CLVPartners

Commercial Law

Cybersecurity – new regulations, new tasks

On January 1 this year, Act LXIX of 2024 on cybersecurity in Hungary (the “Cybersecurity Act”) came into force. It was adopted in accordance with Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (“NIS2 Directive”), which aims to mitigate threats to electronic information systems arising from threats to the information society and to ensure the continuity of services in key sectors. The Cybersecurity Act and related legislation impose strict requirements and provide for serious legal consequences in the event of non-compliance.

As we support many companies in preparing for compliance with the NIS2 Directive and the Cybersecurity Act, the purpose of this article is to draw the attention of all potentially affected companies to the provisions of the Cybersecurity Act that will become relevant in the near future, namely the obligations and deadlines related to contracting and conducting cybersecurity audits.

Scope of affected organizations

The Cybersecurity Act broadly defines the organizations that are required to monitor the security of their electronic systems and audit them. Private sector companies that reach a certain size and engage in activities classified as high-risk or risky fall into this category, as follows:

  • In terms of size, the companies concerned are those that qualify as medium-sized enterprises or exceed the thresholds set for medium-sized enterprises, i.e. those with a total workforce of more than 50 and an annual net turnover or balance sheet total exceeding the equivalent of EUR 10 million in Hungarian forints.
  • The condition relating to the scope of activity is that the enterprises operate in (highly) risky sectors, such as healthcare, telecommunications services, digital infrastructure (cloud service providers, data center service providers), food production, processing and distribution, computers, electronics, optical product manufacturing, or machinery and equipment manufacturing.

If it is unclear whether the obligations under the regulation apply to a given company, it is recommended to clarify this as soon as possible by reviewing the legislation.

Cybersecurity obligations

  • Audit contract:

The current obligation of the enterprises concerned is to enter into a contract with an independent economic operator authorized to perform cybersecurity audits registered by the Supervisory Authority for Regulatory Affairs of Hungary (SZTFH) in order to verify the cybersecurity of their electronic systems. The SZTFH is already sending out notifications to potentially affected parties, requiring them to provide proof of the conclusion of such a contract by September 15, 2025. Failure to comply with this obligation may result in a fine of between HUF 1 million and HUF 15 million being imposed on the company.

  • Cybersecurity audit:

Following the conclusion of the contract with the auditor, a cybersecurity audit must be carried out by June 30, 2026, during which the security classification of electronic information systems and the adequacy of protective measures according to the security classification will be checked. Failure to perform the audit may result in severe penalties, including fines of up to 2% of the previous year’s turnover, but at least HUF 1 million and up to HUF 150 million.

A cybersecurity audit may take longer depending on the size of the business and the technological and organizational complexity of its activities. For this reason, it is advisable to plan the timing and schedule of the review in advance so that the process not only serves the purpose of compliance, but also actually identifies deficiencies and areas where further action may be needed. Examples include reviewing data protection compliance, updating information security policies, or fine-tuning risk management procedures.

The importance of compliance

Due to stricter cybersecurity regulations and the risk of high fines, compliance is not only a legal obligation but also a key business interest. Available benefits:

  • Reduced financial and reputational risk;
  • Strengthened cybersecurity protection and digital stability for the business;
  • With the right contract, the content, schedule, and definition of tasks and responsibilities of the audit become predictable;
  • At the same time, data protection aspects can be reviewed and, if necessary, data protection impact assessment documents can be revised, thus fulfilling the NAIH’s expectation of compliance with the principle of accountability.


Clarification on trusts

The institution of trusts came into force more than 10 years ago, and the new Civil Code has designated them as a type of contract and introduced a separate law with detailed rules.

Fiduciary trusts are a responsible but also a great option for natural persons with large private assets, as they can offer tax advantages, solve management, succession, matrimonial property and private property protection challenges, or even serve as preparation for a sale. A well-constructed contract can plan the fate of the assets for years, or even decades, with regular review. We find that our clients who opt for this structure are at first reluctant, but then increasingly brave, in addressing through the provisions the issues that affect their fundamental life situations:

  • How can I ensure the successful future of a company built up over many years of work, and the predictable future of employees?
  • What role can individual family members play in the fate of the company?
  • Do they want to be involved in management at all and is there a Plan B if I cannot hand over the running of the company to the person I care most about?
  • What happens to all the assets I have built up from my own resources after my death?
  • How can I ensure that my family members can live their own lives in peace and prosperity after I am no longer able to help them?

To consult on these issues is a matter of great trust for us, and we approach such trust with the same care and respect.

At the same time, however, we often come across offers and opinions on the market which identify the tax advantage of asset management – which is otherwise welcome – as the most important objective and which make everything subject to this – but, in our view, the goal does not justify the means in this case either.

The recent joint statement of the Tax and Information Department of the Tax Authority and of the Ministry of National Economy clarifies a position we have previously held under the Civil Code, the Accounting Act and the Income Tax Act: placing dividend claims in trust (which can be done at the time of the conclusion of the trust deed or at a later date) does not alter the liability to pay tax under public law. In other words, if the dividend has already been declared in the tax year concerned, it is taxable as a dividend regardless of whether it is paid or placed in trust.

The fact that the Ministry and the Tax Authority have published their position paper and that the audit of trusts is a priority in the 2025 audit plan means three things in our view:

  • those who have not assigned the assets in the above manner, based on the combined interpretation of the Civil Code, the Accounting Act and the Tax Act, are expected to be subject to self-audits;
  • those who have not paid due attention to the “substance principle” in the process of disposing of their assets are recommended to review their contracts and adapt the relevant provisions;
  • those who plan to set up a trust this year should take into account that there are different tax consequences for dividends already declared and amounts placed in the profit and loss reserve.

We believe that if we know the rules of the game well, it is possible to win by playing the game cleanly, even collectively.
