Cybersecurity Β· Hungary
Cybersecurity law in Hungary: NIS2 compliance (2026)
Hungary shaded by its cybersecurity status
Cybersecurity in Hungary: comprehensive law, anchored by Act LXIX of 2024 on Cybersecurity in Hungary (in force 1 January 2025), transposing EU NIS2 Directive (2022/2555); implemented by Government Decree 418/2024 (XII.23.); supervised by SZTFH (private sector) and NBSZ/national CERT (public sector).
Hungary enacted Act LXIX of 2024 on Cybersecurity, which entered into force on 1 January 2025 and replaced the earlier partial transposition (Act XXIII of 2023), consolidating public and private sector cybersecurity obligations into a single comprehensive statute aligned with NIS2. The law establishes mandatory security classifications, cybersecurity audits, and tiered incident-reporting duties for essential and important entities in high-risk and risky sectors. Dual supervisory authorities operate: SZTFH oversees commercial/private entities and market surveillance, while NBSZ serves as the national CERT and supervises public-sector bodies.
NIS2 & cybersecurity law in Hungary
In Hungary, baseline cybersecurity obligations come from the EU NIS2 Directive, transposed into national law, which sets risk-management and incident-reporting duties for essential and important entities.
- Framework
- the NIS2 Directive (EU) 2022/2555, transposed into national law
- Approach
- cybersecurity risk-management measures plus mandatory incident reporting for in-scope entities
- Applies to
- medium and large entities in critical sectors: energy, transport, banking, health, water, digital infrastructure, ICT and public administration
- Incident reporting
- an early warning within 24 hours and a full notification within 72 hours to the national CSIRT
- Maximum fine
- up to β¬10 million or 2% of global annual turnover for essential entities
- Oversight
- the national competent authority and CSIRT designated under NIS2
NIS2 is a directive, so Hungary implements it through national law; exact scope and deadlines can vary slightly by transposition.
NIS2 in Hungary: FAQ
Yes. As an EU member, Hungary has transposed the NIS2 Directive (EU) 2022/2555 into national law, covering essential and important entities in critical sectors.
Medium and large organisations in sectors such as energy, transport, banking, health, water, digital infrastructure and public administration.
An early warning within 24 hours of becoming aware and a fuller incident notification within 72 hours to the national CSIRT.
Up to β¬10 million or 2% of global annual turnover for essential entities, with lower ceilings for important entities.
Key points
Act LXIX of 2024 on Cybersecurity (Magyar KΓΆzlΓΆny) entered into force 1 January 2025, repealing Act XXIII of 2023. It is the sole comprehensive cyber statute covering both public and private sector networks and information systems, supplemented by Government Decree 418/2024 (XII.23.) on implementation details.
Covers medium and large enterprises (β₯50 employees or >β¬10 M turnover/balance sheet) in high-risk sectors (energy, transport, healthcare, digital infrastructure, electronic communications) and risky sectors (postal, food, chemicals, electronic manufacturing, digital services). SMEs are generally excluded unless designated critical.
Systems are assigned one of three security classes, 'basic', 'significant', or 'high', replacing the prior five-tier system. The 'high' class applies to critical infrastructure systems whose compromise could have the most severe societal or economic impact.
In-scope entities must submit an early warning to NBSZ within 24 hours of discovering a significant incident, followed by a full incident notification within 72 hours. These obligations run in parallel with GDPR personal-data breach notifications and do not substitute for them.
SZTFH (Supervisory Authority for Regulated Activities) is the NIS2 competent authority for the private sector; NBSZ (Special Service for National Security) supervises public-sector and state-owned entities and operates the national CERT. Failure to undergo a mandatory cybersecurity audit can result in fines of up to 2% of annual worldwide revenue (minimum HUF 1 million, maximum HUF 150 million).
Hungary adopted Act CXXXV of 2025 to implement the EU Cyber Resilience Act, published in the Hungarian Official Journal in late 2025. The deadline for entities to complete their first mandatory cybersecurity audit was extended (by amendment in force 31 May 2025) to 30 June 2026. The European Commission issued a reasoned opinion in May 2025 citing incomplete NIS2 transposition.
Timeline - major decisions & events
The Commission sent a formal reasoned opinion to Hungary (among 19 Member States) for failing to notify complete NIS2 transposition measures, despite Hungary having enacted Act LXIX of 2024. Hungary has two months to respond or face referral to the Court of Justice of the EU.
European Commission βHungary adopted a new five-year cybersecurity strategy required by Article 7 of NIS2, tasking the Cybersecurity Commissioner and relevant ministers with developing a National Cybersecurity Action Plan and integrating cybersecurity across public administration, critical infrastructure, digital services, and supply chains.
CEE Legal Matters / Government Decision 1089/2025 βHungary's comprehensive Cybersecurity Act took effect, repealing the 2013 Information Security Act and the 2023 partial transposition law and merging public-sector and private-sector cybersecurity obligations into a single statute. The Regulated Activities Supervisory Authority (SzTFH) became the primary supervisory body; mandatory cybersecurity audits must be completed by 30 June 2026.
National Legal Database of Hungary (njt.hu) βAll organisations falling within Hungary's initial NIS2 scope were required to register with the competent authority by this date, representing the first active compliance milestone under the early NIS2 framework before the comprehensive 2024 Act replaced it.
DLA Piper (citing Act XXIII of 2023) βHungary became one of the earliest EU Member States to begin NIS2 implementation, enacting a law on Cybersecurity Certification and Cybersecurity Supervision; it covered registration, supervision, and certification but was later found to be an incomplete transposition, necessitating the broader 2024 Act.
European Commission βHungary unified three separate cyber bodies, GovCERT-Hungary (incident handling), the National Electronic Information Security Authority (NEISA), and the Cyber Defence Management Authority (CDMA), into a single National Cyber Security Centre, which became Hungary's national CSIRT and the competent authority under the subsequent NIS Directive.
NCSC Hungary (official site) βHungary's foundational cybersecurity statute imposed binding obligations on state and municipal bodies, critical infrastructure operators, and their IT suppliers to classify information systems into security classes and implement commensurate controls, establishing the first comprehensive public-sector cybersecurity regime in Hungary.
National Legal Database of Hungary (njt.hu) βHungary became one of the first Central and Eastern European states to adopt a national cybersecurity strategy, defining protecting critical information infrastructure as a national security priority, assigning institutional responsibilities, and providing the policy mandate for the 2013 Information Security Act and subsequent NCSC creation.
Government of Hungary (English translation via NSA Archive, GWU) βHungary enacted its critical infrastructure protection law, establishing the legal framework for identifying and designating critical systems and facilities across energy, transport, water, and telecommunications sectors, creating the statutory foundation for sector-specific cybersecurity and resilience obligations.
National Legal Database of Hungary (njt.hu) βAfter Hungary signed the Council of Europe Convention on Cybercrime (23 November 2001, in Budapest) and ratified it on 4 December 2003, the treaty took effect, aligning Hungarian criminal law with international cybercrime standards; domesticated by Act LXXIX of 2004 and later reinforced by the Criminal Code (Act C of 2012).
Council of Europe βHungary - other topics
Cybersecurity in other countries
Last verified 5/24/2026 Β· Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite Β· Explore the full world map β