
22 August 2025
newsletter
hungary

Cybersecurity in Hungary: How to Avoid Million-Forint Fines in 2025

Cybersecurity regulations in Hungary have become significantly stricter in 2025, affecting business entities. Compliance with the new rules is crucial, as the deadline for cybersecurity audits is approaching and non-compliance may result in substantial fines.

Stricter Regulations, New Requirements

Cybersecurity regulation in 2025 has reached a new level under Government Decree 189/2025 (VII. 3.), Government Decree 418/2024 (XII. 23.) and Act LXIX of 2024. These laws impose stricter compliance requirements, emphasising the role of cybersecurity in protecting digital infrastructures.

Ongoing Official Notifications

The Supervisory Authority for Regulated Activities (SZTFH) has already started sending official notifications via e-Papír, drawing attention to the obligation to conclude contracts. Every affected organisation will receive an official notice and must report the conclusion of the contract to the authority by 15 September 2025. Failure to comply may have serious consequences.

The Three Main Pillars of the Regulation

The new requirements focus on three key areas:

  1. Conclusion of an audit contract: Every affected organisation must conclude a contract with an officially accredited auditor. Failure to do so may result in a fine of 1-15 million forints, making contract conclusion the first and most important step towards compliance.
  2. Conducting a cybersecurity audit: The contract alone is not sufficient. The actual audit must be carried out by 30 June 2026. Failure to conduct the audit may result in severe sanctions, including a fine of up to 2% of the previous year's revenue, but at least 1 million and up to 150 million forints.
  3. Reporting information security incidents: All significant incidents must be reported to the National Cybersecurity Incident Response Centre (NKI) without undue delay, but no later than 24 hours after detection. Failure to comply with the reporting obligation may result in a fine ranging from 500,000 to 5 million forints. Incidents must be recorded. If an incident is not reported, the decision must be justified in the event of an official investigation.

How to Prepare?

To ensure compliance, organisations must adopt a comprehensive, systematic approach:

  • Contract conclusion: Conclude a contract with an accredited auditor in time to avoid fines.
  • Audit scheduling: Plan the timing of audits carefully to ensure they are completed by 30 June 2026.
  • Incident management: Establish and maintain a record of information security incidents and ensure prompt reporting to the NKI.

Why is Proactive Compliance Important?

Due to strict regulations and high fines, compliance is not only a legal obligation but also a business imperative. A proactive approach reduces financial and reputational risks while strengthening the organisation's cybersecurity defences. Proper preparation and strict adherence to the rules contribute to stable and secure operations in the long term.

authors: Adrián Menczelesz, Klaudia Krebsz

Adrián Menczelesz, Attorney at Law