The 2013 Cyber Strategy and its Implications

Hungary adopted a dedicated cybersecurity strategy in 2013 through Government Decision 1139/2013 (21 March) on Hungary’s National Cybersecurity Strategy (“2013 Cyber Strategy”). The 2013 Strategy aimed to align with constitutional principles and national interests while addressing the challenges of the digital age. It set national goals, strategic directions, and government measures to ensure a free and secure cyberspace, protect national sovereignty, and safeguard economic and societal activities. The strategy emphasised securely adapting technological innovations, fostering international co-operation, and strengthening governmental co-ordination to address cybersecurity threats. It also integrated core values such as freedom, security, and the rule of law, aligning with Hungary’s National Security Strategy, EU and NATO cybersecurity principles, and the Budapest Convention on Cybercrime.

This previous 2013 Cyber Strategy paved the way for the Hungarian Parliament and the government to adopt legislation such as the Act L of 2013 (“Information Security Act”) on the Electronic Information Security of State and Municipal Bodies, and its executive regulation, namely Decree 42/2015 (VII. 15.) of the Ministry of Interior on the Procedure for the Official Registration of Certain Organisations Covered by the Act on Electronic Information Security. The Information Security Act aimed to protect national electronic data assets, critical information systems, and their components, recognising their importance in addressing modern threats. Ensuring the confidentiality, integrity, and availability of data and systems is a societal expectation essential for safeguarding cyberspace.

NIS1 Implementation

Later, Hungary implemented the Directive (EU) 2016/1148 (NIS Directive) in various laws, including the Act CVIII of 2001 on Certain Issues of Electronic Commercial Services and Information Society Related Services (E-commerce Act). Detailed rules regarding cybersecurity event management and supervision were laid down in Government Decree 270/2018 (XII. 20.) on the Supervision of the Electronic Information Security of Information Society Services and the Procedure on Security Events. Further to this, critical assets and pieces of critical infrastructure were defined in Act CLXVI of 2012 on the Identification, Designation and Protection of Critical Systems and Facilities.

The 2020 National Security Strategy

Hungary updated its National Security Strategy in 2020 (Government Decision 1163/2020) to address significant changes in the global security environment since 2012. The strategy highlights factors such as a shifting world order, climate change, migration, resource depletion, and technological advancements. It emphasises preserving security levels, national values, economic priorities, and defence industry development to ensure Hungary’s stability and growth amid global, European, and national challenges.

Cybersecurity features prominently in the updated strategy, which recognises cyberspace as a critical operational domain alongside land, sea, air, and space. It underscores the increasing frequency and sophistication of cyber threats, including attacks on critical systems by state and non-state actors such as cybercriminal groups and international terrorist organisations. The strategy prioritises enhancing resilience to hybrid attacks through national unity, strong democracy, efficient decision-making, and collaboration across defence, law enforcement, and civilian infrastructure. Key measures include bolstering cybersecurity to protect critical information infrastructure and governmental IT systems, addressing risks, and fostering public-private partnerships. The strategy highlights the importance of AI-based systems’ secure development, international co-operation, and the establishment of global norms for cyberspace security. It considers cyber capabilities causing physical harm or material damage as weapons, warranting potential physical responses, with attribution requiring careful governmental evaluation. Hungary’s approach focuses on strengthening cybersecurity through enhanced regulations, sectoral alignment with national security goals, and partnerships to address rising cyber threats targeting governmental platforms, utilities, and critical infrastructure.

NIS2 Implementation and Harmonisation of Requirements

In line with its National Security Strategy, Hungary has enacted several pieces of legislation to implement the EU’s NIS2 Directive into Hungarian law. This included the Act XXIII of 2023 on Cybersecurity Certification and Supervision (“2023 Cybersecurity Act”), MK Decree 7/2024 (VI. 24.) on Security Classification Requirements (“MK Decree”), and SZTFH Decree 23/2023 (XII. 19.) on the cybersecurity register of affected entities. However, due to significant shortcomings in implementing NIS2 Directive requirements in the 2023 Cybersecurity Act, the European Commission initiated an infringement procedure against Hungary for failing to fully transpose the NIS2 Directive and ensure the protection of critical infrastructure and the resilience of critical entities. Consequently, Act No LXIX of 2024 on Hungary’s Cybersecurity (“2024 Cybersecurity Act”), published in Hungarian Official Journal No 130 on 20 December 2024, and effective as of 1 January 2025, repealed the 2023 Cybersecurity Act. Additionally, Act No LXXXIV of 2024 on the Resilience of Critical Organisations (“Critical Infrastructure Act”), published in Official Journal No 131 on 20 December 2024, also took effect on 1 January 2025, albeit in stages, repealing the 2012 Act on the Identification, Designation, and Protection of Critical Systems and Facilities.

Several lower-level pieces of legislation, such as the presidential decree of the supervisory authority regarding the applicable audit methodology and auditor fees, are not yet published.

General

In general, requirements regarding the cybersecurity-related protection and processing of personal data are laid down in the EU’s General Data Protection Regulation and in general, organisations processing personal data must comply with privacy by design, privacy by default and data security requirements laid down by Article 32 GDPR.

NIS2 Regulations

As opposed to the legislative landscape in 2024 and previous years, the 2024 Cybersecurity Act, its executive regulation, the Government Decree 418/2024 (XII. 23.) on the Implementation of the 2024 Cybersecurity Act (“Execution Decree”) and the MK Decree harmonised requirements for both private and public sector entities falling within the scope of the 2024 Cybersecurity Act. According to the justification to the draft of the 2024 Cybersecurity Act, the Act “uniformly regulates the legal framework for defense against cyberattacks and harmonizes it with European Union legislation. At the same time, it establishes a new and effective defense structure that simplifies the protection of state information systems and provides guidance for market players as well.” According to the justification for the proposal, "[t]he transposition of the NIS2 Directive into Hungarian law was initiated by Act XXIII of 2023 on Cybersecurity Certification and Cybersecurity Supervision (hereinafter: Cybersecurity Act). However, considering the increasing number of cyberattacks and incidents affecting various sectors across Europe, the state organizational framework dealing with cybersecurity has been reviewed, and it has become expedient to unify the fundamental cybersecurity rules in a single law.”

