
New Hungarian Cybersecurity Laws Introduce Important Obligations – The Countdown Begins


From 1 January 2024, companies operating in Hungary will face significant new cybersecurity-related obligations under the Hungarian legislation implementing the EU NIS2 Directive. In this short article, we describe which companies will be affected by the new regulation and what the most important tasks are in the new year.

By way of background, the NIS2 Directive, the strengthened European cybersecurity legislation, entered into force in January 2023. To implement the provisions of the NIS2 Directive in Hungarian law, the parliament enacted Act XXIII of 2023 on cybersecurity certification and cybersecurity supervision (“Cybersecurity Certification Act”).

The companies concerned

Service providers and organisations operating in “high-risk” and “risky” sectors are covered by the new law. High-risk sectors include, for example, energy, transport, healthcare, digital infrastructure and electronic communication. Among others, postal services, food and chemical manufacturing, electronic product manufacturing and digital services are classified as risky sectors.

As a general rule, the Hungarian Cybersecurity Certification Act does not apply to SMEs; it applies only to companies that employ at least 50 employees or have an annual net turnover or a balance sheet total exceeding 10 million euros.

However, electronic communications service providers, trust service providers, DNS service providers, top-level domain name registrars and domain name registration service providers are covered by the law regardless of their size.

Major obligations

The Cybersecurity Certification Act requires basic cybersecurity measures for the electronic information systems of the entities covered by the act.

As part of the basic cybersecurity measures, companies covered by the law shall classify their electronic information systems. Based on the risk of confidentiality, integrity, or availability being compromised, a "basic", "significant" or "high" security class shall be applied.

The specific security measures applicable to each security class will be laid down in a ministerial decree and shall be applicable as of 18 October 2024.

The companies covered by the act have until 30 June 2024 to register with the Regulated Activities Supervisory Authority.

Further, by 31 December 2024 the companies shall appoint an independent auditor, who shall conduct the first NIS2-compliant cybersecurity due diligence by 31 December 2025.

In accordance with the NIS2 Directive, companies that fail to comply with the cybersecurity-related obligations may face administrative fines of a maximum of 10 million euros or 2% of their total worldwide annual turnover.

Based on the above, we advise companies operating in Hungary to check whether they are covered by the new Cybersecurity Certification Act and, if so, to start preparing the necessary measures.

By Anita Vereb, Attorney-at-law, SmartLegal Schmidt & Partners
