Governmental Regulation of Cybersecurity in the EU and Hungary after 2000

The term information security has evolved into cybersecurity, which emphasises the interdependence of information assets and the importance of cyber-physical systems. In parallel, the need for appropriate management of EU and government strategies and for new public administration tasks has also appeared. In the European Union, the first measure concerning this issue was the establishment of the European Union Agency for Network and Information Security (ENISA) in 2004, mostly with consultative tasks. The first official cybersecurity strategy in the EU, called Open, Safe and Secure Cyberspace, was accepted in 2013. Afterwards, ENISA's role was strengthened and its range of tasks broadened. Besides the critical infrastructure protection efforts, the Network and Information Security (NIS) directive and related legislation were a giant leap towards a common level of cybersecurity in the community. The formation of an EU Cybersecurity Act and filling NIS with more practical guidance is an ongoing process today. being a is the first of legislation on cybersecurity in the there 2009 the the information security of some governmental services. the National Security the National Cybersecurity Strategy 2013. The the first information security act applicable to all government, local government, governmental data processing and critical infrastructure service providers has force. The alignment of the National Cybersecurity Strategy to the NIS directive is happening these days. Thus, the regulation of cybersecurity in the EU and in Hungary is heading in the right direction, but the practical implementation today is far from the strategic objectives. The community is lagging far behind the United States of America and China, to mention only the most important players in the field.


Introduction

[Table 1. Legal regulations about cybersecurity in the EU and Hungary. Edited by the author.]

Technological development, as I have already pointed out, made local system security improvements indispensable. [3] In the case of e-government systems, a higher level of the problem also exists: an attack against multiple systems or against a full infrastructure. This can be part of a conventional war, as cyberwar, or may be an unconventional event, called a cyberterrorist attack; they all concern cybersecurity. Thus, a major part of cybersecurity can only be managed on the governmental or supranational level, with cybersecurity strategies, legal regulation, and dedicated authorities. [4] Table 1 shows in parallel the changes in the EU and Hungary, which will be detailed in this article.

Before forming any exact strategy, Regulation (EC) No 460/2004 of the European Parliament and of the Council of 10 March 2004 establishing the European Network and Information Security Agency [5] came into force. The regulation established ENISA, with the following objectives (Article 2):
• "the Agency shall enhance the capability of the Community, the member states and, as a consequence, the business community to prevent, address and respond to network and information security problems;
• the Agency shall provide assistance and deliver advice to the Commission and the member states on issues related to network and information security falling within its competencies as set out in this Regulation;
• building on national and Community efforts, the Agency shall develop a high level of expertise. The Agency shall use this expertise to stimulate broad cooperation between actors from the public and private sectors;
• the Agency shall assist the Commission, where called upon, in the technical preparatory work for updating and developing Community legislation in the field of network and information security."
It is important to note the verbs used: enhance, provide, develop, and update. They show an intention to form a soft agency without policy-making power. The exact plans for ENISA were also unclear. [6] The tasks aligned with the objectives above were the following:
• collect appropriate information to analyse current and emerging risks;
• provide advice to stakeholders;
• enhance cooperation between different actors;
• facilitate cooperation between the Commission and the member states;
• contribute to raising awareness;
• assist the Commission and the member states in their dialogue with industry;
• track the development of standards;
• advise the Commission on research;
• promote risk assessment activities;
• contribute to Community efforts to cooperate with third countries;
• express its own conclusions independently.
As we see from the list above, the tasks are supportive functions. There are no regulatory, standardisation or audit functions dedicated to ENISA. In contrast, in the field of data protection, the European Data Protection Supervisor has the authority to audit EU organisations.

