NIS2 UPDATE

ADDITIONAL CYBERSECURITY REGULATIONS PUBLISHED

Two new cybersecurity regulations were published in the Hungarian Gazette on April 17, 2025. The regulations, issued by the Supervisory Authority for Regulated Activities (hereinafter: "SZTFH"), establish detailed rules concerning cybersecurity supervision, task execution, official inspections, and the role of the Information Security Supervisor.

Regulation 3/2025 (IV. 17.) SZTFH sets out the detailed rules for cybersecurity supervision and task execution, the conduct of official inspections, and the role of the Information Security Supervisor (hereinafter: "Supervision Regulation"). It also outlines specific procedural details for the authority’s actions in cybersecurity oversight.

Regulation 4/2025 (IV. 17.) SZTFH, regarding amendments to regulations within the Authority's scope (hereinafter: "Amendment Regulation"), introduces changes primarily related to other licensable activities under SZTFH’s jurisdiction, and amends numerous earlier SZTFH regulations in the field of cybersecurity.

I. CYBERSECURITY SUPERVISION AND OFFICIAL INSPECTION

The Supervision Regulation outlines provisions related to cybersecurity supervision, task performance, and rules of official inspections. Based on this, the SZTFH is authorized to monitor and oversee the cybersecurity measures and risk management of the relevant organizations. SZTFH may also conduct inspections, request data and documents, impose additional security requirements, and order extraordinary audits if necessary.

During the supervision process, SZTFH may enter premises related to the subject organization's IT activities, conduct inspections and technical reviews at locations where data processing occurs, and examine or copy any documents related to electronic information security.

The organization subject to inspection is required to cooperate with SZTFH. The person responsible for cybersecurity must be present during on-site inspections. SZTFH prepares an official record of the inspection, which is either handed over on-site or sent by mail within 8 days. The inspected organization may submit written comments on the official record within 15 days.

II. INFORMATION SECURITY SUPERVISOR

The Information Security Supervisor is appointed to an organization by the president of the SZTFH from among its staff members.

The Information Security Supervisor is entitled to the following:

• Request written or verbal information from any executive or employee of the organization, to be recorded in a report;
• Recommend measures to establish or restore lawful operation and review related internal policies.

The Regulation does not clarify whether the appointment of an Information Security Supervisor is mandatory for all organizations or only in cases of cybersecurity violations. The appointment order includes the purpose, subject, relevant circumstances, and identification details for the assignment.

III. THE AMENDMENT REGULATION

Act LXIX of 2024 on Cybersecurity in Hungary (hereinafter: "Cybersecurity Act") entered into force on January 1, 2025. Consequently, updates to the wording of several earlier issued SZTFH regulations were required, which have been implemented by the Amendment Regulation.

Among others, the Amendment Regulation updated references to the now-repealed legislation in the following regulations:

• Regulation 10/2023 (V. 15.) SZTFH on the cybersecurity certification of information and communication technologies;
• Regulation 15/2023 (VII. 31.) SZTFH on administrative service fees for SZTFH procedures related to cybersecurity responsibilities;
• Regulation 7/2024 (VI. 24.) SZTFH on the registry of auditors authorized to carry out cybersecurity audits and the requirements for auditors;
• Regulation 10/2024 (VIII. 8.) SZTFH on the national cybersecurity certification scheme for IoT devices;
• Regulation 12/2024 (VIII. 15.) SZTFH on the registry of ESG reports, ESG rating agencies, and ESG software.

***

Please contact us if you have any questions.