Hungary sets cybersecurity fines in decree


A Hungarian government decree (Government Decree 305/2023 (VII. 11.) on the amount of cybersecurity fines, detailed rules of procedure for the imposition and payment of fines) has set down the minimum and maximum fines imposed by the competent authority under the new Act XXIII of 2023 on Cybersecurity Certification and Cybersecurity Supervision. The Decree specifies the infringements that are punishable by fines and adapts the amount of each fine.

Infringements and fines

Under the Decree, the competent authority issuing the certification will impose fines for breaches of EU and Hungarian legislation, ranging from a minimum of HUF 50,000 up to a maximum of HUF 50 million, depending on the type of infringement.

The infringements are defined by the EU law and the Cybersecurity Act as follows:

  • The fine ranges from HUF 50,000 to HUF 100,000 (approximately EUR 130 to EUR 260) for non-compliance with Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA, and also for non-compliance with the obligation to send to the certification authority the documents related to the compliance self-assessment required by the Cybersecurity Act;
  • The fine ranges from HUF 1 million to HUF 50 million (approximately EUR 2,600 to EUR 130,000) for a non-compliant organisation's compliance assessment under the Cybersecurity Act;
  • A fine of HUF 300,000 to HUF 50 million (approximately EUR 780 to EUR 130,000) for the unauthorised use of a compliance marking under the Cybersecurity Act;
  • A fine of HUF 50,000 to HUF 5 million (approximately EUR 130 to EUR 13,000) for failure to provide data to the competent authority for registration purposes under the Cybersecurity Act;
  • A fine of HUF 300,000 to HUF 5 million (approximately EUR 780 to EUR 13,000) for failure to comply with the obligation to report vulnerabilities or anomalies as defined in the Cybersecurity Act to the competent authority;
  • In case of failure to implement the necessary amendments and measures based on the deficiencies identified by the certification authority in accordance with the Cybersecurity Act, the fine ranges from HUF 200,000 to HUF 10 million (approximately EUR 520 to EUR 26,000).

Procedural aspects and entry into force

The fine must be paid within eight days of the date of imposition. In the case of several infringements, the maximum amount of the fine will be the sum of the maximum fines for each infringement. The fine may be reimposed for the same facts once the time limit set by the competent authority has expired without result.

The duties of the authority are carried out by the Supervisory Authority for Regulated Activities (Szabályozott Tevékenységek Felügyeleti Hatósága), which was set up in the autumn of 2021, except in the military industry sector, for which the Hungarian government has designated a separate authority.

For more information on this decree and cybersecurity regulations in Hungary, contact your CMS client partner or local CMS experts.

The article was co-authored by Mária Góth.