
NIS2: New Cybersecurity Act and Important Changes

As of 1 January 2025, the new Cybersecurity Act will govern the Hungarian implementation of the NIS2 Directive. Under the Cybersecurity Act, NIS2-covered entities are required to enter into an agreement with a registered auditor to conduct a cybersecurity audit within 120 days of registration.

New Cybersecurity Act in Hungary

The new act on Hungary’s cybersecurity, Act LXIX of 2024 (hereinafter: Cybersecurity Act), implementing the NIS2 Directive, has been published. It is effective as of 1 January 2025, repealing its two predecessors: Act L of 2013 (hereinafter: Information Security Act) and Act XXIII of 2023 (hereinafter: Cybersecurity Certification Act).

The law ensures compliance with the NIS2 Directive by integrating it into the national regulatory framework. Additionally, it supports the secure operation of public authorities and organizations performing activities critical to the state by enhancing the cybersecurity of their electronic information systems.

NIS2 Directive and the Cybersecurity Act

The NIS2 Directive does not directly apply to Hungarian businesses; rather, EU member states, including Hungary, must incorporate its regulations into their national legal systems. The previous Cybersecurity Certification Act, which formed the basis of the Hungarian implementation, has been repealed as of 31 December 2024.

In its place, Act LXIX of 2024 on Hungary’s Cybersecurity came into effect as of 1 January 2025. Its scope has been expanded beyond entities subject to NIS2 to also include organisations previously covered by the Information Security Act.

For market players affected by NIS2, the Supervisory Authority of Regulated Activities (SZTFH) remains the responsible oversight body.

New Cybersecurity Act – new deadlines

The new law modified several previously known deadlines and service-based obligations.

Registration

Organisations subject to NIS2 are required to submit their registration request to the SZTFH within 30 days of either commencing operations or becoming subject to this law. However, entities already listed in the Cybersecurity Certification Act’s registry are exempt, except for data specified in Section 29 (1) (a) ae) of the Cybersecurity Act, which includes the list of EU member states where the company provides services. This information must be reported to the SZTFH by 15 February 2025. (Section 89 (1) of the Cybersecurity Act)

Contract with the auditor

Under the previously effective Cybersecurity Certification Act, all entities subject to NIS2 were required to sign contracts for cybersecurity audits by 31 December 2024, but with the act’s repeal, this is no longer relevant.

The effective Cybersecurity Act provides that all affected entities must enter into an agreement with a registered cybersecurity auditor within 120 days of their registration (Section 16 (2) a) of the Cybersecurity Act).

For newly registering entities, the 120-day period starts from the issuance of the registration decision. However, for entities registered before 1 January 2025, it remains unclear when the 120-day period should begin.

Since the entities could not meet the previous 31 December 2024 deadline due to a missing SZTFH regulation, the SZTFH has issued a statement clarifying this issue:

"However, due to the absence of the SZTFH regulation, the affected companies will not be disadvantaged for missing the […] deadline through no fault of their own, and the authority will not impose any sanctions in such cases."

Cyber security audit

The change to the cybersecurity audit deadline that had been suspected in professional circles has not materialised. Companies that commenced operations before 1 January 2025 are required to complete their first cybersecurity audit by 31 December 2025, conducted by a cybersecurity auditor listed in the SZTFH register (Section 89 (2) of the Cybersecurity Act). Companies that began operations after 31 December 2024 must complete their cybersecurity audit within two years of registration (Section 16 (2) b) of the Cybersecurity Act).

Sanctions

The Cybersecurity Act also affects the sanctions imposed by cybersecurity authorities. If an entity fails to comply with the legal regulations and obligations, the authorities may take the following actions:

  • As a first step, the cybersecurity authority will issue a warning and, providing a reasonable deadline, request the company’s management to rectify the deficiencies.
  • A penalty may be imposed, as defined in Section 42 of Government Decree 418/2024 (XII. 23.).
  • If applicable, the authority may refer the case to the supervisory body and may appoint an information security supervisor at the organisation's expense, as specified in a decree issued by the president of SZTFH.
