CLVPartners

News

The foundations of artificial intelligence regulation in the European Union


In 2024, the European Union adopted its Artificial Intelligence Regulation (the “AI Regulation”), which established the world’s first comprehensive regulatory framework for artificial intelligence. The provisions of the AI Regulation will gradually become mandatory by August 2, 2027. The AI Regulation assigns certain implementation and supervisory tasks to the Member States, as a result of which a domestic regulatory framework for the use of artificial intelligence (“AI”) was also promulgated in Hungary in the fall of 2025.

Given that the AI Regulation will have to be applied almost in its entirety from August this year, CLVPartners is launching a series of newsletters on artificial intelligence to help with preparations. The aim of the series of articles is to present the legal issues related to the use of artificial intelligence in a practical yet easy-to-understand way. In the first part of the series, we will outline the basic concept of the current EU and Hungarian regulatory framework and its main objectives.

Purpose of the AI Regulation, concept of its regulation

AI is one of the fastest-growing areas of technology, and according to some forecasts, its application could bring significant benefits across a wide range of economic and social activities. At the same time, the European Union has recognized that the use of AI also carries a number of risks, such as the risk that its inappropriate use could jeopardize the fundamental rights and freedoms protected by EU law.

The purpose of the AI Regulation is to ensure that the development and use of AI systems takes place within a responsible framework. It is important to note that the AI Regulation applies not only to manufacturers, importers, distributors, and service providers operating in the European Union, but also to companies outside the EU if their products or services are available on the EU market or have an impact on EU citizens. To this end, the AI Regulation imposes obligations on developers and users of AI systems and establishes a uniform regulatory system for their authorization on the EU market. The AI Regulation stipulates that its regulatory framework serves to strengthen transparency and accountability and to promote the spread of human-centered and reliable artificial intelligence. It also aims to eliminate discrimination and bias, while ensuring that EU fundamental values and rights are upheld and providing effective protection against the risks posed by AI systems.

The AI Regulation takes a risk-based approach, classifying AI systems into four risk categories and assigning different rules and obligations to each category. The use of so-called prohibited AI systems that pose an unacceptable risk, such as cognitive behavioral manipulation or emotion recognition in the workplace, is already prohibited in the European Union. High-risk AI systems are subject to strict requirements, in particular testing, transparency, and human oversight obligations, and may only be placed on the market once these requirements have been met. These include, among others, systems used in medical diagnostics, self-driving vehicles, or biometric identification. For low-risk AI systems, such as chatbots, transparency obligations are the main requirement, while the AI Regulation does not set out specific rules for minimal or risk-free AI systems.

The AI Regulation is directly applicable in all EU Member States and, due to its nature as a source of law, cannot be transposed into national law and does not need to be promulgated separately. As a result, the AI Regulation creates a uniform legal framework for the regulation of artificial intelligence throughout the European Union.

Hungarian regulations

In addition to creating a uniform EU regulatory framework, the AI Regulation also imposes several obligations on Member States. Accordingly, Member States, including Hungary, have begun to develop the institutional and legal frameworks necessary to ensure the effective implementation and supervision of the provisions of the AI Regulation.

Under the AI Regulation, the supervision of compliance with the requirements for AI systems classified in each risk category will be the responsibility of the Member States. Accordingly, Member States are required to designate a market surveillance authority and a notifying authority responsible for assessing technical compliance. In addition, each Member State must establish regulatory test environments to support the development of safe and lawful AI.

To ensure compliance with these requirements, in the fall of 2025, the Hungarian Parliament passed Act LXXV of 2025 on the implementation of the European Union’s Artificial Intelligence Regulation in Hungary (“AI Act”), which lays the foundations for the domestic regulatory and institutional structure. The AI Act is also implemented by Government Decree 344/2025 (X. 31.) on the implementation of Act LXXV of 2025 on the implementation of the European Union’s regulation on artificial intelligence in Hungary (“AI Government Decree”), which lays down detailed rules on the operation of authorities performing tasks related to artificial intelligence.

Under the AI Act, the reporting authority tasks are performed by a single body, the AI reporting authority. This authority is responsible for designating conformity assessment bodies that examine and certify the technical conformity of high-risk AI systems in advance. Under the provisions of the AI Government Decree, the National Accreditation Authority performs this task.

Under the AI Act, market surveillance tasks are also performed by a single authority. The market surveillance authority is responsible for examining the lawful use of AI systems after they have been placed on the market. The Act also requires the AI market surveillance authority to establish and operate an AI regulatory test environment from August 2026 and to act as a point of contact. Under the provisions of the AI Government Decree, the Minister for National Economy is responsible for performing these tasks.

The AI Act also establishes the Hungarian Artificial Intelligence Council, which acts as a coordinating and advisory body. The task of the Hungarian Artificial Intelligence Council is to promote the uniform interpretation of the AI Regulation in Hungary through guidelines and position statements.

Summary

In summary, it can be said that in 2024, the European Union was the first in the world to adopt a comprehensive regulatory framework whose primary objectives are to promote the spread of human-centered, transparent, and reliable artificial intelligence, protect EU fundamental values and rights, and adequately address the risks arising from AI systems. The AI Regulation applies a risk-based regulatory approach, setting differentiated requirements according to the risk posed by each AI system.

The AI Regulation is directly applicable in all Member States, but leaves the implementation and supervisory tasks to national authorities. As a result, in the fall of 2025, Hungary enacted the AI Act and the related AI Government Decree to ensure the domestic implementation of the AI Regulation.

Photo source: pexels.com, Dušan Cvetanović


New developments in the regulation of energy cooperatives


The Hungarian Act X of 2006 on Cooperatives (“Cooperatives Act”) has been amended with effect from 1 January 2026 with provisions governing energy cooperatives (“Amendment”). The purpose of this article is to briefly present the background to the Amendment, introduce the concept and key characteristics of energy cooperatives as a new legal institution, and provide an overview of the most important rules applicable to energy cooperatives.

The background of the Amendment

Legal basis and purpose of energy communities

In order to mitigate the adverse effects of climate change and promote the achievement of climate neutrality, the European Union adopted in 2019 the Directive (EU) 2019/944 on common rules for the internal market for electricity and amending Directive 2012/27/EU. This Directive introduced the legal framework for citizen energy communities within the EU.

An energy community is a voluntary association of energy producers and energy consumers. Its operation is based on open and voluntary participation, and it is governed by its members or shareholders, who may be natural persons, small enterprises, or local authorities.

