HUNGARY Trends and Developments Contributed by: Adam Liber and Tamás Bereczki, PROVARIS Varga & Partners
Cybersecurity Act with new legislation, provid - ing a more complete implementation of the NIS2 Directive. The cybersecurity landscape in Hun - gary has undergone significant transformations with the replacement of the 2023 Cybersecu - rity Act by the 2024 Cybersecurity Act, which was passed by the Hungarian Parliament on 17 December 2024. This transition aligns with the broader implementation of the NIS2 Direc - tive. While the 2023 Cybersecurity Act marked Hungary’s initial compliance with NIS2, the 2024 Cybersecurity Act introduces a more unified and robust framework, addressing gaps and reflect - ing lessons learned from prior implementation. This article examines the key changes and their implications for entities operating in Hungary. Key changes in the legislative framework Consolidation of Cybersecurity Legislation The 2024 Cybersecurity Act, effective from 1 January 2025, consolidates Hungary’s cyber - security legal framework by repealing the 2023 Cybersecurity Act and other fragmented regu - lations, including Act CXXV of 1995 (Sections 8(7)–(10)) on the National Security Services and Act L of 2013 on Electronic Information Secu - rity of State and Municipal Bodies (Information Security Act). This consolidation aims to provide unified rules for entities in both the public and private sectors, addressing the implementation gaps of the 2023 Cybersecurity Act. As part of the NIS2 implementation efforts, the Hungarian government also released Govern - ment Decree 418/2024 (XII. 23.) on the Imple - mentation of the 2024 Cybersecurity Act. This decree outlines the specific obligations of organ - isations concerning cybersecurity measures, the framework for governmental oversight, and the procedures for compliance. It also delineates the roles of various authorities in monitoring and
ensuring adherence to cybersecurity standards, including the supervision of designated auditors responsible for assessing compliance among affected organisations. Additionally, the decree addresses co-operation between national and international entities in the realm of cyberse - curity, aligning with relevant EU directives and regulations. The primary objective of this decree is to ensure a high level of national cybersecurity, protect critical infrastructure, and facilitate effec - tive responses to cyber threats. Enhanced sectoral scope, main establishment and representative appointment The 2024 Cybersecurity Act introduced cer - tain changes to the scope of entities previously covered by the 2023 Cybersecurity Act. Public administration bodies at various local levels are now explicitly included, and the new law also applies to the electronic information systems of enterprises under majority state ownership that exceed the thresholds defined for medium- sized enterprises in the Small and Medium-Sized Enterprises Act. Similarly to the former legislation, the 2024 Cybersecurity Act distinguishes between organi - sations operating in sectors with high critical - ity (Annex 2 of the 2024 Cybersecurity Act) and organisations operating in sectors at risk (Annex 3 of the 2024 Cybersecurity Act), introducing minor but significant changes in its scope. While the 2023 Cybersecurity Act extended its scope to all food businesses, including food retailers, the 2024 Cybersecurity Act limited its applica - bility to food businesses engaged in wholesale distribution, industrial production, and process - ing of food. Holders of a pharmaceutical whole - sale distribution authorisation under Article 79 of Directive 2001/83/EC are no longer covered by the scope of the new legislation, but pharma - ceutical wholesalers are. Research organisations
116 CHAMBERS.COM
Powered by FlippingBook