NIS2 in Hungary
A guide to NIS2 implementation and compliance in Hungary.
Hungary has completed transposition of the NIS2 Directive through Act LXIX of 2024 on the Cybersecurity of Hungary, in force since 1 January 2025. The new statutory framework expands sector coverage, introduces a three-tier security classification, formalizes executive accountability, and establishes biennial external cybersecurity audits. This guide provides a structured overview of NIS2 compliance requirements in Hungary for SMEs operating in covered sectors.
1. Quick SME Applicability Snapshot in Hungary
Does NIS2 apply to SMEs in Hungary?
Yes — depending on sector and size.
- Automatic applicability to medium-sized entities (≥50 employees and ≥€10 million turnover or balance sheet total) operating in covered sectors.
- Small or micro entities are included only if formally designated or operating in high-criticality sectors.
- Applies to entities established in Hungary and, in certain cases, foreign digital providers serving the Hungarian market.
SMEs should assess qualification under Hungary's national cybersecurity regime based on sector classification and statutory thresholds.
2. Overview of NIS2 Implementation in Hungary
Hungary has transposed NIS2 through Act LXIX of 2024 on the Cybersecurity of Hungary, adopted on 20 December 2024 and in force since 1 January 2025. The new act is a comprehensive standalone statute that replaces both Act XXIII of 2023 and Act L of 2013, consolidating Hungary's cybersecurity framework into a single instrument.
Hungary's national framework introduces four notable deviations from the Directive baseline: banking, financial market infrastructure, and public administration are excluded from scope; drinking water and wastewater are merged into a single water services sector; entities are assigned to a three-tier security classification (Basic, Significant, High) based on NIST SP 800-53; and in-scope entities must undergo a biennial external cybersecurity audit conducted exclusively by SZTFH-registered auditors.
On 7 May 2025 the European Commission issued a reasoned opinion against Hungary for incomplete notification of national transposition measures. The Commission's assessment remains ongoing.
3. Scope of Application in Hungary
Essential Entities
Entities operating in highly critical sectors:
Important Entities
Entities operating in other listed sectors:
Hungary's scope departs from the Directive baseline by excluding banking, financial market infrastructure, and public administration, and by merging drinking water and wastewater into a single water services sector. Manufacturing scope additions include public transport equipment and cement/plaster manufacturing.
4. Size Thresholds and SME Applicability in Hungary
The baseline thresholds apply:
- ≥50 employees, and
- ≥€10 million annual turnover or balance sheet total.
Entities meeting both criteria within covered sectors fall automatically within scope. A January 2026 amendment excludes companies that qualify as large enterprises solely due to corporate group structure (without independently meeting medium-sized enterprise criteria) from scope.
Small and micro enterprises may be designated if considered critical to national security, economic stability, or essential service continuity.
Hungarian authorities retain formal designation powers where systemic risk justifies inclusion.
5. Entity Classification Framework in Hungary
Entities are categorized as:
- Essential Entities — Subject to proactive supervision, including audits and structured compliance monitoring.
- Important Entities — Primarily subject to reactive supervision triggered by significant incidents or compliance concerns.
Classification is determined by sector and size. Authorities may reclassify entities where operational impact or risk exposure warrants enhanced supervision.
Hungary follows the Directive's two-tier supervisory model.
6. Cybersecurity Risk Management Requirements in Hungary
Hungary's national regime aligns with the Directive baseline for cybersecurity risk management. In-scope entities must implement proportionate technical and organizational measures addressing:
- Risk analysis and system protection
- Incident detection and response
- Business continuity and crisis management
- Supply chain risk controls
- Secure acquisition and development of ICT systems
- Access control and identity management
- Encryption and cryptographic safeguards
- Vulnerability management procedures
- Staff cybersecurity training
Measures must reflect state-of-the-art standards and organizational risk exposure. Alignment with ISO/IEC 27001 and Hungarian cybersecurity guidance is encouraged.
7. Management Liability and Governance in Hungary
Management bodies must formally approve cybersecurity risk management measures and oversee implementation.
