Digitalisation & AI regulation

In-depth analysis

D1 — Responsible AI framework

• Mechanism: A three-tier risk-based classification system modelled on the EU AI Act, with national additions: (1) a list of prohibited uses (e.g. biometric mass surveillance in public spaces), (2) high-risk applications with mandatory audit and certification (HR screening, credit assessment, judicial decision support), (3) low-risk systems on a voluntary code-of-conduct basis. The National AI Office accredits auditors and maintains the public AI register.
• Quantified target: By 2028, every AI system applied in the public sector undergoes risk assessment; at least 500 systems registered in the AI register; 50 independent audits conducted per year.
• International precedent: Canada’s Algorithmic Impact Assessment (AIA) has been mandatory for federal bodies since 2019 — in the first year 150+ systems were assessed, but enforcement was weak (only 35% completed the full audit). Lesson: a mandatory audit needs to be paired with a sanctions mechanism.
• Trade-off / risk: Overly strict regulation deters start-ups and foreign investors — Hungary is particularly sensitive given its size: if compliance cost exceeds 3% of annual revenue, companies will choose other EU member states as their base. The sandbox (D4) serves to mitigate this risk.

D2 — Open data programme

• Mechanism: Central Open Data portal (redesign of data.gov.hu), with a mandatory API publication protocol for every budgetary body. Each dataset follows a metadata standard (DCAT-AP HU), with machine readability (CSV, JSON, RDF) and an automated update schedule. A data-quality scoreboard publicly ranks institutions based on the completeness and freshness of their published data.
• Quantified target: By 2027, 5,000+ machine-readable datasets (currently ~1,200), the portal reaches 50,000 unique monthly visitors; 80% of public institutions update their data quarterly.
• International precedent: France’s data.gouv.fr platform has been operating since 2011, with 45,000+ datasets. The key success factor was introducing a “chief data officer” position in every ministry — bodies without a dedicated official published 60% less data.
• Trade-off / risk: Re-identification risk: individual information can be reconstructed even from aggregated data, especially in small municipalities. In the US, the publication of NYC taxi data made full driver identification possible. Required: the introduction of differential privacy standards for sensitive data categories.

D3 — Digital citizenship

• Mechanism: An eIDAS 2.0-compatible implementation of the European Digital Identity Wallet in Hungary. A single mobile application containing the digital copy of the ID card, address card, social security number and tax number, and enabling qualified electronic signature. Authentication is two-factor: biometrics + PIN. Municipal and central client gateways are accessible via unified SSO (Single Sign-On).
• Quantified target: By 2028, 80% of state procedures can be handled fully online (currently ~45%); the share of adults with a digital ID reaches 70% (currently ~30% Ügyfélkapu+ penetration).
• International precedent: Estonia’s e-Residency and X-Road system: 99% of administrative matters can be handled online, but rollout took 20+ years and required a full rebuild of public administration IT. Important lesson: digitalisation only works if back-office processes are redesigned, not merely if the paper-based procedure is digitised.
• Trade-off / risk: The digital divide may deepen: smartphone penetration is below 50% among those aged 65+ and in Roma communities. If offline channels are phased out too quickly, the most vulnerable will be excluded. Required: 5 years of parallel operation and local digital mentors in small municipalities.

D4 — AI sandbox

• Mechanism: A test environment limited in time (max. 24 months) and scope (max. 10,000 users), where AI start-ups are exempt from certain regulatory requirements (e.g. a simplified procedure instead of a full GDPR impact assessment). Under the joint supervision of NMHH (the Hungarian National Media and Infocommunications Authority) and the National AI Office, with quarterly evaluation points. If the test is successful, an expedited authorisation procedure (90 days) for full market entry.
• Quantified target: By 2027, at least 30 sandbox projects launched annually; 40% of companies exiting the sandbox obtain full market authorisation; the aggregate revenue of sandbox participants reaches 5 billion HUF.
• International precedent: The UK FCA regulatory sandbox since 2016: 800+ applicants, 200+ accepted projects, 80% of participants successfully entered the market. However, critics note that sandboxes can become “innovation theatre” if post-exit regulation does not become simpler.
• Trade-off / risk: Sandbox participants gain a competitive advantage over rule-abiding companies — this distorts the market. Required: public selection criteria, a rotation system, and mandatory publication of sandbox results so that the lessons can be used by others.

