Audit41Readiness
🇭🇺Hungary

NIS2 in Hungary: What your organisation must do.

Act LXIX of 2024 on Cybersecurity · In force January 1, 2025

Hungary has transposed the EU NIS2 Directive. If your organisation operates in a covered sector, you are likely in scope and must comply with SZTFH (Supervisory Authority for Regulated Activities) requirements.

96d 9h 9m

First audit deadline

First mandatory cybersecurity audit must be completed by June 30, 2026.

Check your NIS2 scope — free →See Audit41 Readiness →

Entity classification

Are you an Essential or Important Entity?

Essential Entity

Annex I sectors + large enterprise (250+ employees or €50M+ turnover)

Penalties: up to €10M or 2% of global turnover

Proactive supervision — authorities can audit at any time

Important Entity

Annex I medium enterprise or Annex II medium/large enterprise

Penalties: up to €7M or 1.4% of global turnover

Reactive supervision — investigated when non-compliance is indicated

Not sure which classification applies to your organisation? The free self-check takes 3 minutes and tells you exactly where you stand — including Hungary-specific rules. Start free self-check →

What Hungary requires

Your obligations under Act LXIX of 2024 on Cybersecurity.

1

Register with SZTFH (registration was due June 2024 — register immediately if not done)

2

Classify electronic information systems as basic, significant, or high security

3

Sign contract with SZTFH-certified auditor within 120 days of registration

4

Complete first cybersecurity audit by June 30, 2026

5

Implement NIST SP 800-53 rev.5 security controls mapped to your security class

6

Pay annual cybersecurity supervisory fee to SZTFH

7

Appoint a Cybersecurity Officer (CISO equivalent)

8

Report to EU member states where services are provided

ISO 27001 in Hungary

Hungary uses NIST SP 800-53 rev.5 as the technical framework. ISO 27001 provides useful preparation but does not replace the mandatory SZTFH-certified audit.

Sectors in scope in Hungary

EnergyTransport(including public transport — expanded beyond EU baseline)HealthDrinking water and wastewater(merged into one sector)Digital infrastructureICT service managementPublic administrationManufacturing(including cement, lime, plaster — expanded beyond EU baseline)Food productionElectronic communications services

What makes Hungary different

Hungary went beyond the EU baseline — public transport and cement/lime/plaster manufacturing are explicitly in scope.

The auditor must be from the official SZTFH Auditors Registry — unlicensed auditors do not count.

Finance in Hungary is supervised by the National Bank of Hungary (NBH), not SZTFH.

Security classification determines your required controls: basic, significant, or high security levels.

Fines reach up to €10 million or 2% of global turnover for essential entities.

Know exactly where you stand on NIS2 in Hungary.

The free self-check takes 3 minutes. It applies Hungary-specific rules, tells you your entity type, and recommends the right assessment plan.

Start Hungary self-check — free →