIS2 and GDPR serve different purposes and approach the same events differently. GDPR’s primary objective is to protect the rights and freedoms of natural persons, whereas NIS2 focuses on strengthening information system security, safeguarding service continuity, and increasing resilience against cyber threats. Accordingly, the two frameworks impose different expectations on organizations: GDPR emphasizes data minimization and purpose limitation, while NIS2 specifically requires detailed logging, continuous monitoring, and retention of log files. This often results in NIS2 compliance requiring the storage of large volumes of technically processed personal data, which must be handled carefully from a data protection perspective.

Apparent conflicts between the two regulations can be resolved in practice through a coordinated approach. One key step is integrating information security risk assessments with GDPR data protection impact assessments, as both assess the same systems, data flows, and risk factors from different perspectives. Equally important is designing internal policies that simultaneously comply with mandatory cybersecurity measures and GDPR provisions.

Both NIS2 and GDPR require that organizations properly train all personnel who have access to information systems or process personal data. Therefore, it is advisable to align the strategic planning and content of training programs, considering risk assessment results, previous incidents, regulatory changes, and the professional opinions of the organization’s security experts. True alignment between the two regulatory areas is important not only for legal compliance but also for operational security, risk reduction, and maintaining internal and external trust.

Conclusion

GDPR and the NIS2 Directive serve different purposes but converge on many points regarding information security requirements. Dual compliance therefore requires careful alignment: interpreting the regulations consistently and integrating related procedures can ensure that an organization meets the expectations of both frameworks simultaneously. Coherent revision of professional documentation and operational processes, coordination of internal responsibilities, and alignment of regular training and audits facilitate achieving both GDPR data protection and NIS2 cybersecurity goals. Compliance with these requirements strengthens the organization’s information security and data protection resilience, meeting the relevant EU and national legal obligations.

Photo source: pexels.com, Kevin Ku


Online presence in the shadow of GDPR – rules for consent-based data processing

Reading time: 5 minutes

In order to remain competitive, an online presence is no longer merely an advantage for companies but a fundamental requirement. Websites and newsletters facilitate communication with customers, while giving addressees the opportunity to learn about the latest services and offers firsthand. At the same time, it is important to note that this may also involve the processing of personal data, which is subject to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC („General Data Protection Regulation”; „GDPR”). In practice, data processing for marketing purposes such as newsletters typically requires the express consent of the data subjects, given in strict compliance with the requirements set out in the GDPR. In this article, we summarize the most important rules relating to consent-based data processing.

When to apply GDPR?

As outlined by the National Authority for Data Protection and Freedom of Information (“NAIH“) in its guidance on website privacy settings and cookies, the processing of personal data of natural persons, including natural persons acting on behalf of a company (e.g., its employees) and private individual clients, falls under the scope of the GDPR. For instance, collecting, recording, storing and using a customer’s name, phone number, address, email address or bank account number constitutes data processing. Conversely, if a company processes data relating exclusively to legal persons, its activities do not fall within the scope of the General Data Protection Regulation and compliance with its provisions is not mandatory for it. In practice, however, the details of a legal person’s contact persons (e.g., name, personal email address, position) are usually essential for communication, and processing them is processing of personal data.

Similarly, newsletter subscriptions, targeted requests (such as asking for a callback) and tools that support the effective functioning of websites, such as cookies or visitor analytics, require the company to process natural persons’ data, so this type of data processing also falls within the scope of the GDPR.

Consent as a possible legal basis for processing personal data

The fundamental rule of data processing is that, in the absence of a valid legal basis, processing personal data is not considered to be lawful. One of the legal bases for data processing – most commonly required for data processing for marketing purposes – is the consent of the data subject.

Conditions for consent

According to the GDPR, consent is valid if it is freely given, specific, based on adequate information, and unambiguous, indicating that the data subject agrees to the processing of his/her personal data.

