Keywords: Hungary, European Union, NIS2 Directive, Cybersecurity

Before the winter holidays the Hungarian Parliament adopted the new Cybersecurity Act which repeals the former Cybersecurity Certification Act. The Cybersecurity Act implements the EU NIS2 Directive and imposes numerous obligations on the affected organizations. Read our short article and find out if you are affected and if so, what are your key responsibilities.

Smartlegal Schmidt&Partners reports from Hungary:

  1. Is your organization affected?

Under the previous legislative framework, separate laws applied to the electronic information security of state and municipal bodies, as well as to enterprises operating in “high-risk” and “risky” sectors. However, the new Cybersecurity Act[i] covers both the state bodies and the organizations that were previously affected by the Cybersecurity Certification Act[ii].

Thus, companies operating in “high-risk” and “risky” sectors defined by the NIS2 Directive and consequently by the Cybersecurity Act shall comply with the obligations defined by the Act.

High-risk sectors include, among others, energy, transport and healthcare, while risky sectors include, for example, the manufacturing of electronic products and of machinery.[iii] As a main rule, the Cybersecurity Act only applies to medium-sized enterprises or larger companies[iv]; however, certain companies (e.g. electronic communications service providers) are covered by the Act regardless of their size.

  2. Is your organization essential or important?

A novelty of the Cybersecurity Act is that organizations concerned by the Act shall be classified as either essential or important, depending on how critical the services they provide are to the functioning of the state, society and economy, as well as, in certain cases, on the size of the organization.

Among others, essential organizations include companies operating in high-risk sectors which are considered as medium-sized enterprises or are larger companies based on the applicable act[v]. Smaller organizations operating in high-risk sectors and companies operating in risky sectors are regarded as important organizations.

Depending on this categorization, different requirements apply to the concerned organizations: stricter obligations apply to essential organizations, and the fines imposed on essential organizations may be higher.

  3. What are the most important obligations?

Affected organizations shall register themselves with the competent cybersecurity authority, which, in the case of companies operating in high-risk or risky sectors, is the Regulated Activities Supervisory Authority. However, concerned organizations that were already listed in the previous register kept under the Cybersecurity Certification Act are not required to re-register.

The Cybersecurity Act defines a list of obligations (e.g. operation of a risk management system, classification of electronic information systems, implementation of the necessary security measures, provision of cybersecurity training, etc.) which shall be fulfilled by the head of the organization.

Affected organizations shall pay a cybersecurity monitoring fee. The annual fee shall not exceed 0.015% of the affected organization’s net sales revenue for the previous financial year or, in the absence of such revenue, the pro-rata annualized portion of the current year’s revenue, with a maximum limit of HUF 10 million.[vi] The decree of the Authority setting the exact fees has not yet been adopted.

Further, according to the Cybersecurity Act, affected organizations that started their operation prior to 1 January 2025 shall conduct their first NIS2-compliant cybersecurity due diligence by 31 December 2025.

  4. What are the sanctions for non-compliance?

If the concerned organization does not comply with the obligations set forth by the Cybersecurity Act, the competent cybersecurity authority may impose certain legal consequences, such as:

  • warn the concerned organization to comply with the security requirements,
  • order the concerned organization to cease the infringing conduct and to desist from repeating it,
  • assign an information security officer at the expense of the concerned organization.

In addition to the above, the authority may impose a fine if, despite the measure(s) described above, the concerned organization still fails to comply with its obligations. The fine may be imposed repeatedly in the event of further non-compliance.

For an important organization, the penalty cap is the amount equivalent to EUR 7 million in Hungarian forints or, if higher, 1.4% of the organization’s total global annual turnover for the previous financial year. For an essential organization, the penalty cap is the amount equivalent to EUR 10 million in Hungarian forints or, if higher, 2% of the organization’s total global annual turnover for the previous financial year.

As an example, if the organization fails to conduct the cybersecurity audit, a fine of up to HUF 50 million may be imposed on it, and if the organization fails to pay the cybersecurity monitoring fee, the maximum fine is ten times the annual cybersecurity supervisory fee.

If the head of the organization does not comply with their obligations, a fine of up to HUF 15 million may also be imposed on them, and in the case of a repeated infringement, the imposition of a fine is mandatory.

  5. Summary

Based on the above, we advise companies operating in Hungary to check whether they are covered by the new Cybersecurity Act and, if so, to take the necessary measures to ensure compliance with the new law.

Written by Anita Vereb

SMARTLEGAL is a team of agile business and litigation lawyers in Budapest, Hungary, helping international corporate clients and individual entrepreneurs doing business in Hungary. For more information please visit our website at smartlegal.hu

[i] Act LXIX of 2024 on the cybersecurity of Hungary (“Cybersecurity Act”)

[ii] Act XXIII of 2023 on cybersecurity certification and cybersecurity supervision

[iii] see Annex 2-3 of the Cybersecurity Act

[iv] companies that employ at least 50 employees or have an annual net turnover or a balance sheet total exceeding EUR 10 million

[v] Act on Small and Medium-sized Enterprises and the Promotion of Their Development

[vi] For affected organizations that are part of the same recognized corporate group, actual corporate group (as defined in the Civil Code), or a corporate group consolidated under the Accounting Act (including parent companies, subsidiaries, and jointly controlled enterprises included in the consolidation scope), the combined annual cybersecurity oversight fee shall not exceed 50 million forints.