D5 — Cybersecurity strategy

• Mechanism: A programme going beyond the domestic implementation of the NIS2 Directive: (1) establishing a National SOC (Security Operations Center) with 24/7 operation, (2) mandatory annual cybersecurity audits for critical infrastructure operators, (3) a minimum IT security standard for municipalities, (4) semi-annual cybersecurity emergency exercises (cyber drills). A bug bounty programme for state systems.
• Quantified target: Reduction of the average detection time (MTTD) for critical infrastructure incidents from 72 hours to below 24 hours by 2028; 200+ ethical hackers engaged annually in the bug bounty programme; 90% of municipalities comply with the minimum standard.
• International precedent: Israel’s national cybersecurity programme (INCD): it spends 0.3% of GDP on cyber-defence and has built one of the world’s strongest defence ecosystems. However, the programme’s military background and the deep involvement of the private sector are hard to replicate. Singapore’s CSA (Cyber Security Agency) is a more realistic model: a medium-sized country, civilian leadership, and mandatory incident reporting within 72 hours.
• Trade-off / risk: An over-centralised cyber-defence becomes a single point of failure: if the National SOC is compromised, the entire country is defenceless. Required: a decentralised architecture with sectoral SOCs (energy, finance, healthcare) and the central SOC limited to a coordinating role.

D6 — Procurement innovation quota

• Mechanism: The 10% quota applies in two ways: (1) lots reserved exclusively for SME/start-up bidders, (2) an innovation score built into the evaluation criteria (min. 20% weight alongside the price ratio). Start-up status is defined as: under 5 years old, fewer than 250 employees, annual revenue below 5 billion HUF. Annual monitoring: if the quota is not met, the contracting authority has an obligation to justify the shortfall.
• Quantified target: By 2027, 15% of state IT procurement is won by SME/start-up bidders (currently ~5%); at least 20 of the innovation projects from procurement scale up nationally within 3 years.
• International precedent: The US Small Business Innovation Research (SBIR) programme: 3.2% of the federal R&D budget is reserved by law for small businesses. Since 1982, 170,000+ awards; Apple, Qualcomm and Symantec also started from SBIR. However, bureaucratic burden has left the smallest firms (1–5 employees) underrepresented — simplification of the application process is critical.
• Trade-off / risk: The quota system creates an opportunity to set up “pseudo-start-ups” as subsidiaries of large firms to circumvent the rules. Required: genuine beneficial-ownership transparency and a broad interpretation of “affiliated undertaking” when assessing quota eligibility.

D7 — Digital skills development programme

• Mechanism: Three pillars: (1) Public education: introducing coding and AI fundamentals from age 10 into the National Core Curriculum (not as an optional club, but as a mandatory subject element). (2) Vocational training: 50,000+ annual training places in digital fields (software development, systems operation, data analytics, cybersecurity) — according to EC IP304, the digital skills gap is one of the largest obstacles to EU competitiveness. (3) Lifelong learning: a “digital skills account” for workers (worth 200,000 HUF per year), which can be redeemed for accredited digital training — modelled on the Danish flexicurity system. Priority target groups: those aged 40+, women in STEM, workers in disadvantaged regions.
• Quantified target: By 2030, the adult population’s basic digital skills level (DESI index) rises above the EU average (currently below it); 50,000 digital retraining places annually; women’s STEM participation rises from 30% to 40%; lifelong learning participation rises from 6% to 15% (EU target: 37.5%).
• International precedent: Singapore’s SkillsFuture (2015): every adult citizen receives 500 SGD “skills credit” per year, redeemable for accredited training — training participation doubled over 5 years. Estonia: programming has been compulsory in public education since 2012 (ProgeTiiger programme), which led to the EU’s highest adult digital skills level. Finland’s Elements of AI: a free online course completed by 1% of the population — also scaled at EU level.
• Trade-off / risk: There is a risk of mismatch between training supply and market demand: if training is not aligned with actual labour-market needs, the investment becomes a “deadweight loss”. Required: linking training content to the demand forecast of the employment data platform (FO1). The digital skills account is open to abuse (sham training) — accreditation and ex-post impact assessment filters are needed. 📖 Source: EC: 2025 Euro Area Report (IP304); OECD: EU Economic Survey 2025

