Cybersecurity 2025

HUNGARY Trends and Developments Contributed by: Adam Liber and Tamás Bereczki, PROVARIS Varga & Partners

PROVARIS Varga & Partners H-1053 Budapest

Károlyi street 9. Central Palace 5th Floor Hungary Tel: +36 706 051 000 Email: info@provaris.hu Web: www.provaris.hu

Analysing the Transition: From the 2023 Cybersecurity Act to the 2024 Cybersecurity Act in Hungary Introduction The NIS2 Directive, enacted by the European Union, represents a significant advancement in EU-wide cybersecurity legislation. Effective from 16 January 2023, this Directive expanded the scope of cybersecurity regulations to encom - pass a broader range of sectors and entities. Its primary goal was to bolster organisational cybersecurity across various industry ecosys - tems throughout the EU, requiring entities to adopt robust measures to secure their networks and information systems. It mandated that EU member states integrate these provisions into their national laws by 17 October 2024. However, as of 28 November 2024, the Euro - pean Commission identified that 23 member states, including Hungary, had failed to meet this deadline. Despite the European Commission’s statement, Hungary was a forerunner in adopt - ing the NIS2 Directive, implementing it through Act XXIII of 2023, known as the Cybersecurity Certification and Cybersecurity Supervision Act (“2023 Cybersecurity Act”). This Act, in line with the NIS2 Directive, defined a broad range of sectors subject to the new legislation. The 2023

Cybersecurity Act entered into force gradually by 17 October 2024 and required the registration of covered entities, the security classification of electronic information systems, and the imple - mentation of certain cybersecurity measures in line with the MK Decree 7/2024 (VI. 24.) on the Requirements of Security Classification. The authority designated to enforce the NIS2 requirements was the Supervisory Authority for Regulated Activities ( Szabályozott Tevéke- nységek Felügyeleti Hatósága , or SZTFH). The deadline for registration before the SZTFH under the 2023 Cybersecurity Act was 30 June 2024 for entities that had already commenced opera - tions prior to 1 January 2024. All other entities had to register within 30 days from starting the relevant operations. The SZTFH reviewed over 3,500 registration applications by the end of 2024 and also maintained the register for NIS2 auditors. The SZTFH was authorised to release delegated legislation on audit requirements, audit fees, and payment of the cybersecurity supervision fee. However, the NIS2 implementation provided by the Act was incomplete and had several deficiencies and gaps. Therefore, the Hungar - ian government decided to replace the 2023

115 CHAMBERS.COM

Powered by