Under EU regulation, energy communities may be established in various legal forms. For example, they may operate as associations, cooperatives, or non-profit companies.

The primary purpose of an energy community is not to generate financial profit, but to provide environmental, economic, and social benefits to its members, shareholders, or the area in which it operates. These benefits may be achieved, inter alia, through the generation, distribution, supply and consumption of energy, as well as through aggregation, energy storage and the provision of services aimed at improving energy efficiency. The activities of an energy community may also extend to solutions related to electric vehicle charging and to the provision of other energy-related services to its members or shareholders.

Energy community operations in practice

It is a legitimate question how an energy community operates in practice and how it can provide tangible benefits to its members.

An energy community can best be understood as a small-scale system that is partially or fully energy self-sufficient. Within the community, members with different roles cooperate with each other. Some are solely energy generators, others both generate and consume energy, while some participate exclusively as consumers. Energy producers may include, for example, households with their own solar panel systems, as well as biogas plants or even wind turbines. These production units are typically developed through community funding from the shared budget of the energy community.

Energy storage solutions form an integral part of the system, enabling the storage of energy that has been produced but not immediately consumed. The key to operation is the continuous interaction between generation, storage and consumption units. This is ensured by an intelligent management system, the so-called smart grid, which monitors production and consumption and directs energy to where it is needed at any given time.

Ideally, an energy community produces slightly more energy than its members consume, which may allow it to become fully independent from the public grid. However, if the balance between production and consumption cannot be maintained—meaning the community produces either too much or too little energy—the energy community may trade with the universal service provider to balance its energy needs.

In conclusion, it can be stated that by promoting energy communities, the European Union seeks to achieve interconnected short- and long-term objectives. In the short term, energy communities can contribute to alleviating energy poverty and strengthening local communities. In the long term, the EU aims to increase the share of renewable energy sources, establish a decentralized and sustainable energy system, and achieve its climate neutrality target set for 2050.

Regulation of energy communities in Hungary and practical experience

To fulfil its legislative obligations arising from EU law, Hungary established the legal framework for the operation of domestic energy communities through the amendment adopted in 2020 to Act LXXXVI of 2007 on electricity (“Electricity Act”).

According to the Electricity Act, an energy community is a legal entity operating in the form of an association, cooperative or non-profit company, whose purpose is to create environmental, economic and social benefits for its members or for the area of operation defined in its statutes. This purpose may be achieved, inter alia, through the generation, distribution, supply and consumption of energy—including the use of renewable energy sources—as well as through aggregation, energy storage and the provision of services aimed at improving energy efficiency.

In connection with energy communities, it should be noted that registration with the Hungarian Energy and Public Utility Regulatory Authority (MEKH) is a prerequisite for acquiring legal status. In addition, to conduct licensed activities—such as electricity generation, energy trading, aggregation or energy sharing—an energy community must obtain the relevant regulatory permits in the same way as any other market participant. According to the MEKH register, there are currently 17 registered energy communities in Hungary.

Rules applicable to energy cooperatives under the Cooperatives Act

It can be concluded that the concept of energy cooperatives has been present in the Hungarian legal system for several years as one of the possible legal forms of energy communities. Although the Electricity Act allows for the establishment of energy cooperatives, detailed and specific regulation had so far been lacking. This regulatory gap was addressed by the Amendment, as a result of which the Cooperatives Act has been supplemented with a separate chapter dedicated to energy cooperatives.

Cooperatives are legal entities established through the members’ capital contributions, with the objective of assisting their members in satisfying their economic and societal needs. The primary obligations of members consist of making their capital contributions and providing the personal involvement specified in the articles of association. The general rules applicable to cooperatives are set out in Act V of 2013 on the Civil Code and in the general provisions of the Cooperatives Act. It is important to note that these general rules also apply to energy cooperatives, in accordance with the specific provisions applicable to them.

Under the Cooperatives Act, an energy cooperative is one form of energy community within the meaning of the Electricity Act, operating within a cooperative structure and conducting energy-related activities in the interest of its members. Its primary purpose is to improve the economic and social situation of its members, while also providing environmental, community and educational benefits, thereby serving the public interest.

Any natural or legal person who meets the statutory requirements may participate in the establishment and subsequent operation of an energy cooperative. At the same time, the regulation allows the energy cooperative to make membership subject to geographical or technical conditions as set out in its articles of association.

Due to the specific purpose and operation of energy cooperatives, members may contribute different amounts to the cooperative’s assets, but this does not affect the equality of membership rights. In decision-making, each member participates with equal weight, meaning that each member has one vote. The Cooperatives Act also allows for the admission of members who are not required to provide personal participation but support the operation solely through capital contributions; such members are referred to by the law as investor members.

The operation of an energy cooperative must be conducted in a manner that is consistent with the interests of its members and is both efficient and sustainable. To ensure this, the Cooperatives Act provides that matters affecting the articles of association fall within the competence of the general meeting, thereby guaranteeing the cooperative’s autonomy. The legislation regulates in detail the procedure for transferring cooperative and investor shares and the related notification obligation, and grants pre-emptive rights to members and the cooperative itself.

A key rule concerning the fiscal management of energy cooperatives is that the legislation requires the creation of mandatory reserves. In this context, the energy cooperative must establish a reserve fund amounting to 10% of the profit generated. The purpose of the reserve fund is to ensure the long-term financial sustainability of the energy cooperative. The regulation also requires the establishment of an education and information fund, which serves as the financial basis for the continuous training and knowledge-sharing of members. At least 2% of the profit from the previous fiscal year must be allocated to this fund.

Summary

Overall, it can be concluded that the amendment to the Cooperatives Act, in line with EU objectives, establishes the legal framework for the operation of energy communities in cooperative form. As non-profit organisations, energy cooperatives may participate in the energy market while promoting community, environmental and economic interests, thereby contributing to sustainability, energy efficiency and environmental protection. The regulation prioritises democratic decision-making, transparent operation and the protection of members’ interests, while also allowing for the involvement of external investors.

Photo source: pexels.com, Centre for Ageing Better


Data and Information Security: The Relationship Between GDPR and NIS2


With the rise of digitalization and data-driven decision-making, the volume of sensitive information has increased, along with the associated cyber risk. It has become necessary to establish a regulatory framework that provides guidance on managing expectations, responsibilities, and approaches shaped by the technological environment. Its two main pillars are the European Parliament and Council Directive (EU) 2022/2555 (14 December 2022) (general EU cybersecurity directive, hereinafter: “NIS2 Directive”), implemented in Hungary through Act LXIX of 2024 on Cybersecurity (“Cybersecurity Act”), and the European Parliament and Council Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and the free movement of such data, repealing Directive 95/46/EC (“GDPR”), which ensures data protection compliance.

