What is AI regulation in Hungary?
AI regulation: countries and regions
AI regulation in Hungary is mainly the EU AI Act, which applies directly, plus Hungarian implementation rules that assign national authorities, procedures and enforcement powers. Since late 2025, Hungary has put in place a domestic framework under Act LXXV of 2025 and Government Decree 344/2025. In that framework, the minister responsible for enterprise development is the general AI market surveillance authority and single contact point, the National Accreditation Authority is the notifying authority, and data protection, financial and other sector rules still apply alongside the AI Act.
What this means
Hungary does not run a separate, freestanding national AI code that replaces the EU regime. The core legal rulebook is the EU AI Act. Hungary's own 2025 legislation mainly tells you which Hungarian bodies supervise it, how enforcement is organised, and how AI questions fit into existing market surveillance, privacy, competition, health and financial supervision.
For most organisations, that means AI governance in Hungary is a layered exercise. You may need to deal with the EU AI Act itself, a Hungarian authority responsible for AI market surveillance, your sector regulator, and GDPR if personal data is involved. So the practical question is not only "is this AI?" but also "which authority could ask questions, and under which legal route?"
Hungary's wider policy stance is broadly pro-adoption, but not laissez-faire. The current AI strategy is framed around competitiveness, data economy, skills, public-sector use, innovation capacity and national sovereignty, while the implementation act also stresses fundamental rights, human autonomy and the protection of vulnerable groups, especially children.
Why it matters
If you build, buy, deploy or govern AI in Hungary, you need to know where accountability sits before a launch, procurement, audit, complaint or incident forces the issue. The framework matters for vendor diligence, public-sector procurement, financial services, consumer-facing products, internal employee tools and cross-border deployments. It also matters for non-Hungarian providers, because Hungary's implementation act is written to cover systems whose outputs are used in Hungary even where the provider or deployer is established elsewhere.
How it works
Hungary's AI rules are mainly EU rules
The starting point is the EU AI Act, not a uniquely Hungarian AI code. The Act is directly applicable across the EU and sets the main obligations for prohibited practices, high-risk AI, transparency, governance and general-purpose AI models. Hungary's domestic act and decree do not rewrite those duties. Instead, they create the national institutional and procedural framework for applying them in Hungary. That distinction matters, because a lot of the substance still comes from EU law and EU guidance, while the Hungarian rules answer the practical question of who supervises, who designates assessment bodies and how local procedures run.
What the Hungarian implementation act actually covers
Act LXXV of 2025 gives Hungary a domestic enforcement architecture for AI systems placed on the market or put into service in Hungary. It also reaches cases where an AI system's output is used in Hungary, even if the provider or deployer is located in a third country. The act also covers notification procedures started in Hungary and administrative procedures for sanctions against providers, deployers, product manufacturers, importers and authorised representatives where the EU AI Act is breached. In practical terms, it is Hungary's bridge between the directly applicable EU regulation and the country's own administrative machinery.
Which Hungarian institutions do what
Hungary has chosen a multi-body model rather than a single classic AI regulator. Under Government Decree 344/2025, the minister responsible for enterprise development is the general AI market surveillance authority and also the single contact point for the AI Act. The National Accreditation Authority is the notifying authority, meaning it handles the national side of designating and overseeing bodies involved in conformity assessment.
The model is not fully centralised, however. For high-risk AI systems used by regulated financial institutions in direct connection with financial services, Hungary has assigned the relevant market surveillance role to the Hungarian National Bank, reflecting the AI Act's special rule for financial supervision. This is important for firms in banking, insurance and related regulated finance, because the main AI authority may not be their only supervisory touchpoint.
Hungary has also created the Hungarian Artificial Intelligence Council. That body is advisory rather than adjudicative. It does not itself impose fines or issue binding enforcement decisions. Instead, it supports national AI strategy and policy, coordinates implementation activity, issues recommendations and develops guidance on member-state questions under the AI Act. It brings together a broad set of Hungarian institutions, including the media and communications authority, the Hungarian National Bank, the competition authority, NAIH, the supervisory authority for regulated activities, the intellectual property office, tax administration, the AI notifying authority, the AI market surveillance authority, ministers and other state bodies. The council's guidance cannot contradict EU-level guidance issued by the institutions responsible for implementing the AI Act.
What enforcement looks like in practice
Hungary's general AI market surveillance authority acts as a market surveillance body with national competence. It can proceed ex officio, impose administrative fines, establish that an AI system is being used unlawfully, and order the relevant person to stop the unlawful conduct or restore lawful conditions. For real-world testing and related high-risk systems, it can require information, and it can carry out remote or on-site inspections.
