Hungary
Data protection
1. Local data protection laws and scope
- Act CXII of 2011 on the Right of Informational Self-Determination and the Freedom of Information (Info Act) – general rules on personal data processing (including processing for law enforcement, national security and national defence purposes, transposing the EU Law Enforcement Directive) and freedom of information.
The Info Act – which was the general privacy act before the GDPR – supplements the GDPR with certain minor, mainly procedural rules and contains freedom of information provisions not regulated by the GDPR. The Info Act also lays down the procedural rules in connection with Regulation (EU) 2022/868 (Data Governance Act or DGA).
The main sectoral rules regulating specific areas of data protection law are the following:
- Act LXVI of 1992 on Personal Data and Address Records of Citizens;
- Act CXIX of 1995 on the Use of Name and Address Information Serving the Purposes of Research and Direct Marketing (Hungarian Direct Marketing Act);
- Act XLVII of 1997 on Processing and Protection of Medical and Other Related Personal Data (Medical Data Act);
- Act CXX of 2001 on Capital Markets;
- Act C of 2003 on Electronic Communications (E-Communications Act) – transposing the EU E-Privacy Directive and the European Electronic Communications Code;
- Act CXXXIII of 2005 on Security Services and the Activities of Private Investigators (Security Services Act);
- Act XLVIII of 2008 on Advertising (Advertising Act);
- Act XXI of 2008 on the Protection of Human Genetic Data (Human Genetic Info Act);
- Act I of 2012 on the Labour Code;
- Act CCXXXVII of 2013 on Credit Institutions and Financial Enterprises;
- Act LIII of 2017 on Avoiding and Battling Money Laundering and Terrorist Financing (Money Laundering Act) – transposing the EU Money Laundering Directives;
- Act XXV of 2023 on Complaints, Notifications of Public Interest and Rules Related to Whistleblowing (Whistleblowing Act) – transposing the EU Whistleblowing Directive;
- Act LXXXVIII of 2014 on the Insurance Business;
- NMHH Decree 4/2012. (I. 24.) on the Rules concerning Data Protection and Confidentiality in relation to Public Electronic Communications Services, Special Conditions for Data Processing and Confidentiality, Security and Integrity of Networks and Services, Processing of Traffic and Billing Data, Identification and Call Forwarding Rules – transposing the EU E-Privacy Directive and the European Electronic Communications Code.
2. Data protection authority
National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság – NAIH).
3. Anticipated changes to local laws
The main sector-specific derogations are summarised below.
Derogations concerning employment law:
- Data protection notices to employees. Employers must inform their employees in advance of any restriction of their personal rights. The notification may also be made in the workplace using a customary and generally known method (e.g. in writing, by publication on the intranet, or by email).
- Copies of official documents. The Labour Code clarifies that employers should record in notes the information requested from employees and avoid copying the actual documents as far as possible. According to NAIH guidance, employers may lawfully copy documents relating to employee qualifications if they copy only the personal data that they are otherwise entitled to process in the context of the employment relationship.
- Biometric identification. Employers may use biometric identification to prevent unauthorised access to information, if such access seriously or irreversibly jeopardises the life, health or significant interests of individuals (e.g. information regarding classified data, explosives, hazardous substances, assets with a value exceeding HUF 50 million / EUR 128,484).
- Background checks. An employer may establish exclusion or restriction criteria for a particular position and may process an applicant's criminal data to verify his/her background. Such criteria are legitimate only if the position poses a potential threat to the employer's financial interests, involves access to secrets (e.g. trade secrets) or involves significant interests protected by law and defined by the Labour Code (e.g. safe storage of firearms, ammunition, explosives, poisonous, hazardous or biological substances and nuclear materials).
Derogations concerning CCTV and entry systems:
Companies using entry systems, security cameras or security-related sensors must document in their data protection notices the legitimate interest for using these systems and include a detailed specification of the purpose of the processing (e.g. protection of classified information, storage of dangerous substances). Whenever data or recordings stored by such a system are accessed, the company must take minutes recording the specific circumstances of each access.
