The new Hungarian “Cybersecurity Act”, which entered into force in 2025, brought significant changes to the regulation of cybersecurity in Hungary.

In accordance with the relevant provisions of the Cybersecurity Act, any legal person or unincorporated entity may be subject to the obligations set out in the Cybersecurity Act. For each legal entity, it is the responsibility of the directors of that legal entity to identify whether that legal entity is subject to the Cybersecurity Act. If the answer to this question is yes, then it is also the responsibility of the directors of that legal entity to determine whether the entity qualifies as an “essential” or “important” entity under the Act.

The following entities, in particular, are classified as “essential”:

  1. each major economic entity under majority state control,
  2. legal entities which, by virtue of the services they provide, are considered critical to the functioning of the state, society and the economy,
  3. qualified trust service providers, regardless of their size (these providers provide and store digital certificates that enable the creation and validation of electronic signatures) and top-level domain name registries,
  4. DNS providers, as well as
  5. legal entities that carry out an activity under Annex 2 of the Cybersecurity Act (e.g., in the subsector of electricity, public transport or water utilities) – and are at least a medium-sized enterprise.

The entities that are classified as “important” by law include legal persons that:

  1. are service providers and organisations operating in high-risk or risky sectors, where disruption of their service could have a significant impact on public order, public safety or public health,
  2. carry out processing for an essential or important organisation; furthermore
  3. are engaged in an activity listed in Annex 3 of the Cybersecurity Act (for example, in the food production, waste management or chemical manufacturing sectors).

The “essential” or “important” entities concerned must notify the Authority for the Supervision of Regulated Activities (hereinafter: “the Authority”) and apply to the Authority for registration. Entities that were already registered by the Authority under the previous Cybersecurity Act in 2024 do not need to make a new notification. However, all entities registered with the Authority were required to notify the Authority by 15 February 2025 of the list of EU Member States in which the said entity provides services.

Entities subject to the Cybersecurity Act are also required to classify the data they handle and to classify the electronic information systems they use to ensure that the information system and the data and services it handles are protected in a manner commensurate with the risks.

Any entity that is subject to the Cybersecurity Act must enter into an agreement with a cybersecurity auditor listed in the Authority’s register within 120 days of registration. If the entity concerned had already started its operations before 1 January 2025, it must carry out its first cybersecurity audit by 31 December 2025. A covered entity that commences operations after that date shall conduct a cybersecurity audit within 2 years of its registration. The cybersecurity audit shall be repeated every two years.

In the event of non-compliance with the obligations laid down in the legislation, the Authority is entitled to impose the following sanctions on the entity that committed the infringement:

  • the Authority first issues a warning to the offending organisation and sets a deadline for corrective action,
  • but may also appoint an information security officer at the organisation’s expense,
  • if these measures fail to achieve their objective, the Authority may also impose a fine.

*

This summary is intended to raise awareness and does not constitute legal advice.

If you have any questions or need further information in connection with the above, please do not hesitate to contact us.
