NIS2 Country Guide

NIS2 Hungary: Cybersecurity Act, Authorities & Key Requirements

Understand how Hungary implements the NIS2 Directive (EU) 2022/2555 through the new Cybersecurity Act, which entities are in scope, how registration and mandatory audits work, who supervises compliance, and what steps you should take to get ready.

Hungary Cybersecurity Act in force: 1 Jan 2025. Mandatory audits & supervisory fees apply.

Introduction: NIS2 Directive & the Hungarian context

Hungary has moved from a fragmented cybersecurity framework to a single, comprehensive Cybersecurity Act that implements the NIS2 Directive and extends obligations to a wide range of public and private entities. If you operate critical or important services in Hungary, you are likely subject to strict registration, audit and incident-reporting rules.

Quick link: For a general overview, read “What is NIS2?” and “NIS vs NIS2” before diving into Hungary-specific requirements.

NIS2 Directive implementation in Hungary

Hungary initially implemented NIS2 through Act XXIII of 2023 on cybersecurity certification and cybersecurity supervision. This has now been replaced and consolidated by Act LXIX of 2024 on the cybersecurity of Hungary (the “Cybersecurity Act”), in force since 1 January 2025, together with detailed rules in Government Decree 418/2024.

Status

NIS2 is transposed. The unified Cybersecurity Act has applied since 1 Jan 2025.

Official law

The main instrument is Act LXIX of 2024 on the cybersecurity of Hungary, supplemented by Government Decree 418/2024 on implementation and several SZTFH decrees (e.g. on audits and supervisory fees).

Registration & audits

Entities classified as essential or important must register with the national cybersecurity authority and are subject to regular cybersecurity audits by accredited auditors, plus an annual cybersecurity supervisory fee.

The Act covers high-risk and at-risk sectors very similar to those in Annexes I and II of NIS2, and also extends obligations to a wider set of organisations that support critical state and municipal functions.

NIS2 Hungary: what you need to know about compliance & audits

Hungary combines NIS2’s “essential / important” model with national classifications of “high-risk” and “at-risk” sectors, backed by mandatory audits and supervisory fees.

Scope & in-scope entities

  • Service providers in sectors listed as high-risk (Annex 1) or at-risk (Annex 2) under the Act.
  • Medium-sized and larger organisations (≥50 employees or ≥€10m turnover), plus certain entities in key sectors regardless of size.
  • Public bodies and operators of electronic information systems critical to state and municipal functions.

Core obligations

  • Implement risk-management and security measures for all in-scope electronic information systems.
  • Register with the cybersecurity authority and keep data up to date.
  • Conclude a contract with a registered cybersecurity auditor and undergo regular audits.
  • Report significant cybersecurity incidents to the National Cyber Security Center (NCSC Hungary) within tight deadlines.
  • Pay an annual cybersecurity supervisory fee to the authority.

Standards & certification

The Act does not mandate a single standard (such as ISO/IEC 27001), but allows regulators to require use of ICT products and services certified under Hungarian or European cybersecurity certification schemes. Aligning with recognised frameworks (ISO 27001, NIST CSF, IEC 62443, etc.) is strongly advised.

Audit requirement: in-scope entities must contract an accredited cybersecurity auditor and complete regular audits (typically every two years). Missing audit or registration deadlines can trigger substantial fines and follow-up inspections.

Competent authorities & CSIRT

Supervisory powers are centralised but incident handling is carried out by the national cyber security centre.

| Role | Authority | Notes |
| --- | --- | --- |
| National cybersecurity authority / supervisor | Supervisory Authority of Regulated Activities (SZTFH) | Primary supervisory authority for most essential and important entities; oversees registration, audits, supervisory fees and enforcement of the Cybersecurity Act. |
| National CSIRT | National Cyber Security Center of Hungary (NKI / NCSC Hungary) | Operates the national incident reporting platform and handles significant cybersecurity incidents (including NIS2-related incidents) 24/7. |
| Other sectoral bodies | Sector-specific regulators & ministries | For certain sectors (e.g. defence, specific public bodies), supervisory roles may be exercised by the Minister of Defence or other designated authorities in coordination with SZTFH and NCSC. |

National NIS2 timeline & key dates (Hungary)

27 Dec 2022 — NIS2 Directive (EU) 2022/2555 is published in the EU Official Journal.
23 May 2023 — Act XXIII of 2023 on cybersecurity certification and cybersecurity supervision is adopted, starting Hungary’s NIS2 transposition.
30 Jun 2024 — Initial registration deadline for affected entities under the 2023 cybersecurity regime.
20 Dec 2024 — Act LXIX of 2024 on the cybersecurity of Hungary (“Cybersecurity Act”) is adopted.
1 Jan 2025 — Cybersecurity Act and Government Decree 418/2024 enter into force, repealing the previous cybersecurity laws and consolidating NIS2 implementation.
31 Dec 2025 — Deadline for completion of the first mandatory cybersecurity audit for entities registered before 2025.

