
15 June 2026

Hungary simplifies cybersecurity auditor requirements

Executive summary: The new Cybersecurity Decree, which came into force on 11 June 2026, unifies and simplifies the requirements for cybersecurity auditors and abolishes the previous differentiated system based on cybersecurity classes. Under the new regime, all auditors must meet uniform conditions regardless of the cybersecurity classification of the systems they audit.

What happened: Decree No. 6/2026 (8.VI.) of the Hungarian Supervisory Authority for Regulatory Affairs eliminates the previous auditor prerequisites, which varied by cybersecurity class (general, significant, critical). Going forward, all auditors must meet uniform conditions: employment of at least two specialists, professional indemnity insurance with a minimum annual limit of HUF 15m (approx. EUR 42,200), and at least five IT security audit references. The supervisory authority will publish lists of registered auditors and vulnerability assessors on its website. Transitional rules apply to ongoing procedures, including the termination of redundant applications and the refund of fees.

Why it matters: The amendment reduces the administrative burden on businesses, promotes market competition, and enhances transparency in the cybersecurity audit and vulnerability assessment market. The decree also ensures compliance with the EU NIS 2 Directive.

Who is affected: Cybersecurity auditors, companies under audit obligation, business organisations carrying out vulnerability assessments, operators of electronic information systems, and the cybersecurity authority.

What to watch next: The practical implementation of the unified requirements, the publication of authority registers online, and the completion of ongoing transitional procedures and fee refunds.

Gábor Pázsitka

Office Managing Partner