The first EU cybersecurity strategy, Open, Safe and Secure Cyberspace, dates from February 2013. It states that "the borderless and multi-layered Internet has become one of the most powerful instruments for global progress without governmental oversight or regulation. While the private sector should continue to play a leading role in the construction and day-to-day management of the Internet, the need for requirements for transparency, accountability and security is becoming more and more prominent." [7] The first statement is: "The EU's core values apply as much in the digital as in the physical world, the same laws and norms that apply in other areas of our day-to-day lives apply also in the cyber domain." [8] According to the Tallinn Manual 2.0, most international law rules of the physical world can be applied to conflicts in cyberspace, but some issues remain unregulated. For those new points, additional rules are required. Cybercrime, however, is typically a field where all real-life legislation can be used; only the context, the device and the methodology have changed.
The strategy defined five strategic priorities, which address the challenges:
• "achieving cyber resilience;
• drastically reducing cybercrime;
• developing cyber defence policy and capabilities related to the Common Security and Defence Policy (CSDP);
• develop the industrial and technological resources for cybersecurity;
• establish a coherent international cyberspace policy for the European Union and promote core EU values." [7]
In the first strategic priority, achieving cyber resilience, the need to modernise and strengthen ENISA was articulated. [9] After nine years of ENISA's operation and nearly 300 publications (with focus topics such as incident and risk management, critical infrastructure protection, trust services and cloud computing), a new regulation came into force. Regulation (EU) No 526/2013 set the following objectives:
• "the Agency shall develop and maintain a high level of expertise;
• the Agency shall assist the Union institutions, bodies, offices and agencies in developing policies in network and information security;
• the Agency shall assist the Union institutions, bodies, offices and agencies and the Member States in implementing the policies necessary to meet the legal and regulatory requirements of network and information security under existing and future legal acts of the Union, thus contributing to the proper functioning of the internal market;
• the Agency shall assist the Union and the Member States in enhancing and strengthening their capability and preparedness to prevent, detect and respond to network and information security problems and incidents;
• the Agency shall use its expertise to stimulate broad cooperation between actors from the public and private sectors." [10]
The tasks were also changed according to the objectives (Article 3):
• "support the development of Union policy and law, by advising, providing preparatory work, and analysing;
• support capability building by supporting the member states, promoting voluntary cooperation, assisting by the operation of a Computer Emergency Response Team (CERT);
• support the raising of the level of capabilities of national/governmental and Union CERTs promoting dialogue and exchange of information, with a view to ensure that, with regard to the state of the art, each CERT meets a common set of minimum capabilities and operates according to best practices;
• support voluntary cooperation;
• cooperate with Union institutions, bodies, offices and agencies;
• contribute to the Union's efforts to cooperate with third countries and international organisations." [10]
The most important change in the tasks was the establishment of CERT-EU, as a new service, and also a part of Computer

So a future change was foreseeable with the 2017/0225 (COD) Proposal for a Regulation of the European Parliament and of the Council on ENISA, the "EU Cybersecurity Agency", repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification ("Cybersecurity Act"). The vote was forecast for June 2018. Furthermore, on 13 September 2017, the President of the European Commission, Jean-Claude Juncker, announced an implementation toolkit for the Network and Information Security Directive, and a report to ensure an effective response in case of cyber-attacks in the member states.
As the topic is in the focus of general interest and even had many political debates, the acceptance lasted for a while. The new act is Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act). [12]
The objectives of ENISA changed slightly:
• the Agency shall be a centre of expertise on cybersecurity by virtue of its independence, the scientific and technical quality of the advice and assistance it delivers and the information it provides, the transparency of its operating procedures and methods of operation, and its diligence in carrying out its tasks;
• the Agency shall assist the Union institutions, agencies, and bodies, as well as the member states, in developing and implementing policies related to cybersecurity;
• the Agency shall support capacity building and preparedness across the Union, by assisting the Union, member states and public and private stakeholders in order to increase the protection of their network and information systems, develop skills and competencies in the field of cybersecurity, and achieve cyber resilience;
• the Agency shall promote cooperation and coordination at Union level among the member states, Union institutions, agencies and bodies, and relevant stakeholders, including the private sector, on matters related to cybersecurity;
• the Agency shall increase cybersecurity capabilities at Union level in order to complement the action of member states in preventing and responding to cyber threats, notably in the event of cross-border incidents;
• the Agency shall promote the use of certification, including contribution to the establishment and maintenance of a cybersecurity certification framework at Union level in accordance with Title III of this Regulation, with a view to increasing transparency of cybersecurity assurance of ICT products and services and thus strengthen trust in the digital internal market;
• the Agency shall promote a high level of awareness of citizens and businesses on issues related to cybersecurity.
The tasks grew heavily: the task list consists of 60 elements, grouped into the following seven articles:
• Tasks relating to the development and implementation of Union policy and law;
• Tasks relating to capacity building;
• Tasks relating to operational cooperation at Union level;
• Tasks relating to the market, cybersecurity certification, and standardisation;
• Tasks relating to knowledge, information and awareness raising;
• Tasks relating to research and innovation;
• Tasks relating to international cooperation.
Another focus is the forming of new European cybersecurity certification schemes (see Article 46): "The European cybersecurity certification framework shall be established in order to improve the conditions for the functioning of the internal market by increasing the level of cybersecurity within the Union and enabling a harmonised approach at Union level to European cybersecurity certification schemes, with a view to creating a digital single market for ICT products, ICT services and ICT processes." [12] Those schemes, with the additional national schemes defined in Article 57, may provide a higher level of IT security interchangeability within the EU.

