On 17 April 2025, the President of the Hungarian Supervisory Authority for Regulated Activities (SZTFH) issued Decree 3/2025. (IV. 17.), setting out detailed provisions on cybersecurity supervision, the conduct of regulatory inspections, and the role of the information security supervisor.
Entering into force the following day, the decree constitutes a significant step in Hungary’s national implementation of Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS2 Directive). It confers broad supervisory powers on the Supervisory Authority for Regulated Activities (SZTFH), which is designated as Hungary’s competent cybersecurity authority for most sectors covered by the Directive. However, supervisory responsibilities for the public administration sector lie with the National Security Authority (NBH), while entities operating in the defence sector fall under the competence of the Ministry of Defence.
The new rules establish comprehensive procedures for inspections and audits, define the SZTFH’s enforcement powers, and formalise cooperation mechanisms with domestic and EU-level stakeholders. The decree is regarded as one of the final legislative instruments necessary to operationalise the Hungarian cybersecurity framework under NIS2.
Supervisory Powers and Enforcement Mechanisms
According to the decree, the SZTFH is authorized to carry out supervisory activities over the private-sector essential and important entities that fall within its competence. In this capacity, it is entitled to:
- verify the classification of organizations into security categories, the implementation of protection measures, and related procedural compliance;
- define additional security requirements beyond those established by the organization itself;
- request information necessary to evaluate the organization’s cybersecurity risk management measures (e.g., policies) and compliance with incident reporting obligations;
- check the implementation of protective measures and related procedures;
- conduct regular, ad hoc, and targeted inspections—including on-site, remote, and random audits;
- access, request, and review data, documents, and information required for its supervisory functions;
- order corrective actions to address deficiencies identified during inspections and verify their implementation;
- access, request, and review evidence underlying cybersecurity audit reports;
- define objectives for subsequent audits based on prior audit findings; and
- order extraordinary (unscheduled) audits.
The power of the SZTFH to issue administrative fines is governed by the Cybersecurity Act (Act LXIX of 2024), and the specific rules on the imposition, amount, and conditions of administrative fines are detailed in Government Decree 418/2024. (XII. 23.), which authorizes the SZTFH to issue administrative fines of up to the HUF equivalent of EUR 10 million or 2% of total worldwide annual turnover for essential entities, and up to the HUF equivalent of EUR 7 million or 1.4% of turnover for important entities (whichever is higher).
Inspection Procedures and Organizational Obligations
In carrying out its duties, the Authority cooperates with a wide range of national and international bodies, including cybersecurity authorities and incident response centers, law enforcement and national security services, sectoral regulators such as the National Media and Infocommunications Authority and the Hungarian Data Protection and Freedom of Information Authority, as well as designated authorities under relevant EU and national legislation. It also maintains collaboration with the cybersecurity supervisory authorities and competent authorities of other EU Member States.
Inter-Institutional and Cross-Border Cooperation
The decree states that if an organization operates across multiple EU Member States, the SZTFH must cooperate with the relevant authorities of those states. This includes exchanging information via the single point of contact, requesting or providing supervisory actions, and offering mutual assistance based on justified requests, all within available resources. Requests for assistance cannot be refused unless the Authority lacks competence, the request is disproportionate, or it conflicts with Hungary’s core interests in national security, public safety, or defense. Before denying a request, the Authority may consult with other authorities, the European Commission, and the EU Cybersecurity Agency. It may also conduct joint supervisory actions with other Member States’ authorities.
Inspection and Audit Mechanisms
The Authority conducts inspections based on its annual inspection plan but may also carry out extraordinary inspections when necessary. To monitor the implementation of measures taken following an inspection, the Authority may order follow-up reviews. In accordance with the Act on General Administrative Procedure (Act CL of 2016), the Authority may omit prior notification of an inspection if there is a serious threat, a significant cybersecurity incident has occurred, such an event is likely to occur, or if the organization concerned would likely obstruct the effectiveness of the inspection based on available information.
The Authority is entitled, during its procedures and while performing its duties, to carry out inspections with minimal disruption to the operation and administration of the affected organization. It may do so independently or in cooperation with other authorities. This includes entering premises related to the organization's IT activities, inspecting sites where data processing or IT operations occur, reviewing and copying documents, contracts, systems, and security measures related to electronic information security, and conducting technical examinations with individualized access to IT systems. Additionally, the Authority is authorized to assess all protective measures aimed at managing threats to electronic information systems and the data processed within them. The organization subject to inspection must cooperate with the Authority, ensure the presence of the person responsible for IT security (information security officer – ISO) during on-site inspections, provide requested documents in an organized manner, and may submit written comments on the inspection report within 15 days of its receipt, while the Authority must deliver a copy of the report on-site or within 8 days after the inspection.
The Authority requires the organization to review and modify the security classification of its electronic information system if, during a cybersecurity audit, the auditor rates the classification determined by the organization as “non-compliant.” To ensure compliance with electronic information and cybersecurity requirements, the Authority may instruct an organization’s leadership—within a specified deadline—to remedy deficiencies or violations that pose a threat to information security, fulfill legal obligations, and implement necessary measures. If the issue presents a risk of a serious cybersecurity incident, the Authority can order immediate corrective action. Upon notification from the incident response center, it may also demand the cessation of unlawful activities or states of non-compliance. Until the appeal period or final court ruling concludes, data related to the disputed violations must not be deleted or destroyed.
Criteria for Legal Consequences and Aggravating Factors
When applying the legal consequences outlined in the Hungarian Cybersecurity Act, the Authority considers several factors, including the severity and duration of the security deficiency or violation, whether a significant or large-scale cybersecurity incident occurred or was likely, and the actual or potential impact on the affected or other organizations. It also evaluates any material or non-material damage, repetition of the incident, past violations, intent or negligence, efforts to prevent or mitigate harm, compliance with approved codes or certification schemes, the level of cooperation with authorities, and the effectiveness, proportionality, and deterrent effect of the intended sanction. The following are considered serious violations by law: repeated infringements; failure to report or remedy significant incidents; failure to correct deficiencies after binding instructions from the competent authorities; obstruction of inspections or supervisory activities ordered by the competent authority after a violation has been identified; and providing false or seriously inaccurate information.
Information Security Supervisor and Future Developments
An information security supervisor may be assigned to an organization by the President of the Authority from among its staff, potentially to multiple organizations at once if justified. Assignments are for a fixed term and may be extended once before expiry, depending on the severity of the breach and necessary protective measures. The appointment decision includes the purpose, scope, relevant personal details, reasons, duration, and frequency of duties. The supervisor is entitled to request verbal and written information, propose corrective actions, and suggest policy reviews. The organization’s leadership and staff must cooperate and provide all required data and documents.
This piece of legislation is one of the last missing elements needed to complete the NIS2-related cybersecurity regulatory framework. However, we are aware of proposed amendments to the Cybersecurity Act, which are currently pending adoption before the Hungarian Parliament.
By Tamas Bereczki and Adam Liber, Partners, Provaris