Cybersecurity 2025

HUNGARY Law and Practice Contributed by: Adam Liber and Tamás Bereczki, PROVARIS Varga & Partners

intended purpose. Furthermore, if personal data is involved, institutions must ensure full compliance with applicable international and national data protection laws and regulations.

3.6 Threat-Led Penetration Testing

At the date of writing, DORA is not yet applicable and the MNB has not published any written guidance or requirement on conducting threat-led penetration testing (TLPT) in the Hungarian financial sector.

4. Cyber-Resilience

4.1 Cyber-Resilience Legislation

See 1. General Overview of Laws and Regulators.

4.2 Key Obligations Under Legislation

See 1. General Overview of Laws and Regulators.

5. Security Certification for ICT Products, Services and Processes

5.1 Key Cybersecurity Certification Legislation

The 2024 Cybersecurity Act establishes requirements for both cybersecurity certifications and certification bodies. The 2024 Cybersecurity Act incorporates the requirements of the EU Cybersecurity Act into Hungarian law.

The Hungarian National Cybersecurity Certification System aims to safeguard data and ICT processes across their life cycle by ensuring protection against unauthorised access, modification, or destruction and implementing mechanisms for data confidentiality, integrity, and availability. It mandates robust security measures, such as logging access, detecting vulnerabilities, and enabling secure recovery post-security incidents. ICT products and services must be inherently secure by design, regularly updated, and supported with mechanisms for secure updates.

The system also specifies comprehensive certification requirements, including defining the scope, objectives, standards, reliability levels, and evaluation criteria. It establishes guidelines for self-assessment, compliance evaluation, and certification validity, including renewal and extension conditions. Evaluations cover technical elements like vulnerability testing, cryptographic assessments, and security source code analysis, ensuring documentation and post-certification monitoring.

The national cybersecurity certification system defines three reliability levels – basic, substantial, and high – for ICT products, services, and processes. These levels indicate compliance with security requirements and the degree of evaluation undertaken to mitigate risks. Basic reliability addresses fundamental and known risks, substantial focuses on cybersecurity risks posed by attackers with limited resources, and high reliability aims to counter advanced cyber-attacks using state-of-the-art techniques.

Evaluations involve reviewing technical documentation at all levels. For substantial and high levels, additional assessments verify the absence of vulnerabilities and test security functionality. High-level certification includes advanced penetration testing to ensure resilience against skilled attackers. The reliability level must align with the risk associated with the intended use of the ICT solution.

The national cybersecurity certification authority in Hungary, primarily the SZTFH, oversees certi-

111 CHAMBERS.COM