On December 20, 2024, Hungary enacted two new cybersecurity laws: Act No. LXIX of 2024 on Hungary's Cybersecurity ("2024 Cybersecurity Act"), which replaces the former national implementation of the NIS2 Directive, and Act No. LXXXIV of 2024 on the Resilience of Critical Entities ("The Act on the Resilience of Critical Entities"), which re-implements Directive (EU) 2022/2557 on the resilience of critical entities in Hungary.
Key Changes and Implications
- The 2024 Cybersecurity Act
The 2024 Cybersecurity Act repeals the 2023 Cybersecurity Act and Act L of 2013 on the Electronic Information Security of State and Municipal Bodies, establishing a unified framework for both public and private sector entities. Lower-level cybersecurity legislation remains unaffected by these changes. The new law will take effect on January 1, 2025.
Expanded Scope
The new law broadens its scope to include additional categories of organizations and entities, focusing on the electronic information systems they manage. It applies to administrative bodies such as government committees, metropolitan and county offices, and municipal representative bodies, excluding administrative associations with regulatory authority. The law also extends to state-owned enterprises exceeding medium-sized thresholds and aligns with EU cybersecurity frameworks (NIS1 and NIS2 Directives). The new law shall designate entities as "essential" or "important" based on their services or data processing functions.
Registration Requirements
Private sector entities previously registered under the 2023 Cybersecurity Act are included in the new framework and do not need to re-register. However, they must submit a list of EU member states where they provide services by February 15, 2025. Any changes in legal status or exceeding the medium-sized enterprise thresholds must be reported to the relevant supervisory authority.
Person Responsible for the Security of Electronic Information Systems ("ISO")
The new law introduces more detailed requirements for the person responsible for the security of electronic information systems (Information Security Officer - ISO), who must be appointed by the organization's leader. For private sector entities, this role can only be filled by someone who is legally competent and has a clean criminal record. For public sector entities, the law specifies additional requirements.
Cybersecurity Risk-Management Measures
The 2024 Cybersecurity Act retains the classification approach from the 2023 law, requiring organizations to classify systems and data as "basic," "significant," or "high" security classes. These classifications must be reviewed and updated every two years or after regulatory changes or incidents. Entities that have already classified their systems under the 2023 Cybersecurity Act do not need to reclassify them under the new law. The new law also broadens the scope of mandatory cybersecurity audits. Audits must occur every two years or as directed by SzTFH, with fees and procedures defined by a forthcoming SzTFH decree.
- The Act on the Resilience of Critical Entities
This new law aims to enhance [NATO] alliance-related duties and national resilience by protecting essential services, securing supply chains, and ensuring government continuity. In that regard, the Hungarian Government shall designate a general competent authority and a competent authority for the energy sector. The competent authorities’ designation procedures under this law must begin by April 30, 2025, reviewing decisions made under Act CLXVI of 2012, which is repealed. Operators designated under the 2012 Act will remain critical entities until final decisions are made. The first phase of the law takes effect on December 30, 2024, and its material provisions start to apply from January 1, 2025.
Practical Considerations
Organizations subject to these laws should:
- Review Applicability: Confirm whether they are classified as "essential," "important," or “critical” entities under the new laws.
- Update Compliance Measures: Ensure cybersecurity risk management measures are aligned with the new requirements, and verify whether the designated ISO complies with the new requirements articulated by the 2024 Cybersecurity Act.
- Prepare for Audits: Plan for biennial cybersecurity audits and monitor SzTFH decrees for further procedural details.
- Submit Required Information: If currently registered, submit the required list of EU member states where services are provided by February 15, 2025.
By consolidating and expanding existing frameworks, these laws reinforce Hungary’s cybersecurity landscape and align it more closely with EU standards. Organizations must act promptly to ensure compliance with the new requirements.
By Tamas Bereczki and Adam Liber, Partners, Provaris