NIS2: The Deadline for the Local Cybersecurity Audit is Rushing Closer

The cybersecurity audit market in Hungary is undergoing a significant transformation following the issuance of a new regulation by the Supervisory Authority for Regulatory Affairs (abbreviated in Hungarian: SZTFH) governing NIS2 (cybersecurity) audits in June 2026. The change was initiated by the Minister of Science and Technology, with the comment that the new system could bring greater competition, lower costs and faster processing for businesses.

The cybersecurity audit is governed by the Cybersecurity Act of Hungary, and it involves classifying electronic information systems into security categories and verifying the adequacy of the protective measures corresponding to those security categories. Organizations specified in the Cybersecurity Act shall be required to demonstrate compliance with cybersecurity requirements every two years and shall have the first cybersecurity audit conducted by 30 June 2026. During the cybersecurity audit, the auditor verifies the security classification of electronic information systems and the adequacy of the protective measures corresponding to that classification. A cybersecurity audit may be conducted by an auditor who possesses the expertise and infrastructure necessary to perform the task and is classified as a business organization authorized to conduct vulnerability assessments. The SZTFH registers business organizations authorized to conduct audits.

Changes to the current regulatory environment have become necessary because, according to the minister, the pool of auditors authorized to audit companies classified as significant or high-security in recent years has been too small. This has led to a significant shortage of capacity, even as thousands of companies have had to comply with the regulations. The purpose of the changes is to amend the regulations governing auditors in order to ease the burden on businesses, reduce their administrative burdens and promote market competition. The requirements for auditors are now being standardized, meaning that all auditors are subject to the same (simplified) expectations, regardless of the security class of the electronic information system they are auditing. The Government expects that the amendments will result in shorter waiting times, greater auditor capacity and stronger price competition.