The 2024 Cybersecurity Act, along with its Execution Decree and the MK Decree, harmonised requirements for both private and public sector entities. These include administrative bodies, state-owned enterprises, entities designated as essential or important but not covered under the 2024 Cybersecurity Act or the EU Digital Operational Resilience Act (DORA), NIS2 entities qualifying as at least medium-sized enterprises, and entities covered by NIS2 regardless of their size. The 2024 Cybersecurity Act also introduced changes to the scope of entities covered by the 2023 Cybersecurity Act. While the 2023 Act applied to all food businesses, including retailers, the 2024 Act limits its scope to food businesses involved in wholesale distribution, industrial production, and food processing. Additionally, holders of pharmaceutical wholesale distribution authorisations under Article 79 of Directive 2001/83/EC are excluded from the new legislation, though pharmaceutical wholesalers remain covered.

The 2024 Cybersecurity Act does not apply to electronic information systems handling classified data, operational electronic information systems, programmable systems covered by the government decree on physical protection and related licensing, reporting, and inspection in the application of nuclear energy, and cybersecurity services provided by entities designated in a separate government decree. Furthermore, the 2024 Cybersecurity Act did not implement Annex I, Section 3 (banking sector) and Annex I, Section 4 (financial market infrastructures) of the NIS2 Directive, as these fall within the scope of DORA.

The 2024 Cybersecurity Act is applicable to the following entities:

• organisations established in Hungary or represented by a local representative;
• electronic communications service providers offering services in Hungary; and
• DNS providers, top-level domain registries, domain name registration providers, cloud service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplace operators, online search engines, and social media platforms, whose main business establishment is in Hungary.

An organisation’s main business establishment is considered to be in Hungary if:

• decisions regarding cybersecurity risk management measures are predominantly made in Hungary;
• cybersecurity operations for the organisation’s electronic information systems are conducted in Hungary; or
• the organisation’s largest workforce is based in Hungary.

Non-Hungarian organisations operating electronic information systems under the 2024 Cybersecurity Act must appoint a Hungarian-based representative responsible for compliance, without affecting the organisation’s or its head’s liability.

The head of the entity must establish and operate a risk management framework for protecting electronic information systems, adhering to applicable EU laws or national regulations where EU laws do not apply. Periodic reviews, including security classifications, must occur at least every two years. Key responsibilities include:

• registering and assessing all electronic information systems, central services, and supporting systems used by the organisation;
• assigning roles, responsibilities, and appointing a person responsible for system security;
• conducting risk assessments, impact analyses, and security classification of systems;
• implementing proportional protective measures and ensuring compliance with EU and national cybersecurity regulations;
• regularly reviewing protective measures and addressing identified deficiencies;
• overseeing internal cybersecurity assessments and ensuring system security through periodic evaluations; and
• deciding on system usage and complying with cybersecurity authority mandates.

To ensure the protection of electronic information systems, the head of the entity must, among other duties:

• provide training on cybersecurity responsibilities for themselves and staff, including mandatory and continuing education as specified by the responsible minister;
• ensure participation in mandatory national cybersecurity exercises or conduct independent exercises;
• maintain traceability of events within electronic information systems;
• ensure third-party service providers comply with cybersecurity requirements through contractual obligations when involved in system creation, operation, auditing, maintenance, or incident handling;
• respond swiftly and effectively to cyber threats, incidents, or near-incidents, including reporting to the cybersecurity incident response centre and overseeing recovery efforts;
• notify affected parties promptly about cybersecurity incidents and potential threats;
• implement recommendations and guidelines from the cybersecurity authority and incident response centre;
• strive to execute tasks outlined in the legislation as quickly as possible;
• allocate at least 5% of the organisation’s annual IT development budget to cybersecurity improvements for applicable organisations; and
• take any additional necessary measures to safeguard electronic information systems.

Organisations must classify their electronic information systems as “basic”, “significant”, or “high” security classes to ensure proportional protection for their systems, data, and services. Classification is based on the risks to system integrity and availability, as well as the confidentiality, integrity, and availability of the data processed. The organisation’s head is responsible for making the classification decision, ensuring compliance with regulations, and verifying the completeness and timeliness of the data used. The classification results must be documented in the organisation’s system registry or internal policies. The security classification must be reviewed at least every two years or promptly following any legally defined changes affecting the system’s security, with the review process documented. Further details are set out in the MK Decree.

The head of the entity must appoint an individual responsible for the security of electronic information systems or enter into an agreement with an external party to fulfil these responsibilities. This includes operating the risk management framework, reporting cybersecurity incidents, and liaising with the cybersecurity incident response centre. For certain organisations, the mandatory elements of such agreements are specified in the Execution Decree. Even when outsourcing, a designated individual must be named as the responsible person. The role can only be performed by someone who is legally competent, has a clean criminal record, and, for specific organisations, meets the qualifications, certifications, or experience requirements outlined by the decree of the minister responsible for IT.

Enterprises under majority state ownership that exceed the thresholds defined for medium-sized enterprises and entities covered by Annex 2 and Annex 3 of the 2024 Cybersecurity Act (whose scope corresponds to Annex I and Annex II of the NIS2 Directive) must conduct a cybersecurity audit every two years to demonstrate compliance with the 2024 Cybersecurity Act’s requirements. Additionally, audits may be mandated by the competent cybersecurity authority. Organisations are required to enter into an agreement with an auditor listed in the supervisory authority’s registry within 120 days of their registration and conduct their first cybersecurity audit within two years of their registration. The related audit methodology and auditor fee regulation is not yet published.

Requirements regarding risk management, risk assessment methodology, security classification and technical and organisational controls are detailed in the MK Decree, while the Execution Decree sets out procedural and detailed requirements regarding entities falling within the scope of the 2024 Cybersecurity Act.

