Cybersecurity 2025

HUNGARY Law and Practice Contributed by: Adam Liber and Tamás Bereczki, PROVARIS Varga & Partners

• if the incident is unresolved when the final report is due, submit an update on progress; and • within one month after resolving the incident, submit a final report summarising all actions and outcomes. Organisations are exempt from reporting near- cybersecurity incidents and operational cyber - security incidents that are automatically resolved during the incident management process with - out degrading services. However, repeated near- incidents or operational incidents must still be reported. Additionally, trust service providers must notify the NBSZ without undue delay and within 24 hours of becoming aware of any cybersecurity incidents that impact their trust services. Critical Infrastructure-Related Events Critical organisations must report extraordinary events according to their resilience plan. Report - ing requirements vary by resilience level: • Level 1 organisations must report immediate - ly, within four hours during working hours, or by 12:00 PM the next working day if the event occurs outside working hours. • Level 2 and 3 organisations must report immediately, within four hours of detection. Reports must be submitted using the designated form provided by the National Directorate Gen - eral for Disaster Management of the Ministry of Interior, being the general designation authority. Notifications are sent to: • Mandatory for All: (a) regional disaster management authority; and (b) general designation authority.

• Sector-Specific: (a) ministry-designated sectoral duty service; and (b) contact point specified by the sectoral authority. • Energy Sector: (a) energy designation authority for critical organisations or infrastructures. These authorities notify the National Incident Management Centre as outlined in the law on defence and security co-ordination. Critical organisations must notify their CRO about extraordinary events in the format and manner specified by the responsible. Reporting requirements, content, and submission rules are defined by government decree. After resolv - ing the event, the CRO must submit a detailed report to the organisation’s leadership, relevant designation authorities, and sectoral bodies, who forward it to the NBSZ. Reports include the event’s origin, actions taken, and preventive measures for similar incidents. Extraordinary events are analysed to enhance response, defence, and recovery efforts for critical organisations. Maintenance and repairs related to critical infrastructure must prioritise minimising service disruptions. Annual reports on controlled extraordinary events must also be submitted by the CRO to the relevant authorities. For incidents impacting six or more EU mem - ber states, authorities notify the affected states’ contact points and the European Commission, adhering to confidentiality to protect security and business interests. 2.4 State Responsibilities and Obligations The Critical Infrastructure Act defines the follow - ing responsibilities for the Hungarian state.

105 CHAMBERS.COM

Powered by