Navigating the New Era: A Guide to NIS2 Hungary Implementation

General Counsel

Updated

Jan 19, 2026

Cybersecurity in the European Union recently underwent a massive glow-up, and Hungary is right at the forefront of this digital transformation. While the original NIS Directive set the stage, the Network and Information Security Directive (NIS2) is the high-stakes sequel that brings more sectors, stricter enforcement, and a lot more paperwork to the table.

Hungary has taken these EU-wide requirements and integrated them into a robust national framework that impacts everything from local municipalities to manufacturing giants.

I’ll break this down for you: Hungary didn’t just copy-paste the EU text; the government created a unified legal structure that replaces several older laws to streamline how we protect critical infrastructure. Because this transition involves new authorities and strict audit cycles, understanding the nuances of NIS2 Hungary is no longer optional for leadership teams.

Throughout this article, I will explore the legislative milestones, the unique structure of the Hungarian law, and the concrete steps you need to take to stay on the right side of the regulator.

TL;DR: What You Need to Know

Hungary has fully embraced the NIS2 Directive through Act LXIX of 2024, creating a single “Cybersecurity Act” that governs both public and private sectors. If you are an “essential” or “important” entity, your biggest immediate hurdle is the mandatory independent audit.

  • Registration: Most entities should have registered by early 2025, but new players have 30 days to sign up.
  • The Big Deadline: If you existed before 2025, your first cybersecurity audit must be completed by 30 June 2026.
  • Enforcement: Fines are steep, reaching up to €10 million, and personal liability for managers is now a real factor.

Timelines and Legislative Milestones

The journey toward Hungary’s NIS2 implementation has been a fast-paced legislative sprint. While the EU gave Member States until October 2024 to get their houses in order, Hungary utilized a phased approach that culminated in a massive consolidation of its security laws.

I’ve tracked the key dates so you don’t have to. It is important to note that while the primary law is in force, the secondary decrees, the “fine print” from the regulator, are what actually dictate your daily operations.

| Date | Milestone | Why it matters to you |
| --- | --- | --- |
| 20 Dec 2024 | Adoption of Act LXIX of 2024 | This is the “Big One” Cybersecurity Act. |
| 1 Jan 2025 | Act LXIX enters into force | The official start date for the new Hungarian NIS2 regime. |
| 31 Jan 2025 | Registration Deadline | The cutoff for existing entities to notify the authority. |
| 31 Aug 2025 | Auditor Contract Deadline | You must have signed a contract with a certified auditor by this date. |
| 30 June 2026 | First Audit Deadline | The hard deadline for completing your first full security audit. |

Summary of Hungary’s NIS2 Legislative Roadmap

This timeline shows that we are currently in the “Active Enforcement” phase. You won’t need a law degree for this, but you do need to realize that the grace period for “figuring it out” has officially ended.

Structure and National Specificities of the Law

Hungary’s transposition of the NIS2 Directive is unique because of its “Unified Cybersecurity Act” (Act LXIX of 2024). Instead of having different rules for government offices and private companies, Hungary threw them all into one pot. The Act repealed the old 2013 law on public sector info-sec and the short-lived 2023 “Kibertanúsítási” law.

One thing I noticed that most teams miss is the expanded scope. Hungary went above and beyond the standard EU list. For instance, the law explicitly includes “public transport” and specific manufacturing niches like cement and plaster. Even more interesting is the inclusion of “sole providers”: if you are the only one in Hungary doing what you do, you’re likely in scope regardless of your size.

The Power of the SZTFH

The Authority for the Supervision of Regulated Activities (SZTFH) is the main boss here. They are the primary supervisory body, and they don’t just watch from the sidelines. They maintain the registry, oversee audits, and have the power to re-classify your systems if they think you’ve been too “optimistic” about your risk levels.

System Classification: Basic, Significant, High

In Hungary, you can’t just say “we’re secure” and call it a day. You have to categorize your information systems into three security classes: Basic, Significant, or High.

  • High: Systems where a breach would cause a national crisis or massive service failure.
  • Significant: Systems with a major impact on operations but not quite “doomsday” level.
  • Basic: Standard systems with lower risk profiles.

This classification is a major part of Hungary’s NIS2 transposition. Your required security controls are directly tied to these classes, largely following the NIST SP 800-53 Rev. 5 framework.

The Audit Roadmap: Your Path to 2026

Since the law is already in full effect, we aren’t looking at an “estimated” roadmap anymore; this is the real deal. If your organization was already running before January 2025, you are currently in the “Audit Preparation” window.