Financial Sector

Cybersecurity-related requirements, including mandatory and regular audits of relevant systems and procedures, are outlined in Government Decree 42/2015 (III. 12.) on the Protection of IT Systems for Financial Institutions, Insurance and Reinsurance Companies, and Investment Firms and Commodity Exchange Service Providers. Additionally, EU-level legislation, such as the PSD2 Directive, has been incorporated into Hungarian law through amendments to various financial sectoral regulations. From 17 January 2025, the DORA regulation, governing cybersecurity and supply chain risk management requirements alongside Government Decree 42/2015 (III. 12.), came into effect in Hungary.

Healthcare Providers

Public and private healthcare providers must connect to the Electronic Health Service Space (EESZT). IT systems used to connect to the EESZT must comply with strict requirements, including with regard to secure access, identification, communication protection, service handling, and adherence to technical and security standards. Developers with appropriate rights can apply for authorisation, specifying the system’s intended use. Authorised systems must ensure continuous compliance during updates, version changes, or technical modifications for system integration, with significant changes reported within eight days. Operators monitor system performance to verify ongoing compliance, with the authority to revoke authorisation if requirements are unmet. Additionally, operators maintain and publish a registry of authorised systems for transparency. These regulations aim to enhance the security, functionality, and reliability of IT systems, ensuring they meet technical and operational standards.

Criminal Law

Act C of 2012 on the Criminal Code defines penalised behaviours related to cybersecurity, such as intercepting electronic communications, computer abuse, and fraud committed using computer devices. Act LXXVIII of 2024 on Combating Online Aggression, which entered into force on 1 January 2025, amends the Criminal Code to introduce the offence of “Internet Aggression”. This offence penalises publishing or using expressions, depictions, or audio-visual content via electronic communication networks that express intent or desire for violent crimes (causing death or extreme cruelty) against identifiable persons, with up to one year of imprisonment unless a more severe crime is committed. Exceptions are provided for educational, scientific, artistic, or informational purposes, as long as the act does not incite fear.

NIS2

Under the 2024 Cybersecurity Act, the cybersecurity oversight of electronic information systems under this law is handled by:

• the national cybersecurity authority, the Special Service for National Security (Nemzetbiztonsági Szakszolgálat, NBSZ) designated by government decree for systems of administrative bodies, state-owned enterprises, entities designated as essential or important but not covered under the 2024 Cybersecurity Act or DORA (the NBSZ operates independently, with sole accountability to legal regulations, and performs its tasks autonomously, free from instructions, except for directives to complete tasks or address omissions);
• the SZTFH for systems of NIS2-related organisations not covered by the above; and
• for defence-related electronic information systems, the defence cybersecurity authority within the defence sector, the Hungarian Minister of Defence is responsible; its operations follow the regulations applicable to the national cybersecurity authority.

The NBSZ is responsible for a wide range of tasks to ensure the security of electronic information systems. Key responsibilities include:

• verifying compliance of individuals responsible for system security and registering their qualifications;
• reviewing and approving security classifications for systems and ensuring compliance with relevant regulations and standards;
• issuing guidelines, recommendations, and technical requirements for system security and mandating adherence to international and European standards;
• addressing and rectifying identified security deficiencies and monitoring the effectiveness of corrective measures;
• overseeing system security during development and approving their deployment while restricting usage if requirements are unmet;
• managing cybersecurity incidents, notifying the incident response centre, and participating in national and international cybersecurity exercises and events;
• representing Hungary in EU and international cybersecurity bodies;
• identifying critical or important organisations and recommending their designation to the relevant authorities;
• organising or mandating cybersecurity drills for organisations and issuing guidance on their exercises.

The SZTFH:

• defines guidelines, recommendations, and requirements for the security of electronic information systems;
• may issue guidance on the compatibility of protective measures specified in EU legislation and regulations issued by the minister responsible for IT;
• ensures compliance with electronic information security requirements, may mandate the application of relevant European and international standards and technical specifications for the security of electronic information systems, without prescribing or favouring specific technologies;
• verifies compliance with statutory or self-defined requirements for the classification of electronic information systems;
• orders the remediation of security deficiencies identified during inspections or brought to its attention, oversees the implementation of corrective measures, and evaluates their effectiveness;
• participates in cybersecurity-related exercises and represents Hungary in international cybersecurity exercises upon request;
• represents Hungary in domestic and international cybersecurity and information security events;
• may participate in expert evaluations under Article 19 of the NIS2 Directive or initiate evaluations;
• monitors the Hungarian implementation of the NIS2 Directive;
• contributes to awareness-raising activities to protect Hungarian cyberspace;
• may order and verify any measures necessary to mitigate threats to electronic information systems;
• maintains a registry of reported registration data;
• conducts extraordinary inspections or orders audits in the event of significant security incidents or suspected non-compliance;
• may request and review, for oversight purposes, the following from organisations:
1. documents supporting the appropriateness of security classifications and measures;
2. reports on internal IT security audits; and
3. other documents, data, or information confirming regulatory compliance.

The cybersecurity authority is authorised to take supervisory actions or apply legal consequences for:

• organisations providing services in Hungary or operating network and information systems located in Hungary, based on mutual assistance requests from other EU member states’ cybersecurity authorities; and
• organisations providing services in Hungary without a designated representative in any EU member state.

Additionally, the authority may prioritise its supervisory tasks based on risk analysis to effectively fulfil its legally defined responsibilities. The detailed rules for conducting oversight inspections are determined by a decree issued by the president of the SZTFH.

Generic Data Security Requirements for Personal Data

The Hungarian Data Protection and Freedom of Information Authority (NAIH) supervises data protection-related matters. The NAIH is one of the most numerously staffed data protection authorities in EU member states, and data protection enforcement in Hungary is rigorous and stringent. However, investigations usually initiated upon individual complaints and ex officio inspections are quite rare. Penalties that the NAIH may apply are defined by the Information Act, the GDPR and the Hungarian Sanctions Act. The GDPR imposes two tiers of fines for non-compliance: lower-level penalties up to EUR10 million or 2% of worldwide annual turnover, for issues like data security and co-operation with authorities, and upper-level penalties up to EUR20 million or 4% of annual turnover, for serious infringements like violating data subjects’ rights and unlawful data transfers. These fines are discretionary, considering factors like the infringement’s nature and any mitigating actions taken by the organisation.

