Hungary’s data authority issues specific requirements for breach management and website security
Hungary’s Data Protection Authority (NAIH) recently published a decision based on a detailed review of a website operator’s breach management and security measures. The decision sets out specific criteria for how data controllers must handle breaches and which technical and organisational measures must be applied to keep websites secure. The case can serve as a lesson and cautionary tale for any company operating a website.
What happened?
Certain admin subpages of the website, intended for administrators only, became visible on search engines, revealing the data of 62 applicants for adult education courses. The breach was caused by a plug-in configuration error. The exposed data included the applicants’ names, email addresses, telephone numbers, motivational videos, motivational letters, and social media accounts. The NAIH issued a warning (without a fine) and instructed the company to publish the NAIH decision on its website homepage for 30 days.
What did the NAIH examine?
Adequacy of breach management: The NAIH found the company’s breach response adequate. The company had a breach management policy and register, a detailed risk analysis, and a commitment to implement additional measures, such as introducing two-factor authentication for administration, reviewing users with elevated privileges, adding security functions to the server environment, and documenting extended testing.
Deficiencies in the existing data security measures
The NAIH also reviewed the company’s data security measures and found them insufficient. The breach could have been avoided with additional steps, such as:
- Testing plug-ins in a separate test environment before use in the live system.
- Regular logging, monitoring, and security audits, including extra checks when new elements are added.
- Proper web server configuration (e.g. disabling directory listings and restricting access).
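The third point above is the one most directly tied to the incident: admin subpages that should never have been reachable by the public were crawled and indexed. The following nginx server block is an added illustration of what "disabling directory listings and restricting access" looks like in practice; it is not configuration from the NAIH decision or from the operator's site, and the hostname, document root, internal address range, password file path and log paths are all assumed placeholders.

```nginx
# Added example: hardened layout for a site with a public area and an /admin/
# section. Hostname, paths and the allowed network are assumed placeholders.
server {
    listen 443 ssl;
    server_name example.com;          # placeholder hostname
    root /var/www/site;               # assumed document root

    # Weak setting: a directory listing publishes every file in a folder to
    # visitors and search engine crawlers alike.
    # autoindex on;                   # do not use

    # Corrected setting: never generate directory listings.
    autoindex off;

    # Administrative pages: reachable only from an allowed network, only with
    # credentials, and marked so crawlers do not index them if a link leaks.
    # Access control is what prevents exposure; the robots header is a hint.
    location /admin/ {
        allow 10.0.0.0/8;             # assumed internal range
        deny all;
        auth_basic "Administration";
        auth_basic_user_file /etc/nginx/admin.htpasswd;   # assumed path
        add_header X-Robots-Tag "noindex, nofollow" always;
    }

    # Keep request and error logs so unexpected hits on admin paths can be
    # reviewed, which supports the logging and monitoring point above.
    access_log /var/log/nginx/site-access.log combined;
    error_log  /var/log/nginx/site-error.log warn;
}
```

Run `nginx -t` after editing to validate the configuration before reloading. On Apache the equivalent of `autoindex off` is `Options -Indexes` in the relevant `<Directory>` block, with `Require ip` and an `AuthType` directive playing the role of the `allow`/`deny` and `auth_basic` lines. Because nginx applies the address restriction and the credential check together by default, a request from outside the allowed range is refused even with valid credentials, which is the behaviour a test in a separate environment should confirm before a plug-in or configuration change reaches the live system.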
Takeaways for website operators
The NAIH requires companies to have a breach management policy and register, and to prepare a detailed risk analysis for each incident. They must also use two-factor authentication, manage user privileges, and document testing. For websites, it is essential to configure servers so that data is secure, conduct tests in a separate environment, enable logging and monitoring, and conduct regular security audits and vulnerability checks.
For more information on data protection regulations in Hungary, contact your CMS client partner and these CMS experts.