Freely given

Consent is freely given if individuals can refuse or withdraw it without external pressure or negative consequences. It is therefore not voluntary if the data subject has no real choice, feels compelled to consent, or faces negative consequences from the data controller on refusal. This was confirmed by the recent opinion of the European Data Protection Board (“EDPB”) on so-called “pay or consent” models, which found that such models, as operated by large online platforms, will in most cases not meet the requirement of freely given consent. Such models offer data subjects a binary choice: either they consent to the processing of their personal data (typically for behavioural advertising), or they pay a fee to avoid that processing.

The voluntary nature of consent also implies that the data subject has the right to withdraw the consent at any time.

Specific and appropriate information

In order for consent to be valid, the purpose of data processing must also be specific. This condition is closely linked to the condition of informed consent. Therefore, individuals must be informed of the specific purposes in simple and easily understandable language so that they have a clear understanding of the purpose for which their data is being processed. This also means that if the purposes of the data processing operation change or further data processing operations are being added, consent must be obtained from individuals again. Likewise, if a data processing operation has multiple purposes, separate consent must be obtained for each purpose for the processing to be lawful. When providing information, the data subject must also be made aware that they may withdraw their consent at any time.

Unambiguous consent

According to the GDPR, consent is unambiguous only if it is given by a statement or a clear affirmative action of the data subject; in other words, consent can only be given through active conduct. The EDPB considers that blanket acceptance of general terms and conditions is not a clear affirmative action. Pre-ticked boxes and opt-out mechanisms, where the data subject would have to act to prevent consent from being given, therefore do not constitute valid consent under the GDPR.

Duration and demonstration of consent

The General Data Protection Regulation does not provide for any limitation on the duration of consent. However, this does not mean that personal data can be processed indefinitely with the consent of the data subject. The duration of consent depends in each case on the context of the data processing in question. In order to determine the duration correctly, it is therefore necessary to assess the circumstances of the data processing.

Furthermore, the GDPR stipulates that during data processing, the data controller must always be able to adequately demonstrate the existence of the consent.

Without claiming to be exhaustive, we merely refer to the fact that the General Data Protection Regulation lays down additional conditions in relation to the consent of children and special categories of data.

Summary

The online presence of companies—for example, through websites and newsletters—is essential to maintaining competitiveness, but it can also involve the processing of personal data, which falls under the scope of the GDPR. Personal data may only be processed on an appropriate legal basis, the existence of which is essential in all cases. When developing and enhancing their marketing strategies, it is crucial for companies to simultaneously establish and review their data processing frameworks to ensure that their data processing activities comply with the GDPR.

Photo source: pexels.com, Tara Winstead


Data Subject Rights and the Importance of Consent in Online Content Creation

Reading time: 4 minutes

With the development of digital platforms, anyone can become a content creator today: a smartphone, a good idea and a few clicks are enough for our messages, videos or pictures to reach thousands of people. However, an online presence carries not only creative opportunities but also legal responsibilities and risks. When sharing content of any kind, such as posts or videos, and especially if identifiable persons appear in it, the processing of personal data occurs.

General applicability of the GDPR

The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”), on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, serves a dual purpose: it ensures the protection of individuals’ personal data while also providing a framework for the free flow of such data within the European Union. The GDPR sets out in detail the rights of data subjects and the obligations of data controllers.

At the same time, the GDPR is not applicable in certain exceptional cases; one such exception is the processing of personal data by a natural person in the course of a purely personal or household activity. Examples include private correspondence, whether on paper or electronically, the storage of addresses or contact details, personal notes or diaries, family photographs, communication on social networks and other online activities. This exception must be interpreted narrowly: processing falls outside the scope of the GDPR only if it serves a purely private purpose, that is, it has no community, professional or economic aspect. Thus, if the data can be accessed by an indefinite number of persons or is made public, the activity no longer qualifies as personal processing. Business entities cannot invoke personal or household use at all. Therefore, the publication of any online content containing personal data (such as photographs, audio recordings or other information), whether it concerns employees or any other natural person, requires appropriate legal diligence in all cases.

Data processing related to online content creation

Digital platforms widely enable users to create and share photos, videos, or audio recordings – even of other people. The question may arise whether data protection rules apply in such cases. Since uploaded recordings – including images, voices, or other identifiable information – constitute personal data and are made accessible to the public, their processing falls under the GDPR.

