Cybersecurity 2025

HUNGARY Law and Practice Contributed by: Adam Liber and Tamás Bereczki, PROVARIS Varga & Partners

the financial system, and the institution’s past conduct. Furthermore, the MNB is empowered to impose fines not only on the inspected organi - sation itself, but also on its leadership and any individual classified as holding a senior position under applicable laws. The level of fines varies according to numerous circumstances, with dif - ferent ranges applicable depending on the spe - cifics of the case. E-Privacy The NMHH is in charge of the enforcement of e-privacy-related data security requirements applicable to public electronic communication service providers and can audit service provid - ers in an administrative procedure. The NMHH Decree No 4/2012 (I. 24.) lays down the specific rules concerning data protection and confidenti - ality obligations related to the provision of public electronic communication services in Hungary and the decree is the local implementation of the EU ePrivacy Directive. 2. Critical Infrastructure Cybersecurity 2.1 Scope of Critical Infrastructure Cybersecurity Regulation The Critical Infrastructure Act, announced in Hungarian Official Journal No 131 on 20 Decem - ber 2024, and technically effective from 1 Janu - ary 2025, requires the designation authority to initiate procedures by 30 April 2025 to review and potentially revoke or uphold decisions made under the 2012 Act on the Identification, Desig - nation, and Protection of Critical Systems and Facilities. Operators of critical system elements designated under the 2012 Act will continue to be treated as critical organisations until a final decision is made. Additionally, the Critical Infra - structure Act repealed the 2012 Act on the Iden -

tification, Designation, and Protection of Critical Systems and Facilities. The Critical Infrastructure Act regulates meas - ures to enhance the resilience of critical organisa - tions headquartered in Hungary, along with their support and supervisory systems. It applies to critical organisations, critical infrastructures, par - ticipating individuals and entities, administrative bodies, and relevant sectors and organisations. Additionally, the provisions of the Critical Infra - structure Act apply to the natural gas, hydrogen, and electricity subsectors, with exceptions as specified within the law. Furthermore, the Criti - cal Infrastructure Act applies to the electricity transmission components of nuclear facilities in relation to electricity generation as an essential service. Its provisions do not affect EU treaties or regulations specifically governing nuclear ele - ments. Measures, support, and supervisory sys - tems aimed at enhancing the resilience of nucle - ar facility components fall under the authority of the regulatory body responsible for the peaceful, safe, and secure use of nuclear energy. 2.2 Critical Infrastructure Cybersecurity Requirements The provisions of the Critical Infrastructure Act for critical organisations and critical infrastruc - tures must be applied with priority given to the national legislation transposing the NIS2 Direc - tive, meaning the 2024 Cybersecurity Act, the Execution Decree and the MK Decree. Basic Principles and Obligations of Critical Organisations In organising the resilience of critical organisa - tions and implementing the tasks defined in the Critical Infrastructure Act, the following princi - ples must be upheld by critical organisations and individuals:

101 CHAMBERS.COM

Powered by