Cybersecurity · Hungary
Cybersecurity regulation in Hungary (2026)
Hungary shaded by its cybersecurity status
Hungary enacted Act LXIX of 2024 on Cybersecurity, which entered into force on 1 January 2025 and replaced the earlier partial transposition (Act XXIII of 2023), consolidating public and private sector cybersecurity obligations into a single comprehensive statute aligned with NIS2. The law establishes mandatory security classifications, cybersecurity audits, and tiered incident-reporting duties for essential and important entities in high-risk and risky sectors. Dual supervisory authorities operate: SZTFH oversees commercial/private entities and market surveillance, while NBSZ serves as the national CERT and supervises public-sector bodies.
Key points
Act LXIX of 2024 on Cybersecurity (Magyar Közlöny) entered into force 1 January 2025, repealing Act XXIII of 2023. It is the sole comprehensive cyber statute covering both public and private sector networks and information systems, supplemented by Government Decree 418/2024 (XII.23.) on implementation details.
Covers medium and large enterprises (≥50 employees or >€10 M turnover/balance sheet) in high-risk sectors (energy, transport, healthcare, digital infrastructure, electronic communications) and risky sectors (postal, food, chemicals, electronic manufacturing, digital services). SMEs are generally excluded unless designated critical.
Systems are assigned one of three security classes — 'basic', 'significant', or 'high' — replacing the prior five-tier system. The 'high' class applies to critical infrastructure systems whose compromise could have the most severe societal or economic impact.
In-scope entities must submit an early warning to NBSZ within 24 hours of discovering a significant incident, followed by a full incident notification within 72 hours. These obligations run in parallel with GDPR personal-data breach notifications and do not substitute for them.
SZTFH (Supervisory Authority for Regulated Activities) is the NIS2 competent authority for the private sector; NBSZ (Special Service for National Security) supervises public-sector and state-owned entities and operates the national CERT. Failure to undergo a mandatory cybersecurity audit can result in fines of up to 2% of annual worldwide revenue (minimum HUF 1 million, maximum HUF 150 million).
Hungary adopted Act CXXXV of 2025 to implement the EU Cyber Resilience Act, published in the Hungarian Official Journal in late 2025. The deadline for entities to complete their first mandatory cybersecurity audit was extended (by amendment in force 31 May 2025) to 30 June 2026. The European Commission issued a reasoned opinion in May 2025 citing incomplete NIS2 transposition.
Timeline - major decisions & events
The Commission sent a formal reasoned opinion to Hungary (among 19 Member States) for failing to notify complete NIS2 transposition measures, despite Hungary having enacted Act LXIX of 2024. Hungary has two months to respond or face referral to the Court of Justice of the EU.
European Commission ↗Hungary adopted a new five-year cybersecurity strategy required by Article 7 of NIS2, tasking the Cybersecurity Commissioner and relevant ministers with developing a National Cybersecurity Action Plan and integrating cybersecurity across public administration, critical infrastructure, digital services, and supply chains.
CEE Legal Matters / Government Decision 1089/2025 ↗Hungary's comprehensive Cybersecurity Act took effect, repealing the 2013 Information Security Act and the 2023 partial transposition law and merging public-sector and private-sector cybersecurity obligations into a single statute. The Regulated Activities Supervisory Authority (SzTFH) became the primary supervisory body; mandatory cybersecurity audits must be completed by 30 June 2026.
National Legal Database of Hungary (njt.hu) ↗All organisations falling within Hungary's initial NIS2 scope were required to register with the competent authority by this date, representing the first active compliance milestone under the early NIS2 framework before the comprehensive 2024 Act replaced it.
DLA Piper (citing Act XXIII of 2023) ↗Hungary became one of the earliest EU Member States to begin NIS2 implementation, enacting a law on Cybersecurity Certification and Cybersecurity Supervision; it covered registration, supervision, and certification but was later found to be an incomplete transposition, necessitating the broader 2024 Act.
European Commission ↗Hungary unified three separate cyber bodies — GovCERT-Hungary (incident handling), the National Electronic Information Security Authority (NEISA), and the Cyber Defence Management Authority (CDMA) — into a single National Cyber Security Centre, which became Hungary's national CSIRT and the competent authority under the subsequent NIS Directive.
NCSC Hungary (official site) ↗Hungary's foundational cybersecurity statute imposed binding obligations on state and municipal bodies, critical infrastructure operators, and their IT suppliers to classify information systems into security classes and implement commensurate controls — establishing the first comprehensive public-sector cybersecurity regime in Hungary.
National Legal Database of Hungary (njt.hu) ↗Hungary became one of the first Central and Eastern European states to adopt a national cybersecurity strategy, defining protecting critical information infrastructure as a national security priority, assigning institutional responsibilities, and providing the policy mandate for the 2013 Information Security Act and subsequent NCSC creation.
Government of Hungary (English translation via NSA Archive, GWU) ↗Hungary enacted its critical infrastructure protection law, establishing the legal framework for identifying and designating critical systems and facilities across energy, transport, water, and telecommunications sectors, creating the statutory foundation for sector-specific cybersecurity and resilience obligations.
National Legal Database of Hungary (njt.hu) ↗After Hungary signed the Council of Europe Convention on Cybercrime (23 November 2001, in Budapest) and ratified it on 4 December 2003, the treaty took effect, aligning Hungarian criminal law with international cybercrime standards; domesticated by Act LXXIX of 2004 and later reinforced by the Criminal Code (Act C of 2012).
Council of Europe ↗Hungary - other topics
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Explore the full world map →