CLVPartners

Compliance

The foundations of artificial intelligence regulation in the European Union

Reading time: 4 minutes

In 2024, the European Union adopted its Artificial Intelligence Regulation (the “AI Regulation“), which established the world’s first comprehensive regulatory framework for artificial intelligence. The provisions of the AI Regulation will gradually become mandatory until August 2, 2027. The AI Regulation refers certain implementation and supervisory tasks to the Member States, as a result of which a domestic regulatory framework for the use of artificial intelligence (“AI“) was also promulgated in Hungary in the fall of 2025.

Given that the AI Regulation will have to be applied almost in its entirety from August this year, CLVPartners is launching a series of newsletters on artificial intelligence to help with preparations. The aim of the series of articles is to present the legal issues related to the use of artificial intelligence in a practical yet easy-to-understand way. In the first part of the series, we will outline the basic concept of the current EU and Hungarian regulatory framework and its main objectives.

Purpose of the AI Regulation, concept of its regulation

AI is one of the fastest-growing areas of technology, and according to some forecasts, its application could bring significant benefits across a wide range of economic and social activities. At the same time, the European Union has recognized that the use of AI also carries a number of risks, such as the risk that its inappropriate use could jeopardize the fundamental rights and freedoms protected by EU law.

The purpose of the AI Regulation is to ensure that the development and use of AI systems takes place within a responsible framework. It is important to note that the AI Regulation applies not only to manufacturers, importers, distributors, and service providers operating in the European Union, but also to companies outside the EU if their products or services are available on the EU market or have an impact on EU citizens. To this end, the AI Regulation imposes obligations on developers and users of AI systems and establishes a uniform regulatory system for their authorization on the EU market. The AI Regulation stipulates that its regulatory framework serves to strengthen transparency and accountability and to promote the spread of human-centered and reliable artificial intelligence. It also aims to eliminate discrimination and bias, while ensuring that EU fundamental values and rights are upheld and providing effective protection against the risks posed by AI systems.

The AI Regulation takes a risk-based approach, classifying AI systems into four risk categories and assigning different rules and obligations to each category. The use of so-called prohibited AI systems that pose an unacceptable risk, such as cognitive behavioral manipulation or emotion recognition in the workplace, is already prohibited in the European Union. High-risk AI systems are subject to strict requirements, in particular testing, transparency, and human oversight obligations, and may only be placed on the market once these requirements have been met. These include, among others, systems used in medical diagnostics, self-driving vehicles, or biometric identification. For low-risk AI systems, such as chatbots, transparency obligations are the main requirement, while the AI Regulation does not set out specific rules for minimal or risk-free AI systems.

The AI Regulation is directly applicable in all EU Member States and, due to its nature as a source of law, cannot be transposed into national law and does not need to be promulgated separately. As a result, the AI Regulation creates a uniform legal framework for the regulation of artificial intelligence throughout the European Union.

Hungarian regulations

In addition to creating a uniform EU regulatory framework, the AI Regulation also imposes several obligations on Member States. Accordingly, Member States, including Hungary, have begun to develop the institutional and legal frameworks necessary to ensure the effective implementation and supervision of the provisions of the AI Regulation.

Under the AI Regulation, the supervision of compliance with the requirements for AI systems classified in each risk category will be the responsibility of the Member States. Accordingly, Member States are required to designate a market surveillance authority and a notifying authority responsible for assessing technical compliance. In addition, each Member State must establish regulatory test environments to support the development of safe and lawful AI.

To ensure compliance with these requirements, in the fall of 2025, the Hungarian Parliament passed Act LXXV of 2025 on the implementation of the European Union’s Artificial Intelligence Regulation in Hungary (“AI Act“), which lays the foundations for the domestic regulatory and institutional structure. The AI Act is also implemented by Government Decree 344/2025 (X. 31.) on the implementation of Act LXXV of 2025 on the implementation of the European Union’s regulation on artificial intelligence in Hungary, which lays down detailed rules on the operation of authorities performing tasks related to artificial intelligence. (X. 31.) on the implementation of Act LXXV of 2025 on the implementation of the European Union’s regulation on artificial intelligence in Hungary (“AI Government Decree“), which lays down detailed rules on the functioning of authorities performing tasks related to artificial intelligence.

Under the AI Act, the reporting authority tasks are performed by a single body, the AI reporting authority. This authority is responsible for designating conformity assessment bodies that examine and certify the technical conformity of high-risk AI systems in advance. Under the provisions of the AI Government Decree, the National Accreditation Authority performs this task.

Under the AI Act, market surveillance tasks are also performed by a single authority. The market surveillance authority is responsible for examining the lawful use of AI systems after they have been placed on the market. The Act also requires the AI market surveillance authority to establish and operate an AI regulatory test environment from August 2026 and to act as a point of contact. Under the provisions of the AI Government Decree, the Minister for National Economy is responsible for performing these tasks.