I’ll break this down: the Hungarian government realized that finding enough certified auditors would be a struggle, so they extended the original 2025 deadline.

However, that extension to 30 June 2026 is likely the last one you’ll get.

| Stage | Action Item | Status |
| --- | --- | --- |
| Registration | Submit company data via the SZTFH portal. | Overdue (should be done). |
| Contracting | Sign a formal agreement with a certified auditor. | Mandatory (since Aug 2025). |
| Classification | Self-assess systems into Basic/Significant/High. | Active |
| Remediation | Close gaps identified in pre-audit checks. | Current focus |
| Final Audit | Auditor submits the report to SZTFH. | Deadline: 30 June 2026 |

Summary of Hungary’s NIS2 Audit Roadmap


This is the part most teams miss: you can’t just hire any IT consultant. You must use a firm from the official SZTFH Auditors Registry. Using an uncertified auditor is basically like bringing a plastic spoon to a knife fight; it won’t count, and it’ll probably be messy.

Fines and Enforcement: The Cost of “Oops”

Hungary has aligned its penalty regime with the EU’s maximums, which are nothing to sneeze at. For “Essential” entities, we are looking at up to €10 million or 2% of global annual turnover. For “Important” entities, it’s €7 million or 1.4%.

But here is the real kicker: personal liability. The Hungarian law allows the authority to fine managers personally, up to 15 million HUF, if they willfully ignore compliance. This is designed to ensure that cybersecurity is a boardroom conversation, not just something the IT guy worries about in the basement.

The SZTFH has stated they prefer a cooperative approach initially, but as we move deeper into 2026, the “guiding hand” will likely turn into a “heavy hammer” for those who haven’t even started their registration or audit contracting.

Short Checklist: How to Prepare

Ready to get to work? Here is a concrete checklist to ensure your Hungary NIS2 implementation doesn’t go off the rails.

  • Verify Scope: Use the SZTFH guidance to confirm if you are “Essential” or “Important.”
  • Check Your Registry Status: Ensure your info on the SZTFH portal is current (including EU countries where you operate).
  • Appoint a CISO: Designate a Cybersecurity Officer with a clean criminal record and actual authority.
  • Classify Everything: Don’t wait for the auditor to tell you your systems are “High” risk; do the assessment now.
  • Audit Prep: If you haven’t signed a contract with a certified auditor yet, do it today. Seriously.
  • Incident Drills: Practice the 24-hour “Early Warning” report. Reporting late is an easy way to get flagged for an inspection.

Using a platform like Copla can drastically simplify this process. Instead of drowning in spreadsheets, Copla provides the visibility and automation needed for audit readiness, helping you track your NIST controls and manage the documentation that Hungarian auditors will demand. It’s about making the complex feel doable so you can get back to actually running your business.

Make NIS2 Compliance a Calm, Continuous Operating System, Not a Last-Minute Audit Project

Copla is built for teams that need NIS2 compliance without burning out staff or blowing the budget. It combines an automation-first GRC platform with experienced CISO oversight. That gives you four clear advantages:

  • Cuts compliance workload by up to 80%
  • Automates key NIS2 tasks across controls, evidence, and registers
  • Guides execution step by step with clear ownership and built-in prompts
  • Gives you CISO-level leadership without hiring a full internal team

On top of that, teams typically save €60K+ per year versus adding in-house capacity for the same workload, while staying continuously audit-ready, not “ready when the audit starts.”

The Finish Line is Just the Beginning

The NIS2 Hungary framework isn’t a “one and done” project. Once you hit that June 2026 milestone, you enter a biennial (every two years) cycle of audits and continuous improvement. Hungary is even looking toward the future by encouraging post-quantum encryption, proving that this law is built for the long haul.

I recommend treating this not as a regulatory burden, but as a baseline for survival in a very messy digital world. By following the roadmap and staying proactive with your audits, you’re not just avoiding fines; you’re building a resilient company.

General Counsel

He is a regulatory compliance strategist with over a decade of experience guiding fintech and financial services firms through complex EU legislation. He specializes in operational resilience, cybersecurity frameworks, and third-party risk management. Nojus writes about emerging compliance trends and helps companies turn regulatory challenges into strategic advantages.
  • DORA compliance
  • EU regulations
  • Cybersecurity risk management
  • Non-compliance penalties
  • Third-party risk oversight
  • Incident reporting requirements
  • Financial services compliance