Derogations concerning the operation of condominiums:
CCTV monitoring in the territory of condominiums. Condominium operators must inform people entering and staying in the building of any CCTV use, and the notice must include the data protection notice and the contact details of the operator. When providing copies of recordings, operators must identify the recorded image, the name of the person authorising the copy, and the reason for and time of viewing the data.
Derogations concerning the health sector:
- If additional copies of health data are requested (i.e. after the first copy of the same data), the health organisation may charge a fee reflecting its processing costs; the first copy is free of charge.
- Genetic data. Companies may transfer only anonymised, encoded or pseudonymous genetic samples or data to a third country for human genetic testing. They should also use the appropriate safeguards required by the GDPR (e.g. BCRs, EU Standard Contractual Clauses, etc.). It is not permitted to transfer the coding key. The same applies for importing genetic samples or data. The local health administration should be notified of the transfer of genetic samples and data to a third country and the transfer should be made in a manner where personal identification is impossible.
- Deceased persons’ data. A number of Hungarian laws extend data protection to certain aspects of deceased persons’ data, which the GDPR generally does not cover. This affects the health documentation and insurance-related data of deceased persons. In addition, under Hungarian law, the person designated by the deceased or his/her close relatives may also exercise data protection rights within five years of the person's death.
Derogations concerning the financial sector:
Service providers subject to AML requirements may copy the personal documents specified by law for the following purposes: preventing and combating money laundering and terrorist financing, fulfilling obligations under the Money Laundering Act, fulfilling customer identification obligations and effective supervision of client-monitoring activities. Copies may not include personal identification numbers.
Derogations concerning trading activities:
When a customer makes a complaint or suggestion in a merchant's customer comment book (vásárlók könyve), the merchant must remove the page containing the complaint or suggestion, keep it in a secure place and hand it over to the authority if requested.
4. Sanctions & non-compliance
Administrative sanctions:
The administrative sanctions are set forth in the GDPR.
Criminal sanctions:
The Hungarian Criminal Code regulates and sanctions the misuse of personal data, which is punishable with one year of imprisonment – or two years, in case special categories of data were involved.
Others:
Based on the GDPR and in line with the Hungarian Civil Code, the data subject may claim compensation for damage suffered as a result of processing that infringed the GDPR.
5. Registration / notification / authorisation
Since 25 May 2018, data controllers are no longer required to register their data processing activities with NAIH, because each data controller and data processor must instead keep an internal record of its processing activities in line with Article 30 of the GDPR. The notification and registration obligations prescribed by the GDPR (e.g. concerning data protection officers or data breaches) have also applied in Hungary since 25 May 2018.
6. Main obligations and processing requirements
There are no derogations from the GDPR.
As regards data processing for crime-fighting, national security and national defence purposes, the provisions of the Info Act apply. These are similar in many aspects to the GDPR requirements (e.g. data subject rights, data breach management, data protection impact assessment, etc.).
7. Data subject rights
There are no derogations from the GDPR.
The Info Act provides that individuals can seek an effective judicial remedy before the courts when their data protection rights are infringed, without prejudice to any available administrative or non-judicial remedy (e.g. a complaint to NAIH). In Hungary, the competent court is the tribunal (törvényszék) of the domicile or habitual residence of the claimant. In addition to ordering payment of the individual’s direct and indirect damages, the court can also impose a general compensation fee for the infringement of the individual’s right to data protection as a personality right (sérelemdíj). The court can also publish its judgment, identifying the data controller or data processor, if the infringement affects a large number of individuals, the infringer carries out public tasks, or the gravity of the infringement warrants publication. The Info Act authorises NAIH to join any such litigation in support of the individual's claim.
8. Processing by third parties
There are no derogations from the GDPR.
9. Transfers out of country
There are no derogations from the GDPR.
10. Data Protection Officer
There are no derogations from the GDPR.
Data controllers and data processors must publish the contact details of their data protection officers and communicate them to NAIH through the Data Protection Officer Reporting System.
11. Security
There are no derogations from the GDPR.
12. Breach notification
The provisions of the GDPR apply.
Data controllers must notify personal data breaches to NAIH through the Personal Data Breach Reporting System. The reporting form is also available in paper form on NAIH’s website for companies that wish to report a breach on paper.