Financial Sector

The Hungarian National Bank (MNB) supervises entities within the financial sector, including banks, insurance companies, payment providers, etc. The MNB also takes a very rigorous and stringent approach to compliance with applicable financial regulations and laws. It is well-known for its extensive written guidance that also covers cybersecurity requirements, cloud services and outsourcing within the financial sector and acts as actual “soft law” and represents the MNB’s legal interpretation of applicable laws.

The MNB regularly conducts audits on actors within the financial sector, which also include thorough IT audits and reviews. During an audit, the MNB assesses if a financial institution follows the MNB’s guidance, has the required documentation in place that can confirm compliance with applicable cybersecurity requirements (eg, conducting penetration tests on banking systems, software, consumer-facing applications, conducting regular user access reviews, holding the necessary information security trainings and awareness campaigns, etc).

The MNB enforces financial regulations by imposing fines, restricting banking operations, and in severe cases, suspending or revoking licences. It can also mandate corrective actions, issue public warnings affecting an institution’s reputation, and initiate legal proceedings. These measures ensure compliance and stability in Hungary’s financial sector, with penalties based on the severity of violations, impact on the financial system, and the institution’s past conduct. Furthermore, the MNB is empowered to impose fines not only on the inspected organisation itself, but also on its leadership and any individual classified as holding a senior position under applicable laws. The level of fines varies according to numerous circumstances, with different ranges applicable depending on the specifics of the case.

E-Privacy

The NMHH is in charge of the enforcement of e-privacy-related data security requirements applicable to public electronic communication service providers and can audit service providers in an administrative procedure. The NMHH Decree No 4/2012 (I. 24.) lays down the specific rules concerning data protection and confidentiality obligations related to the provision of public electronic communication services in Hungary and the decree is the local implementation of the EU ePrivacy Directive.

The Critical Infrastructure Act, announced in Hungarian Official Journal No 131 on 20 December 2024, and technically effective from 1 January 2025, requires the designation authority to initiate procedures by 30 April 2025 to review and potentially revoke or uphold decisions made under the 2012 Act on the Identification, Designation, and Protection of Critical Systems and Facilities. Operators of critical system elements designated under the 2012 Act will continue to be treated as critical organisations until a final decision is made. Additionally, the Critical Infrastructure Act repealed the 2012 Act on the Identification, Designation, and Protection of Critical Systems and Facilities.

The Critical Infrastructure Act regulates measures to enhance the resilience of critical organisations headquartered in Hungary, along with their support and supervisory systems. It applies to critical organisations, critical infrastructures, participating individuals and entities, administrative bodies, and relevant sectors and organisations. Additionally, the provisions of the Critical Infrastructure Act apply to the natural gas, hydrogen, and electricity subsectors, with exceptions as specified within the law. Furthermore, the Critical Infrastructure Act applies to the electricity transmission components of nuclear facilities in relation to electricity generation as an essential service. Its provisions do not affect EU treaties or regulations specifically governing nuclear elements. Measures, support, and supervisory systems aimed at enhancing the resilience of nuclear facility components fall under the authority of the regulatory body responsible for the peaceful, safe, and secure use of nuclear energy.

The provisions of the Critical Infrastructure Act for critical organisations and critical infrastructures must be applied with priority given to the national legislation transposing the NIS2 Directive, meaning the 2024 Cybersecurity Act, the Execution Decree and the MK Decree.

Basic Principles and Obligations of Critical Organisations

In organising the resilience of critical organisations and implementing the tasks defined in the Critical Infrastructure Act, the following principles must be upheld by critical organisations and individuals:

• The resilience of critical organisations is a key component of the national resilience system.
• Ensuring the continuity of essential services and the resilience of critical organisations and infrastructures is a national interest.
• Authorities, critical organisations, and individuals must respect each other’s rights and cooperate in good faith.
• Critical organisations must consider available resources, risks, and the impacts of extraordinary events when meeting resilience requirements.
• Attention must be given to cross-border interdependencies of essential services, critical infrastructures, organisations, subsectors, and sectors.
• Data related to critical organisations must be accessed only by those with a legitimate need for their duties, with confidentiality obligations persisting even after the relationship ends, and must not be disclosed to unauthorised individuals.
• Measures regarding the resilience of critical organisations must comply with the principle of proportionality, being necessary and appropriate to achieve the desired goal.
• In matters involving nuclear energy, the authority of the nuclear regulatory body must be respected, and safety must take precedence over all other considerations.

Critical organisations must enhance their resilience while ensuring the continuous delivery of essential services. The responsibility for maintaining and improving resilience, as well as implementing necessary measures, rests with the critical organisation. Resilience assessments and improvements should consider national risk assessments, resilience plans, risk management strategies, emergency prevention and recovery measures, physical security, organisational specifics, and applicable regulations. To fulfil resilience requirements, authorised security personnel may inspect individuals, vehicles, and objects entering or leaving critical infrastructure, and restrict or prevent access if necessary. Employees, suppliers, and contractors must co-operate and fulfil assigned tasks, while employees in critical roles must adhere to the resilience plan. Suppliers are required to meet the organisation’s standards, and individuals entering facilities must comply with organisational restrictions. These measures aim to safeguard critical infrastructure and enhance national resilience.

Risk Management

Critical organisations must assess, identify, evaluate, and manage risks that may impact the secure and continuous operation of critical infrastructure and the delivery of essential services. Risk assessments and the development of a resilience matrix must address mandatory general and sector-specific risks and additional risks identified by the organisation. The assessment and matrix must consider the potential consequences of risks that could lead to extraordinary events threatening the secure and continuous operation of the organisation and infrastructure. The detailed criteria for risk assessment and resilience matrix development are defined by government decree.