D8 — Disinformation-detection AI system

• Mechanism: A publicly available, open-source AI tool: automatically flagging potential disinformation spreading on social media and news portals — not by censoring, but by offering context and verification sources. Against the methodology of spin dictators (manipulated news, troll networks), the combination of transparency and technology is the most effective defence.
• Quantified target: The system in pilot operation by 2029; 10,000+ pieces of content analysed daily; false-positive rate below 5%; open source, annual bias audit. 📖 Source: Guriev–Treisman: Spin Dictators

D9 — Data-driven public policy decision-support system

• Mechanism: Dalio: the best decisions are based on “radical transparency” and “weighing credible opinions”. A central, publicly accessible decision-support platform that integrates the data platforms of every policy area (A1, KB1, DM1, FO1) and offers scenario analysis to decision-makers.
• Quantified target: The platform integrates 10+ data platforms by 2030; 50+ scenario analyses annually; the platform’s public interface reaches 100,000+ unique visitors per year. 📖 Source: Ray Dalio: Principles

D10 — Digital democratic participation platform

• Mechanism: Tocqueville: local self-government and direct participation are the foundations of democratic culture. An online citizen consultation and participation platform: review of draft legislation, local participatory budgeting, submission of citizen proposals — authenticated with digital signature.
• Quantified target: By 2030, 20+ online consultations on draft legislation per year; 200,000+ contributions per year; 50+ municipalities with digital participatory budgeting. 📖 Source: Tocqueville: Democracy in America; Dalio: Principles

D11 — Algorithmic transparency register

• Mechanism: A public register of every state algorithmic decision-making system affecting citizens: its purpose, operational logic, bias-assessment results and legal-remedy options. A defence against the digital manipulation used by spin dictators: the public visibility of the state’s own algorithms builds trust.
• Quantified target: By 2029, every state algorithm registered; annual bias assessment at 100%; average handling time for legal-remedy requests under 30 days. 📖 Source: Guriev–Treisman: Spin Dictators; Dalio: Principles

D12 — AI productivity impact analysis and strategy

• Mechanism: The OECD’s 2026 Economic Outlook found that AI investment is already generating measurable productivity effects — in the US, productivity growth is faster in sectors with high AI adoption. At the same time, the risk of “lower-than-expected” AI returns is also real. Hungarian strategy: (1) Sector-by-sector AI adoption survey: in which sectors is the productivity gap largest, and where is AI-return potential the highest? (2) Targeted AI investment incentives: tax credits or co-financing in the sectors with the highest potential (manufacturing, logistics, healthcare, public services). (3) AI-return monitoring: semi-annual measurement of whether investments actually generate productivity improvements. (4) Downside-risk preparedness: if AI returns fall short, what impact will this have on investment and the labour market?
• Quantified target: A sector-by-sector AI adoption map by 2028; 50+ billion HUF per year in targeted AI investment incentives; manufacturing TFP growth rising by 2 percentage points in AI-intensive sectors; semi-annual AI-return report.
• Trade-off / risk: AI investment may concentrate in already-advanced sectors and regions, widening regional inequality. The “downside risk” scenario is not negligible: if the AI bubble bursts, over-investment will produce losses. Monitoring and gradualism are the key. 📖 Source: OECD: Economic Outlook, Interim Report — Testing Resilience (March 2026)