Since the language of administrative procedures in Hungary is Hungarian, organisations must report data breaches to NAIH in Hungarian.
13. Direct marketing
Before 25 May 2018, Hungary clearly operated an “opt-in” regime for direct marketing communications. Currently, the rules of the GDPR apply, meaning that in certain cases, the data controller may send direct marketing messages on an “opt-out” basis. However, the Advertising Act has still not been amended to guarantee harmonisation with the GDPR, causing uncertainty in this matter.
Accordingly, under the current rules of the Advertising Act, data controllers may send advertisements to private individual end-users in Hungary by email or similar electronic channels only with the express prior consent of the addressee.
Consents for individual marketing activities must contain the name, place and date of birth (if the marketing can be targeted only for people above a certain age), and the list of the consumer’s personal data which are processed in relation to the marketing.
Consent must also state that it is provided voluntarily, on the basis of adequate information provided to the consumer.
In all cases, end-users must be expressly informed in all individual marketing communications of the opportunity to freely opt-out of the communications and be given the relevant contact details (e.g. postal and email address) where they can do so. This statement is usually inserted in the footer of marketing communications.
If the consent is provided in a contract or in general terms, it must be provided separately from the main text – e.g. via the acceptance of a separate consent box. It cannot be a precondition to the contracting or receipt of a service, such as an online shop.
If the advertiser offers added value, provided that the addressee consents to receiving direct marketing messages, no separate consent box may be needed – e.g. if the addressee is given the opportunity to participate in a game or use free email services.
The sending of a direct mail message is lawful and can be based on the legitimate interest of the sender in general if the private individual addressee is an employee of a legal entity, the advertiser obtained the contact details lawfully (e.g. via the company's website or public sources), and the advertisement is targeted to a company (i.e. B2B marketing messages).
Direct marketing consents for benefits. According to NAIH, when organisations provide some benefit for subscribing to a newsletter, they must assess on a case-by-case basis how such benefit influences the free nature of the consent. In particular, it is important to examine whether the denial or withdrawal of consent (e.g. opt-out) causes any disadvantage for the individual. The provision of a service or a benefit shall not be conditional on a consent to data processing for additional purposes (e.g. direct marketing). Such practice is allowed only if the benefit is inseparable from the newsletter, e.g. the newsletter contains an exclusive content or offer.
Separate consent for different marketing channels. The NAIH clarified that separate consent is required for each processing purpose and marketing channel. Accordingly, individuals must be able to choose if they only wish to consent to direct marketing in certain channels (e.g. only by post, only by phone or only by e-mail, or by any combination of these). Direct marketing sent via other channels (e.g. targeted advertisements on the Google and Facebook advertising systems) also requires separate consent, and separate information must be provided on the use of similar mass automated advertising systems.
14. Cookies and adtech
The storing of information, or the gaining of access to information already stored in the electronic communications terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his/her consent and has been provided with clear and comprehensive information on the use of cookies, including information on the purpose of the data processing. In case of cookies strictly necessary for the operation of the website (especially concerning the application of session cookies), a data controller operating a website may process personal data of subscribers or users for technical and operation purposes based on its legitimate interest without the need of any consent.
In any other cases the legal basis of using cookies is consent. The above rules concerning consent do not prevent any technical storage or access for the sole purpose of carrying out the transfer of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.
Cookie notices must contain:
- The cookie’s name, type, function, purpose, necessity and lifespan;
- The data the cookie can access;
- Third parties for whom the cookie collects data and the purpose of such collection, as well as a link explaining how to find the cookie management menu and its functions in the most commonly used browsers (Mozilla Firefox, Google Chrome, Internet Explorer).
Cookies and GDPR
In line with NAIH’s practice concerning data processing with regard to cookie management under the GDPR, we highlight the following:
- The website operator may process the relevant personal data on the basis of its legitimate interests, without the consent from the users, when the placement of the cookies or any server-side IP address logging solely takes place for the purpose of the operation of the website, in order to ensure its operability or its essential functions, as well as the security of the computer system. The consent of the user for the cookie placement may be required when it is possible to use the webpage without the cookie.
