HUNGARY Law and Practice Contributed by: Adam Liber and Tamás Bereczki, PROVARIS Varga & Partners
(c) other documents, data, or information confirming regulatory compliance.

The cybersecurity authority is authorised to take supervisory actions or apply legal consequences for:

• organisations providing services in Hungary or operating network and information systems located in Hungary, based on mutual assistance requests from other EU member states’ cybersecurity authorities; and
• organisations providing services in Hungary without a designated representative in any EU member state.

Additionally, the authority may prioritise its supervisory tasks based on risk analysis to effectively fulfil its legally defined responsibilities. The detailed rules for conducting oversight inspections are determined by a decree issued by the president of the SZTFH.

Generic Data Security Requirements for Personal Data

The Hungarian Data Protection and Freedom of Information Authority (NAIH) supervises data protection-related matters. The NAIH is one of the most heavily staffed data protection authorities in EU member states, and data protection enforcement in Hungary is rigorous and stringent. However, investigations are usually initiated upon individual complaints, and ex officio inspections are quite rare.

Penalties that the NAIH may apply are defined by the Information Act, the GDPR and the Hungarian Sanctions Act. The GDPR imposes two tiers of fines for non-compliance: lower-level penalties up to EUR10 million or 2% of worldwide annual turnover, for issues like data security and co-operation with authorities, and upper-level penalties up to EUR20 million or 4% of annual turnover, for serious infringements like violating data subjects’ rights and unlawful data transfers. These fines are discretionary, considering factors like the infringement’s nature and any mitigating actions taken by the organisation.

Financial Sector

The Hungarian National Bank (MNB) supervises entities within the financial sector, including banks, insurance companies, payment providers, etc. The MNB also takes a very rigorous and stringent approach to compliance with applicable financial regulations and laws. It is well-known for its extensive written guidance, which also covers cybersecurity requirements, cloud services and outsourcing within the financial sector, acts as actual “soft law” and represents the MNB’s legal interpretation of applicable laws.

The MNB regularly conducts audits on actors within the financial sector, which also include thorough IT audits and reviews. During an audit, the MNB assesses whether a financial institution follows the MNB’s guidance and has the required documentation in place that can confirm compliance with applicable cybersecurity requirements (eg, conducting penetration tests on banking systems, software, consumer-facing applications, conducting regular user access reviews, holding the necessary information security trainings and awareness campaigns, etc).

The MNB enforces financial regulations by imposing fines, restricting banking operations, and in severe cases, suspending or revoking licences. It can also mandate corrective actions, issue public warnings affecting an institution’s reputation, and initiate legal proceedings. These measures ensure compliance and stability in Hungary’s financial sector, with penalties based on the severity of violations, impact on