Hungary's new cybersecurity law, Act LXIX of 2024, entered into force in January 2025. Although Hungary had already adopted NIS2 legislation in 2023, it passed a completely new law at the end of 2024, which took effect in January 2025 and replaces Act L of 2013 and Act XXIII of 2023.
The purpose of this new legislation is twofold: to fully transpose the NIS2 Directive and CER Directive addressing gaps left by previous legislation, and to consolidate Hungary's scattered cybersecurity laws into a unified legal framework. Below are the key takeaways of the new framework:
- Basic Framework: The new law establishes a basic framework, with certain details (such as fines, supervisory fees, security incidents, cybersecurity training, and official audits) to be regulated in upcoming decrees. The existing MK Decree 7/2024 will remain the core decree, as it sets out the technical cybersecurity framework, including risk governance mechanisms, threat assessments, risk classification of information systems, and control measures.
- Extended Scope: The law extends its coverage beyond NIS2 entities to include those under the CER Directive. The same cybersecurity framework applies to both sets of entities, though with some exceptions.
- Territorial Scope: The law retains the concept of "main establishment," meaning it generally applies to organizations established in Hungary. Non-EU organizations providing services in Hungary must appoint a representative.
- Affected Entities: As under NIS2, companies operating in high-risk or risky sectors are subject to the law. Generally, the regulations apply to medium and large-sized organizations, with certain exceptions.
- Distinction Between Essential and Important Entities: The new law provides clearer differentiation between essential and important organizations. Entities operating in high-risk sectors by default are classified as essential, with stricter cybersecurity obligations in some cases.
- Designation Mechanism: In addition to the self-identification and registration requirement under NIS2, the cybersecurity regulator may designate an organization as essential or important. For instance, an entity providing services to 20,000 individuals in risky or high-risk sectors may be designated as important or essential.
- Registration: NIS2 entities already registered as of 2024 will not need to re-register. However, by 15 February 2025, certain registered entities must submit a list of the other EU member states in which they conduct business beyond Hungary.
- Contracting with an Auditor: Organizations must conclude a contract with an auditor within four months of receiving their registration order. This will be possible once the cybersecurity regulator issues a decree on official audits and audit fees.
- Security Risk Classification: The law does not change the security classification method set out in MK Decree 7/2024. This classification, which determines the risk level of an information system (level 1, 2, or 3), is crucial for determining appropriate security control measures.
- Control Measures: The list of controls outlined in MK Decree 7/2024 remains unchanged. The National Cybersecurity Center of Hungary has issued an Excel table comparing Hungary's control measures with ISO 27001 and NIST 800-53 standards, facilitating compliance for organizations already using these international frameworks. Additionally, the EU Commission's NIS2 implementing act and the new ENISA guidelines provide further control lists.
- Cybersecurity Risk Governance Framework: The risk governance framework set out in MK Decree 7/2024 remains intact. Its purpose is to ensure ongoing cybersecurity compliance within organizations.
- Audit Deadlines: Organizations that began operations before January 1, 2025, must complete their first audit by the end of 2025.
- New Rules on Information Security Officers (ISO): The new law introduces specific requirements for ISOs, similar to the rules for Data Protection Officers (DPOs) under GDPR. Organizations must ensure that the ISO is involved in all key decisions and has the resources necessary to perform their duties. Upcoming decrees will provide further details on ISO training requirements.
- Incident Response Management: In addition to the central CSIRT, the law allows for the establishment of sector-specific incident management centers. Detailed rules on incident response will be provided in an upcoming decree.
- Audit Requirements: Detailed regulations on official audits will be outlined in an upcoming decree. Audits will likely cover the review of control measures, risk classifications, and documentation, as well as testing (such as vulnerability, penetration, and source code tests).
- Corporate Management Responsibility: The new law introduces the NIS2 concept of corporate management responsibility for cybersecurity. Corporate management is required to oversee and approve cybersecurity measures and ensure management-level training on cybersecurity. The law also provides for direct liability for corporate management, including potential temporary bans from management activities.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.