One of the fundamental principles of data protection is that any processing of personal data must be based on a valid legal basis. When a data controller undertakes any activity involving the processing of personal data, it must carefully assess which legal basis best suits the intended purpose. In the context of content creation, data processing most commonly relies on the data subject’s consent.

Obtaining consent is crucial, as recording or publishing someone else’s image or voice is only lawful if the data subject has given explicit, informed, and prior consent. Simply tolerating the presence of a camera or answering a question does not constitute valid consent. This demonstrates how strictly the GDPR defines the requirement of a lawful basis: unlike the Hungarian Civil Code (“Civil Code”), which allows certain exceptions for public figures or mass recordings, the GDPR does not provide such derogations. This highlights the coexistence of parallel legal frameworks – compliance with the Civil Code does not necessarily mean compliance with data protection law, thus each legal regime has distinct requirements for lawful conduct.

Consequences of Non-Compliance

Publishing content online without a valid legal basis – such as consent – constitutes a violation of data protection rules. Unlawful data processing can have serious consequences, including regulatory procedures and administrative fines. If a recording is made or published without permission and results in significant harm to an individual’s interests, the act may not only be unlawful under data protection law but could also amount to a criminal offence or establish a claim for non-pecuniary damages under the Civil Code, depending on the circumstances. Liability always lies with the person who created or published the recording.

Particularly high-risk situations include cases involving children, healthcare settings, political opinions, or other sensitive personal data. If such content is shared without the data subject’s knowledge or consent, it does not qualify as private activity and is considered full-fledged data processing under the GDPR. In such cases, data subjects have the right to request information, withdraw consent, demand deletion of recordings, and pursue legal remedies.

Summary

Presence in the online space – particularly in the context of corporate communications, marketing, or HR content creation – requires careful data protection practices. What may not entail legal consequences under the Civil Code can still constitute a data protection violation.

Consent is therefore not a mere formality, but one of the fundamental prerequisites for lawful data processing. Organizations – whether content creators or employers – are advised to establish internal procedures, training programs, or policies to manage the data protection risks associated with online content creation.

Respecting data subject rights, properly documenting consents, and complying with GDPR requirements are not only matters of legal compliance, but also essential for maintaining corporate reputation and trust.

Photo source: pexels.com, Plann


The Scope of the NIS2 Directive and the Cybersecurity Act – Determining Involvement in Practice

Reading time: 6 minutes

The rapid advancement of digitalisation has brought new opportunities but also new types of risks. In business operations, the reliability of electronic information systems plays an increasingly important role, and ensuring the confidentiality, integrity, and availability of managed data and information has become a fundamental requirement. To address this, the Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (the “NIS2 Directive”), was adopted. Its national transposition in Hungary resulted in Act LXIX of 2024 on Cybersecurity (the “Cybersecurity Act”). These instruments aim to reduce risks to electronic information systems and ensure the continuity of services in key sectors such as energy, healthcare, transport, digital infrastructure, and manufacturing. Depending on their activities, size, and role, organisations are subject to different obligations. Each organisation must determine whether it falls within the scope of the Cybersecurity Act and which specific requirements apply to it. This article outlines the key aspects of self-identification, helping organisations comply with the NIS2 Directive and the Cybersecurity Act.

Who does the Cybersecurity Act apply to?

The Cybersecurity Act covers a wide range of sectors and activities. It applies to designated public administration entities, certain state-influenced enterprises, and defence-related organisations — though these are not detailed here. Beyond these, many private-sector organisations may also be affected. For them, both their activities and their size and turnover must be assessed.

Based solely on activity

Regardless of size, the Cybersecurity Act applies to organisations providing electronic communications services, trust services, DNS services, top-level domain name registry services, or domain name registration services.

These service providers can be identified through the registries maintained by the competent authorities. Accordingly, the Cybersecurity Act applies to electronic communications service providers and trust service providers listed in the registry of the National Media and Infocommunications Authority (NMHH), to DNS service providers, to the top-level domain name registry (currently the only such organisation in Hungary is ISZT Nonprofit Kft.), and to domain name registration service providers, i.e. the registrars listed on the domain.hu website operated by ISZT.