The NIS2 Directive, the resulting national cybersecurity regulations, and GDPR apply different perspectives; however, the affected areas often overlap in practice, particularly in electronic information systems that process personal data. Therefore, aligning the requirements of these two regulatory frameworks is essential for the lawful and secure operation of the affected organizations. This article outlines how the NIS2 Directive and the national regulations relate to GDPR, where they overlap and conflict, and how those conflicts can be resolved in practice.

Scope of NIS2 and GDPR: Dual obligations

The GDPR applies to all organizations that qualify as data controllers, meaning they determine the purposes and means of processing personal data either independently or jointly with others. The scope of NIS2 is determined based on a complex set of criteria, which may include various enterprises depending on their activities, size, and revenue. Consequently, if an entity falls under both NIS2 and GDPR, it must comply with the rules of both frameworks simultaneously. For example, a medium- or large-sized company in the manufacturing sector may be subject to cybersecurity regulations based on its activities and size, and in the course of its activities, it typically processes at least employee and supplier data as a data controller, thus requiring the application of both the GDPR and NIS2 provisions.

In practice, electronic information systems often process personal data, such as HR systems or customer databases. In the event of an incident, both GDPR and NIS2 impose obligations on the organization. A data protection incident involves a breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data, whereas a cybersecurity incident refers to an event that threatens the availability, integrity, or confidentiality of data stored, transmitted, or processed in electronic information systems, or the services provided or accessible through such systems. Therefore, if a cybersecurity incident involves personal data—for example, data loss or leakage due to a phishing email or a ransomware attack—it simultaneously constitutes a data protection incident. Consequently, incident handling must comply with both regulations, and notifications to the competent authorities must be made when conditions are met. For this purpose, it is advisable to establish an internal procedure that accounts for the obligations required by both frameworks.

Proper classification of incidents is particularly important, as different types of incidents have distinct notification obligations, content requirements, and deadlines. In a data protection incident, the organization must first assess whether the event poses a risk to the rights and freedoms of natural persons. If such a risk is likely, the incident must be reported to the National Authority for Data Protection and Freedom of Information within 72 hours, and, in case of high risk, the affected individuals must also be notified. Cybersecurity incidents, on the other hand, follow a different procedure: the organization must report the incident within 24 hours based on the available information, submit a detailed report within 72 hours, and, after completing the investigation, submit a final report to the national cybersecurity incident handling center no later than 30 days. Since GDPR and cybersecurity rules define incidents and related obligations differently, situations may arise where an event qualifies as a cybersecurity incident but does not require a data protection incident report.

The practical significance of dual compliance is illustrated by a medium- or large-sized company engaged in “other machinery manufacturing,” which falls under the scope of the NIS2 Directive. If the company suffers an incident as a result of which the attacker gains unauthorized access to a server containing employees’ personal data, the event must be assessed not only from a data protection perspective but also under the Cybersecurity Act. According to the law, any threat, near-incident, or actual incident—including operational cybersecurity incidents—that causes severe disruption or financial loss to the organization or significant material or immaterial harm to others must be reported without undue delay, but no later than 24 hours, to the competent cybersecurity incident handling center. This example highlights that organizations must comply with both legal frameworks simultaneously and design incident handling accordingly.

Aligning processes at the documentation and operational levels

If an organization falls under both GDPR and cybersecurity regulations, the documentation and operational processes required by both frameworks must be aligned for dual compliance. GDPR requires that the organization maintain a data protection policy, provide a privacy notice to data subjects, and, in some cases, conduct a data protection impact assessment. Similarly, cybersecurity rules require the establishment of an information security policy. In addition, both frameworks require regulation of incident management processes and training to raise awareness among relevant staff.

The organization’s leadership is responsible for complying with NIS2 and GDPR requirements, while the data protection officer and the professional responsible for the security of electronic information systems play a key role in ensuring compliance. To avoid parallel, isolated processes, it is essential for information security and data protection officers to collaborate actively on a daily basis. Aligning the requirements of both frameworks is not merely an administrative task: its significance lies in the fact that both areas rely on the same information systems, data flows, and risks, even if they examine them from different perspectives. When an organization designs its processes in a unified, coherent manner, overlaps can be avoided, error risks reduced, and both cybersecurity and data protection requirements can be ensured. Incident management processes should be designed to ensure that any potential event is handled in a way that fulfills the obligations of both frameworks. This approach is not only resource-efficient but also strengthens legal compliance, system security, and the trust of clients, partners, and employees.

NIS2 and GDPR serve different purposes and approach the same events differently. GDPR’s primary objective is to protect the rights and freedoms of natural persons, whereas NIS2 focuses on strengthening information system security, safeguarding service continuity, and increasing resilience against cyber threats. Accordingly, the two frameworks impose different expectations on organizations: GDPR emphasizes data minimization and purpose limitation, while NIS2 specifically requires detailed logging, continuous monitoring, and retention of log files. This often results in NIS2 compliance requiring the storage of large volumes of technically processed personal data, which must be handled carefully from a data protection perspective.

Apparent conflicts between the two regulations can be resolved in practice through a coordinated approach. One key step is integrating information security risk assessments with GDPR data protection impact assessments, as both assess the same systems, data flows, and risk factors from different perspectives. Equally important is designing internal policies that simultaneously comply with mandatory cybersecurity measures and GDPR provisions.

Both NIS2 and GDPR require that organizations properly train all personnel who have access to information systems or process personal data. Therefore, it is advisable to align the strategic planning and content of training programs, considering risk assessment results, previous incidents, regulatory changes, and the professional opinions of the organization’s security experts. True alignment between the two regulatory areas is important not only for legal compliance but also for operational security, risk reduction, and maintaining internal and external trust.

Conclusion

GDPR and the NIS2 Directive serve different purposes but converge on many points regarding information security requirements. Dual compliance therefore requires careful alignment: interpreting the regulations consistently and integrating related procedures can ensure that an organization meets the expectations of both frameworks simultaneously. Coherent revision of professional documentation and operational processes, coordination of internal responsibilities, and alignment of regular training and audits facilitate achieving both GDPR data protection and NIS2 cybersecurity goals. Compliance with these requirements strengthens the organization’s information security and data protection resilience, meeting the relevant EU and national legal obligations.

