Cybersecurity · Hungary

Comprehensive law: Act LXIX of 2024 on Cybersecurity in Hungary (in force 1 January 2025), transposing EU NIS2 Directive (2022/2555); implemented by Government Decree 418/2024 (XII.23.); supervised by SZTFH (private sector) and NBSZ/national CERT (public sector)

Hungary enacted Act LXIX of 2024 on Cybersecurity, which entered into force on 1 January 2025 and replaced the earlier partial transposition (Act XXIII of 2023), consolidating public and private sector cybersecurity obligations into a single comprehensive statute aligned with NIS2. The law establishes mandatory security classifications, cybersecurity audits, and tiered incident-reporting duties for essential and important entities in high-risk and risky sectors. Dual supervisory authorities operate: SZTFH oversees commercial/private entities and market surveillance, while NBSZ serves as the national CERT and supervises public-sector bodies.

Primary Legislation

Act LXIX of 2024 on Cybersecurity (Magyar Közlöny) entered into force 1 January 2025, repealing Act XXIII of 2023. It is the sole comprehensive cyber statute covering both public and private sector networks and information systems, supplemented by Government Decree 418/2024 (XII.23.) on implementation details.

Scope & Sector Coverage

The Act covers medium and large enterprises (≥50 employees or >€10 M turnover/balance sheet) in high-risk sectors (energy, transport, healthcare, digital infrastructure, electronic communications) and risky sectors (postal, food, chemicals, electronic manufacturing, digital services). SMEs are generally excluded unless designated critical.

Security Classification

Systems are assigned one of three security classes — 'basic', 'significant', or 'high' — replacing the prior five-tier system. The 'high' class applies to critical infrastructure systems whose compromise could have the most severe societal or economic impact.

Incident Reporting & Breach Notification

In-scope entities must submit an early warning to NBSZ within 24 hours of discovering a significant incident, followed by a full incident notification within 72 hours. These obligations run in parallel with GDPR personal-data breach notifications and do not substitute for them.

Supervisory Authorities & Penalties

SZTFH (Supervisory Authority for Regulated Activities) is the NIS2 competent authority for the private sector; NBSZ (Special Service for National Security) supervises public-sector and state-owned entities and operates the national CERT. Failure to undergo a mandatory cybersecurity audit can result in fines of up to 2% of annual worldwide revenue (minimum HUF 1 million, maximum HUF 150 million).

Cyber Resilience Act & Audit Deadlines

Hungary adopted Act CXXXV of 2025 to implement the EU Cyber Resilience Act, published in the Hungarian Official Journal in late 2025. The deadline for entities to complete their first mandatory cybersecurity audit was extended (by amendment in force 31 May 2025) to 30 June 2026. The European Commission issued a reasoned opinion in May 2025 citing incomplete NIS2 transposition.

Machine-assisted translation · verified 5/24/2026 · orientation, not legal advice.