Cybersecurity 2025

HUNGARY Trends and Developments Contributed by: Adam Liber and Tamás Bereczki, PROVARIS Varga & Partners

istration providers are also covered. The 2024 Cybersecurity Act also grants authority to the SZTFH to issue delegated regulations concerning the following matters:

• cybersecurity supervisory fee payment obligation;
• auditor registration and requirements;
• cybersecurity audit procedures;
• detailed rules for cybersecurity supervision;
• detailed rules for registering economic organisations and individuals authorised to conduct vulnerability assessments; and
• detailed rules for registering organisations authorised to handle cybersecurity incidents.

Government Decree 418/2024 (XII. 23.) on the Implementation of the 2024 Cybersecurity Act specifies the monetary fines that may be imposed on relevant entities. The authority responsible for imposing the fines depends on the supervisory body. The maximum fines stipulated by Government Decree 418/2024 (XII. 23.) for organisations classified as essential entities are up to EUR10 million or 2% of the total global annual turnover for the preceding financial year, whichever is higher. For organisations classified as important entities, it is up to EUR7 million or 1.4% of the total global annual turnover for the preceding financial year, whichever is higher.

Importantly, if the National Authority for Data Protection and Freedom of Information (NAIH) imposes a fine for a violation, the national cybersecurity authority will not impose a fine for the same conduct. However, in justified cases, it may apply other legal consequences. In cases where multiple legal violations occur simultaneously, the maximum fine imposed is the sum of the maximum fines applicable to each individual violation. Payment of the fine does not exempt the offender from criminal or civil liability, nor does it relieve them of the obligation to rectify the circumstances that led to the imposition of the fine. Furthermore, except for violations that can be immediately remedied, a fine for the same infraction may be re-imposed after two months from the communication of the final decision imposing the previous fine.

Governance and management obligations and personal responsibility

The 2024 Cybersecurity Act also introduced certain changes regarding the governance and management obligations of covered entities. The 2023 Cybersecurity Act imposed obligations on the “upper management”, whereas under the 2024 Cybersecurity Act, cybersecurity management obligations are now imposed on the “head of the organisation”, because the new law assigns accountability to the head of the organisation for cybersecurity compliance and risk management. The term “head of the organisation” is not defined by the law. Under Hungarian law, this term typically refers to the person responsible for the management and operation of a given organisation, such as a Chief Executive Officer. This role can be fulfilled by an individual or a collective body, depending on the organisation’s structure. This person or body holds the highest authority within the organisation and is accountable for its overall functioning and decision-making processes. The head of the organisation is generally liable for cybersecurity and governance responsibilities in line with the general provisions of civil law and criminal law.

The 2023 Cybersecurity Act did not introduce any qualification requirements for information security officers (ISO). With the 2024 Cybersecurity Act, the appointment of ISOs has become more rigorous. Accordingly, the organisation’s

118 CHAMBERS.COM
