1. New Regulatory Authority Roles in the Field of Cyber Resilience
The Act clearly designates the Supervisory Authority for Regulated Activities (SZTFH) as the body responsible for:
-
the notifying authority functions under the Cyber Resilience Regulation;
-
the market surveillance authority functions under the same Regulation; and
-
the competences related to the cybersecurity certification of non-military digital products.
In practice, this means that a single, central authority will in the future be responsible for verifying whether digital products comply with the prescribed cybersecurity requirements and, where necessary, for adopting enforcement measures.
2. Extension of the Scope of Application of the Cybersecurity Act
The amendment reshapes the range of organisations required to apply the provisions of the Cybersecurity Act. The legislation уточifies and expands the circle of affected entities, in particular:
-
undertakings under majority state ownership, provided that
-
their annual turnover or budgetary revenue exceeds EUR 10 million, and
-
their balance sheet total also reaches this threshold;
-
-
certain medium-sized enterprises, where
-
they employ at least 50 employees, or
-
their annual turnover reaches EUR 10 million.
-
An important rule is that the thresholds expressed in euros must be converted into Hungarian forints based on the official exchange rate of the Hungarian National Bank.
As a result, many undertakings that previously did not consider themselves affected may now fall under cybersecurity obligations. This may entail new administrative, organisational, and IT-related requirements.
3. Clarification of Notification and Registration Obligations
The Act establishes clear statutory deadlines:
-
affected organisations must register with the national cybersecurity authority within 30 days;
-
it also defines when an entity becomes subject to, and ceases to be subject to, the scope of the Act (for example, if headcount or turnover subsequently decreases).
This predictability is particularly important for organisations facing growth or restructuring.
4. National Implementation of the Cyber Resilience Regulation
The Act dedicates a separate chapter to the implementation of the EU Cyber Resilience Regulation at national level. Within this framework, it:
-
defines the concepts of conformity assessment, notified body, and market surveillance;
-
stipulates that products containing digital elements must comply with security requirements already at the design and development stages.
This is of particular relevance to software developers, technology suppliers, and undertakings marketing digital products.
