Cybersecurity 2025

HUNGARY Law and Practice Contributed by: Adam Liber and Tamás Bereczki, PROVARIS Varga & Partners

6. Cybersecurity in Other Regulations

fication for ICT products, services, and processes, except for defence-related areas, which are managed by a government-designated authority. Responsibilities include monitoring European cybersecurity certification developments, participating in related standardisation activities, and maintaining national certification systems. These systems must align with EU standards and address evolving security risks.

The authority evaluates and revises national certification systems at least every three years, or immediately following significant developments, ensuring alignment with European frameworks. It supervises conformity assessment bodies (CABs), conducts inspections, and ensures that cybersecurity certifications meet high standards, particularly for “high” reliability levels.

Additionally, the authority manages a national registry of certification-related data, including technical documentation, certifications, and compliance details. It ensures data security, confidentiality, and compliance with applicable laws. Violations by CABs or manufacturers can result in warnings, penalties, or license revocation.

All actions and decisions by the certification authority adhere to strict confidentiality and data protection standards, with records maintained for up to ten years post-certification expiry. The SZTFH ensures compliance through audits, accreditation, and collaboration with the European Commission for maintaining EU-wide standards.

6.1 Cybersecurity and Data Protection

The NAIH oversees compliance with data protection laws, including GDPR requirements for data security (Article 32) and privacy by design and data protection by default (Article 25). The NAIH collaborates with other Hungarian authorities, such as the Hungarian Competition Office and the MNB. It is expected that the NAIH will also co-ordinate with the NBSZ and SZTFH on cybersecurity-related matters.

The 2024 Cybersecurity Act emphasises that incident reporting obligations under the Act do not exempt organisations from fulfilling other reporting obligations. As a result, organisations will likely need to review and align their internal data breach management and reporting procedures to meet both data protection and cybersecurity requirements.

Under the GDPR, data processing agreements must include provisions for defining, requiring, and auditing technical and organisational measures (TOMs) to ensure compliance with Article 32. Similarly, the 2024 Cybersecurity Act, particularly Section 19 of Annex 2 to the MK Decree, mandates that organisations contractually require third-party service providers to comply with the organisation’s cybersecurity requirements. These requirements must be based on risk assessments and security classifications. To avoid contractual conflicts, organisations are advised to harmonise these cybersecurity requirements with their existing TOMs.

6.2 Cybersecurity and AI

In Hungary, apart from the EU AI Act, there are no specific cybersecurity requirements exclusively for AI systems. However, the 2024 Cybersecu -
