{"id":2088,"date":"2025-04-14T13:14:25","date_gmt":"2025-04-14T13:14:25","guid":{"rendered":"https:\/\/gerey.hu\/EU\/?p=2088"},"modified":"2025-04-14T13:17:47","modified_gmt":"2025-04-14T13:17:47","slug":"new-hungarian-cybersecurity-act","status":"publish","type":"post","link":"http:\/\/gerey.hu\/EU\/new-hungarian-cybersecurity-act\/","title":{"rendered":"New Hungarian Cybersecurity Act"},"content":{"rendered":"\n

The new Hungarian “Cybersecurity Act”, which entered into force in 2025, brought significant changes to the regulation of cybersecurity in Hungary.<\/p>\n\n\n\n

In accordance with the relevant provisions of the Cybersecurity Act, any legal person or unincorporated entity may be subject to the obligations set out in the Cybersecurity Act. For each legal entity, it is the responsibility of the directors of that legal entity to identify whether that legal entity is subject to the Cybersecurity Act. If the answer to this question is yes, then it is also the responsibility of the directors of that legal entity to determine whether the entity qualifies as an \u201cessential\u201d or “important” entity under the Act.<\/p>\n\n\n\n

Entities are classified as \u201cessential\u201d in particular:<\/p>\n\n\n\n

    \n
  1. each major economic entity under majority state control,<\/li>\n\n\n\n
  2. legal entities which, by virtue of the services they provide, are considered critical to the functioning of the state, society and the economy,<\/li>\n\n\n\n
  3. qualified trust service providers, regardless of their size (these providers provide and store digital certificates that enable the creation and validation of electronic signatures) and top-level domain name registries,<\/li>\n\n\n\n
  4. DNA-providers, as well as<\/li>\n\n\n\n
  5. legal entities that carry out an activity under Annex 2 of the Cybersecurity Act (e.g., in the subsector of electricity, public transport or water utilities) – and are at least a medium-sized enterprise.<\/li>\n<\/ol>\n\n\n\n

    The entities that are classified as “important” by law include legal persons that:<\/p>\n\n\n\n

      \n
    1. are service providers and organisations operating in high-risk or risky sectors whose disruption of service could have a significant impact on public order, public safety or public health,<\/li>\n\n\n\n
    2. processing for an essential or important organisation; furthermore<\/li>\n\n\n\n
    3. they are engaged in an activity listed in Annex 3 of the Cybersecurity Act (for example, in the food production, waste management or chemical manufacturing sectors).<\/li>\n<\/ol>\n\n\n\n

      The \u201cessential\u201d or \u201cimportant\u201d entities concerned must notify the Authority for the Supervision of Regulated Activities (hereinafter: \u201cthe Authority<\/strong>\u201d) and apply to the Authority for registration. Entities that were already registered by the Authority under the previous Cybersecurity Act in 2024 do not need to make a new notification. However, all entities registered with the Authority were required to notify the Authority by 15 February 2025 of the list of EU Member States in which the said entity provides services.<\/p>\n\n\n\n

      Entities subject to the Cybersecurity Act are also required to classify the data they handle and to classify the electronic information systems they use to ensure that the information system and the data and services it handles are protected in a manner commensurate with the risks.<\/p>\n\n\n\n

      Any entity that is subject to the Cybersecurity Act must enter into an agreement with a cybersecurity auditor listed in the Authority’s register within 120 days of registration. If the entity concerned has already started its operations before 1 January 2025, it must carry out its first cybersecurity audit by 31 December 2025. A covered entity that commences operations after that date shall conduct a cybersecurity audit within 2 years of its registration. The cyber security audit shall be repeated every two years.<\/p>\n\n\n\n

      In the event of non-compliance with the obligations laid down in the legislation, the Authority is entitled to impose the following sanctions on the body concerned which has committed the infringement:<\/p>\n\n\n\n

        \n
      • the Authority first issues a warning to the offending organisation and sets a deadline for corrective action,<\/li>\n\n\n\n
      • but may also appoint an information security officer at the organisation’s expense,<\/li>\n\n\n\n
      • if these measures fail to achieve their objective, the Authority may also impose a fine.<\/li>\n<\/ul>\n\n\n\n

        *<\/em><\/p>\n\n\n\n

        This summary is intended to raise awareness and does not constitute legal advice.<\/em><\/p>\n\n\n\n

        If you have any questions or need further information in connection with the above, please do not hesitate to contact us.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

        On January 1, 2025, the new Cybersecurity Act entered into force, which put the cybersecurity compliance obligations of companies registered in Hungary on a new basis. The new Cybersecurity Act primarily aims to transpose the provisions of the NIS 2 Directive of the European Parliament and of the Council (Directive (EU) 2022\/2555 of the European Parliament and of the Council) into Hungarian law, thus ensuring the cyber protection of electronic information systems used by organisations of importance for the secure operation of the state.<\/p>\n","protected":false},"author":1,"featured_media":2089,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[],"class_list":["post-2088","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog"],"_links":{"self":[{"href":"http:\/\/gerey.hu\/EU\/wp-json\/wp\/v2\/posts\/2088"}],"collection":[{"href":"http:\/\/gerey.hu\/EU\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/gerey.hu\/EU\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/gerey.hu\/EU\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/gerey.hu\/EU\/wp-json\/wp\/v2\/comments?post=2088"}],"version-history":[{"count":5,"href":"http:\/\/gerey.hu\/EU\/wp-json\/wp\/v2\/posts\/2088\/revisions"}],"predecessor-version":[{"id":2094,"href":"http:\/\/gerey.hu\/EU\/wp-json\/wp\/v2\/posts\/2088\/revisions\/2094"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/gerey.hu\/EU\/wp-json\/wp\/v2\/media\/2089"}],"wp:attachment":[{"href":"http:\/\/gerey.hu\/EU\/wp-json\/wp\/v2\/media?parent=2088"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/gerey.hu\/EU\/wp-json\/wp\/v2\/categories?post=2088"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/gerey.hu\/EU\/wp-json\/wp\/v2\/tags?post=2088"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}