EU Cyber Resilience Act’s implementing provisions published in the Hungarian Official Journal

The Hungarian legislature recently passed Act CXXXV of 2025 on the Implementation of the Cyber Resilience Act (Regulation (EU) 2024/2847).

The following article outlines the basic provisions of this Act.

Designation of notifying and market surveillance authority

The Supervisory Authority for Regulatory Affairs (SZTFH) will act as both the notifying authority and the market surveillance authority. The Act sets forth the detailed procedural rules concerning the notification and market surveillance activities.

Fine amounts

• Non-compliance with the fundamental cybersecurity requirements laid down in the Cyber Resilience Act, as well as certain obligations applicable to manufacturers will be subject to fines ranging from HUF 500,000 (approximately EUR 1,285) to EUR 15 million or, in case of companies, up to 2.5% of their total worldwide annual turnover for the preceding financial year, or whichever is higher.
• Non-compliance with certain obligations (e.g. EU declaration of conformity, CE marking, technical documentation, etc.) applicable to manufacturers, importers and distributors will be subject to fines ranging from HUF 500,000 (EUR 1,285) to EUR 10 million or, in case of companies, up to 2% of their total worldwide annual turnover for the preceding financial year, or whichever is higher.
• Provision of incorrect, incomplete or misleading information to notified conformity assessment bodies or to the SZTFH, in its capacity as the market surveillance authority, will be subject to fines ranging from HUF 500,000 (EUR 1,285) to EUR 5 million or, in case of companies, up to 1% of their total worldwide annual turnover for the preceding financial year, or whichever is higher.

In case of repeated infringements, the amount of the fine may not be less than 1.5 times the amount of the fine previously imposed. The fine thus determined, however, may not exceed the maximum amounts specified above.

Cyber Resilience Act

The Cyber Resilience Act lays down basic and harmonised rules to ensure adequate cybersecurity for products with digital elements (e.g. health monitoring personal wearable products, Internet connected toys, smart home products, operating systems, VPNs, antivirus software, etc.). To this end, it includes essential cybersecurity requirements for the design, development and production of products with digital elements and related vulnerability handling processes.

Next steps

The provisions on the detailed rules of the notifying authority’s activities will enter into force on 11 June 2026. The provisions on the detailed rules of market surveillance activities and fines will enter into force on 11 December 2027.

The official text of the Act is available here (available only in Hungarian).

For advice on Hungarian cybersecurity obligations under the Cyber Resilience Act, contact your CMS client partner or the CMS experts who contributed to this article.

The article was co-authored by János Bálint.