Resilience Plan and Responsible Person for the Resilience of a Critical Organisation

Critical organisations must prepare a resilience plan and its accompanying resilience matrix by the deadline set by the designation authority. These documents must be completed using a standardised form provided by the authority and submitted electronically for approval.

The general designation authority, with input from sector-specific or energy-related authorities, evaluates the submitted plan and matrix for compliance with content and format requirements. General sections are reviewed by the general authority, while sector-specific sections are assessed by the relevant sectoral or energy authorities.

The resilience plan must include:

• a description of the critical organisation, infrastructure, and essential services;
• the rules, organisational structures, and tools ensuring service continuity and operational resilience; and
• risk assessments, resilience matrices, and measures to maintain and restore operations.

The plan must undergo regular annual reviews and immediate updates following significant changes, extraordinary events, or regulatory findings. Updates follow the same procedures as the initial submission. Sector-specific criteria are outlined by the sectoral authorities and updated as needed. For nuclear facilities, sector-specific requirements apply only to components related to electricity transmission.

Furthermore, critical organisations must establish the position of chief resilience officer (CRO) within 90 days of a designation decision. This individual shall report directly to the organisation’s leadership and ensure compliance with resilience-related tasks. The organisation must submit details about the leader’s qualifications, appointment, and any changes to the registry authority within eight days. This person is responsible for co-ordinating with authorities, conducting risk assessments, updating resilience plans and matrices, and evaluating the organisation’s resilience. They organise co-ordination among units impacting resilience and regularly report to organisational leadership.

Each critical infrastructure and essential service operated by the organisation must have a designated CRO, who must meet qualification and background requirements. For nuclear facilities, the CRO must operate under senior management, adhering to specific nuclear requirements. The CRO may also join the advisory committee for CROs or register independently with the authority if not employed by a critical organisation. Individuals failing to meet required qualifications, training, or background checks cannot be registered.

Resilience Exercises

Critical organisations must conduct resilience exercises to evaluate the effectiveness of their resilience plans and capabilities. These include:

• Regular Resilience Exercises: These are held annually from the year following designation, addressing extraordinary event management at all sites and specific risks at at least one site.
• Complex Resilience Exercises: These are conducted in collaboration with the designation authority, focusing on the suitability of organisational and operational systems and cooperation with other entities during emergencies.
• Stress Tests: These are participated in upon request by the designation authority.

The organisation’s CRO evaluates and documents exercise results, ensuring compliance with legal and regulatory obligations. Exercises may lead to updates of the resilience plan. Designated personnel must participate in all exercises and tests, with notifications sent at least 14 days in advance.

For nuclear facilities, other exercises specified by the OAH (Hungarian Atomic Energy Authority) can fulfil resilience requirements if they meet relevant regulations. Non-compliance may result in mandated revisions to the exercise procedures or the necessity to repeat the exercises.

NIS2-Related Security Events

Administrative bodies, state-owned enterprises, entities designated as essential or important but not covered by the 2024 Cybersecurity Act or DORA, as well as those covered under the 2024 Cybersecurity Act, must promptly report all threats, near-cybersecurity incidents, and cybersecurity incidents, including operational cybersecurity incidents, to the NBSZ, which serves as the National Cybersecurity Incident Response Centre (CERT).

NIS2-relevant organisations under the 2024 Cybersecurity Act are specifically required to report incidents that significantly disrupt operations or services, cause substantial financial harm to the organisation, or result in significant financial or non-financial damage to others. Additionally, these organisations may voluntarily report cybersecurity incidents that fall below the mandatory reporting threshold.

All reporting must adhere to the procedures outlined in the applicable government decree.

Organisations must submit an initial cybersecurity incident report without undue delay and within 24 hours of becoming aware of the incident. The report should include the following information, if available:

• identification of the affected electronic information system;
• a brief description of the incident, including whether it qualifies as an operational cybersecurity incident;
• the status, duration, and geographical extent of the incident;
• the expected recovery time, if estimable;
• details of the affected data type, nature, and user impact;
• the extent of service disruption and potential cross-border effects;
• contact details of the designated liaison handling the incident;
• information on intermediary or central service providers involved;
• whether the incident is intentional; and
• any other relevant information to assess cross-border impacts.

Furthermore, organisations must comply with the following reporting requirements for cybersecurity incidents:

• report infection indicators as soon as such metrics become available;
• within 72 hours of becoming aware of the incident, submit an updated notification that includes information from the initial report and provides a preliminary assessment of the incident’s severity and impact;
• provide status updates upon request from the NBSZ;
• submit a detailed final report within one month of the event notification, including:
1. a comprehensive description of the incident, its severity, and impact;
2. likely causes or threats behind the incident;
3. mitigation measures implemented or ongoing; and
4. cross-border impacts, if applicable;
• if the incident is unresolved when the final report is due, submit an update on progress; and
• within one month after resolving the incident, submit a final report summarising all actions and outcomes.

Organisations are exempt from reporting near-cybersecurity incidents and operational cybersecurity incidents that are automatically resolved during the incident management process without degrading services. However, repeated near-incidents or operational incidents must still be reported.

Additionally, trust service providers must notify the NBSZ without undue delay and within 24 hours of becoming aware of any cybersecurity incidents that impact their trust services.

Critical Infrastructure-Related Events

Critical organisations must report extraordinary events according to their resilience plan. Reporting requirements vary by resilience level:

• Level 1 organisations must report immediately, within four hours during working hours, or by 12:00 PM the next working day if the event occurs outside working hours.
• Level 2 and 3 organisations must report immediately, within four hours of detection.

Reports must be submitted using the designated form provided by the National Directorate General for Disaster Management of the Ministry of Interior, being the general designation authority. Notifications are sent to:

• Mandatory for All:
1. regional disaster management authority; and
2. general designation authority.
• Sector-Specific:
1. ministry-designated sectoral duty service; and
2. contact point specified by the sectoral authority.
• Energy Sector:
1. energy designation authority for critical organisations or infrastructures.

These authorities notify the National Incident Management Centre as outlined in the law on defence and security co-ordination.