Under Hungary's framework:
- Boards are accountable for compliance oversight, including approval and supervision of the biennial external cybersecurity audit.
- Senior management must ensure sufficient cybersecurity competence.
- Administrative sanctions may address governance failures, including separate personal fines on management members under the Cybersecurity Act, in addition to corporate-level penalties.
- Temporary suspension of managerial functions may be imposed by the supervisory authority under Directive-aligned enforcement mechanisms.
Hungary's NIS2 management liability expectations elevate cybersecurity governance to an executive-level responsibility.
8. Incident Reporting Obligations in Hungary
Definition of a Significant Incident
An incident qualifies if it causes:
- Severe operational disruption
- Significant financial loss
- Substantial societal impact
- Cross-border effects
Reporting Timeline
| Reporting Stage | Deadline | Authority |
|---|---|---|
| Early Warning | 24 hours | National Cyber Security Centre (NKI/NCSC Hungary) — national CSIRT |
| Incident Notification | 72 hours | National Cyber Security Centre (NKI/NCSC Hungary) — national CSIRT |
| Final Report | 1 month | National Cyber Security Centre (NKI/NCSC Hungary) — national CSIRT |
SZTFH (Supervisory Authority for Regulated Activities) is the primary regulatory and registration authority. NKI/NCSC Hungary serves as the national CSIRT and incident reporting body. Sector-specific authorities apply in some sectors, including the National Bank of Hungary (financial services) and the Ministry of Defence (critical defence).
9. Supervisory Authorities and Enforcement Model in Hungary
Primary regulatory authority: SZTFH (Szabályozott Tevékenységek Felügyeleti Hatósága — Supervisory Authority for Regulated Activities). NKI/NCSC Hungary serves as the national CSIRT.
Hungary operates a centralized supervisory model under SZTFH, which manages registration, the auditor registry, supervisory fees, and enforcement. Sector-specific authorities — including the National Bank of Hungary and the Ministry of Defence — supervise designated sectors.
Supervisory powers include:
- Requests for documentation and information
- Security audits — conducted by SZTFH-registered auditors only
- On-site inspections
- Binding compliance instructions
- Participation in EU cybersecurity coordination mechanisms
The enforcement structure aligns with Directive-level cooperation requirements.
10. NIS2 Fines and Sanctions in Hungary
Hungary applies Directive-aligned administrative penalties.
Essential Entities
Up to €10 million or 2% of total global annual turnover (whichever is higher)
Important Entities
Up to €7 million or 1.4% of total global annual turnover (whichever is higher)
NIS2 enforcement in Hungary may also include:
- Binding remediation orders
- Public identification of non-compliant entities
- Suspension of authorizations or certifications
- Managerial suspension powers
Criminal liability applies only where explicitly provided under Hungarian legislation.
11. NIS2 Supply Chain and Vendor Security in Hungary
Entities must manage third-party cybersecurity exposure through:
- Vendor risk assessments
- Contractual security flow-down provisions
- Continuous ICT supplier monitoring
- Concentration risk analysis
- Incident propagation mitigation
Hungary's approach aligns with Directive baseline expectations regarding supplier risk management.
12. Registration and Self-Identification Duties in Hungary
Entities within scope must:
- Register with SZTFH within 30 days of becoming subject to the Act. Pre-2025 entities had to register by 30 June 2024 (passed), and the EU country-of-service list was due 15 February 2025 (passed).
- Provide corporate identification details
- Disclose sector classification and assigned security tier (Basic, Significant, or High)
- Maintain updated reporting contacts and notify SZTFH of any material changes within two weeks
In-scope entities must contract an SZTFH-registered cybersecurity auditor within 120 days (pre-2025 entities had until 31 August 2025 — passed). The first cybersecurity audit must be completed by 30 June 2026 for pre-2025 entities, or within two years from registration for new entities. An annual cybersecurity supervisory fee applies.
Self-identification is mandatory where entities meet statutory thresholds. Each entity must determine its three-tier security classification (Basic, Significant, or High) per NIST SP 800-53 as a prerequisite to contracting an auditor and implementing the corresponding security controls.
