Hungarian companies are being hit by a wave of EU tech rules, according to BLB Legal Managing Partner Adam Liber, who stresses how this wave is reshaping the compliance function.
“The intersection of EU digital regulation and local implementation is creating an enormous amount of work across sectors,” Liber begins. “At the moment, there are four particularly important frameworks that are reshaping compliance requirements for Hungarian companies: NIS2 Directive, EU AI Act, Digital Services Act, EU Data Act. Each of these is at a different stage of implementation, but together they form a comprehensive shift in how data, cybersecurity, and technology are regulated.”
Starting with cybersecurity and the NIS2 Directive, Liber says that Hungary has “transposed much of the framework already, and companies operating in sensitive sectors such as critical infrastructure and other high-risk industries are now required to comply with stringent cybersecurity obligations. These include concluding agreements with cybersecurity auditors registered by the national authority, the Hungary Supervisory Authority of Regulatory Affairs (SZTFH) – Hungary’s cybersecurity agency for the private sector – and follow a two-year mandatory audit cycle.” According to Liber, third-party auditors conduct security assessments and submit audit reports directly to the SZTFH. In parallel, regarding entities designated as critical organizations or as significant for the country’s defense and security, only a person who meets the statutory qualification requirements may act as Chief Information Security Officer; only a registered person may act before the authority. “While these are positive steps toward standardization, many businesses have found the process slow, especially when it comes to vendor screening and supply chain compliance,” Liber opines. “The authority’s responsiveness hasn’t quite met business expectations, which adds friction in an already demanding compliance environment.”
Furthermore, Liber reports that the EU AI Act mostly applies from August 2, 2026, but it’s already causing a stir. "It requires providers to classify each AI system they place on the market or put into service; high-risk systems must be registered in the EU database before placing them on the market or putting them into service. Deployers must also determine whether the system they use is high-risk and comply with deployer obligations. The relevant obligations apply across the AI value chain, and compliance costs could be significant. For instance, certain estimates state that ensuring compliance for a single high-risk AI application could cost around EUR 400,000 for a mid-sized business. Non-compliance penalties are steep too, up to 7% of global turnover,” he explains. In practice, this means companies will need comprehensive AI governance systems, with internal controls for procurement, data use, and model validation. “Contracts will increasingly require AI-related clauses, for example, warranties that data has not been used for model training without a legal basis. The overlap with GDPR is another major concern, since both frameworks overlap significantly,” Liber says. The Hungarian legislature has already issued the local implementation act to meet the August 2026 deadline. "While there’s talk of minor delays, the hard date remains firm, so we’re advising clients to start their compliance projects now rather than later."
Additionally, Liber indicates that the Digital Services Act is another important piece of the puzzle. “The National Media and Infocommunications Authority has been tasked with enforcement as a Digital Services Coordinator and is currently collecting input from affected businesses. The DSA applies to providers of intermediary services, including hosting providers, access providers, and online platforms." According to him, even though Hungary doesn’t host very large online platforms, “many local companies are discovering they fall under the DSA’s scope because of the services they provide; we’re frequently asked to audit websites, assess whether they qualify under the DSA, and help companies understand their obligations." Moreover, e-commerce service providers fall within the scope of the European Accessibility Act, which applies from June 28, 2025. It requires certain digital services, including e-commerce services, to comply with accessibility requirements for persons with disabilities. In practice, compliance levels remain low.”
Finally, the EU Data Act, applicable from September 12, 2025, has also added new layers of complexity. “It governs access to and sharing of data from connected devices, everything from vehicles to smart appliances such as refrigerators and coffee machines, even,” Liber says. “Manufacturers must provide users with direct access to both personal and non-personal data, which requires entirely new data governance mechanisms. Many businesses are still unaware that they’re covered, and knowledge gaps are significant. Earlier speculation about deadline extensions did not materialize. There is still no official announcement from the Hungarian legislator on the designation of the competent authority or the data coordinator, so preparations must proceed amid uncertainty,” he concludes.