Based on activity and size

The Cybersecurity Act applies to medium-sized and larger organisations — that is, companies with more than 50 employees and an annual net turnover or balance sheet total exceeding EUR 10 million, provided they carry out activities specified under the Cybersecurity Act.

Of the organisations that meet the size criteria, the Cybersecurity Act applies to those operating in high-risk sectors such as healthcare, telecommunications services, and digital infrastructure (e.g., cloud service providers, data centre service providers), as well as to service providers and organisations operating in other high-risk sectors, such as food production, processing, and distribution; the manufacture of computer, electronic, and optical products; and the manufacture of machinery and equipment.

Assessing and determining activities

If an organisation does not perform an activity that automatically falls within the scope of the Cybersecurity Act, both its size and its activities must be considered together. When size thresholds are met, the next step is to assess whether it operates within a high-risk or critical sector; this, however, is not always straightforward in practice.

For activities subject to authorisation, the sector or activity to be examined – and consequently whether the organisation is affected – can be determined from the records kept by the competent authorities (e.g., for the transport sector, the Ministry of Construction and Transport as the transport authority; for activities in the food industry sector, the National Food Chain Safety Office; for the pharmaceutical industry and healthcare providers, the National Public Health and Pharmaceutical Center; and for electronic communications, trust and postal service providers, the National Media and Infocommunications Authority).

In other cases — particularly in manufacturing — the relevant activity may be identified using the TEÁOR code (Hungarian equivalent of the NACE code) or similar classification numbers, which may indicate whether the company’s operations bring it under the scope of the Cybersecurity Act.

In most cases, the TEÁOR code makes identification relatively straightforward, for example:

manufacturing of electronic components or measuring instruments (computer, electronic, or optical products sector),

manufacturing of household electrical appliances (electrical equipment sector),

manufacturing of engines, turbines, or special-purpose machinery (machinery and equipment sector),

manufacturing of motor vehicle parts and accessories (road vehicle sector).

However, identification may be influenced by the interpretation of which sector the activities actually carried out belong to. For instance, an organisation engaged in IT consultancy and systems operation could qualify as a cloud service provider, thus falling within the scope of the Cybersecurity Act.

Furthermore, determining involvement may be complicated by the interpretation and practical application of the legal definitions of certain activities. For instance, in the case of a business engaged in the manufacture of plastic packaging materials or plastic products, the classification is not always clear-cut. According to the Cybersecurity Act, an organization is considered to be in a high-risk sector if it is classified as a food business within the food (i) production, (ii) processing, and (iii) distribution sector and is engaged in wholesale activities, industrial production, and processing. These criteria raise the need to clarify several concepts, namely whether such a manufacturing organization qualifies as a food business and whether the activities actually carried out qualify as activities related to any stage of food production, processing, or distribution.

The Limits and Risks of Self-Identification – Recommended Actions

It is clear that self-identification is not always straightforward. The TEÁOR code alone may not precisely reflect the organisation’s real activities, which may lead to misclassification under the Cybersecurity Act. In Hungary, it is common for companies to retain outdated or inaccurate TEÁOR codes in their official records. In such cases, the authority may still assess the company as falling under NIS2 obligations, resulting in unnecessary compliance burdens and administrative costs.

Incorrect or incomplete self-identification can also lead to fines and subsequent enforcement measures. Therefore, it is crucial that businesses regularly review their registered activities and maintain only those TEÁOR codes that accurately represent their actual operations.

Conclusion

Accurate self-identification is not only a legal obligation but also in the best interest of the organisation. Retaining inaccurate or unnecessary TEÁOR codes may result in misinterpretation by authorities and potential sanctions. Proper self-identification and conscious management of registered activities are not merely administrative tasks — they are essential elements of business security. Those who act proactively and with awareness can not only avoid sanctions but may also gain a competitive advantage through enhanced trustworthiness and compliance.

Photo source: pexels.com, Markus Spiske

