Hungary

(a) What is the NIS2 implementation status?

In Hungary, a new cybersecurity legislation was introduced in Hungary with Act LXIX of 2024. The Act replaces Act XXIII of 2023 on Cybersecurity Certification and Cybersecurity Supervision, overwriting and expanding the previous regulations.

The newly enacted law establishes stricter and more comprehensive regulations to enhance the security of electronic information systems, with a strong emphasis on safeguarding state and public service infrastructures from cyber threats.

(b) What is the envisaged NIS2 implementation timeline?

The Act entered into force on 3 January 2025. This Act consolidates and replaces previous laws, specifically Act XXIII of 2023.

(c) What does the NIS2 mean for other national cybersecurity legislation?

This Act consolidates and replaces previous laws, specifically Act XXIII of 2023. The primary objectives of Act LXIX of 2024 are to fully transpose the NIS2 Directive and the CER Directive into Hungarian law, addressing gaps left by prior legislation, and to unify the country’s cybersecurity regulations into a single, cohesive legal framework.

Key provisions of the law introduce more rigorous requirements regarding:

  • the protection of electronic systems used in state and public services;
  • the roles and obligations of certification and conformity assessment bodies;
  • regulations for data management and vulnerability assessments;
  • the implementation of post-quantum encryption technologies;
  • new construction standards, such as the mandatory underground installation of new telecommunications infrastructure in urban areas starting in 2027.

Special attention is given to post-quantum encryption requirements and vulnerability assessment protocols. Additionally, from 1 January 2027, all newly constructed electronic telecommunications structures in urban areas must be placed underground.

(d) Who will be the supervisory authority and how are they preparing the market?

Under Act LXIX of 2024, which came into force in January 2025, the Regulated Activities Supervisory Authority (Szabályozott Tevékenységek Felügyeleti Hatósága, SzTFH) serves as the primary cybersecurity supervisory authority in Hungary. SzTFH is responsible for overseeing compliance with the new cybersecurity framework, conducting audits, and enforcing regulations across both public and private sectors.

To prepare the market for the new regulations, SzTFH has undertaken several initiatives:

  • Issuance of Decrees: SzTFH is in the process of issuing detailed decrees that will outline specific requirements, including fines, supervisory fees, security incident reporting protocols, cybersecurity training standards, and official audit procedures.
  • Audit Requirements: Organizations that commenced operations before 1 January 2025 are required to complete their first cybersecurity audit by 31 December 2025. SzTFH is expected to release further details on audit procedures and fees to assist organizations in meeting this deadline.
  • Registration and Compliance Deadlines: Entities previously registered under the former cybersecurity laws are automatically included in the new framework and are not required to re-register. However, these entities must submit a list of other EU member states where they operate by 15 February 2025.

(e) What should you be doing/on the lookout for?

Organizations operating within the country must take several actions to ensure compliance with the new cybersecurity framework:

  • Determine Applicability: Assess whether the organization is classified as “essential” or “important” based on the services provided and the sectors in which you operate.
  • Appoint a Qualified Information Security Officer (ISO): Designate an ISO who meets the qualifications set forth in the legislation. The ISO should possess legal competence, a clean criminal record and be sufficiently involved in key organizational decisions related to cybersecurity.
  • Prepare for Mandatory Audits: Organizations that commenced operations before 1 January 2025 are required to complete their first cybersecurity audit by 31 December 2025.
  • Submit Required Information: If your organization was previously registered under the former cybersecurity laws, you are automatically included in the new framework and do not need to re-register.

Contact

Ildiko Szegedi E: szegedi@eversheds-sutherland.hu

Compare NIS2 implementation across other EU member states

Compare now

Other Resources

Eversheds Sutherland NIS2 Directive hub

Visit webpage

Whitepaper: Everything you need to know about the NIS2 Directive

Read the whitepaper

Webinar: One year to go until the EU NIS2 Directive

Watch the webinar

Article: Focus on the NIS2 directive

Read the summary briefing

© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.

Share this page