- As regards the usage of cookies for statistical purposes (e.g. collecting technical data which are not necessary for the ongoing operation or required only for the future development of a service or for visitor counting, etc.), as well as for marketing purposes (following the user linked to advertisements, etc.), the website operator may rely on its legitimate interests for the data processing only in exceptional cases in accordance with the GDPR. The website operator may rely on legitimate interest, for example, where there is a relevant and appropriate relationship between the user and the operator (e.g. the user is an existing customer). In case of third-party cookies, usually there is no such relationship.
Website operators must differentiate between first-party cookies applied for statistical or development purposes and marketing cookies (which are also third-party cookies many times in practice), bearing in mind that the user may want to consent to one of the cookies, but does not intend to provide consent to the other one. Bundling such consents may lead to unlawful data processing.
The NAIH clarified that companies implementing consent management platforms (CMPs) on their websites should ensure that (i) the legal bases connected to the use of each type of cookie are correctly identified and (ii) users are clearly informed of the necessary details of the processing before consenting. CMPs should also allow users to withdraw their consent as easily as they gave it.
15. Risk scale
Moderate
16. Useful links
Cybersecurity
1. Local cybersecurity laws and scope
Security of network and information systems of public and private sector entities (transposing Directive (EU) 2022/2555 – the NIS2 Directive):
- Act LXIX of 2024 on the Cybersecurity of Hungary (Cybersecurity Act);
- Government Decree 418/2024. (XII. 23.) on the Implementation of the Cybersecurity Act (Cybersecurity Implementing Decree);
- MK Decree 7/2024 (VI. 24.) on the requirements for classification into security classes and the specific security measures applicable to each security class;
- EM Decree 17/2025 (VII. 24.) on the requirements for qualifications, professional skills, training and further training under the Cybersecurity Act;
- SARA Decree 10/2023. (V. 15.) on cybersecurity certification of information and communication technologies;
- SARA Decree 15/2023. (VII. 31.) on the fees for administrative procedures of the Supervisory Authority for Regulatory Affairs in connection with its cybersecurity tasks;
- SARA Decree 23/2023. (XII. 19.) on the register of the cybersecurity supervisory authority of the affected entities;
- SARA Decree 7/2024 (VI. 24.) on the registration of auditors authorized to perform cybersecurity audits and the requirements for auditors;
- SARA Decree 1/2025 (I. 31.) on the procedure for conducting cybersecurity audits and the maximum fee for cybersecurity audits;
- SARA Decree 2/2025 (I. 31.) on cybersecurity supervision fees;
- SARA Decree 3/2025 (IV. 17.) on the detailed rules for cybersecurity supervision and tasks and the conduct of official inspections, as well as on the information security supervisor;
- Act CVIII of 2001 on Electronic Commerce and Information Society Services (E-Commerce Act).
Resilience of critical entities and infrastructures (transposing Directive (EU) 2022/2557 – the CER Directive):
- Act LXXXIV of 2024 on the Resilience of Critical Entities (CER Act);
- Government Decree 474/2024 (XII. 31.) on the implementation of the CER Act (CER Implementing Decree).
Security of network and information systems of financial entities:
- Act X of 2024 on Amendments Affecting the Financial Intermediary System for the Purpose of Legal Harmonization with Regulation (EU) 2022/2554 (DORA).
2. Anticipated changes to local laws
We do not anticipate any further material changes to Hungarian laws in connection with the transposition of the NIS2 and CER Directives and the implementation of DORA.
3. Application
Cybersecurity Act:
- entities belonging to the public administration sector, as listed in Annex 1 of the Cybersecurity Act;
- companies under majority state control qualifying as at least medium-sized enterprises;
- entities designated as essential or important entities by the national cybersecurity authority or the defence cybersecurity authority (this list is not public);
- entities operating in sectors of high criticality, as listed in Annex 2 of the Cybersecurity Act (in line with Annex I of the NIS2 Directive);
- entities operating in other critical sectors, as listed in Annex 3 of the Cybersecurity Act (in line with Annex II of the NIS2 Directive);
- companies engaged in activities related to national defence interests.
