Hungary: Draft law on the cybersecurity advances to Legislative Committee
On December 4, 2024, the Parliament of Hungary published a notice that the draft law on the cybersecurity of Hungary had been cleared to advance to the Legislative Committee. The draft law had been submitted to the Parliament on October 29, 2024.
Scope
The draft law outlines that it would apply to the electronic information systems of organizations including, among others, those:
- belonging to the public administration sector;
- under majority state influence;
- identified by the national cybersecurity authority as essential or important organizations;
- certain organizations in particularly risky sectors, such as energy, transportation, healthcare, and outsourced ICT services; and
- certain organizations in risky sectors, such as digital service providers.
Moreover, the draft law would apply to, among others, electronic communication service providers providing services in the territory of Hungary.
General principles
The draft law highlights that, throughout the entire life cycle of the electronic information systems it covers, the following must be implemented and ensured:
- the confidentiality, integrity, and availability of the data and information managed in the electronic information system, and of the services provided by or accessible through it; and
- the integrity and availability of the elements of the electronic information system, ensuring closed, comprehensive, continuous, and risk-proportionate protection.
Obligations of essential and important organizations
The draft law enumerates obligations placed on essential and important organizations, including:
- operating a risk management framework;
- assessing the adequacy of the protection measures in place;
- periodically reviewing those measures and carrying out training and awareness raising; and
- responding to cybersecurity incidents and notifying the cybersecurity incident management center of them.
Mandatory classification and appointment of responsible person
The draft law requires organizations to classify the data managed in their electronic information systems according to confidentiality, integrity, and availability, and to classify the system into a security class ('basic,' 'significant,' or 'high').
Moreover, the draft law requires the appointment of a person responsible for the protection of the electronic information system, for operating the risk management framework, for reporting cybersecurity incidents, and for maintaining contact with the cybersecurity incident management center.
Vulnerability assessment, reporting of cybersecurity incidents, and certifications
The draft law foresees, among other things:
- the cases in which vulnerability assessment and testing may be required;
- the management of cybersecurity incidents, including the responsibilities of the national cybersecurity incident management center, the prevention tools organizations are required to use, and reporting obligations; and
- the establishment of cybersecurity certification, including a national cybersecurity certification scheme, compliance statements, and conformity assessments.
Oversight and enforcement
The draft law clarifies that cybersecurity oversight may be carried out by, among other bodies, the national cybersecurity authority, and it includes provisions on that authority's tasks and responsibilities.
According to the draft law, the legal consequences of a violation include warnings, fines, mandatory disclosure to service users, and a possible prohibition on continuing to provide the service.
Other key provisions
Moreover, the draft law includes other key provisions on, among other things:
- education and training related to cybersecurity;
- the development of the security of electronic information systems, including, at the design stage of the life cycle, the classification of the data the system is planned to handle and the security class, both of which must be submitted to the national cybersecurity authority for approval;
- certain special provisions on support systems, central systems, and systems provided by central service providers; and
- the use of, and conditions for, post-quantum encryption throughout the entire life cycle of the electronic information system.
Entry into force
If adopted, the draft law, with the exception of a section on a provisional transition, would enter into force on January 1, 2025; that section would enter into force on June 1, 2025.
The text of the draft law and the record of its progress through Parliament are available only in Hungarian.