Navigating Hungary's Digital Landscape: Key Compliance Insights for Cybersecurity, AI, and Data Privacy
Hungary's digital environment is rapidly evolving, driven by new EU directives and national legislative initiatives aimed at enhancing cybersecurity, regulating artificial intelligence, and strengthening data protection. For businesses operating in or with ties to Hungary, understanding and adapting to this complex and dynamic regulatory landscape is crucial for ensuring compliance and mitigating risks. This article provides a comprehensive overview of the key developments and compliance imperatives in these interconnected fields.
The Evolving Cybersecurity Framework
Hungary has significantly updated its cybersecurity legislation, primarily in response to the EU's NIS2 Directive. This has led to the enactment of Act No LXIX of 2024 on Hungary's Cybersecurity (the "2024 Cybersecurity Act") and Act No LXXXIV of 2024 on the Resilience of Critical Organisations (the "Critical Infrastructure Act"), both effective from January 1, 2025. These acts repeal previous legislation, aiming to unify and strengthen the legal framework against cyberattacks and to protect critical infrastructure.
Key Obligations for Organizations:
- Scope of Application: The 2024 Cybersecurity Act applies to organizations established in Hungary, those represented by a local representative, electronic communications service providers, and various digital service providers (e.g., cloud, data center, online marketplace operators) whose main business establishment is in Hungary. Non-Hungarian organizations must appoint a local representative.
- Risk Management and Audits: Organizations must implement cybersecurity risk management measures, classify their electronic information systems into "basic," "significant," or "high" security classes, and conduct mandatory cybersecurity audits every two years. These audits verify classification and the adequacy of protective measures. The audit methodology and fees are still awaiting publication.
- Incident Reporting: Entities are required to report cybersecurity incidents that significantly disrupt operations, cause substantial financial harm, or result in significant damage to others. An initial report must be submitted within 24 hours of awareness, followed by an updated notification within 72 hours, and a detailed final report within one month.
- Internal Governance: The head of the entity must ensure cybersecurity training for staff, participation in national exercises, traceability of events, and contractual compliance from third-party service providers. A Chief Resilience Officer (CRO) must be established within critical organizations within 90 days of designation, responsible for coordinating with authorities and evaluating resilience plans.
- Budget Allocation: Applicable organizations must allocate at least 5% of their annual IT development budget to cybersecurity improvements.
- Financial Sector Specifics: The financial sector is subject to stringent requirements, including the upcoming DORA regulation (effective January 17, 2025) and existing Government Decree 42/2015. The Hungarian National Bank (MNB) rigorously supervises compliance, issuing extensive guidance and conducting thorough IT audits.
- Healthcare Sector: Public and private healthcare providers must comply with strict requirements for IT systems connected to the Electronic Health Service Space (EESZT), covering secure access, identification, and communication protection.
Supervisory Authorities: The Supervisory Authority for Regulated Activities (SZTFH) and the Special Service for National Security (NBSZ) are the key regulators. The NBSZ supervises public administration bodies and state-owned enterprises, while the SZTFH oversees entities covered by Annexes 2 and 3 of the 2024 Cybersecurity Act. Monetary fines for non-compliance can be substantial, reaching up to EUR 10 million or 2% of global annual turnover for essential entities.
Rigorous Data Protection and Privacy Enforcement
The National Authority for Data Protection and Freedom of Information (NAIH) plays a significant role in enforcing data protection in Hungary and is known for its rigorous and stringent approach. By headcount, NAIH is one of the largest data protection authorities in the EU.
Key Enforcement Trends and Practices:
- GDPR Compliance: Organizations must comply with the GDPR, including privacy by design, privacy by default, and data security requirements (Article 32 GDPR).
- Common Violations: NAIH investigations often focus on employment-related issues, CCTV, health data processing, banking, insurance, debt enforcement, voice recording by customer services, and data subject rights (e.g., right to access, withdrawal of consent). Inappropriate legal bases, lack of transparency, non-compliance with purpose limitation and data minimization principles, and insufficient data security are leading causes for fines.
- Significant Fines in Practice:
  - In 2024, a bank was fined approximately EUR 145,000 for deficiencies in camera warning signs, emphasizing the need for detailed and accessible privacy information.