The decree also translates the EU AI Act's maximum administrative fines into Hungarian forints. The highest referenced ceiling is HUF 13.3 billion, with lower ceilings for other categories of breach. So although the AI Act is EU law, Hungary has already made the sanctioning framework operational in national currency and national procedure.
The Hungarian framework also expects AI supervision to interact with existing regulators. If an AI-related issue appears inside another regulated context, the AI market surveillance authority can work together with sectoral market surveillance authorities. In some situations, the other authority must seek the AI authority's specialist view before it decides the case.
Where privacy and other digital regulation still fit
The AI Act does not replace GDPR, and in Hungary that point is especially important. NAIH remains Hungary's autonomous data protection and freedom of information authority. It is not the general AI Act market surveillance authority, but it remains highly relevant wherever AI systems process personal data, affect transparency duties, rely on training data linked to individuals, or raise questions about legal basis, retention, objection rights, anonymisation, pseudonymisation or automated decision-making.
That means many AI projects in Hungary still need a dual legal reading. One track is AI Act compliance. The other is data protection and sector law. NAIH's own AI-related materials show this clearly. Its work on AI in the banking sector focuses on practical privacy questions such as the source of training data, documentation, accuracy, retention, shadow AI and whether personal data collected for one legal purpose can later be reused for AI development. So an organisation that thinks "we are covered because this is an AI Act project" may still be exposed if its GDPR analysis is weak.
Hungary's governance stance is pro-use, coordinated and sovereignty-aware
Hungary's AI Strategy 2025-2030 presents AI as a competitiveness and state-capacity priority. The strategy describes itself as a living document that will be renewed annually. It is organised around foundational pillars such as regulation, infrastructure, education, data economy, research and development, and the promotion and development of applications. It also frames AI through social, technological and business lenses.
At the same time, the strategy and the implementation act are not purely deregulatory. They repeatedly refer to fundamental rights, human autonomy, vulnerable groups, digital child protection and national sovereignty. In other words, Hungary's stance is not simply "light-touch innovation". It is closer to "active adoption under central coordination, with existing regulators and state institutions kept closely in the loop".
There is also an institutional nuance worth noting. The strategy described a more unitary "AI Office" direction inside the national economy minister's structure. The binding legislation that followed implemented that direction functionally, but not as a single separately branded standalone agency. Instead, Hungary ended up with a split model: ministerial market surveillance, a separate notifying authority, a finance-sector carve-out for the central bank, and an advisory council.
What is settled, and what is still moving
Hungary's domestic architecture is now substantially settled. Most of Act LXXV of 2025 and Government Decree 344/2025 have been in force since December 2025. The act's sandbox provision takes effect from 2 August 2026, with the detailed operating rules to be set by ministerial regulation. Note that the European Commission has proposed a digital Omnibus package that could defer some high-risk obligations, so the 2 August 2026 dates should be read as the current legal position rather than a settled certainty. So the core domestic institutions are already chosen, and the remaining moving parts are more about operational detail than about which regulator exists.
The less settled part is timing and interpretation at EU level. As at June 2026, the European Commission is already working on AI Act implementation on the basis of the 2025-2026 simplification package and a political agreement that points to later enforcement dates for major high-risk categories and product-integrated systems. Draft classification guidance for high-risk AI is also still being finalised. For Hungary, that means the national supervisory map is in place, but some of the most operationally important EU dates and interpretive materials still need close monitoring.
Examples
A Hungarian bank using AI-assisted remote onboarding cannot treat the project as a pure fraud or customer-convenience tool. In NAIH's 2025 report on AI systems used by banks, one bank used a third-party AI system to compare a customer's self-portrait on an identity document with the facial image captured during online account opening. The process still involved manual human verification by both the processor and the bank. In practice, that means AI use in onboarding can trigger privacy, banking and AI-governance questions at the same time.
The same NAIH banking report draws a sharp line on purpose limitation. It explains that where personal data is collected to meet customer due diligence duties under anti-money-laundering rules, that does not automatically let a bank reuse the same data to develop or train an algorithm. NAIH's position is that such reuse would require a separate legal basis, and in the example discussed, explicit consent. This is a useful reminder that "we already lawfully collected the data" is not enough by itself for AI training.
AI questions in Hungary can also surface through pre-existing regulators instead of a single AI-only proceeding. Under Government Decree 344/2025, certain proceedings run by bodies such as NAIH, the competition authority, consumer and market surveillance authorities, or health authorities must obtain the enterprise-development minister's specialist view when the case concerns a product or service that contains AI or where AI is an essential component of the subject matter.
Hungary also already has a concrete AI-and-privacy enforcement example. In NAIH-85/2022, the authority ordered changes and imposed a HUF 250 million data protection fine in an AI-supported voice analytics case involving the analysis of customer calls and emotions. The decision is important because NAIH treated the use of human review as a mitigating factor, but not as a complete defence. The authority still found serious failings on transparency, objection rights, lawfulness and safeguards.
