Cybersecurity 2025

HUNGARY Trends and Developments Contributed by: Adam Liber and Tamás Bereczki, PROVARIS Varga & Partners

leader must appoint an ISO for the purposes of risk management, incident handling and communication, or enter into an agreement with an external individual. The mandatory content of such an agreement is defined by the Government Decree on the Implementation of the 2024 Cybersecurity Act. The role can only be performed by a person who (i) is legally competent; (ii) has a clean criminal record; and (iii) holds the qualifications, professional certifications or relevant work experience defined in a decree issued by the minister responsible for IT. For organisations that are critical or significant from a security perspective, the ISO must possess accredited international qualifications or relevant expertise.

Security and incident reporting obligations

Cybersecurity risk management measures under Article 21 are detailed in the Annexes of MK Decree 7/2024 (VI. 24.), which are based on NIST SP 800-53 Rev. 5. Organisations are required to protect their electronic information systems and the data processed within them in proportion to the associated risks, and must classify their relevant systems and data into the “basic”, “significant” or “high” security class based on the confidentiality, integrity and availability of the data and the integrity and availability of the systems. The security classification must be reviewed and documented at least every two years, or promptly in the event of regulatory or security changes.

Concerned entities must report cybersecurity incidents to the NBSZ, the cybersecurity authority designated as Hungary’s national Computer Security Incident Response Team (CSIRT). Organisations are also required to report to the CSIRT significant cybersecurity threats, near-miss incidents and incidents, including operational ones, that cause major disruptions or damage. Notification timescales and phases are laid down in Section VI of the Government Decree on the Implementation of the 2024 Cybersecurity Act: an initial notification within 24 hours of becoming aware of the incident, a detailed report within 72 hours, and a final report within one month. Notifications must be made in electronic form as defined by the CSIRT.

Mandatory security audits

The 2024 Cybersecurity Act emphasises regular oversight through biennial cybersecurity audits and mandatory security classifications for state-owned enterprises, organisations operating in sectors of high criticality and organisations operating in sectors at risk. The SZTFH does not primarily conduct inspections of the affected organisations itself – this task falls to designated auditors, whose oversight remains the responsibility of the SZTFH. An organisation is required to enter into an agreement with an auditor listed in the SZTFH register within 120 days of its registration and to conduct its first cybersecurity audit within two years of registration. During the audit, the auditor verifies the classification and the adequacy of the protective measures corresponding to the organisation’s assigned security classification. The President of the SZTFH will issue a decree specifying the maximum fee for the audit (excluding VAT) and the procedures for conducting the cybersecurity audit.

Cybersecurity supervision fee payment

Enterprises under majority state ownership that exceed the thresholds defined for medium-sized enterprises. Organisations supervised by the SZTFH must pay a cybersecurity supervisory fee as determined by the SZTFH President’s decree, which has not yet been released. The annual cybersecurity supervisory fee is up to 0.015%