Photo source: pexels.com, Kevin Ku


Online presence in the shadow of GDPR – rules for consent-based data processing

In order to remain competitive, it is no longer merely an advantage for companies to have an online presence, but a fundamental requirement. Websites and newsletters facilitate communication with customers, while providing an opportunity for addressees to learn about the latest services and offers firsthand. At the same time, it is important to note that this may also involve the processing of personal data, which is subject to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation”; “GDPR”). Accordingly, data processing for marketing purposes is only possible with the express consent of the data subjects, in strict compliance with the requirements set out in the GDPR. In this article, we summarize the most important rules relating to consent-based data processing.

When to apply GDPR?

As outlined by the National Authority for Data Protection and Freedom of Information (“NAIH”) in its material on website privacy settings and cookies, processing the personal data of natural persons acting on behalf of the companies (e.g., employees, private individual clients) falls under the scope of the GDPR. For instance, collecting, recording, storing, and using a customer’s name, phone number, address, email address, or bank account number constitutes data processing. This implies that if a company processes data relating exclusively to legal persons, its activities do not fall within the scope of the General Data Protection Regulation, and therefore compliance with its provisions is not mandatory for it. However, in many cases, the contact details of the legal person (e.g., name, personal email address, position) are essential for communication, which involves data processing.

Similarly, for newsletter subscriptions, targeted requests (also known as asking for a callback), or tools that support the effective functioning of websites, such as cookies or visitor measurement, it is essential for the company to process natural persons’ data, which is why this type of data processing will also fall under the scope of the GDPR.

Consent as a possible legal basis for processing personal data

The fundamental rule of data processing is that, in the absence of a valid legal basis, processing personal data is not considered to be lawful. One of the legal bases for data processing – most commonly required for data processing for marketing purposes – is the consent of the data subject.

Conditions for consent

According to the GDPR, consent is valid if it is freely given, specific, based on adequate information, and unambiguous, indicating that the data subject agrees to the processing of his/her personal data.

Freely given

Consent can be freely given if individuals can refuse and withdraw their consent without risk of external pressure or negative consequences. Therefore, it cannot be considered voluntary if the data subject has no real choice, feels pressured to consent, or faces negative consequences from the data controller if they refuse to consent. This was confirmed by the recent opinion of the European Data Protection Board (“EDPB”), which stated that so-called “pay or consent” models do not meet the requirement of freely given consent. This is due to the fact that such models are based on offering data subjects a choice: either they consent to the processing of their personal data, or they pay a fee to prevent their data from being processed.

The voluntary nature of consent also implies that the data subject has the right to withdraw the consent at any time.

Specific and appropriate information

In order for consent to be valid, the purpose of data processing must also be specific. This condition is closely linked to the condition of informed consent. Therefore, individuals must be informed of the specific purposes in simple and easily understandable language so that they have a clear understanding of the purpose for which their data is being processed. This also means that if the purposes of the data processing operation change or further data processing operations are being added, consent must be obtained from individuals again. Likewise, if a data processing operation has multiple purposes, separate consent must be obtained for each purpose for the processing to be lawful. When providing information, the data subject must also be made aware that they may withdraw their consent at any time.

Unambiguous consent

According to the GDPR, a statement by the data subject or a clear affirmative action is required for the consent to be unambiguous. In practice, this means that consent can only be given through an active action or statement. The EDPB considers that the comprehensive acceptance of general terms and conditions does not constitute an act of confirmation that is unambiguously expressed. The GDPR also expressly prohibits data controllers from offering pre-ticked boxes or opt-out mechanisms that require the data subject to take action to prevent consent from being given (so-called opt-out systems).

Duration and demonstration of consent

The General Data Protection Regulation does not provide for any limitation on the duration of consent. However, this does not mean that personal data can be processed indefinitely with the consent of the data subject. The duration of consent depends in each case on the context of the data processing in question. In order to determine the duration correctly, it is therefore necessary to assess the circumstances of the data processing.

Furthermore, the GDPR stipulates that during data processing, the data controller must always be able to adequately demonstrate the existence of the consent.

Without claiming to be exhaustive, we merely refer to the fact that the General Data Protection Regulation lays down additional conditions in relation to the consent of children and special categories of data.

Summary

The online presence of companies—for example, through websites and newsletters—is essential to maintaining competitiveness, but it can also involve the processing of personal data, which falls under the scope of the GDPR. Personal data may only be processed on an appropriate legal basis, the existence of which is essential in all cases. When developing and enhancing their marketing strategies, it is crucial for companies to simultaneously establish and review their data processing frameworks to ensure that their data processing activities comply with the GDPR.

Photo source: pexels.com, Tara Winstead


Data Subject Rights and the Importance of Consent in Online Content Creation

Reading time: 4 minutes

With the development of digital platforms, anyone can become a content creator today: a smartphone, a good idea, and a few clicks are enough for our messages, videos, or pictures to reach thousands of people. However, online presence carries not only creative opportunities but also legal responsibilities and risks. When sharing various types of content – such as posts or videos – especially if identifiable persons appear in them, the processing of personal data occurs.

General applicability of the GDPR

The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”), on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, serves a dual purpose: it ensures the protection of individuals’ personal data while also providing a framework for the free flow of such data within the European Union. The GDPR sets out in detail the rights of data subjects and the obligations of data controllers.

At the same time, the GDPR is not applicable in certain exceptional cases; one such exception applies when a natural person processes personal data exclusively for personal purposes. Examples include private correspondence, whether on paper or electronic, storage of addresses or contact details, personal notes or diaries, family photographs, communication on social networks, and other online activities. These exceptions must be interpreted narrowly, and data processing only falls outside the scope of the GDPR if it serves a purely private purpose – that is, it has no community, professional, or economic aspect. Thus, if data can be accessed by an indefinite number of persons or is made public, the activity no longer qualifies as private data processing. In the case of data processing carried out by business entities, personal or household use cannot be invoked. Therefore, the publication of any online content containing personal data (such as photographs, audio recordings, or other information) – whether it concerns employees or any other natural person – requires appropriate legal diligence in all cases.

Data processing related to online content creation

Digital platforms widely enable users to create and share photos, videos, or audio recordings – even of other people. The question may arise whether data protection rules apply in such cases. Since uploaded recordings – including images, voices, or other identifiable information – constitute personal data and are made accessible to the public, their processing falls under the GDPR.

