Under the latest amendment to Act LXIX of 2024 ("Cybersecurity Act"), enterprises that qualify as large enterprises solely due to their partner or linked enterprises but do not, on their own, meet the thresholds for medium-sized enterprises are now excluded from the scope of the Cybersecurity Act.
This legislative change may benefit smaller Hungarian subsidiaries of large enterprises. However, organizations that qualify as medium-sized enterprises (as the case may be, including those whose medium-enterprise status results from their affiliation with other group members) remain subject to the regulation.
Recommended actions
Organizations previously within the scope of the Cybersecurity Act are advised to reassess whether they continue to be covered under the amended rules.
If, following this assessment, an organization determines that it no longer qualifies as subject to the Cybersecurity Act, it should initiate deregistration from the relevant register of the Supervisory Authority for Regulatory Affairs (Szabályozott Tevékenységek Felügyeleti Hatósága; SZTFH). Organizations that have already submitted a registration application but have not yet been entered into the SZTFH’s register should likewise consider withdrawing their application without delay.
In more detail
From 6 January 2026, as a general rule, private sector organizations performing an activity covered by the Cybersecurity Act will fall within its scope only if they meet either of the following conditions:
- The organization qualifies as a medium-sized enterprise under the Hungarian Act on Small and Medium-Sized Enterprises and the Promotion of Their Development ("SME Act").
- The organization employs at least 50 people or has a net turnover and balance sheet exceeding EUR 10 million.
Under the amendment, the Cybersecurity Act no longer applies to enterprises that were considered large enterprises solely due to their partner or linked enterprises, where they do not independently meet the thresholds for medium-sized enterprises. However, organizations that qualify as medium-sized enterprises (either on their own or due to their linked or partner enterprises) remain subject to the regulation.
If an organization ceases to meet any of the above conditions, it will be removed from the scope of the Cybersecurity Act at the end of the second year after those conditions no longer apply. Organizations that fall outside the scope of the Cybersecurity Act as a direct result of the amendment (i.e., those that have never met the aforementioned conditions) should engage with the SZTFH to arrange their removal. This is necessary because the amendment does not clearly regulate the procedure for this specific scenario.
This amendment may particularly benefit international corporate groups with Hungarian subsidiaries that do not qualify as medium-sized enterprises and were previously deemed large solely due to their affiliated companies (e.g., smaller sales offices, service centers, software development teams, or distribution centers with a net turnover of less than EUR 10 million and fewer than 50 employees). Naturally, the same applies to Hungarian company groups if any of their subsidiaries, which would otherwise be considered micro or small enterprises on the basis of their size, are considered large enterprises solely because of their company group and have thus been subject to the regulation.
These amendments do not affect organizations that fall under the Cybersecurity Act for reasons unrelated to their qualification under the SME Act, such as entities designated by the cybersecurity authority due to specific circumstances.
By Csaba Vari, Counsel, and Gaal Andras, Associate, Baker McKenzie