13. Interaction With GDPR and Other Laws in Hungary
The General Data Protection Regulation continues to apply concurrently.
Overlap considerations include:
- 72-hour personal data breach notification
- Supervisory authority coordination
- Parallel cybersecurity and data protection investigations
- Sector-specific Hungarian cybersecurity legislation
A single cyber incident may trigger reporting obligations under both regimes.
14. Cross-Border Applicability
Entities with their main establishment in Hungary are supervised by Hungarian authorities for cross-border services.
Foreign digital providers offering services in Hungary may be subject to national obligations depending on establishment structure.
Representation requirements follow Directive standards for non-EU providers serving the Hungarian market.
15. Implementation Timeline in Hungary
- Directive adoption: 2022
- National legislative amendments: Act LXIX of 2024 adopted 20 December 2024, repealing Act XXIII of 2023 and Act L of 2013; supplemented by Government Decree 418/2024 (XII.23.) and the audit-procedure decree of 31 January 2025.
- Entry into force: 1 January 2025; security measures and incident reporting applied from 18 October 2024 under prior Act XXIII; January 2026 amendment narrows the corporate-group exclusion.
- Commission notification: European Commission issued a reasoned opinion on 7 May 2025 for incomplete notification; assessment ongoing.
- Compliance milestone: Registration deadline 30 June 2024 (passed); auditor contract deadline 31 August 2025 (passed); first cybersecurity audit due 30 June 2026 — the most immediate remaining obligation.
Hungary completed primary transposition with Act LXIX of 2024 in force since 1 January 2025. All registration and auditor-contracting deadlines have passed; the first cybersecurity audit by 30 June 2026 is the most immediate remaining obligation for in-scope entities.
16. Key Takeaways for SMEs in Hungary
- Medium-sized entities in covered sectors are automatically within scope; banking, financial market infrastructure, and public administration are excluded from Hungary's scope.
- Small entities may be designated if critical to national or economic stability.
- Board-level governance oversight is mandatory.
- Incident reporting follows 24h / 72h / 1 month deadlines.
- Financial penalties can reach €10 million or 2% of global turnover.
- Vendor risk management is required.
- All registration and auditor-contract deadlines have passed; the first cybersecurity audit is due by 30 June 2026; audits must be conducted by SZTFH-registered auditors; entities must self-assign to a three-tier security classification (Basic, Significant, High) and pay an annual cybersecurity supervisory fee.
FAQ: NIS2 Hungary SME Guide
Does NIS2 apply to small companies in Hungary?
Small companies are generally excluded unless designated or operating in highly critical sectors. Medium-sized entities meeting size thresholds are automatically covered.
What are the NIS2 fines in Hungary?
Essential Entities face penalties up to €10 million or 2% of global annual turnover. Important Entities face up to €7 million or 1.4% of global annual turnover.
When does NIS2 take effect in Hungary?
Act LXIX of 2024 has been in force in Hungary since 1 January 2025. Registration and auditor-contracting deadlines have already passed. The first external cybersecurity audit must be completed by 30 June 2026 for pre-2025 entities, or within two years from registration for new entities.
Who enforces NIS2 in Hungary?
SZTFH (Supervisory Authority for Regulated Activities) is the primary regulatory and enforcement authority, managing registration, the auditor registry, supervisory fees, and inspections. NKI/NCSC Hungary serves as the national CSIRT. Sector authorities include the National Bank of Hungary (financial services) and the Ministry of Defence (critical defence).
Can directors be personally liable under NIS2 in Hungary?
Management bodies must approve and oversee cybersecurity measures. Administrative enforcement tools may include managerial suspension powers in serious cases.
How does NIS2 differ from GDPR in Hungary?
NIS2 governs cybersecurity resilience and operational risk management, while GDPR regulates personal data protection. Both frameworks may apply following a cyber incident.
What qualifies as a significant incident under NIS2 in Hungary?
An incident causing severe disruption, significant financial loss, societal impact, or cross-border consequences typically meets the reporting threshold.