One of the fundamental principles of data protection is that any processing of personal data must be based on a valid legal basis. When a data controller undertakes any activity involving the processing of personal data, it must carefully assess which legal basis best suits the intended purpose. In the context of content creation, data processing most commonly relies on the data subject’s consent.

Obtaining consent is crucial, as recording or publishing someone else’s image or voice is only lawful if the data subject has given explicit, informed, and prior consent. Simply tolerating the presence of a camera or answering a question does not constitute valid consent. This demonstrates how strictly the GDPR defines the requirement of a lawful basis: unlike the Hungarian Civil Code (“Civil Code”), which allows certain exceptions for public figures or mass recordings, the GDPR does not provide such derogations. This highlights the coexistence of parallel legal frameworks – compliance with the Civil Code does not necessarily mean compliance with data protection law, thus each legal regime has distinct requirements for lawful conduct.

Consequences of Non-Compliance

Publishing content online without a valid legal basis – such as consent – constitutes a violation of data protection rules. Unlawful data processing can have serious consequences, including regulatory procedures and administrative fines. If a recording is made or published without permission and results in significant harm to an individual’s interests, the act may not only be unlawful under data protection law but could also amount to a criminal offence or establish a claim for non-pecuniary damages under the Civil Code, depending on the circumstances. Liability always lies with the person who created or published the recording.

Particularly high-risk situations include cases involving children, healthcare settings, political opinions, or other sensitive personal data. If such content is shared without the data subject’s knowledge or consent, it does not qualify as private activity and is considered full-fledged data processing under the GDPR. In such cases, data subjects have the right to request information, withdraw consent, demand deletion of recordings, and pursue legal remedies.

Summary

Presence in the online space – particularly in the context of corporate communications, marketing, or HR content creation – requires careful data protection practices. What may not entail legal consequences under the Civil Code can still constitute a data protection violation.

Consent is therefore not a mere formality, but one of the fundamental prerequisites for lawful data processing. Organizations – whether content creators or employers – are advised to establish internal procedures, training programs, or policies to manage the data protection risks associated with online content creation.

Respecting data subject rights, properly documenting consents, and complying with GDPR requirements are not only matters of legal compliance, but also essential for maintaining corporate reputation and trust.

Photo source: pexels.com, Plann


The Scope of the NIS2 Directive and the Cybersecurity Act – Determining Involvement in Practice

Reading time: 6 minutes

The rapid advancement of digitalisation has brought new opportunities but also new types of risks. In business operations, the reliability of electronic information systems plays an increasingly important role, and ensuring the confidentiality, integrity, and availability of managed data and information has become a fundamental requirement. To address this, the Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (the “NIS2 Directive”), was adopted. Its national transposition in Hungary resulted in Act LXIX of 2024 on Cybersecurity (the “Cybersecurity Act”). These instruments aim to reduce risks to electronic information systems and ensure the continuity of services in key sectors such as energy, healthcare, transport, digital infrastructure, and manufacturing. Depending on their activities, size, and role, organisations are subject to different obligations. Each organisation must determine whether it falls within the scope of the Cybersecurity Act and which specific requirements apply to it. This article outlines the key aspects of self-identification, helping organisations comply with the NIS2 Directive and the Cybersecurity Act.

Who does the Cybersecurity Act apply to?

The Cybersecurity Act covers a wide range of sectors and activities. It applies to designated public administration entities, certain state-influenced enterprises, and defence-related organisations — though these are not detailed here. Beyond these, many private-sector organisations may also be affected. For them, both their activities and their size and turnover must be assessed.

Based solely on activity

Regardless of size, the Cybersecurity Act applies to organisations providing electronic communications services, trust services, DNS services, top-level domain name registry services, or domain name registration services.

These service providers can be identified through the authorities that maintain their registries. The Cybersecurity Act therefore applies to electronic communications service providers and trust service providers listed in the registry of the National Media and Infocommunications Authority (NMHH), DNS service providers, the top-level domain name registrar (currently the only such organization in Hungary is ISZT Nonprofit Kft.), and domain name registration service providers who are registrars available on the domain.hu website operated by ISZT.

Based on activity and size

The Cybersecurity Act applies to medium-sized and larger organisations — that is, companies with more than 50 employees and an annual net turnover or balance sheet total exceeding EUR 10 million, provided they carry out activities specified under the Cybersecurity Act.

Of the organizations that meet the size criteria, the Cybersecurity Act covers those operating in high-risk sectors, such as healthcare, telecommunications services, and digital infrastructure (e.g., cloud service providers, data center service providers), as well as service providers and organizations operating in high-risk sectors, such as food production, processing, and distribution, the manufacture of computer, electronic, and optical products, and the manufacture of machinery and equipment.

Assessing and determining activities

If an organisation does not perform an activity that automatically falls within the scope of the Cybersecurity Act, both its size and its activities must be considered together. When size thresholds are met, the next step is to assess whether it operates within a high-risk or critical sector; this, however, is not always straightforward in practice.

In the case of activities subject to authorization, the sector or activity to be examined and, consequently, the involvement can be determined based on the records kept by the competent authorities (e.g., in the case of the transport sector, the Ministry of Construction and Transport as the transport authority; for activities in the food industry sector, the National Food Chain Safety Office; for the pharmaceutical industry and healthcare providers, the National Public Health and Pharmaceutical Center; and for electronic communications, trust and postal service providers, the National Media and Infocommunications Authority).

In other cases — particularly in manufacturing — the relevant activity may be identified using the TEÁOR code (Hungarian equivalent of the NACE code) or similar classification numbers, which may indicate whether the company’s operations bring it under the scope of the Cybersecurity Act.

In most cases, the TEÁOR code makes identification relatively straightforward, for example:

manufacturing of electronic components or measuring instruments (computer, electronic, or optical products sector),

manufacturing of household electrical appliances (electrical equipment sector),

manufacturing of engines, turbines, or special-purpose machinery (machinery and equipment sector),

manufacturing of motor vehicle parts and accessories (road vehicle sector).

However, identification may be influenced by the interpretation of which sector the activities actually carried out belong to. For instance, an organisation engaged in IT consultancy and systems operation could qualify as a cloud service provider, thus falling within the scope of the Cybersecurity Act.

Furthermore, determining involvement may be complicated by the interpretation and practical application of the legal definitions of certain activities. For instance, in the case of a business engaged in the manufacture of plastic packaging materials or plastic products, the classification is not always clear-cut. According to the Cybersecurity Act, an organization is considered to be in a high-risk sector if it is classified as a food business within the food (i) production, (ii) processing, and (iii) distribution sector and is engaged in wholesale activities, industrial production, and processing. These criteria raise the need to clarify several concepts, namely whether such a manufacturing organization qualifies as a food business and whether the activities actually carried out qualify as activities related to any stage of food production, processing, or distribution.