Critical organisations must notify their CRO about extraordinary events in the format and manner specified by the responsible. Reporting requirements, content, and submission rules are defined by government decree. After resolving the event, the CRO must submit a detailed report to the organisation’s leadership, relevant designation authorities, and sectoral bodies, who forward it to the NBSZ. Reports include the event’s origin, actions taken, and preventive measures for similar incidents.

Extraordinary events are analysed to enhance response, defence, and recovery efforts for critical organisations. Maintenance and repairs related to critical infrastructure must prioritise minimising service disruptions. Annual reports on controlled extraordinary events must also be submitted by the CRO to the relevant authorities. For incidents impacting six or more EU member states, authorities notify the affected states’ contact points and the European Commission, adhering to confidentiality to protect security and business interests.

The Critical Infrastructure Act defines the following responsibilities for the Hungarian state.

National Strategy for Enhancing the Resilience of Critical Organisations

The National Strategy for the Resilience of Critical Organisations is a medium-term strategic planning document issued by the government. Based on the National Security Strategy and other sectoral strategies, it outlines goals and measures to enhance the general resilience of critical organisations and ensure the continuity of essential services. Key elements include:

• strategic objectives and priorities considering cross-border and sectoral interdependencies;
• governance frameworks defining roles and responsibilities of critical organisations and involved authorities;
• measures to strengthen resilience and procedures to support critical organisations;
• actions to promote public-private collaboration;
• identification of key authorities, stakeholders, and processes for co-ordination; and
• a policy framework for co-ordinating cybersecurity risks, threats, and incidents under NIS2 compliance.

The strategy is reviewed every four years and provided to the European Commission within three months of its adoption.

National Risk Assessment for Enhancing the Resilience of Critical Organisations

The National Risk Assessment for Critical Organisations’ Resilience (National Risk Assessment), approved by the Hungarian government, serves as a planning document to support the resilience of critical organisations and infrastructure. It covers:

• sectors listed in Annex 1 of the Critical Infrastructure Act;
• Hungary’s national disaster risk assessment;
• general and sector-specific risks and defence plans;
• EU-based regulations addressing terrorism, energy supply security, flood risk, and hazardous materials;
• tasks related to defence and security planning under national law; and
• reporting and management of extraordinary events.

The assessment evaluates critical organisations’ development of risk evaluations, resilience matrices, and resilience measures. It is reviewed every four years, and relevant information is submitted to the European Commission within three months of adoption.

Designation of Critical Organisations

The process for designating critical organisations in Hungary is governed by a comprehensive framework designed to ensure national resilience and the continuity of essential services. This involves evaluating both horizontal and sector-specific criteria to identify organisations that play a critical role in maintaining societal and economic stability. Horizontal criteria include factors such as the organisation’s dependency on or relationship with other critical entities, its financial significance (eg, annual revenue exceeding HUF10 billion), or its role as the sole provider of a critical service in Hungary. Sector-specific criteria address risks and dependencies within specific industries, such as energy, transportation, or public health.

Designation authorities, in collaboration with sectoral authorities, monitor and evaluate the resilience of sectors, subsectors, and infrastructures. They initiate the designation process based on national resilience strategies, risk assessments, and relevant data. Organisations meeting the criteria are categorised into one of three resilience levels, determined by the scope and impact of their services, geographic coverage, and the number of users reliant on their operations. These levels dictate the organisation’s obligations to ensure preparedness and continuity in the face of extraordinary events.

Designation decisions are reviewed every four years or sooner if significant changes occur in the organisation’s status or the broader operating environment. Critical organisations must comply with tailored obligations, including the development of resilience plans and implementation of specific measures to address identified risks. The designation process also emphasises cross-sectoral and cross-border dependencies, ensuring a comprehensive approach to resilience. The decisions are formally communicated to relevant oversight bodies, sectoral authorities, and stakeholders, including those responsible for cybersecurity and emergency communications. This collaborative and structured approach supports the integration of critical organisations into Hungary’s national resilience framework, ensuring the continuity of essential services and preparedness for potential threats.

Designation of Critical Infrastructure

The process of designating critical infrastructure involves organisations providing data on their infrastructure and identifying those considered critical. The designation authority, with input from sectoral authorities, designates infrastructure as critical if it is essential for the basic services provided by a critical organisation, is located within Hungary, and meets at least one horizontal or sectoral criterion. The resilience level of the critical infrastructure is determined in the designation decision. A critical infrastructure cannot be designated in multiple sectors or subsectors. If eligible under multiple sectors, its designation is based on the primary essential service it supports.

Supervision of Critical Organisations

The oversight of critical organisations and infrastructure is carried out by a designated supervisory authority through comprehensive inspections. These inspections are conducted regularly, periodically, and on an ad hoc basis, often involving relevant sectoral authorities to ensure a thorough evaluation. The primary focus is on assessing compliance with applicable laws, regulations, and directives issued by the designation authority. The inspections aim to verify the effectiveness of measures taken to maintain and enhance the resilience of critical organisations and infrastructure. Key elements of these evaluations include the adequacy of resilience plans, risk assessments, resilience matrices, leadership performance, and the organisation’s collaboration with supply chain partners and other entities.

Sector-specific oversight is also conducted independently by sectoral authorities with expertise in their respective areas. These inspections follow an agreed methodology, and their plans are finalised annually after consultations with the supervisory authority. This ensures consistency and alignment with broader resilience objectives.

Resilience leaders within critical organisations play a crucial role in ensuring compliance and readiness through internal audits. They are responsible for evaluating the implementation of resilience measures, the accuracy of resilience plans, and the organisation’s overall preparedness. If any deficiencies are identified, they are required to propose corrective actions to senior management or the organisation’s leadership.

To further strengthen resilience and mitigate human risks, organisations may request background checks for key personnel responsible for resilience. These checks confirm the individual’s identity and ensure they have a clean criminal record.

