The Scope of the NIS2 Directive and the Cybersecurity Act – Determining Involvement in Practice
The rapid advancement of digitalisation has brought new opportunities but also new types of risks. In business operations, the reliability of electronic information systems plays an increasingly important role, and ensuring the confidentiality, integrity, and availability of managed data and information has become a fundamental requirement. To address this, the Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (the “NIS2 Directive”), was adopted. Its national transposition in Hungary resulted in Act LXIX of 2024 on Cybersecurity (the “Cybersecurity Act”). These instruments aim to reduce risks to electronic information systems and ensure the continuity of services in key sectors such as energy, healthcare, transport, digital infrastructure, and manufacturing. Depending on their activities, size, and role, organisations are subject to different obligations. Each organisation must determine whether it falls within the scope of the Cybersecurity Act and which specific requirements apply to it. This article outlines the key aspects of self-identification, helping organisations comply with the NIS2 Directive and the Cybersecurity Act.
Who does the Cybersecurity Act apply to?
The Cybersecurity Act covers a wide range of sectors and activities. It applies to designated public administration entities, certain state-influenced enterprises, and defence-related organisations — though these are not detailed here. Beyond these, many private-sector organisations may also be affected. For them, both their activities and their size and turnover must be assessed.
Based solely on activity
Regardless of size, the Cybersecurity Act applies to organisations providing electronic communications services, trust services, DNS services, top-level domain name registry services, or domain name registration services.
These service providers can be identified through the authorities that maintain their registries. Accordingly, the Cybersecurity Act applies to electronic communications service providers and trust service providers listed in the registry of the National Media and Infocommunications Authority (NMHH), to DNS service providers, to the top-level domain name registry (currently the only such organisation in Hungary is ISZT Nonprofit Kft.), and to domain name registration service providers, i.e. the registrars listed on the domain.hu website operated by ISZT.
Based on activity and size
The Cybersecurity Act applies to medium-sized and larger organisations — that is, companies with more than 50 employees and an annual net turnover or balance sheet total exceeding EUR 10 million, provided they carry out activities specified under the Cybersecurity Act.
Of the organisations that meet the size criteria, the Cybersecurity Act covers those operating in high-risk sectors, such as healthcare, telecommunications services and digital infrastructure (e.g. cloud service providers and data centre service providers), as well as service providers and organisations operating in other high-risk sectors, such as food production, processing and distribution, the manufacture of computer, electronic and optical products, and the manufacture of machinery and equipment.
Assessing and determining activities
If an organisation does not perform an activity that automatically falls within the scope of the Cybersecurity Act, both its size and its activities must be considered together. When size thresholds are met, the next step is to assess whether it operates within a high-risk or critical sector; this, however, is not always straightforward in practice.
For activities subject to authorisation, the sector or activity to be examined, and consequently the organisation's involvement, can be determined from the records kept by the competent authorities (e.g. for the transport sector, the Ministry of Construction and Transport as the transport authority; for activities in the food industry sector, the National Food Chain Safety Office; for the pharmaceutical industry and healthcare providers, the National Public Health and Pharmaceutical Center; and for electronic communications, trust and postal service providers, the National Media and Infocommunications Authority).
In other cases — particularly in manufacturing — the relevant activity may be identified using the TEÁOR code (Hungarian equivalent of the NACE code) or similar classification numbers, which may indicate whether the company’s operations bring it under the scope of the Cybersecurity Act.
In most cases, the TEÁOR code makes identification relatively straightforward, for example:
manufacturing of electronic components or measuring instruments (computer, electronic, or optical products sector),
manufacturing of household electrical appliances (electrical equipment sector),
manufacturing of engines, turbines, or special-purpose machinery (machinery and equipment sector),
manufacturing of motor vehicle parts and accessories (road vehicle sector).
However, identification may be influenced by the interpretation of which sector the activities actually carried out belong to. For instance, an organisation engaged in IT consultancy and systems operation could qualify as a cloud service provider, thus falling within the scope of the Cybersecurity Act.
Furthermore, determining involvement may be complicated by the interpretation and practical application of the legal definitions of certain activities. For instance, in the case of a business engaged in the manufacture of plastic packaging materials or plastic products, the classification is not always clear-cut. According to the Cybersecurity Act, an organization is considered to be in a high-risk sector if it is classified as a food business within the food (i) production, (ii) processing, and (iii) distribution sector and is engaged in wholesale activities, industrial production, and processing. These criteria raise the need to clarify several concepts, namely whether such a manufacturing organization qualifies as a food business and whether the activities actually carried out qualify as activities related to any stage of food production, processing, or distribution.
The Limits and Risks of Self-Identification – Recommended Actions
It is clear that self-identification is not always straightforward. The TEÁOR code alone may not precisely reflect the organisation’s real activities, which may lead to misclassification under the Cybersecurity Act. In Hungary, it is common for companies to retain outdated or inaccurate TEÁOR codes in their official records. In such cases, the authority may still assess the company as falling under NIS2 obligations, resulting in unnecessary compliance burdens and administrative costs.
Incorrect or incomplete self-identification can also lead to fines and subsequent enforcement measures. Therefore, it is crucial that businesses regularly review their registered activities and maintain only those TEÁOR codes that accurately represent their actual operations.
Conclusion
Accurate self-identification is not only a legal obligation but also in the best interest of the organisation. Retaining inaccurate or unnecessary TEÁOR codes may result in misinterpretation by authorities and potential sanctions. Proper self-identification and conscious management of registered activities are not merely administrative tasks — they are essential elements of business security. Those who act proactively and with awareness can not only avoid sanctions but may also gain a competitive advantage through enhanced trustworthiness and compliance.