The Limits and Risks of Self-Identification – Recommended Actions

It is clear that self-identification is not always straightforward. The TEÁOR code alone may not precisely reflect the organisation’s real activities, which may lead to misclassification under the Cybersecurity Act. In Hungary, it is common for companies to retain outdated or inaccurate TEÁOR codes in their official records. In such cases, the authority may still assess the company as falling under NIS2 obligations, resulting in unnecessary compliance burdens and administrative costs.

Incorrect or incomplete self-identification can also lead to fines and subsequent enforcement measures. Therefore, it is crucial that businesses regularly review their registered activities and maintain only those TEÁOR codes that accurately represent their actual operations.

Conclusion

Accurate self-identification is not only a legal obligation but also in the best interest of the organisation. Retaining inaccurate or unnecessary TEÁOR codes may result in misinterpretation by authorities and potential sanctions. Proper self-identification and conscious management of registered activities are not merely administrative tasks — they are essential elements of business security. Those who act proactively and with awareness can not only avoid sanctions but may also gain a competitive advantage through enhanced trustworthiness and compliance.

Photo source: pexels.com, Markus Spiske


Product liability rules are changing

Reading time: 4 minutes

Considering modern technological developments, it has become necessary to rethink product liability regulations, as a result of which the European Parliament and the Council have adopted Directive 2024/2853 (“Directive”) on liability for defective products and repealing Council Directive 85/374/EEC. The aim of the Directive is to promote a balance between the responsibility of economic operators and a high level of consumer protection. To comply with the Directive, whose provisions must be implemented by Member States into their national legislation by 9 December 2026 at the latest, the Ministry of Justice has drafted amendments to private law, including a comprehensive review of the product liability rules of Act V of 2013 on the Civil Code (“Civil Code”). In this article, we present the new rules on product liability.

What is a product?

The comprehensive reform of EU regulations was prompted by technological developments: the spread of digital and smart devices has brought new risks, which are addressed by the Directive and, through its implementation, by Hungarian regulations. One of the most significant innovations is that, based on the Directive, the Civil Code extends the concept of a product: under the new provisions, any movable item is considered a product, even if it is incorporated into or connected to another movable item or immovable property, including electricity, digital manufacturing files, raw materials, and software. This means that the new liability rules will apply to products placed on the market or put into service after 9 December 2026, including digital manufacturing files and software, whether they are sold as stand-alone products or integrated into other devices.

However, free and open-source software developed or made available in the course of non-commercial activities is exempt from these regulations.

Who bears the responsibility?

The basic principle of product liability is that, to protect consumers, it imposes obligations on economic operators who are responsible for damage caused by defective products. Under the new rules, the scope of persons who can be held liable is expanded, meaning that product liability may be imposed on the following economic operators:

The manufacturer of the product is primarily responsible for any defects in the product, i.e., the party who develops, manufactures, produces, labels the product as the manufacturer, or develops, manufactures, or produces the product for their own use.

If the defect is caused by an integrated component, the manufacturer of that component shall also be liable if the component was incorporated into a product under the manufacturer’s control.

If the product or its component parts originate from a manufacturer operating outside the European Union, responsibility lies with the company importing the product into the EU, i.e. the company placing the product on the EU market, and the manufacturer’s authorized representative.

If the importer or the manufacturer’s authorized representative is also not based in the EU, then the logistics service provider is responsible, i.e. anyone who offers at least two of the following services in the course of their commercial activities: storage, packaging, addressing, and shipping of a product, without owning the product in question.

The distributor shall also be liable if the person responsible cannot be identified and the distributor, at the request of the injured party, does not identify the economic operator or distributor listed above.

In addition, if a natural or legal person substantially modifies a product without the manufacturer’s knowledge or control and then distributes or puts it into service, that person is also considered a manufacturer under the law and may be liable for product damage.

A new provision is that the manufacturer of a defective product is jointly and severally liable for product damage with other economic operators cooperating with it, such as the component manufacturer or importer, so that the consumer can claim full compensation from any of them. The economic operator providing compensation to the injured party may then seek recourse against the other responsible economic operators.

When is a product considered defective?

A product is considered defective if it does not provide the level of safety that is generally expected of that type of product or that is required by EU legislation or relevant domestic regulations. When assessing the level of safety, factors such as the reasonably foreseeable use of the product, the date of placing on the market, and the reasonable expectations of consumers must be considered. At the same time, the mere fact that a more advanced or modern version becomes available after the product’s release—whether in the form of an update or a completely new product—does not in itself render the previous model defective. The basis for assessing a defective product is therefore not its comparison with the latest technological standards, but rather whether it provides the level of safety that could be expected at the time of its manufacture.

When can the manufacturer, importer, or other economic operator be exempt from liability?

Economic operators may be exempted from product liability under certain conditions if they can prove that the defect causing the damage did not arise within their sphere of responsibility or was not foreseeable.

The manufacturer or importer shall be exempt from liability if they can prove that they did not place the product on the market or put it into service. The distributor may be exempt if they can prove that they did not make the product in question available on the market.

Any economic operator may be exempted from liability if they can prove that the defect in the product was not likely to exist at the time of placing on the market, putting into service or distribution, or that it only arose after that time. However, this provision shall not apply if the defect of the product is related to a service associated with the product under the manufacturer’s control, to software accompanying the product (including software updates or upgrades), to the absence of software updates or upgrades necessary to maintain safety, or to a material modification of the product.

Liability shall also be excluded if the defect of the product results from compliance with legal requirements (e.g., adherence to a mandatory technical standard that caused the defect), or if the defect could not have been detected based on the state of scientific and technical knowledge at the time the product was placed on the market or put into use, or while the product was still under the manufacturer’s control.

Unchanged provisions

The manufacturer and other liable parties are subject to product liability for a period of 10 years. The injured party must still prove the defect in the product, the damage suffered, and the existence of a causal link between the defect and the damage. There is a three-year limitation period for asserting claims, which begins from the date on which the injured party became aware or could reasonably have become aware of the occurrence of the damage, the defect in the product, and the identity of the responsible economic operator.

