Hungary: Unified Information Security Standards in the Public Sector
→ Dániel Varga
A set of new pieces of legislation introduced unified information security standards into the public sector, which affects private companies offering IT services to the public sector.
Public entities and authorities falling under the scope of the new Hungarian Information Security Act must inspect their electronic information systems by 1 July 2014 to assess whether those systems meet the security criteria laid down by the new act and a ministerial decree by the National Development Ministry (NFM).
The unified information security standards in the public sector were introduced by a new act as of 1 July 2013 (Information Security Act). The Information Security Act applies to most governmental, administrative, and municipal authorities and entities.
The Information Security Act introduces a new concept of integrated and unified protection of electronic information systems (ie, the hardware and software necessary for data and information management) in the public sector. On the basis of the Information Security Act, a new authority, the National Electronic Information Security Authority (NEISA), was established and operates under the control of NFM.
As of 2010, a new set of legislation was introduced in Hungary to implement unified information security standards in the public sector. The system of unified security standards is built on the notion of the “national data asset”, introduced in 2010 by a new act on the enhanced protection of data registers (eg, the commercial register, the land registry, etc.) that fall under the category of national data asset. According to its legal definition, all personal data, public data, and information of public interest managed by entities responsible for public functions qualify as data falling under the scope of the national data asset.
Integrated and unified protection
NEISA, being responsible for supervising the security of the information systems, verifies the findings of the respective public sector entities and ensures that the electronic information systems comply with the relevant security requirements. Should a public entity fail to comply with the applicable security requirements, NEISA may impose a fine on public entities not belonging to the central budgetary system. Alternatively, NFM appoints an information security officer who is responsible for taking every measure necessary to comply with the applicable information security requirements.
Actual security incidents that threaten the secrecy, integrity, authenticity, or functionality of the information stored in the electronic systems of public sector entities are dealt with by a governmental incident-handling centre.
Effect on private service providers
Unreasonable limitations for private IT service providers
Prior to the implementation of the Information Security Act, Hungary lacked comprehensive legislation on the security of data managed by public entities. Therefore, the introduction of the above unified security standards is more than welcome. However, the security measures below may appear to restrict the activities of private IT service providers offering services to public sector entities to an unreasonable extent.
- The vast majority of authorities and public entities (eg, governmental offices and ministries) identified by the Information Security Act may manage information only on electronic information systems that are located in Hungary. Alternatively, the electronic information systems of these authorities and public entities may be operated in the EU on the basis of (i) a separate permission issued by the NFM or (ii) an international treaty.
- Likewise, entities appointed as the exclusive processors of data stored in national data registers (eg, the commercial register) may manage public information, information of public interest, and personal data only on electronic information systems located in Hungary. The above alternative regarding EU locations does not apply to these kinds of entities.
- Electronic information systems supporting the operation of assets qualified by law as national or European critical infrastructure (irrespective of whether these assets are privately or publicly owned) will also need to be located in the EU.
Private IT service providers that handle the data of public authorities or entities will also fall under the scope of the new legislation. The above requirements on the location of servers clearly restrict the provision of several IT services hosted on servers located outside Hungary (eg, cloud-based services). These measures will likely result in several companies having to take extensive steps to relocate the servers, computers, and other IT devices hosting the services that they provide to public authorities and entities. It is also expected that the adoption of up-to-date IT services in the public sector will slow down due to the newly introduced and extensive security requirements.