D13 — Crypto-asset and blockchain regulation

• Mechanism: Four pillars: (1) Domestic implementation of MiCA (Markets in Crypto-Assets, EU 2023/1114) — licensing of crypto-asset service providers (CASPs) is placed under the Hungarian central bank (MNB), with a single EU passport system. (2) Pilot of tokenised state securities: a tokenised bond issued by the Hungarian State Treasury (500 billion HUF ceiling), with secondary trading on an authorised DLT infrastructure under the EU DLT Pilot Regime. (3) Digital forint (CBDC) preparatory programme: an MNB technical pilot by 2027, with go-live aligned to the ECB’s introduction of the digital euro (expected 2028–2029), a two-tier distribution model (ECB/MNB → commercial banks → retail). (4) Stablecoin requirements and AML/KYC: 1:1 backing ratio, daily public reserve reporting, mandatory travel rule (FATF R.16) above 1,000 EUR.
• Quantified target: By 2028, at least 30 CASPs licensed in Hungary; the tokenised sovereign bond pilot reaches 500 billion HUF issuance volume; the retail digital forint pilot reaches at least 100,000 users; the number of AML-suspicious transaction reports reaches at least 2,000 per year (currently <500).
• International precedent: Switzerland’s FINMA DLT framework (2021) created the new “DLT trading system” licence category, and by 2023 15+ licensed providers were operating, including the SIX Digital Exchange. France’s AMF “PSAN” regime produced more modest results: 90+ registrations, but only 2 full licences — lesson: gradual transition and clear audit criteria are critical. China’s digital yuan (e-CNY) pilot reached 260+ million wallets, but due to centralised data collection it is not suitable as an EU-compatible model. Within the EU, Lithuania is the leader in CASP licensing (50+ licensed companies by 2025).
• Trade-off / risk: (1) Regulatory arbitrage: if licensing is stricter than in other EU member states, companies will use passports under another country’s licence and keep only a branch office in Hungary — tax revenue and supervision are lost. (2) Introducing a CBDC can trigger migration of commercial bank deposits (disintermediation), which may tighten credit supply — a holding limit (e.g. 3,000 EUR/person) and a non-interest-bearing structure are critical. (3) Owing to the high volatility of crypto markets, retail protection must be supplemented not only with information but also with investment limits (e.g. a cap set as a % of net assets). 📖 Source: EU 2023/1114 (MiCA); EU 2022/858 (DLT Pilot Regime); ECB: Digital euro progress reports (2023–2025); BIS: Project Icebreaker (2023)

D14 — Robotics and industrial automation strategy

• Mechanism: Four main directions: (1) Increasing robot density: targeted investment tax credit (25% immediate write-off) for installing robots and supporting systems, with explicit SME focus. (2) Industry 4.0 SME adaptation programme: a 50 billion HUF co-financing envelope (max. 50%, max. 300M HUF/project) for introducing collaborative robots (cobots), IoT sensors and MES integration. (3) Service and healthcare robotics pilots: assistant robots in 10+ care homes, surgical and rehabilitation robot pilots in 5+ hospitals (linked to the healthcare area). (4) Robot-ethics and labour-market impact analysis: the National AI Office with an expanded mandate, an annual robotics-employment report, and retraining pathways out of occupations at high automation risk.
• Quantified target: By 2030, Hungarian industrial robot density rises from 150 robots per 10,000 workers (2023) to 280 (EU median expected ~250 by 2030); 40% of manufacturing SMEs have at least one collaborative robot (currently <10%); the robotics sector’s value added reaches 0.8% of GDP (currently ~0.3%); 5,000 workers retrained annually on robotics-integration pathways.
• International precedent: South Korea’s robot density is 1,012 robots per 10,000 workers — first in the world (IFR 2024 World Robotics Report), largely thanks to the “Intelligent Robot Act” running since 2008 and a targeted industrial-policy package. Germany (415 robots per 10,000) has an SME-focused Mittelstand programme: under “Industrie 4.0”, more than 15 billion EUR of EU and federal funding since 2013, which produced a 40% increase in robot density. The Czech Republic caught up faster (137 → 230 robots per 10,000 in 2014–2023) through a combination of investment incentives and the dual vocational training system.
• Trade-off / risk: (1) Labour-market dislocation: 15–25% of manufacturing manual jobs are automatable (OECD estimate); delays in retraining can cause regional unemployment (especially in Borsod, Szabolcs-Szatmár-Bereg and Nógrád counties, where the share of industrial employment is high). (2) For SMEs, robot ROI is typically 3–5 years; if incentives do not cover the full payback period, adoption will not take off. (3) Import dependency: >90% of installed robots are foreign (ABB, KUKA, FANUC, Universal Robots) — the strategy must focus on developing the domestic integrator and software layer, not on competing in robot manufacturing. 📖 Source: IFR: World Robotics Report 2024; OECD: The Impact of Robots on Labour Market Transitions in Europe (2022); European Commission: Industry 5.0 — Towards a Sustainable, Human-centric and Resilient European Industry (2021)