The Cybersecurity Act applies to critical entities and infrastructures identified in line with the CER Act and entities and infrastructure significant for the defence and security of Hungary, identified in line with Act XCIII of 2021 on the Coordination of Defence and Security Activities (these lists are not public). The provisions of the Cybersecurity Act regarding cybersecurity incident management and notification apply to financial entities under the scope of DORA.
The Cybersecurity Act distinguishes between essential entities and important entities, in line with the NIS2 Directive.
The Cybersecurity Act transposes the extra-territorial scope and “one-stop-shop” mechanism of Article 26 of the NIS2 Directive.
The CER Act applies to critical entities and infrastructures identified based on the sectors, subsectors and categories of entities in its Annex 1 (in line with the Annex of the CER Directive; these lists are not public).
In addition to the financial entities falling under the scope of DORA, the Hungarian implementing act also applies to all financial enterprises, all stock exchanges and all insurance and reinsurance undertakings, irrespective of size.
4. Authority
- The National Cyber Security Centre of the Special Service for National Security (Nemzetbiztonsági Szakszolgálat Nemzeti Kibervédelmi Intézet) oversees the compliance of mostly public and some private sector entities with the Cybersecurity Act. This includes entities belonging to the public administration sector (as listed in Annex 1 of the Cybersecurity Act), companies under majority state control qualifying as at least medium-sized enterprises, entities designated as essential or important entities by the national cybersecurity authority or the defence cybersecurity authority, companies engaged in activities related to national defence interests, critical entities and infrastructures identified in line with the CER Act, and entities and infrastructure significant for the defence and security of Hungary identified in line with Act XCIII of 2021 on the Coordination of Defence and Security Activities. The National Cyber Security Centre also acts as the computer security incident response team managing cybersecurity incidents.
- Supervisory Authority for Regulatory Affairs (Szabályozott Tevékenységek Felügyeleti Hatósága – “SARA”) oversees the compliance of most private sector entities with the Cybersecurity Act (i.e. entities operating in sectors of high criticality and entities operating in other critical sectors, as listed in Annexes 2-3 of the Cybersecurity Act, in line with Annexes I-II of the NIS2 Directive).
- National Disaster Management Authority (Országos Katasztrófavédelmi Főigazgatóság) is the general authority identifying critical entities, keeping a register of critical entities, overseeing the electronic information systems of national and European critical infrastructure (with the exception of state and municipal bodies) and assisting the sectoral authorities during the identification procedure of critical entities. In the electricity, gas and hydrogen subsectors of the energy sector, the Hungarian Energy and Public Utility Regulatory Authority (Magyar Energetikai és Közmű-szabályozási Hivatal) identifies critical entities. Sectoral authorities also provide special expertise during the identification of critical entities (e.g. the National Media and Infocommunications Authority (Nemzeti Média- és Hírközlési Hatóság) in the case of information and communication service providers).
- The Hungarian National Bank (Magyar Nemzeti Bank) acts as the competent authority under DORA.
5. Key obligations
Cybersecurity Act:
- Registering with SARA or the National Cyber Security Centre;
- Designating a Hungarian-based representative;
- Appointing a person responsible for the security of the electronic information systems;
- Establishing a risk management framework;
- Classifying electronic information systems into security classes and applying related security measures;
- Preparing an information security policy;
- Completing cybersecurity training;
- Completing cybersecurity exercises;
- Specifying contractual cybersecurity requirements for IT subcontractors;
- Reporting and handling cybersecurity incidents;
- Performing vulnerability assessments;
- Paying cybersecurity supervision fees to SARA;
- Performing data classification;
- Performing cybersecurity audits.
From the above, different obligations apply to essential / important entities and entities supervised by SARA / the National Cyber Security Centre.
E-Commerce Act:
- Information society service providers must cooperate with the National Cyber Security Centre during the management of cybersecurity incidents.
CER Act:
- Maintaining and developing resilience;
- Preparing risk assessment;
- Preparing resilience plan and resilience matrix;
- Appointing a person responsible for the resilience of the critical entity;
- Completing resilience exercises;
- Reporting extraordinary events;
- Performing resilience audit;
- Completing resilience training.