Summary

The Directive and its domestic implementation bring significant changes to product liability regulations. With these amendments, both the definition of “product” and the scope of parties who may be held liable for damages caused by defective products are expanded. The concept of a product now includes software, digital manufacturing files, and related services, meaning that the liability framework also applies to modern, digital, and complex technologies. This implies that economic operators will need to act with greater caution and awareness in the design, manufacture, distribution, and modification of products in the future.

The aim of the new regulation is to strengthen consumer protection against modern product risks, while at the same time imposing greater liability on economic operators. In light of these changes, it is essential for the affected companies to review their operations, internal processes, contracts, and liability insurance practices.

Photo source: pexels.com, Lukas


The most important things to know about mothers and employees with young children returning to work

Reading time: 5 minutes

The birth of a child is a significant event in a person’s life, which also has a major impact on the professional and work-related life of employees. Given the importance of becoming a parent, Hungarian labour law contains numerous provisions aimed at promoting the proper development and care of children and protecting mothers and parents with young children.

According to Act I of 2012 on the Labour Code (“Labour Code”), mothers are entitled to 24 consecutive weeks of maternity leave (CSED) and parents of young children (until the child reaches the age of 3) are entitled to unpaid leave (GYED, GYES) for the purpose of caring for their children.

During the care and upbringing of a child, there may come a point when the desire to return to work arises. However, it is important to note that during the parent’s absence, numerous changes may occur in the employee’s personal circumstances and in the employer’s organization, because of which the employee’s previous employment conditions may no longer be guaranteed or may no longer be appropriate. The Labor Code contains detailed rules for reconciling the differing interests of employees and employers and for protecting social objectives. In this article, we summarize the most important rules related to this topic.

General rules applicable in all cases

Announcement of return

According to the Labor Code, the employee may specify the date of his/her return, but when indicating the date, to comply with the obligation to cooperate, the employer must be given at least 30 days’ notice. Therefore, the employee must give notice of his/her intention to end unpaid leave taken for the purpose of caring for a child at least 30 days before the end of the leave.

Wage adjustment

Given the wage increases that occur during the employee’s absence, a situation may arise where the wages of the employee with young children are lower than those of their colleagues. This situation clearly violates the requirement of equal treatment, thus the Labor Code stipulates that the employer is obliged to make an offer to adjust the wage after the absence has ended. For the purposes of making an offer, the average annual wage increase applied by the employer to colleagues working in the same position as the employee must be considered. If there are no other employees in the same position, then the average annual wage increase implemented by the employer on a company level shall be the reference point.

Granting leave

The entire duration of maternity leave and the first six months of unpaid leave taken for the purpose of caring for a child are considered leave-entitling periods, meaning that the employee’s leave entitlement accrues even during his/her absence. As a general rule, the employer must grant this accumulated leave within 60 days of the employee’s return (typically before the employee actually returns to work).

Changes in terms and conditions of employment

Generally, the employer is obliged to employ the employee upon his/her return in accordance with the original conditions (e.g., working hours, job description, place of work). However, it is easy to see that during the employee’s absence, changes may occur on both sides (e.g., the employee relocates, termination of his/her position), which would make employment (under the same conditions) no longer possible or would cause the parties to temporarily deviate from it (e.g., part-time employment). The parties may, of course, amend any terms and conditions or terminate the employment relationship by mutual agreement, but in certain cases and under certain conditions, they may also be entitled to do so unilaterally.

Modification of employment conditions upon the request of the employee with young children

In order to facilitate the appropriate development of young children, the Labor Code provides employees with young children with the opportunity to request changes to their employment conditions (e.g., place of work, remote work, part-time work) under certain conditions.

In the context of changes to employment conditions, we would like to point out that employers are often subject to a prior notification obligation, i.e. they must inform employees about the availability of part-time and remote working positions.

In certain cases, employers are obliged to comply with requests from employees with young children without consideration, while in other cases, the feasibility of the request and its acceptability by the employer may be examined.

The employer is obliged to respond to requests that are subject to employee justification or employer discretion within 15 days. If the employer fails to do so or rejects the request without justification, the employee has the right to challenge the decision before a court, so it is advisable for employers to prepare in advance for the return and employment of parents with young children and to establish appropriate procedures.

Special rules relating to termination of employment

Employees may not be dismissed during pregnancy, maternity leave, paternity leave, parental leave and unpaid leave taken for the purpose of caring for a child. After the employee’s return, this absolute prohibition no longer applies, but until the child reaches the age of three, the employer has limited rights to terminate the employee’s employment in certain cases. Termination on grounds related to the employee’s abilities or the employer’s operations (e.g., cessation of the employee’s position) may only be given if there is no other suitable vacant position or if the employee has rejected an offer of the position. It is also important to note that the fact that the employer filled the employee’s position by hiring another employee in the meantime does not in itself constitute a legal basis for termination of employment, as the employee has the right to be employed in their original position. Termination based on conduct may only be given if it meets the requirements for termination without notice.

Summary

Overall, it can be stated that the Labour Code contains numerous restrictions regarding the return to work and employment of mothers/parents with young children in order to take into account the individual circumstances of employees. However, it is important to emphasize that the interests of employees are not exclusively protected, as the legislator considers the economic aspects of employers in many respects.

Photo source: pexels.com, Yan Krukau


General obligations of the employer in the event of a change in the employee’s health

Reading time: 5 minutes

During the course of employment, situations may arise where an employee’s health condition changes, either temporarily or permanently. This may result, for instance, from an accident-related injury, post-surgery rehabilitation, treatment of a chronic illness, or even partial loss of working capacity. In such circumstances, a key question for the employer is to what extent and in what manner they are required to adapt work organisation and working conditions to the employee’s altered health status.

In this respect, the employer bears not only legal but also social responsibility — the way an employer handles changes in employees’ health conditions is a key indicator of responsible employment. However, it is important to define the limits of the employer’s duty to adjust and take appropriate measures, as this obligation may vary depending on the specific case and circumstances (e.g. the employer’s available resources). The following article provides guidance on situations where the employee is still considered fit for work but experiences a change in their state of health.

General Obligations

Pursuant to Act I of 2012 on the Labour Code (hereinafter: the “Labour Code”) and occupational safety regulations, employees may only be employed for work that, in view of their physical constitution, development, and state of health, does not have adverse consequences for them. Furthermore, it is the employer’s fundamental responsibility to ensure that work is performed under safe and healthy conditions that do not pose a risk to the employee’s well-being. This obligation applies throughout the entire duration of the employment relationship and includes continuous assessment. Accordingly, if an employee’s health condition changes over time, the employer is required to take appropriate measures in response to the situation.

