New Cybersecurity Act: What New Obligations Arise from the Transposition of the NIS 2 Directive?
The new Cybersecurity Act, which entered into force on 1 January 2025, primarily serves to ensure compliance with the provisions of the NIS 2 Directive.
In today's increasingly digitalised environment, a significant portion of an organisation's operations takes place within electronic information systems and cyberspace. Therefore, the purpose of the Act is to ensure cyber protection of electronic information systems used by the entities falling under its scope.
As with previous legislation, the new regulation assigns non-transferable responsibility to the head of the organisation to comply with cybersecurity-related legal obligations and to fulfil such obligations through a duly designated cybersecurity authority. The head of the organisation bears a complex responsibility: they must determine not only whether their organisation falls within the scope of the new law but also whether it qualifies as an essential or an important entity under the criteria set out in the legislation.
The new law significantly broadens the scope of entities subject to cybersecurity obligations. Within the affected organisations, classification as either essential or important depends on the criticality of the services they provide to the functioning of the state, society, and the economy, and, in certain cases, also on the size of the organisation.
Examples of essential entities include:
Public sector bodies, such as central government agencies, the Sándor Palace (Office of the President), the Office of the National Assembly, the Constitutional Court, the judiciary, and the prosecution service.
State-controlled economic operators classified at least as medium-sized enterprises.
The important entities category includes:
Organisations identified as important by the national cybersecurity authority,
Operators and service providers active in high-risk or sensitive sectors.
The NIS 2 Directive, and accordingly the new Hungarian law, affects a wider range of sectors compared to the previous framework. In addition to sectors already covered under NIS 1, such as energy, transport, healthcare, finance, water management, and digital infrastructure, the new rules now also apply to:
Public electronic communications services providers,
Various digital service providers (including social media platforms),
Wastewater and waste management operators,
Manufacturers of critical products,
Postal and courier service providers.
The primary duty of affected entities is to ensure the confidentiality, integrity, and availability of data and information managed within electronic information systems, as well as the integrity and availability of the system components throughout their entire lifecycle. This protection must be closed, comprehensive, continuous, and proportionate to the risks involved.
To fulfil this duty, the legislation imposes several sub-obligations, including:
Data classification requirements,
Security level classification of systems.
Responsibility for compliance lies with a dedicated internal staff member or an external service provider. Affected entities must also undergo a cybersecurity audit every two years to demonstrate compliance with legal cybersecurity requirements.
One of the most pressing concerns for affected organisations is naturally the potential sanctions in the event of non-compliance. Initially, the competent authority may impose lighter penalties, such as warnings or the appointment of an information security supervisor. However, in cases of repeated non-compliance, substantial administrative fines may be imposed.
According to government decree (issued in alignment with NIS 2), the maximum fine amounts are as follows:
For important entities: up to 1.4% of the organisation’s worldwide annual turnover from the previous financial year, with a minimum of EUR 7 million (or the HUF equivalent).
For essential entities: up to 2% of the worldwide annual turnover, with a minimum of EUR 10 million (or the HUF equivalent).
In case of repeated infringements, the fine may be imposed again.
It is therefore of utmost importance that potentially affected organisations promptly assess whether they fall within the scope of the new Act and, if so, what specific obligations they are required to fulfil. This proactive approach is essential to avoid legal exposure and financial penalties stemming from non-compliance.