DORA:
- In case of financial entities, the Hungarian implementing act contains no specific obligations, meaning that the obligations outlined in DORA apply. (This includes information and communication technology (“ICT”) risk management; reporting of major ICT-related incidents; digital operational resilience testing; and requirements in relation to the contractual arrangements concluded between ICT third-party service providers and financial entities.)
6. Sanctions & non-compliance
Administrative sanctions:
Cybersecurity Act:
- SARA and the National Cyber Security Centre may issue a warning, set a deadline for compliance, issue a fine, appoint an information security officer, order the temporary suspension or removal of electronic data or order the publishing of the infringement. For essential entities in the private sector, SARA and the National Cyber Security Centre may initiate the temporary suspension of the sectoral authorisation of the entity or the temporary disqualification of the entity’s executive officer from performing his or her duties. SARA may also prohibit the entity from engaging in certain activities subject to sectoral supervision or authorisation or inform its relevant sectoral supervisory authority of the infringement.
- For essential entities, the maximum administrative fine is the HUF equivalent of EUR 10 million or 2% of the total worldwide annual turnover in the preceding financial year (whichever is higher). For important entities, the maximum administrative fine is the HUF equivalent of EUR 7 million or 1.4% of the total worldwide annual turnover in the preceding financial year (whichever is higher). (In line with Articles 34(4)-(5) of the NIS2 Directive.) For specific infringements, the Cybersecurity Implementing Decree lays down specific minimum and maximum fine thresholds.
- SARA and the National Cyber Security Centre may fine electronic communications service providers ranging from HUF 1 million (EUR 2,571) to HUF 5 million (EUR 12,856) for non-compliance with orders to temporarily suspend or remove electronic data. Intermediary service providers are subject to a fine of up to HUF 15 million (EUR 38,569) for non-compliance with their obligations in relation to the management of cybersecurity incidents.
- Executive officers are liable for a fine of up to HUF 15 million (EUR 38,569) for non-compliance with their obligations under the Cybersecurity Act.
CER Act:
- The National Disaster Management Authority may set a deadline for compliance or issue a fine. The maximum amount of fine is HUF 100 million (EUR 257,140). For specific infringements, the CER Implementing Decree lays down specific minimum and maximum fine thresholds.
- The National Disaster Management Authority may also suspend the person responsible for the resilience of the critical entity from his or her duties.
DORA:
- In case of financial entities, the Hungarian implementing act contains no specific administrative sanctions, meaning that the administrative sanctions outlined in DORA apply.
Criminal sanctions:
- The Hungarian Criminal Act punishes breaches of information systems or data. Unlawful access to an information system is punishable with imprisonment of up to two years; unlawful hindering of an information system or unlawful deletion or modification of data is punishable with imprisonment of up to three years. In aggravated cases the above acts may be punished with imprisonment of up to five or eight years.
- The Hungarian Criminal Act also punishes compromising or circumventing the protection system or device of an information system with imprisonment of up to two years.
- The Hungarian Criminal Act also provides heightened legal protection to critical infrastructures and certain staff of critical entities.
7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?
Yes, the National Cyber Security Centre of the Special Service for National Security.
8. National cybersecurity incident management structure
Cybersecurity incidents must be reported to the National Cyber Security Centre of the Special Service for National Security.
Entities supervised by the National Cyber Security Centre must report all cybersecurity incidents (including operational cybersecurity incidents), threats, and “near misses”. Entities supervised by the SARA must report all cybersecurity incidents (including operational cybersecurity incidents), threats, and “near misses” if they result in either:
- significant disruption or material damage to (i) their operations or (ii) the provision of their services, or
- substantial harm to other individuals or organizations, whether financial or otherwise.
The deadlines applicable for the reporting phases mostly align with those under Article 23(4) of the NIS2 Directive. However, the scope of reportable information (if available to the entity) is far wider than under the NIS2 Directive.
Cybersecurity incidents, threats, and “near misses” may be reported online or via e-mail to the CSIRT@nki.gov.hu address. It appears that an online reporting form is currently under development but is not yet publicly available.
9. Other cybersecurity initiatives
The Government of Hungary has adopted Government Decision 1089/2025 (III. 31.) on the country's Cybersecurity Strategy, effective between 2025–2030, as mandated by Article 7 of the NIS2 Directive.