Common misunderstandings
Misunderstanding: "Hungary has its own standalone AI Act." Correction: the core rulebook is the EU AI Act. Hungary's 2025 measures mainly assign domestic authorities, procedures and penalties.
Misunderstanding: "NAIH is Hungary's general AI regulator." Correction: NAIH remains central on privacy and information-rights issues, but the general AI market surveillance role sits with the minister responsible for enterprise development, with a finance carve-out for the Hungarian National Bank.
Misunderstanding: "If my company is not based in Hungary, Hungarian AI enforcement cannot touch me." Correction: Hungary's implementation act covers cases where an AI system's output is used in Hungary, even if the provider or deployer is abroad.
Misunderstanding: "The Hungarian Artificial Intelligence Council is the body that fines companies." Correction: the council is advisory and coordinating. It can issue recommendations and guidance, but it is not the main enforcement body.
Misunderstanding: "If we comply with the AI Act, our Hungary privacy work is done." Correction: GDPR and sector-specific rules still run in parallel, and NAIH has already shown that AI-related privacy failings can produce serious enforcement risk.
Risks and boundaries
This page is about Hungary's implementation posture, not the full mechanics of the EU AI Act. So it should not be read as a substitute for a separate analysis of the EU-wide rulebook, risk categories, conformity routes or model-level obligations.
There is also a timing boundary. Hungary's domestic authority designations are in force, but some of the most commercially important AI Act dates for high-risk systems are still being reshaped at EU level through the simplification package and related guidance work. That means the institutional picture in Hungary is clearer than the final operative timetable for every class of system.
A further boundary is precedent. Hungary now has AI-relevant privacy enforcement and supervisory material, but AI Act-specific Hungarian enforcement practice is still new. Organisations should not assume there is already a deep local body of case law or settled regulator custom to rely on. The council's recommendations may become influential, but they are not themselves the same thing as legislation or a court judgment.
What to do next
Start with an inventory of every AI system you build, buy, integrate or govern for the Hungarian market, including embedded AI in products and internal tools. Classify which systems might be high-risk, which are only transparency cases, and which sit mainly in privacy or sector law. Map the likely Hungarian touchpoints early: the AI market surveillance authority, NAIH, the Hungarian National Bank, consumer or health regulators, and procurement or public-law controls if you work with the state. Join AI documentation to GDPR documentation, especially around legal basis, data source, training use, retention, objection rights and human oversight. If you may need conformity assessment, check the Hungarian notifying-authority route sooner rather than later. Finally, track two moving items in parallel: Hungary's sandbox operating rules and the final EU-level timetable and guidance for high-risk AI.
FAQs
Is AI regulation in Hungary mostly EU law or Hungarian national law?
Mostly EU law. The EU AI Act is the main rulebook. Hungary's national law mainly creates the domestic supervisory and procedural framework for applying that EU regulation.
Who is the main AI regulator in Hungary?
For general AI market surveillance, it is the minister responsible for enterprise development, who also acts as the single contact point. The National Accreditation Authority is the notifying authority, and the Hungarian National Bank has a specific role for certain high-risk AI in regulated financial services.
Does NAIH enforce the AI Act generally?
Not as the general market surveillance authority. But NAIH remains highly relevant where AI systems process personal data, and it is part of Hungary's wider AI governance and coordination architecture.
Does Hungary already have a regulatory sandbox for AI?
Hungary has legislated for one. The act says the AI market surveillance authority will establish and operate the national AI regulatory sandbox, with the sandbox provision taking effect from 2 August 2026 and detailed operating rules to follow in ministerial regulation.
If I use a general-purpose AI model in Hungary, do I mainly deal with Hungarian authorities?
Not only. Model-level oversight for general-purpose AI is largely an EU-level question handled through the AI Office framework. Hungarian authorities matter mainly when the model is wrapped into an AI system deployed, marketed or used in Hungary, or where Hungarian sector and privacy rules also apply.
Can Hungary act against a provider outside Hungary?
Yes. Hungary's implementation act is drafted to cover cases where an AI system's output is used in Hungary, even if the provider or deployer is established in a third country.
Do we need to think about privacy separately from AI regulation?
Yes. In Hungary, AI Act compliance does not displace GDPR. If your system processes personal data, NAIH and the Hungarian privacy framework still matter, including transparency, legal basis, impact assessment and safeguards.
When do the hardest obligations bite?
Hungary's domestic institutions are already in place, but the most operationally important dates for high-risk AI are still being adjusted at EU level through the simplification package and related guidance. So treat the Hungarian authority map as settled, but keep watching the final EU timetable.