  - In 2022, the NAIH imposed a fine of approximately EUR 650,000 on a major bank for using emotion analysis software in customer care, deeming it disproportionate to data subjects' fundamental rights and lacking transparency. This decision highlights NAIH's strict stance on AI applications involving automated decision-making and profiling.
  - A leading media service provider was fined approximately EUR 25,000 for non-compliant cookie management and "dark patterns" in cookie banners, stressing the need for clear, fair, and easily withdrawable consent.
  - In the "Digi Case," an electronic communications service provider was fined EUR 250,000 (later reduced to EUR 208,000) for a personal data breach caused by a long-standing website vulnerability, underscoring the importance of addressing security flaws and of timely incident reporting.
- Data Sovereignty and International Transfers: NAIH has expressed concerns regarding data sovereignty and national security risks related to international personal data transfers, particularly for sensitive data like political opinions stored abroad. Transfers require explicit consent, adequate data protection measures, and compliant data protection legislation in the recipient country.
- Data Protection Officers (DPOs): The appointment of a DPO is mandatory for certain entities, consistent with GDPR requirements. DPOs have a specific and permanent confidentiality obligation and are expected to interact regularly with the NAIH through an annual "conference of DPOs".
- Transparency: NAIH strictly requires clear, detailed, and easy-to-comprehend privacy notices that specify data processing purposes, legal bases, and retention periods.
The Intersection of Cybersecurity and AI
While Hungary has not yet established a dedicated AI supervisory authority (apart from the NAIH overseeing data protection aspects), the EU AI Act is a transformative regulatory shift that will redefine compliance for businesses. Hungary is still in the process of defining its national implementation plans.
- Existing Regulations Apply: The 2024 Cybersecurity Act's requirements for administrative bodies and essential/important entities also apply to software and system development, including AI solutions.
- NAIH's Role in AI: The NAIH has a marked focus on AI as a high-risk data processing activity, emphasizing GDPR compliance for AI and machine learning applications, especially those involving automated decision-making and profiling. This includes conducting thorough data protection impact assessments (DPIAs). The NAIH is also investigating ChatGPT in coordination with other EU authorities.
- Hungarian AI Council: The establishment of the Hungarian Artificial Intelligence Council is anticipated, comprising members from various authorities, which will issue guidelines and opinions on AI Act implementation.
- Market Competition: The Hungarian Competition Authority (HCA) has conducted market analyses on AI's potential to distort market competition and increase consumer vulnerability, advocating for targeted interventions to support local AI development and ensure fairness, transparency, and accountability.
- Cybersecurity Skill Gap: The country is actively addressing a cybersecurity skills gap through a national strategy developed by CyberHub Hungary, aiming to support students, professionals, and industry players, and aligning training with industry trends. This is crucial for developing and securing AI solutions.
Challenges and Future Outlook
The sheer volume and complexity of new and overlapping regulations, such as NIS2, DORA, and the EU AI Act, present significant challenges for organizations, especially for compliance, cybersecurity, and risk management teams. Hungary's commitment to digital transformation, as seen in its Digital Citizenship Program with e-identification and digital contract signing, further underscores the need for robust compliance frameworks.
Despite the comprehensive legislative efforts, challenges remain. Concerns have been raised about the independence of national regulatory bodies such as the NAIH and the National Media and Communications Authority (NMHH). Government surveillance, restrictions on online anonymity, and authorities' access to encrypted content also remain subjects of debate. Moreover, incidents such as the July 2024 large-scale hacking attack that leaked the data of 800,000 Hungarians highlight the persistent threat landscape, and independent media outlets have faced DDoS attacks.
For businesses operating in Hungary, the path forward requires:
- Proactive Monitoring: Continuously monitor national legislation, regulatory guidance, and enforcement timelines, as the implementation of these directives is ongoing and evolving.
- Holistic Compliance Strategy: Develop an integrated compliance strategy that addresses the interconnected requirements of cybersecurity, data protection, and AI, ensuring internal accountability, robust documentation, and audit readiness.
- Engagement with Authorities: Engage with local authorities and industry groups to stay informed and potentially influence the practical application of new regulations.
Hungary's commitment to a secure digital ecosystem is evident in its legislative and strategic initiatives. By embracing these changes and adopting a proactive, comprehensive compliance approach, organizations can navigate the complexities and contribute to a more resilient and trustworthy digital future in Hungary and the broader EU.