The AI Act also establishes the Hungarian Artificial Intelligence Council, which acts as a coordinating and advisory body. The task of the Hungarian Artificial Intelligence Council is to promote the uniform interpretation of the AI Regulation in Hungary through guidelines and position statements.

Summary

In summary, it can be said that in 2024, the European Union was the first in the world to adopt a comprehensive regulatory framework whose primary objectives are to promote the spread of human-centered, transparent, and reliable artificial intelligence, protect EU fundamental values and rights, and adequately address the risks arising from AI systems. The AI Regulation applies a risk-based regulatory approach, setting differentiated requirements according to the risk posed by each AI system.

The AI Regulation is directly applicable in all Member States, but leaves the implementation and supervisory tasks to national authorities. As a result, in the fall of 2025, Hungary enacted the AI Act and the related AI Government Decree to ensure the domestic implementation of the AI Regulation.

Photo source: pexels.com, Dušan Cvetanović

The foundations of artificial intelligence regulation in the European Union Read More »

Cybersecurity – new regulations, new tasks

On January 1 this year, Act LXIX of 2024 on cybersecurity in Hungary (the “Cybersecurity Act“) came into force, which was adopted in accordance with Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (“NIS2 Directive”) which aims to mitigate threats to electronic information systems due to threats to the information society and to ensure the continuity of services in key sectors. The Cybersecurity Act and related legislation impose strict requirements and provide for serious legal consequences in the event of non-compliance.

As we support many companies in preparing for compliance with the NIS2 Directive and the Cybersecurity Act, the purpose of this article is to draw the attention of all potentially affected companies to the provisions of the Cybersecurity Act that will become relevant in the near future, namely the obligations and deadlines related to contracting and conducting cybersecurity audits.

Scope of affected organizations

The Cybersecurity Act broadly defines the organizations that are required to monitor the security of their electronic systems and audit them. Private sector companies that reach a certain size and engage in activities classified as high-risk or risky fall into this category, as follows:

  • In terms of size, the companies concerned are those that qualify as medium-sized enterprises or exceed the thresholds set for medium-sized enterprises, i.e. those with a total workforce of more than 50 and an annual net turnover or balance sheet total exceeding the equivalent of EUR 10 million in Hungarian forints.
  • The condition relating to the scope of activity is that the enterprises operate in (highly) risky sectors, such as healthcare, telecommunications services, digital infrastructure (cloud service providers, data center service providers), food production, processing and distribution, computers, electronics, optical product manufacturing, or machinery and equipment manufacturing.

If it is unclear whether the obligations under the regulation apply to a given company, it is recommended to clarify this as soon as possible by reviewing the legislation.

Cybersecurity obligations

  • Audit contract:

The current obligation of the enterprises concerned is to enter into a contract with an independent economic operator authorized to perform cybersecurity audits registered by the Supervisory Authority for Regulatory Affairs of Hungary (SZTFH) in order to verify the cybersecurity of their electronic systems. The SZTFH is already sending out notifications to potentially affected parties, requiring them to provide proof of the conclusion of such a contract by September 15, 2025. Failure to comply with this obligation may result in a fine of between HUF 1 million and HUF 15 million being imposed on the company.

  • Cybersecurity audit:

Following the conclusion of the contract with the auditor, a cybersecurity audit must be carried out by June 30, 2026, during which the security classification of electronic information systems and the adequacy of protective measures according to the security classification will be checked. Failure to perform the audit may result in severe penalties, including fines of up to 2% of the previous year’s turnover, but at least HUF 1 million and up to HUF 150 million.

A cybersecurity audit may take longer depending on the size of the business and the technological and organizational complexity of its activities. For this reason, it is advisable to plan the timing and schedule of the review in advance so that the process not only serves the purpose of compliance, but also actually identifies areas where further action or deficiencies may exist. Examples include reviewing data protection compliance, updating information security policies, or fine-tuning risk management procedures.

The importance of compliance

Due to stricter cybersecurity regulations and the risk of high fines, compliance is not only a legal obligation but also a key business interest. Available benefits:

  • Reduced financial and reputational risk;
  • Strengthened cybersecurity protection and digital stability for the business;
  • With the right contract, the content, schedule, and definition of tasks and responsibilities of the audit become predictable;
  • At the same time, data protection aspects can be reviewed and, if necessary, data protection impact assessment documents can be revised, thus fulfilling the NAIH’s expectation of compliance with the principle of accountability.

Image source: Brian Penny, pixabay.com

Cybersecurity – new regulations, new tasks Read More »

CLVPartners
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.