Cybersecurity Organisation in Hungary
The first comprehensive security and The Act on Electronic Public Service (accepted in 2009) was the first act-level regulation dealing with information security in governmental organisations. [13] In sum, we may say that a relatively low awareness of the legislator and of business was observable in the usage of international IT security standards, despite their significance and the high risk in some areas. [14] No obligations were found in acts of the Hungarian Parliament for the enforcement of standards in IT security. There have been built-in self-control procedures in some acts, but in practice those procedures did not work efficiently. [15] In 2009 a small change commenced with the adoption of Act LX of 2009 on electronic public services. It highlighted the requirement of security as a basic principle.
According to Act LX of 2009 on electronic public services, organisations providing ICT-based public services ensure the publicity of data of public interest (according to the Act on data protection and freedom of information) and the protection of personal and any other data during the provision of services. [16] IT security-related requirements were detailed in the following regulations: Its scope is slightly broader than just state and local government organisations, as it also includes national data processors and critical infrastructure; therefore even private companies might be included (e.g. public utilities). [17] The act is based on international best practices and standards (e.g. ISO/IEC 27001:2013), although it does not reference them directly. The law operates with the essential items known in the information security field as the CIA triad (confidentiality, integrity, and availability). The act requires the integrity and availability of information systems in a closed, complete, consistent way, proportionate to the risks for the electronic system and its components. It is important that the proportionality of the security control implementation to risks is explicitly included. This enforces the conduct of a risk assessment and decisions based on it. This changes the malpractice of implementing security measures in an ad hoc manner, and is meant to minimise security budgets. [18] The act established the National Electronic Information Security Authority under the control of the Ministry of National Development. The new task of vulnerability testing and log analysis was dedicated to the National Security Authority, and the long-established Government Computer Emergency Response Team (GovCERT) was moved to the Special Service for National Security, which is a secret service in Hungary.
Afterwards, the field of cybersecurity, including the organisations above, was handed over to the Ministry of Interior with Government Decree 187/2015. (VII. 13.). Thus, the National Cyber Defence Institute was formed in the Special Service for National Security with the following features:
• administration by the National Electronic Information Security Authority;
• incident management and response by GovCERT-Hungary;
• forensic log analysis and vulnerability testing by the National Security Authority.
Another change coming into force in the meantime was the NIS directive. The National Cybersecurity Strategy has to be aligned with the requirements of NIS, Chapter II (National frameworks on the security of network and information systems), Article 7 (National strategy on the security of network and information systems). This is an ongoing process right now.

Conclusion
ENISA was established in 2004 as a consultative body. Both the EU and the Hungarian Cybersecurity Strategy were accepted in 2013. The strategies implied changes in the treatment of the field of cybersecurity at the higher level. The objectives and tasks of ENISA were changed, and the Hungarian authority was formed that year. The next step was the NIS directive and its implementation in the member states' law, which also provides reinforcement to EU legislation to improve ENISA. One of the main objectives and tasks both for ENISA and in the Hungarian regulation is training. Even in the private sector, there is a huge need for well-trained IT personnel. The required level of training is much higher in cybersecurity than in classical back-office processes. In order to provide hands-on knowledge, real-life laboratories shall also be used for such training. [19] Another field of cybersecurity is that of military or cyber warfare. Many EU members, including Hungary, are NATO members, which shapes our defence politics to a greater extent than the EU Common Security and Defence Policy. NATO recognised cyberspace as a "Domain of Operations" at the Warsaw Summit on 8-9 July 2016. In fact, there are no elements which are directly applicable at the member state level. There are many potential threats, like PSYOPS in social media. [20: 117] Also, the Internet of Things (IoT) as a civilian technology may pose risks to the defence sector. [21] But the fact that cyberspace became the fifth domain of operation, and the requirement that all military operations shall include such operations, will have a positive effect on defence.
Several changes happened in the previous years in European legislation, and therefore preparedness for cybersecurity risk is much better nowadays, but we lag behind the United States of America and behind China. [22] Thus there is a long way to go.