On 31 January 2025, Hungary published two highly anticipated cybersecurity decrees under the Hungarian Cybersecurity Act, which transposes the NIS2 Directive. The decrees include SZTFH Decree 1/2025 (I. 31.), which contains the procedures for conducting a cybersecurity audit and the maximum fee for a cybersecurity audit; and SZTFH Decree 2/2025 (I. 31.), which details the amount and payment of the yearly cybersecurity supervision fee.
Scope of cybersecurity audits
SZTFH Decree 1/2025 (I. 31.) lays down detailed rules on audit methodology, related examination methods, and the criteria for evaluating the requirements applicable to each security class. The cybersecurity audit examines risk management, security measures, internal controls, information and communication technology (ICT) service provider expectations, staff responsibilities, and the practical implementation of security procedures.
Maximum amount of cybersecurity audit fee
The maximum fee for a cybersecurity audit, excluding VAT, is the result of a complex calculation including the multiplication of three varying multipliers and a fix base of HUF 1.75 million (EUR 4,282). The three varying multipliers depend on the net sales of the entity for the previous financial year, the number of its electronic information systems and the security classes of its electronic information systems.
Amount and payment of yearly cybersecurity supervision fee
The amount of the yearly cybersecurity supervision fee is calculated in two ways: one way if the entity’s annual net sales for the prior year do not exceed HUF 20 billion (EUR 48 million); another way will be employed if the entity’s annual net sales for the prior year exceed HUF 20 billion (EUR 48 million).
Entities must also pay the annual cybersecurity supervision fee for the years 2024 and 2025. The cybersecurity supervision fee for 2024 is prorated from 18 October 2024 to 31 December 2024.
The full text of SZTFH Decree 1/2025 (I. 31.) on the Procedures for Conducting a Cybersecurity Audit and the Maximum Fee for a Cybersecurity Audit is available here (only in Hungarian). The full text of SZTFH Decree 2/2025 (I. 31.) on the Cybersecurity Supervision Fee is available here (only in Hungarian).
For a detailed summary on the new comprehensive Hungarian Cybersecurity Act transposing the NIS2 Directive, read our previous article.
The article was co-authored by János Bálint.
For more information on the Hungarian Cybersecurity Act and the implementation of the NIS2 Directive, contact your CMS client partner or these CMS experts.
Social Media cookies collect information about you sharing information from our website via social media tools, or analytics to understand your browsing between social media tools or our Social Media campaigns and our own websites. We do this to optimise the mix of channels to provide you with our content. Details concerning the tools in use are in our Privacy Notice.