D15 — Autonomous vehicles regulatory and testing framework

• Mechanism: Five elements: (1) SAE L3 (conditional automation) vehicles placed on public roads under UNECE R157 (ALKS) and EU 2022/1426, L4 (high automation) testing within a defined ODD (Operational Design Domain — e.g. designated urban zones, motorway segments). (2) Expansion of the ZalaZONE test track: urban traffic simulation zone, V2X (vehicle-to-everything) infrastructure, winter/poor-visibility test track — capacity doubled by 2028. (3) Liability framework: under UNECE R157 the manufacturer is liable for accidents caused by system failure, while the driver is only liable for ignoring a takeover request — the Hungarian Civil Code’s tort rules aligned accordingly. (4) Data retention obligation: DSSAD (Data Storage System for Automated Driving) 6 months, EDR (Event Data Recorder) expanded, authority access in case of an accident. (5) Urban robotaxi pilot: in 2–3 cities (Budapest 11th district, Győr, Szeged), a 24-month test operation under regulatory oversight.
• Quantified target: By 2028, at least 3 L4-certified fleets in test operation; at least 50 international OEM test projects per year at ZalaZONE (currently ~20); the robotaxi pilot reaches 500 rides per day; 0 fatal accidents in automated mode (safety minimum KPI).
• International precedent: Germany in 2021 (AFGBV law) was the first EU member state to allow the road authorisation of L4 vehicles — introducing the institution of the “technical supervisor” (Technische Aufsicht), who remotely oversees the fleet. The permissive model of California (CA DMV) and Arizona in the US produced faster market entry (Waymo robotaxi, San Francisco 2024: 150,000 rides per day), but several fatal accidents have occurred (e.g. Uber 2018 Tempe, Cruise 2023 San Francisco). China’s regulatory sandbox (Beijing, Shanghai) is the fastest: by 2024 20+ cities and 1 million+ robotaxi rides per month — but data sovereignty (localised data storage) makes it an unacceptable model at EU level.
• Trade-off / risk: (1) The tension between safety and market entry: overly strict authorisation causes the Hungarian market to fall behind (manufacturers will launch in other EU member states), while too lax a regime will see the first serious accident set the sector back 5–10 years (the Uber Tempe case is a precedent). (2) Reshaping the liability framework requires the insurance market to be reorganised — instead of the traditional motor third-party liability model, product liability insurance dominates, which can be 20–40% more expensive. (3) Cybersecurity risk: V2X attacks, remote compromise of vehicle fleets — D5 (cybersecurity strategy) is a closely linked area. 📖 Source: UNECE R157 (ALKS); EU 2022/1426 (automated vehicle type approval); German AFGBV (2021); SAE J3016 (2021 revision)