Supporting Critical Organisations

The framework for supporting critical organisations aims to enhance their resilience by providing resources, guidance, and collaboration opportunities. Key measures include the following:

• development and dissemination of manuals, templates, and methodological tools, accessible via the central designation authority’s website;
• sharing best practices for resilience measurement and testing, organising central training programmes and sector-specific workshops for CROs;
• assigning advisers or creating advisory working groups to assist critical organisations;
• organising regular events to update organisations on regulatory changes, case studies, and best practices, facilitated by the designation authority and the CRO Advisory Committee, with input from sectoral authorities;
• offering expedited administrative processes and, where necessary and justified by public interest, financial aid for resilience development; and
• encouraging voluntary information sharing among critical organisations and publishing scientific research to support knowledge dissemination.

Additionally, the registry authority may verify the critical status of organisations, critical roles, and essential resources to facilitate access to support measures. If necessary and justified by public interest, financial support may be provided to enhance the resilience of critical organisations.

Act X of 2024 on the Harmonisation Amendments to Laws Affecting the Financial Intermediary System (“DORA Implementation Act”) implemented DORA into Hungarian law. The implementation act greatly broadened the material scope of the application of DORA in Hungary to include all financial enterprises, insurance companies, payment service providers, stock exchanges and investment fund managers.

Most enterprises must comply with the simplified framework, except for banks, institutions that operate payment systems, are under consolidated supervision, or subject to equivalent prudential regulations, which must adhere to the full framework.

The supervisory authority issued guidance on public cloud services in 2019 (MNB Guidance 4/2019 (IV. 1.)), which remains in effect until revoked. This guidance requires all financial enterprises to conduct a preliminary risk assessment and prepare an exit strategy before entering into contracts with any public cloud service providers. Additionally, the use of cloud services must be reported to the MNB.

It is expected that the MNB will align its practices with those of the ESAs regarding the use of cloud service providers, particularly in assessing their criticality. However, details have not yet been communicated to the public.

DORA mandates all financial enterprises in Hungary to enhance their ICT risk management frameworks, with particular emphasis on third-party risk management. Before 17 January 2025, and at the time of writing, existing sector-specific laws, notably Government Decree 42/2015 (III. 12.) on the Protection of the IT Systems of Financial Institutions, Insurers, Reinsurers, Investment Firms, and Commodity Exchange Service Providers, already require financial enterprises to maintain a robust, closed, trusted, and secure IT environment, including considerations for physical security and business continuity.

The Government Decree mandates financial institutions to establish robust IT security frameworks to ensure resiliency and business continuity. These include regular risk assessments, proportional protective measures for IT systems, and secure operations supported by independent monitoring and robust controls. Institutions must implement comprehensive data back-up and recovery plans, maintain redundancy for critical services, and ensure the secure separation of development, testing, and production environments.

Compliance with national cybersecurity standards is required, along with the use of secure digital archiving solutions to preserve electronic records. Vulnerability assessments and mitigation plans are mandatory for high-security systems, with logging and monitoring mechanisms in place for incident management. Business continuity plans must address extraordinary events to minimise disruption and ensure service continuity. These measures collectively strengthen operational stability and align with national and international cybersecurity standards.

The MNB has issued guidance on outsourcing requirements (MNB Guidance No. 7/2020 (VI. 3.)), emphasising the importance of conducting preliminary risk assessments, maintaining documented and tested exit strategies, and performing annual audits of outsourced service providers. Additionally, the MNB issued guidance on IT system security (MNB Guidance No. 8/2020 (VI. 22.)), which provides further details on the requirements established by the above-mentioned Government Decree.

DORA will expand the scope of these requirements, mandating financial enterprises to assess all ICT service providers. These providers must now be classified based on the criticality of their services concerning confidentiality, integrity, availability, and authenticity, thereby introducing a significant new element to the legislative framework.

The MNB has extensive authority to enforce effective regulations in Hungary, including conducting regular audits of financial institutions. As part of these audits, the MNB also oversees technical and organisational compliance with its issued guidance, particularly on outsourcing, the use of public cloud services, and IT system security. Additionally, the MNB audits compliance with Government Decree 42/2015 (III. 12.) on the Protection of IT Systems of Financial Institutions, Insurers, Reinsurers, Investment Firms, and Commodity Exchange Service Providers. In practice, this includes a comprehensive IT and IT security audit that evaluates the effectiveness of technical and organisational controls and ensures alignment with the institution’s own risk assessment.

Generally, the international data transfer provisions of the GDPR apply to the extent personal data is concerned by the international data transfer. Various financial sectoral provisions lay down additional requirements for international data transfers, such as those applicable to bank secrets, insurance secrets and securities secrets.

Bank Secrets

Under Section 54(1)(h) of Act CCXXXVII of 2013 on Credit Institutions and Financial Enterprises, the transfer of data constituting bank secrets from a financial institution to a foreign financial institution is permissible provided all the following conditions are met:

• Client’s Written Consent: The client (data subject) must provide explicit written consent for the data transfer.
• Adequate Data Protection Measures: The foreign financial institution (data controller) must ensure that data processing conditions meet the requirements set forth by applicable laws and directly applicable legal acts of the European Union for each piece of data.
• Adequate Data Protection Legislation: The country where the foreign financial institution is headquartered must have data protection laws that satisfy the requirements imposed by applicable laws and directly applicable legal acts of the European Union.

Insurance Secrets

Under Section 140(1) of Act LXXXVIII of 2014 on Insurance Activities, the transfer of insurance secrets by an insurer or reinsurer to a third-country insurer, reinsurer, or data processor is permissible under the following conditions:

• the data subject (client) has provided explicit written consent for the data transfer; or
• in the absence of the data subject’s consent, the data transfer complies with the regulations governing the transfer of personal data to third countries.

Securities Secrets

Under Section 120(e) of Act CXXXVIII of 2007 on Investment Firms and Commodity Dealers, the transfer of securities secrets by an investment firm or commodity dealer to a foreign investment firm or commodity dealer is permissible provided all the following conditions are met:

• the client has explicitly consented to the data transfer;
• the foreign investment firm or commodity dealer ensures that data processing conditions meet the requirements set forth by applicable laws and directly applicable legal acts of the European Union for each piece of data; and
• the country where the foreign investment firm or commodity dealer is headquartered has data protection laws that satisfy the requirements imposed by applicable laws and directly applicable legal acts of the European Union.