In practice, this may involve temporary adjustments (e.g. part-time work, reduction of physical strain) or minor organisational changes (e.g. reassignment of certain tasks, review of working logistics).

Limits of the employer’s obligations – the principle of reasonableness

It is important to emphasise that the employer’s obligation to take measures is not unlimited. According to Section 6 of the Labour Code, which sets out the “principle of reasonableness”, the employer is only required to modify working conditions or reorganise work to the extent that is realistically and fairly expected under the given circumstances — that is, as long as doing so does not impose a disproportionate economic or organisational burden on the employer. The assessment of this obligation must always be based on the specific circumstances of the individual case, considering the employer’s economic and organisational capacity, as well as the nature of the employee’s health-related limitations.

In general, the employer is not required to:

create a new position,

hire additional staff, or

make significant investments

solely to ensure the continued employment of the affected employee.

The case law of the Curia (Supreme Court of Hungary) also confirms that the extent of the employer’s obligation must always be determined by the specific circumstances of the case. For example, if an office employee temporarily cannot type due to a broken hand, the employer is obliged to provide lighter or alternative administrative tasks during recovery but is not required to establish a new position.

The situation differs, however, when a professional driver is subject to a medical opinion imposing (not merely temporary) restrictions on their ability to perform driving duties. In such a case, even by modifying the working conditions, the employee would not be able to perform the essential functions of their role. Considering the principle of reasonableness — as a limitation on the employer’s duty to adapt and take measures — the continued employment of the worker would impose a disproportionate burden on the employer. Therefore, with appropriate justification, the termination of the employment relationship would be considered lawful.

Summary

The employer is required to adjust working conditions to the employee’s (changed) state of health where this is necessary to ensure safe and healthy working conditions. However, this obligation is not unlimited: under the principle of reasonableness set out in the Labour Code, the employer is only required to take measures to the extent that they do not impose a disproportionate burden. Accordingly, the extent of adaptation expected from the employer must always be assessed on a case-by-case basis, considering the specific circumstances and available resources, in order to determine what level of adjustment is reasonable to enable the continued employment of the affected worker. For a lawful and fair procedure, it is advisable to involve the employee, the occupational health physician, and—where necessary—the occupational safety specialist in the decision-making process, and to maintain transparent documentation of the measures taken. This approach ensures not only the protection of the employee’s interests but also the employer’s lawful and compliant operation.

Image source: pexels.com, Karolina Grabowska


The cessation of AVDH and the related tasks of companies

Reading time: 4 minutes

Electronic administration has undergone significant changes in recent years with the introduction of the Digitális Állampolgári Program (DÁP). The previously widely used document authentication (AVDH) has been phased out and is now completely obsolete. Given that this has a significant impact on the way individuals and companies conduct their electronic administration (e.g. ePapír administration, either as individuals or through the Company Gate), we outline below the essence of the changes, the parties affected and the practical steps to be taken.

AVDH in brief

AVDH was previously a free document authentication solution available to all users with a client gate. It was a widely applicable, easily accessible and simple to use service, and was also considered suitable for corporate signatures. Documents authenticated with AVDH were considered private documents with full probative force, so they could be used in a wide range of procedures and administrative processes.

The general availability of AVDH ended at the end of last year, so it could only be used in a limited scope, integrated into the ePapír service. This meant that when individuals and companies submitted documents to government agencies (e.g. to the labour authority) via ePapír, they could authenticate their submissions and attachments with AVDH, thus eliminating the need for electronic signatures.

Changes in November

On 31 October 2025, the AVDH service was completely discontinued (i.e. in official procedures as well). It was replaced by a service for user document assignment (FEDOR) with significantly reduced functions, starting from 1 November 2025.

However, FEDOR does not provide nearly all the features of its predecessor. The FEDOR service does not replace the signature, but only assigns it to the individual, so it does not result in a fully probative private document. However, for an electronic document to be considered authentic, it must at least have the probative value of a private document (and an electronic time stamp).

Necessary steps

Given that authentic electronic documents must be submitted during electronic administration, authorities currently ask clients to resubmit the appropriate documents in cases where the documents do not qualify as private documents with full probative value.

Under current legislation, documents bearing a qualified electronic signature or an advanced electronic signature based on a qualified certificate are considered private documents with full probative value, so the documents to be submitted must be signed with one of these.

In order to ensure that the company’s communication with authorities does not become impossible, we know that many companies have quickly opted for a qualified electronic signature provided by a Hungarian trusted service provider. However, it is important to note that choosing the right partner in the long term opens up many more opportunities for digitisation.

Practical options

Private individuals have access to the eAláírás function provided by DÁP, which is considered a qualified electronic signature. However, it is important to note that this can only be used by private individuals, i.e. the DÁP eAláírás function is not suitable for corporate signatures under the provisions of the law, so business organisations will have to look for other solutions.

Qualified electronic signatures and advanced signatures based on qualified certificates can only be provided by so-called trust service providers. It is important to note that this is regulated at European Union level, which means that such services can be used not only from the three providers registered in Hungary, but also from providers registered in any EU Member State, as Member States are obliged to accept them. In Hungary, the National Media and Infocommunications Authority (NMHH) is the competent supervisory authority, which maintains this register, and the list of registered service providers can be found here. Service providers registered in the various EU Member States can be accessed via the following link.

It is also important to note that it is, of course, possible to act through an authorised representative (e.g. a private individual, accountant, legal representative) in electronic procedures, in which case the authorised representative must have the appropriate signature.

Summary

With the complete discontinuation of the previously widely used AVDH service, an appropriate electronic signature is required to use the ePapír service.

Although this may initially be perceived as a burden by those affected, electronic signatures can be used in a much wider range of applications and can practically replace the role of previous paper-based signatures entirely. Electronic signatures may, of course, entail additional costs, but it should also be noted that their use reduces several other costs (e.g. paper, printing, postage, courier and travel costs). Given that there are several types of electronic signatures, which result in different types of documents with varying degrees of evidential value, and that they can be used in a wide range of situations (e.g. company procedures, employment relationships, official notifications), it is definitely advisable to consider the purpose and scope of use when selecting a specific service (signature type). In our practice, we have assisted numerous groups of companies with their digital transition, and we can clearly state that companies choose different service providers based on their varying priorities (e.g., mass document uploading, document management, a wide range of signatories, signatures that can be provided to employees by their employer, cost).

Photo source: pexels.com, Karola G.