D16 — Quantum technology national programme

• Mechanism: Four pillars: (1) EuroQCI (European Quantum Communication Infrastructure) Hungarian segment: quantum key distribution (QKD) test track on the Budapest–Debrecen and Budapest–Pécs routes, connecting critical state bodies (MNB, KFH, defence). Funding: Digital Europe Programme + domestic co-financing. (2) Post-quantum cryptography (PQC) migration roadmap: introducing the algorithms standardised by NIST in 2024 (ML-KEM/Kyber, ML-DSA/Dilithium, SLH-DSA/SPHINCS+) into every critical state system; a mandatory crypto-agility architecture for every new system. (3) Quantum computing R&D: a national quantum computing research centre led by Wigner RCP and SZTAKI, with a 3 billion HUF annual budget and IBM Quantum Network / EuroHPC JU quantum-machine access. (4) Expert training: a joint BME–ELTE quantum engineering MSc programme from 2027, with at least 50 graduates per year.
• Quantified target: By 2029, QKD backbone live on at least 3 routes; 100% of critical state systems PQC-compatible by 2030; at least 150 active quantum researchers (currently ~30); 10+ Hungarian patent applications per year in quantum technology.
• International precedent: China (Micius satellite, 2016) and the world’s first intercontinental QKD links built a globally leading role; the 2,000 km Beijing–Shanghai QKD backbone has been operating since 2017 — but it is a centralised state model, not EU-compatible. The Netherlands (QuTech @ TU Delft) is a leader in scalable quantum computing, with its federal quantum strategy allocating 615M EUR in 2020. Poland’s PIONIER-Q QKD network linked 5 cities by 2023 — a directly replicable model for a medium-sized country. NIST’s PQC standards of August 2024 (FIPS 203/204/205) provide the technical basis for the domestic PQC migration.
• Trade-off / risk: (1) “Hype-curve” trap: the commercial use of quantum computing is still 5–10 years away; excessive short-term expectations can cause funding to dry up (cf. the AI winter of the 1990s). (2) Export-control risk: under the Wassenaar Arrangement, quantum technology R&D is dual-use — international research cooperation may be restricted. (3) “Harvest now, decrypt later” threat: encrypted state communications can already be collected today and decrypted with a future quantum machine — the PQC migration cannot be postponed beyond 2030, especially for data requiring 25+ years of confidentiality (defence, intelligence, diplomatic cables). 📖 Source: NIST FIPS 203/204/205 (2024 PQC standards); European Commission: EuroQCI initiative (2019); McKinsey: Quantum Technology Monitor 2024

D17 — Space and sovereign digital infrastructure

• Mechanism: Four areas: (1) Expansion of the Hungarian small-satellite programme: following MASAT-1 (2012) and RADCUBE (2021), a national constellation — 2–3 CubeSats per year and at least 1 small satellite (50–200 kg), with a focus on Earth observation, agriculture and climate monitoring. With the involvement of the BME Space Research Group and domestic suppliers (C3S, Admatis, SGF). (2) ESA participation: raising the Hungarian contribution from the current ~15M EUR/year to 30M EUR/year by 2030, and expanding the ESA BIC (Business Incubation Centre) Hungary. (3) Sovereign state cloud: a GAIA-X-compatible Hungarian reference implementation, mandatory storage of sensitive state data (healthcare, tax, defence) in the EU, domestic data centres with at least Tier III+ redundancy. (4) Edge-computing network: deploying edge nodes for critical infrastructure (power grid, railways, 5G base stations); data-localisation requirements in sensitive sectors (personal healthcare and financial data).
• Quantified target: By 2030, 15+ active Hungarian satellites in orbit (currently 3); Hungarian space-industry value added rising from 50 billion HUF to 200 billion HUF; the share of state data managed on the sovereign cloud 30% (2026) → 70% (2030); at least 500 edge nodes deployed nationally.
• International precedent: Luxembourg (SpaceResources.lu, 2017) and Northern Europe (Finnish Space Act 2018, Swedish Esrange) are successful small-country space-industry models — Luxembourg’s space industry accounts for 2% of GDP, with 70+ companies. The Czech space industry has grown 10x since 2004 (EU accession), mainly from ESA contracts. In GAIA-X, France (OVHcloud) and Germany (Telekom T-Systems) are leading, reaching 50+ GAIA-X compatible providers by 2025. Israel’s Iron Dome C2 system and the Amos satellite family show that sovereign capacity is of critical security value in a medium-sized country.
• Trade-off / risk: (1) Economies of scale: the Hungarian market on its own is too small to sustain a hyperscale cloud — a sovereign cloud is only economical within EU-level cooperation (GAIA-X, EU Cloud Alliance); a stand-alone national stack is a costly dead end. (2) Return on ESA contribution: the “geo-return” principle (80–90% of a member state’s contribution returns in the form of industrial orders) only works if domestic supplier capacity is prepared — otherwise the money flows to companies in other member states. (3) Data localisation vs. service quality: overly strict localisation excludes global SaaS providers, which degrades government IT quality — a risk-based (sensitivity-tier) localisation model is needed, not total compulsion. 📖 Source: ESA: Ministerial Council decisions 2022; GAIA-X Association: Technical Architecture Document (2024); European Commission: EU Space Strategy for Security and Defence (2023); OECD: Space Economy Handbook 2024