The MNB issued its Guidance 4/2019 (IV. 1.) on the use of public cloud services, which stipulates that institutions utilising public cloud services for data processing, storage, or management must establish appropriate safeguards in compliance with national and EU legal frameworks. These safeguards require data controllers and processors to handle, process, and store client data and financial sector secrets strictly in accordance with the principle of purpose limitation, ensuring that data is used only to the extent and for the duration necessary to fulfil the intended purpose. Furthermore, if personal data is involved, institutions must ensure full compliance with applicable international and national data protection laws and regulations.

At the date of writing, DORA is not yet applicable and the MNB has not published any written guidance or requirement on conducting threat-led penetration testing (TLPT) in the Hungarian financial sector.

See 1. General Overview of Laws and Regulators.

See 1. General Overview of Laws and Regulators.

The 2024 Cybersecurity Act establishes requirements for both cybersecurity certifications and certification bodies. The 2024 Cybersecurity Act incorporates the requirements of the EU Cybersecurity Act into Hungarian law.

The Hungarian National Cybersecurity Certification System aims to safeguard data and ICT processes across their life cycle by ensuring protection against unauthorised access, modification, or destruction and implementing mechanisms for data confidentiality, integrity, and availability. It mandates robust security measures, such as logging access, detecting vulnerabilities, and enabling secure recovery post-security incidents. ICT products and services must be inherently secure by design, regularly updated, and supported with mechanisms for secure updates.

The system also specifies comprehensive certification requirements, including defining the scope, objectives, standards, reliability levels, and evaluation criteria. It establishes guidelines for self-assessment, compliance evaluation, and certification validity, including renewal and extension conditions. Evaluations cover technical elements like vulnerability testing, cryptographic assessments, and security source code analysis, ensuring documentation and post-certification monitoring.

The national cybersecurity certification system defines three reliability levels – basic, substantial, and high – for ICT products, services, and processes. These levels indicate compliance with security requirements and the degree of evaluation undertaken to mitigate risks. Basic reliability addresses fundamental and known risks, substantial focuses on cybersecurity risks posed by attackers with limited resources, and high reliability aims to counter advanced cyberattacks using state-of-the-art techniques.

Evaluations involve reviewing technical documentation at all levels. For substantial and high levels, additional assessments verify the absence of vulnerabilities and test security functionality. High-level certification includes advanced penetration testing to ensure resilience against skilled attackers. The reliability level must align with the risk associated with the intended use of the ICT solution.

The national cybersecurity certification authority in Hungary, primarily the SZTFH, oversees certification for ICT products, services, and processes, except for defence-related areas, which are managed by a government-designated authority. Responsibilities include monitoring European cybersecurity certification developments, participating in related standardisations activities, and maintaining national certification systems. These systems must align with EU standards and address evolving security risks.

The authority evaluates and revises national certification systems at least every three years, or immediately following significant developments, ensuring alignment with European frameworks. It supervises conformity assessment bodies (CABs), conducts inspections, and ensures that cybersecurity certifications meet high standards, particularly for “high” reliability levels.

Additionally, the authority manages a national registry of certification-related data, including technical documentation, certifications, and compliance details. It ensures data security, confidentiality, and compliance with applicable laws. Violations by CABs or manufacturers can result in warnings, penalties, or license revocation.

All actions and decisions by the certification authority adhere to strict confidentiality and data protection standards, with records maintained for up to ten years post-certification expiry. The SZTFH ensures compliance through audits, accreditation, and collaboration with the European Commission for maintaining EU-wide standards.

The NAIH oversees compliance with data protection laws, including GDPR requirements for data security (Article 32) and privacy by design and data protection by default (Article 25). The NAIH collaborates with other Hungarian authorities, such as the Hungarian Competition Office and the MNB. It is expected that the NAIH will also co-ordinate with the NBSZ and SZTFH on cybersecurity-related matters.

The 2024 Cybersecurity Act emphasises that incident reporting obligations under the Act do not exempt organisations from fulfilling other reporting obligations. As a result, organisations will likely need to review and align their internal data breach management and reporting procedures to meet both data protection and cybersecurity requirements.

Under the GDPR, data processing agreements must include provisions for defining, requiring, and auditing technical and organisational measures (TOMs) to ensure compliance with Article 32. Similarly, the 2024 Cybersecurity Act, particularly Section 19 of Annex 2 to the MK Decree, mandates that organisations contractually require third-party service providers to comply with the organisation’s cybersecurity requirements. These requirements must be based on risk assessments and security classifications. To avoid contractual conflicts, organisations are advised to harmonise these cybersecurity requirements with their existing TOMs.

In Hungary, apart from the EU AI Act there are no specific cybersecurity requirements exclusively for AI systems. However, the 2024 Cybersecurity Act outlines requirements for administrative bodies, state-owned enterprises, and entities designated as essential or important, which also apply to software and system development. These requirements must be adhered to when procuring or developing AI solutions.

Additionally, Hungary has not yet established a dedicated AI supervisory authority. Data protection-related requirements for the use and development of AI systems are currently overseen by the NAIH.

In general, the EU Medical Device Regulation’s cybersecurity requirements apply to medical devices.

Moreover, public and private healthcare providers must connect to the Electronic Health Service Space (EESZT). IT systems used to connect to the EESZT must comply with strict requirements, including secure access, identification, communication protection, service handling, and adherence to technical and security standards. Developers with appropriate rights can apply for authorisation, specifying the system’s intended use.

Authorised systems must ensure continuous compliance during updates, version changes, or technical modifications for system integration, with significant changes reported within eight days. Operators monitor system performance to verify ongoing compliance, with the authority to revoke authorisation if requirements are unmet. Additionally, operators maintain and publish a registry of authorised systems for transparency. These regulations aim to enhance the security, functionality, and reliability of IT systems, ensuring they meet technical and operational standards.