Sector-specific requirements (Hungary)

  • High-risk sectors: energy, transport, banking and financial market infrastructures, health, drinking water, wastewater, digital infrastructure and ICT service management, public administration and others broadly aligned with NIS2 Annex I.
  • At-risk sectors: postal and courier services, waste management, food production and distribution, manufacturing of key products (e.g. medical devices, pharmaceuticals, electronics), and certain digital services, reflecting Annex II of NIS2.
  • State & municipal bodies: the Cybersecurity Act also captures many public bodies that operate critical electronic information systems, with specific duties for information security officers and system classification.

Penalties for non-compliance

Hungary’s regime closely follows (and in some cases sharpens) NIS2’s penalty levels. Administrative fines are imposed by SZTFH (or the relevant authority) and can be combined with orders to remediate, increased supervision or, in severe cases, restrictions on activities.

  • For essential entities, fines can reach the HUF equivalent of EUR 10 million or 2% of worldwide annual turnover, whichever is higher.
  • For important entities, caps are generally up to the HUF equivalent of EUR 7 million or 1.4% of worldwide annual turnover, whichever is higher.
  • Specific breaches (e.g. failing to register, missing an audit deadline, not operating a risk-management framework, or not paying the supervisory fee) have their own fine ranges in HUF, and repeated non-compliance can lead to re-imposed or escalated fines.
  • In serious or repeated cases, fines may also be imposed personally on the head of the organisation, alongside organisational penalties.

How to prepare for NIS2 in Hungary

  1. Confirm scope: map your services and electronic information systems against the high-risk and at-risk sector lists and determine whether you are an essential or important entity.
  2. Register (or update data): ensure your organisation is correctly registered with the competent cybersecurity authority and that all mandatory data (including cross-border service locations) is up to date.
  3. Classify systems: perform the required classification of electronic information systems, using the national security classes and templates referenced in the Cybersecurity Act and related decrees.
  4. Contract an auditor: select a registered cybersecurity auditor, sign the mandatory audit contract and plan your audit timeline so you meet statutory deadlines.
  5. Strengthen risk management: implement or enhance controls in line with recognised frameworks (ISO 27001 / NIST CSF / IEC 62443, etc.), covering IT and OT systems where applicable.
  6. Build incident readiness: set up monitoring, escalation and incident response processes that meet Hungarian incident reporting timelines to NCSC Hungary.
  7. Budget for supervisory fees: factor the cybersecurity supervisory fee and audit costs into your compliance budget and establish internal ownership for payments and declarations.
  8. Train leadership & staff: brief executives on their responsibilities (including potential personal liability) and roll out regular awareness training and exercises.

FAQ: NIS2 in Hungary

What law implements NIS2 in Hungary?
NIS2 is implemented mainly through Act LXIX of 2024 on the cybersecurity of Hungary, supported by Government Decree 418/2024 and several SZTFH decrees on audits and supervisory fees.

Who is the main NIS2 supervisory authority?
The primary supervisory authority is the Supervisory Authority of Regulated Activities (SZTFH), which oversees registration, audits, supervisory fees and most enforcement actions under the Cybersecurity Act.

Where do I report cybersecurity incidents?
Significant cybersecurity incidents affecting in-scope services must be reported to the National Cyber Security Center of Hungary (NKI / NCSC Hungary) via the national incident reporting channels within the deadlines set by law.

Are cybersecurity audits really mandatory?
Yes. In-scope entities must conclude a contract with an accredited cybersecurity auditor and complete periodic audits. Missing audit deadlines is itself a breach and can lead to substantial fines.

Do Hungarian rules go beyond the basic NIS2 requirements?
In several areas, yes. Hungary adds a supervisory fee, strong audit requirements and detailed fine ranges, and extends parts of the regime to additional public-sector entities and information systems that support critical state and municipal functions.

Information provided for general guidance; consult official Hungarian sources and legal counsel for up-to-date details.