Hungary proposes widening scope of financial entities under DORA Regulation

Hungary

On 10 April 2024, the Hungarian Parliament adopted a new law on the detailed rules implementing the DORA Regulation – Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (Digital Operational Resilience Act – DORA). The following article summarises the main differences between the scope of DORA and the Implementing Law.

Scope of DORA in general

DORA lays down uniform requirements concerning the security of network and information systems supporting the business processes of financial entities (FEs). In particular, FEs must manage risks associated with information and communication technologies (ICT) through policies and procedures that manage, classify and report ICT-related incidents and cyber threats; performance of digital operational resilience testing, and taking measures to ensure the sound management of ICT risk in the event of outsourcing to third parties.

Altogether 20 types of FEs fall under the scope of DORA. These include credit institutions, payment institutions, account information service providers, electronic money institutions, investment firms, crypto-asset service providers and issuers of asset-referenced tokens, managers of alternative investment funds, management companies, insurance and reinsurance undertakings, insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries, institutions for occupational retirement provision and credit rating agencies.

Scope of the Implementing Law

The scope of FEs falling under the above requirements of the Implementing Law is wider than the personal scope of DORA. In addition to FEs listed above, the Implementing Law also applies to:

  • all financial enterprises;
  • all stock exchanges;
  • all insurance and reinsurance undertakings, irrespective of size.

Financial enterprises provide one or more financial services (e.g. credit and loan operations, financial leasing, providing surety facilities and guarantees, financial intermediation services, safe custody services, safety deposit box services and purchasing receivables), operate payment systems or are qualified as a financial holding company. Most financial enterprises must only comply with the simplified ICT risk management framework prescribed by Article 16 of DORA (i.e. the Mini DORA). The financial enterprises operating payment systems, or which are subject to prudential regulation equivalent to that of a credit institution or which are subject to supervision on a consolidated basis, however, must comply with the full ICT risk management framework prescribed by Article 6 of DORA.

Another Hungarian specificity of the Implementing law is that the DORA does not apply to the MFB Hungarian Development Bank and the Hungarian Export-Import Bank.

Interplay between DORA and NIS2 in Hungary

Based on the Article 19 of DORA Regulation, the Implementing Law prescribes that all FEs reporting major ICT-related incidents to the competent authority under DORA must also report the major ICT-related incident simultaneously to the Hungarian computer security incident response team (CSIRT) under the NIS2 directive. The Implementing Law also mandates FEs to notify CSIRT of significant cyber threats when voluntarily reporting significant cyber threats to the competent authority under DORA. In practice, the Hungarian CSIRT is the Special Service for National Security National Cybersecurity Centre.

Hungarian Central Bank, DORA and TLPT Authority

The Implementing Law appoints the Central Bank of Hungary (MNB) as the competent authority to ensure the FEs’ compliance with DORA and the Implementing Law. In the future, the MNB is expected to enter into cooperation agreements with the CSIRT and the competent authority under the NIS2 Directive (Supervisory Authority for Regulatory Affairs, SARA) to facilitate information sharing. We also expect that MNB will be appointed as TLPT authority under DORA.

Next Steps

The Implementing Law has been adopted by the Hungarian Parliament. After its official publication, the Implementing Law will go into effect on 17 January 2025, aligned with the applicability date of DORA. The full text of the Implementing Law is available here (only in Hungarian).

The article was co-authored by János Bálint.

For more information on the Implementing Law and its potential impacts on your business, contact your CMS client partner or your local CMS experts.