The Hungarian Parliament has adopted Act No. CXXXV of 2025 on the Hungarian implementation of the European Union’s Cyber Resilience Regulation and the amendment of certain cybersecurity provisions. Key changes include a modification of the scope of the law and the designation of the SzTFH (Szabályozott Tevékenységek Felügyeleti Hatósága – Supervisory Authority for Regulated Activities) as both the notifying authority and the market surveillance authority. In addition, a significant amendment was introduced to Act LX of 2025 on Certain Court Proceedings and Liquidation Concerning Legal Entities, empowering courts to temporarily prohibit chief executive officers from performing their executive duties in specific cases based on a final decision of the SzTFH.
- NIS2 Scope Modification
The amendment significantly narrows the scope of affected entities by introducing a clarifying provision under which the law applies only to NIS2-relevant organizations that qualify as medium-sized enterprises under Hungarian SME legislation, or—regardless of SME classification—to organizations that meet at least one of the following thresholds: (i) they employ 50 or more persons, or (ii) their annual net turnover or annual budgeted revenue exceeds the HUF equivalent of EUR 10 million and, where the organization is required to prepare annual financial statements under the Hungarian Accounting Act, its balance sheet total also exceeds the HUF equivalent of EUR 10 million.
Where an organization falls within the scope of the law but the qualifying condition (such as headcount or financial thresholds) subsequently ceases to apply, the organization does not immediately exit the scope of the law; instead, it remains subject to the law until the end of the second calendar year following the year in which the relevant condition ceased to exist.
The law does not address situations in which organizations previously fell within its scope but, due to the amended criteria, are no longer subject to it, despite having already initiated compliance measures and/or conducted an audit, engaged an audit firm, and incurred audit-related costs.
These provisions entered into force on 6 January 2025.
- SzTFH as the notifying authority and market surveillance authority in line with the provisions of the Cyber Resilience Act
The amendment introduces detailed provisions into the Hungarian Cybersecurity Act stipulating that conformity assessment activities may be performed only by organizations that meet the strict criteria set out in the EU Cyber Resilience Act and are officially registered by the SzTFH. In this framework, the SzTFH acts as the notifying authority, conducts a formal (non-summary) administrative procedure with a statutory deadline of 120 days, and defines detailed registration, compliance, and verification requirements by decree. Any person may report conflicts of interest to the SzTFH; reported or self-identified conflicts must be immediately suspended, reported, and remedied by the affected organization. The SzTFH reviews corrective measures within eight days and, depending on the outcome, may permit continued activity, suspend the notification, or withdraw it. If conformity assessments were conducted while an unresolved conflict of interest existed, the SzTFH may require the withdrawal of the assessment results and related certificates, except where an independent reassessment conducted within 30 days confirms the same outcome. These provisions will enter into force on 11 June 2026.
In addition, the amendment designates the SzTFH as Hungary’s general market surveillance authority for matters falling under the EU Cyber Resilience Act. In this role, the SzTFH applies the national product market surveillance framework, subject to the specific additions and deviations prescribed by EU and Hungarian law. Market surveillance procedures follow the general administrative procedure rules; however, the SzTFH may suspend a proceeding where the decision depends on another authority’s competence or on a closely related SzTFH decision or procedure without which the case cannot be properly resolved. These provisions will enter into force on 11 December 2027.
- Court-Ordered Ban of Executives Based on Cybersecurity Authority Decision
The amendments introduce a new sanction applicable to executives and establish provisions under which, if the cybersecurity authority issues a final decision finding that a non-public essential entity has failed to comply with a mandatory cybersecurity order within the prescribed deadline, the court must, within 15 working days and acting ex officio, prohibit the responsible executive from performing executive duties for the period specified by the authority, up to a maximum of five years. This prohibition is imposed solely on the basis of the authority’s final decision, and the court’s final ruling must be published in the official Company Gazette (Cégközlöny). The relevant provisions will enter into force on 1 January 2027.
By Tamas Bereczki and Adam Liber, Partners, BLB Legal

