NIS 2 in Hungary: A New Era of Cybersecurity Compliance

Following the far-reaching impact of GDPR and the growing importance of ESG, a new European acronym has entered the spotlight: NIS 2. The Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (the “NIS 2 Directive”) was adopted with the aim of harmonising cybersecurity obligations throughout the EU. Hungary has already transposed the directive, first through Act XXIII of 2023 and subsequently through the current Act LXIX of 2024 on Cybersecurity (the “Cybersecurity Act”).

Objectives of NIS 2

The NIS 2 Directive and the Hungarian Cybersecurity Act share a clear objective: to safeguard the continuity of essential services and strengthen the resilience of critical sectors against cyber threats. This represents a significant shift from treating cybersecurity as a purely technical issue, positioning it firmly within the realm of regulatory compliance.

Scope of Application

The scope of NIS 2 is broader than many expect. It extends beyond state institutions and IT providers to cover a wide range of private undertakings:

  • Defence-related companies, regardless of size, are automatically included.
  • Medium-sized and large enterprises in sectors listed in the annexes to the Cybersecurity Act also fall under its scope. These sectors include, among others, pharmaceutical wholesale, energy, transport, healthcare, digital infrastructure, and other critical infrastructure industries.

This means that companies operating in traditional industries may be subject to the new cybersecurity regime even if they are not primarily technology-focused.

Key Compliance Obligations

Entities falling within scope must first register with the competent supervisory authority. In most cases this will be the Supervisory Authority for Regulated Activities (SZTFH), but in certain cases the competent authority may be the national or defence cybersecurity authority. Registration is not optional: it is the gateway to compliance.

Once registered, companies must undergo a cybersecurity audit, to be performed by an auditor listed in the SZTFH’s register. This audit must then be repeated every two years.

Deadlines for Existing Companies

For companies already operating before 2025, the legislation provides for transitional deadlines:

  • By 31 August 2025: an agreement with a registered auditor must be concluded.
  • By 30 June 2026: the first cybersecurity audit must be completed.

These deadlines are strict. They differ from the general rule that requires the first audit within two years of registration. For existing entities, the obligation to complete the first audit by mid-2026 is already fixed in law.

Practical Challenges

The dual requirement of registration and audit poses several practical challenges:

  • Timing: Registration must be completed before an auditor can be engaged. Companies that delay registration may struggle to secure a registered auditor before the contract deadline.
  • Complexity: Determining whether an organisation falls under the scope of NIS 2 requires careful analysis of the annexes to the Cybersecurity Act, the company’s size, and the nature of its activities.
  • Ongoing compliance: The biennial audit requirement means that cybersecurity will become a recurring compliance obligation, comparable in significance to financial auditing or data protection impact assessments.

Risks of Non-Compliance

Failure to comply with registration or auditing obligations may expose businesses to regulatory sanctions, reputational damage, and increased vulnerability to cyber incidents. As with GDPR, enforcement is expected to be robust, and non-compliant entities may face both administrative penalties and a loss of trust from clients, partners, and regulators.

How Companies Should Prepare

With the first critical deadline approaching in August 2025, companies should act now:

  1. Assess applicability: Determine whether the company’s activities fall under the Cybersecurity Act’s annexes or other criteria.
  2. Register in time: File the necessary forms electronically with the SZTFH or other competent authority.
  3. Plan for the audit: Identify and engage with potential auditors early to avoid a last-minute bottleneck.
  4. Integrate cybersecurity into governance: Treat NIS 2 compliance not as a one-time task but as an ongoing part of corporate governance and risk management.

Conclusion

The NIS 2 Directive represents a new chapter in EU compliance, with Hungary at the forefront of transposition. The regulatory focus on cybersecurity is set to become as significant as GDPR was for data protection. For businesses in critical sectors, the message is clear: NIS 2 is here, deadlines are imminent, and preparation must begin without delay.

Legal advisors can play a vital role in helping companies interpret the scope of the regulation, navigate the registration process, and coordinate with auditors. Early action is not only a matter of compliance, but also of ensuring resilience in an increasingly digitalised and interconnected business environment.

Katona & Partners Law Firm
(Katona & Partner Rechtsanwaltssozietät / Attorneys’ Association)
H-106 Budapest, Tündérfürt utca 4.
Tel.: +36 1 225 25 30
Mobile: +36 70 344 0388
Fax: +36 1 700 27 57
g.katona@katonalaw.com
www.katonalaw.com

We are here to help answer your questions!

If you have any questions about what you have read in this article, the experts at our law firm will be happy to assist you.
Contact us today!