SZTFH DECREES ON THE SUPERVISORY FEE, THE RULES OF CONDUCTING CYBERSECURITY AUDITS AND THE AUDIT FEE CAPS WERE PUBLISHED
I. INTRODUCTION
On January 31, 2025, two decrees of the president of the Supervisory Authority for Regulated Activities (Hungarian acronym: “SZTFH”), namely SZTFH Decree No. 1/2025. (I. 31.) on the Rules of Conducting a Cybersecurity Audit and the Maximum Fee of a Cybersecurity Audit (hereinafter: “Audit Decree”) and SZTFH Decree No. 2/2025. (I. 31.) on the Cybersecurity Supervisory Fee (hereinafter: “Supervisory Decree”) were published. Publication of these decrees has been long anticipated in the implementation process of Directive 2022/2555 of the European Parliament and the Council (the so-called NIS2 Directive).
The Audit Decree entered into force on February 3, 2025, whereas most rules of the SupervisoryDecree will enter into force on March 3, 2025. The SupervisoryDecree contains provisional rules for years 2024 and 2025 to assist companies in their preparation for the application of the Supervisory Decree and to provide ample time for the fulfilment of their payment and other obligations.
II. AUDIT DECREE
The Audit Decree contains detailed rules on conducting cybersecurity audits and on the respective obligations of the auditors as well as the companies concerned.
Annexes I-III of the Audit Decree contain essential information for companies affected, with Annex I includes a template for the register on the classification of electronic information systems (hereinafter: “EIS”), and Annex II includes a questionnaire to be completed with company information. Both must be prepared in advance and shared with the auditors during the contracting process.
The classification criteria for EIS guides companies that are required to apply when they prepare their EIS register in accordance with Annex I of the Audit Decree, are determined by Annex I of Decree No. 7/2024 of the Cabinet Chief of the Prime Minister on the Requirements for Security Classification and the Specific Security Measures Applicable for Each Security Class.
Annex III regulates the audit fee caps, which are calculated based on the following four factors:
- Base amount: HUF 1,750,000 (one million seven hundred and fifty thousand Hungarian Forints);
- Net turnover of the company in the prior financial year (based on which companies are divided into seven categories);
- Quantity of EIS (divided into three categories);
- Security class of EIS (divided into three categories).
III.1. GENERAL RULES OF THE SUPERVISORY DECREE
The SupervisoryDecree regulates two main topics relevant for all companies that are required to pay a cybersecurity supervisory fee:
- the amount of the cybersecurity supervisory fee; and
- the general rules of payment of the supervisory fee.
Under the general rule, the supervisory fee is determined based on the company’s net turnover in the prior financial year [calculated on the basis of the company’s last annual report published in accordance with Act C of 2000 on Accounting (hereinafter: “Accounting Act”)], as follows:
| Net Turnover (HUF) | Supervisory Fee (% of Net Turnover) | Supervisory Fee Maximum (HUF |
| < 20,000,000,000 | 0.00015% | - |
| ≥ 20,000,000,000 | 0.0015% | 10,000,000 |
If the company did not have a net turnover in the prior financial year, the supervisory fee shall be calculated based on the pro-rated amount of the prevailing year’s projected turnover (subject to the above thresholds and associated percentages), which must be reported to SZTFH by February 28 of the subject year.
Special rules apply if the company is party to a recognized group of companies or a de facto group of companies as defined by Act V of 2013 on the Civil Code or a group of companies included in consolidation in accordance with the Accounting Act, meaning that the company must inform SZTFH of such status until January 31 of the year concerned.
Based on the above, SZTFH will notify companies of the amounts of the supervisory fee to be paid by March 31 of each year. In case of a group of companies, the companies may file a joint declaration if – based on the supervisory fee communicated by the authority for each company concerned – individual payment of the supervisory fees would result in the whole group having to pay over HUF 50,000,000 (fifty million Hungarian Forints i.e., the maximum amount defined by Act LXIX of 2024 on Hungary’s Cybersecurity). This joint declaration can be filed no later than April 30 of each year.
Taking these procedural steps into consideration, the payment deadline for the supervisory fee will be May 31 each year. The fee must be paid via bank transfer to SZTFH’s bank account stated in the Supervisory Decree.
III.2. PROVISIONAL RULES OF THE SUPERVISORY DECREE
As referenced above, the Supervisory Decree includes provisional rules for years 2024 and 2025, both regarding the amount as well as the payment deadline of the supervisory fee.
For 2024, the amount of the supervisory fee will be determined by SZTFH based on the company's annual report published for the last financial year prior to 2024. The fee will only have to be paid for the period between October 18, 2024, and December 31, 2024. If the company does not have an annual report published prior to 2024, it will not be required to pay any supervisory fee for 2024.
Other provisional rules for years 2024 and 2025 pertain to these respective deadlines, as follows:
- declaration on participation in a group of companies must be filed until March 15, 2025;
- deadline for declaring pro-rata amounts based on the prior year’s projected turnover (if applicable) is March 31, 2025;
- SZTFH will notify all companies of the amount of the supervisory fee payable for years 2024 and 2025 until May 31, 2025;
- the deadline for groups of companies to file a joint declaration is June 30, 2025; and
- for years 2024 and 2025, the payment deadline of the supervisory fee is July 31, 2025.
***
If you have any further questions, please feel free to contact KNP LAW.
