On 20 December 2024, the Hungarian Parliament adopted Act LXIX of 2024 on Cybersecurity in Hungary ("Cybersecurity Act"), which repealed the partial NIS2 transposition Act XXIII of 2023 on Cybersecurity Certification and Cybersecurity Supervision. The new Cybersecurity Act, which went into effect on 1 January 2025, and Government Decree 418/2024 (XII. 23.) on the implementation of Hungary’s Cybersecurity Act together transpose the EU’s NIS2 Directive, introduce additional network and information security requirements and establish related supervisory and procedural rules.
What entities and sectors are covered by Hungary’s new Cybersecurity Act?
The purpose of the Cybersecurity Act is to create a unified cybersecurity regulatory framework by:
- transposing the NIS2 Directive into Hungarian law, while deviating from the NIS2 Directive in terms of the scope of certain entities and extending the scope of obligations;
- repealing the previous Act XXIII of 2023 on Cybersecurity Certification and Cybersecurity Supervision, which partially transposed the NIS2 Directive; and
- incorporating the repealed Act L of 2013 on the Electronic Information Security of State and Local Government Bodies applicable for public sector entities.
The Cybersecurity Act applies to:
- essential or important entities in critical and high-criticality sectors as defined by the NIS2 Directive;
- public-sector entities, including public administration entities at the local level, in addition to those at the regional and central levels;
- entities falling under specific designation criteria, such as entities under majority state influence, sole providers of a service essential for maintaining critical social or economic activities, entities providing services to at least 20,000 persons in critical and highly critical sectors, services necessary for the functioning of the state, entities providing services to at least five entities falling under the scope of the Cybersecurity Act, and entities performing data processing activities for an essential or important entity.
The Cybersecurity Act’s scope does not extend to the banking and financial market infrastructure sectors; in these sectors, the DORA Regulation (EU) 2022/2554 remains applicable.
What is new under the Cybersecurity Act?
As a significant deviation from the NIS2 framework, the new Cybersecurity Act requires all concerned entities to classify their electronic information systems into “basic”, “significant”, or “high” security classes, with increasingly stringent protective requirements for each class. The classification is based on the risks to the integrity and availability of the relevant electronic information system, and to the confidentiality, integrity, and availability of the data it processes. Concerned entities are required to prepare an impact assessment and asset mapping of their electronic information systems and environments, and to maintain a comprehensive risk management framework, which includes identifying (e.g. by means of vulnerability testing), implementing, periodically evaluating (at least every two years), operating, and monitoring protective measures proportional to the risks. Concerned entities must also designate a person responsible for the security of their electronic information systems.
In addition, entities that fall under the extended scope of the Cybersecurity Act based on the specific criteria listed above are also required to classify the data processed in their electronic information systems where that data is processed abroad (i.e. outside of Hungary) or using non-private cloud services, which could place a significant burden on entities that rely on public cloud offerings.
Importantly, the cybersecurity authority, in its supervisory role, has the power to review the security class classification and data classification carried out by the organisation and may require reclassification if its assessment differs from the organisation's self-assessment.
If an entity engages a contributor for the creation, operation, auditing, maintenance, or repair of an electronic information system, for handling cybersecurity incidents, or for performing data processing activities related to the electronic information system, the cybersecurity requirements necessary for the contributor’s activities as defined by the entity must be stipulated in a contract.
What deadlines apply?
As a transitional provision, an entity already registered with the Supervisory Authority for Regulatory Affairs (SARA) as of 31 December 2024 is not required to re-register, but must submit the list of EU member states where it provides services by 15 February 2025. Additional deadlines include:
- 31 January 2025 or 30 days after commencement of activities: registration with SARA.
- 120 days after the registration or 1 May 2025 for previously registered entities: entering into contracts with auditors. The SARA Decree setting the maximum allowed fee for cybersecurity audits has not been published yet, which prevents the negotiation of these contracts at this point.
- 31 December 2025 or 31 December 2027: depending on the commencement date of its relevant activities, concluding the first cybersecurity audit.
There is no specific deadline for carrying out the security class classification, but this must be carried out as a prerequisite for contracting with the auditor since not all auditors are qualified to audit all security classes.
What to expect?
It is important to note that the Cybersecurity Act mandates SARA to establish supplementary rules regarding the amount of the cybersecurity supervisory fee, the registration of auditors, and the procedures and maximum fee for conducting cybersecurity audits. SARA has already adopted some of these decrees under previous legislation, such as SARA Decree 23/2023 (XII. 19.) on the regulatory register of concerned entities subject to cybersecurity supervision and SARA Decree 7/2024 (VI. 24.) on the register of auditors and the requirements applicable to auditors. It is not certain, however, whether these decrees will remain unchanged.
The Cybersecurity Act empowers the Cabinet of the Prime Minister to define the requirements for security classification and the specific protective measures applicable to each security class. These requirements are currently set out in MK Decree 7/2024 (VI. 24.), and it is unclear whether new regulations on this matter will be forthcoming.
Until new decrees are announced, concerned entities must adhere to existing decrees and regulations defining their obligations, including decrees on security class classification, risk management frameworks and necessary protective measures.
For more information on the Hungarian Cybersecurity Act and the implementation of NIS2, contact your CMS client partner or these CMS experts.