How Did Hungary Change the NIS 2 Playing Field – and Where Is Your Organisation Now at Risk?
Hungary’s approach to NIS 2 is more than a legislative update – it represents a fundamental re-mapping of who must comply and how digital resilience is documented nationwide. With Act LXIX/2024, Hungary triggers a cascade of new obligations that directly affect a massive swathe of previously out-of-scope companies, from healthcare and logistics to cloud infrastructure and digital service providers. The result: any executive or department head who has not rechecked their sector status or registration requirements is abruptly facing a compressed compliance window and a new regulatory burden.
The greatest risk isn’t a breach – it’s being silent when the regulator comes knocking.
NIS 2 in Practice: Expanded Scope, Hard Deadlines, and Real Enforcement
Hungary’s law does not quietly echo Brussels; it brings sharp-edged changes for 2024:
- Broader sector sweep: Utility companies, logistics, cloud providers, digital market players, and supply chain operators are all newly captured in Annexes I & II. Even “important” entities who thought of themselves as too small are now in scope.
- Mandatory registration: Any business meeting sector × size criteria must register by June 30, 2024 – no extensions, no safe harbour for startups or ‘borderline’ cases.
- Strict incident reporting: The days of informal reporting or post-incident clean-up are gone. Within 24 hours of a qualifying incident, initial notification must hit both national (NKI) and sectoral authorities – backed by detailed logs within 72 hours.
- Regulatory bite: New maximum fines reach €10M or 2% of global turnover, with explicit multipliers for repeat failings or systemic neglect.
The language of “wait and see” or “plausible deniability” no longer applies. For every Hungarian organisation, a rapid eligibility check – followed by prompt registration and documentation – is now mandatory risk governance, not optional hygiene.
Don’t Bet Your Reputation on Assumptions
Hungarian auditors and the National Cyber Security Centre (NKI) have signalled a clear message: ambiguity will never be accepted as a defence. If your organisation’s sector, size, or principal activity falls within the reference lists published by the SZTFH and Hungarian government, there is now a positive, inspectable duty to register and comply.
Fail to act, and key business risks appear:
- Blocked contracts where tenders or partners require evidence of registration.
- Audit interruption and enforced operational reviews, sometimes with little notice.
- Reputational loss from regulator inquiries publicised on sector lists.
If your organisation is unclear, leverage the government’s self-assessment tools and document every query to sector authorities, keeping evidence for any audit or procurement review (nki.gov.hu, enisa.europa.eu).
Which Hungarian Regulator Should You Report To? The Authority Map Unveiled
In the new NIS 2 regime, failing to identify your designated regulatory authority is not merely a technicality – it can trigger double reporting, duplicate audits, and confused responsibilities. Hungary’s system maps “lead regulators” by sector:
| Sector/Domain | Lead Regulator | CSIRT/Incident Link |
|---|---|---|
| Digital Infrastructure, Utilities | SZTFH (National Authority for Cyber-Security) | NKI (National Cyber Security Centre) |
| Banking, Finance | NBH (Central Bank of Hungary) | NKI |
| Privacy-Centric Entities | NAIH (Data Protection Authority) | NKI |
| Public Administration, Defence | Ministry of Defence | NKI |
| Hybrid/Multi-Sector | Confirm with SZTFH, NBH | NKI |
A single misfiled report or missed registration can compound risk. Hybrid companies need formal sign-off from every relevant authority.
Navigating the Multi-Sector Maze
For companies straddling several domains – say, a data centre with both healthcare and logistics clients – hybrid status is common. In this case:
- Formally declare your “principal activity” (where most revenue/staff sit) when registering.
- File cross-sector documentation and explicitly request confirmation of lead authority.
- Retain all correspondence with sectoral regulators – auditors will verify clear communication if disputes arise.
Hungary’s regulatory system demands proactivity: sit on the fence, and you could see both deadline slippage and, worse, cross-border investigation if an incident arises where roles are unclear.
Best Practices for Compliance Leaders
- Designate a compliance champion – formally named, internally and to your lead regulator.
- Document escalation and communication chains; roles must be unambiguous across IT, legal, and C-suite.
- Cross-border operations? Keep a jurisdiction mapping matrix to avoid gaps if serving clients in multiple EU states.
Regulatory ambiguity is a risk you create for yourself – and one that never passes an audit.
What Are the CSIRT Links and Incident Reporting Realities Under Hungary’s NIS 2 Law?
An ignored or misunderstood incident response pathway is the single most common source of audit failure and regulatory intervention. At the centre of Hungary’s regime, the National Cyber Security Centre (NKI/NCSC Hungary) is your primary conduit for all incident notifications, covering both local and cross-border events.
Key Incident Response Requirements
- Register your incident responder: Identify and document, with NKI in advance, the responsible staff and their notification credentials.
- Rehearse your reporting flow: Practise with dry-run incidents and file simulation results as audit evidence.
- Meet timelines ruthlessly:
  - *Initial alert*: 24 hours from detection
  - *Detailed update*: within 72 hours
  - *Final close-out*: within 30 days
| Step | Deadline | Where to File |
|---|---|---|
| 1. Initial alert | 24 hours | incident@nki.gov.hu |
| 2. Update | 72 hours | NKI portal + sectoral regulator |
| 3. Final report | 30 days | NKI, archived on platform |
- Retain logs: Hungary mandates full documentation of “reportable and non-reportable” incidents – timing, actions, and communication must be audited.
- Cross-border incidents: Where obligations cross national lines, file with both NKI and the corresponding EU-wide CSIRT channel.
You build trust with the regulator not by hiding imperfection, but by surfacing and fixing issues faster than anyone expects.
Enforcement & Audit Culture
Hungarian auditors expect not just evidence of incidents reported, but proof that teams simulated incidents and documented learnings into the ISMS. “Invisible” incident processes – undocumented, untested – are flagged as control weaknesses.
How Do Hungary’s NIS 2 Deadlines, Audit Requirements, and Logs Affect You?
Unlike legacy compliance frameworks, Hungary’s approach to NIS 2 is deadline-centric and ruthlessly documentary. The authorities demand evidence chains that cover:
- Registration: File before June 30, 2024.
- Internal self-assessment: Due end of 2024; standards mapped directly to Hungarian law and ISO 27001.
- External audit nomination: Provide the name of your external auditor before the end of 2024.
- Audit & re-audit cycles: Complete audits by December 2025 (with SME extensions possible only by formal approval).
It isn’t compliance until it’s documented, reviewed, and logged. Audit trails are your first and last line of defence.
Audit-Essential Documents:
- Registration receipts, proof of scope mapping
- Internal and external audit logs, communications, and approvals
- Policy Packs acknowledgments and training logs
- Incident rehearsals and response logs
- Supplier engagement and stretch logs
- Management review minutes and living gap trackers
ISO 27001 Audit-Bridge Table
| Expectation | How You Operationalise | Clause/Control |
|---|---|---|
| Detect incidents | 24×7 monitoring, instant alerts | A.8.15, A.8.16 |
| 3rd-party assurance | Supplier due diligence & docs | A.5.19, A.5.20, A.5.21 |
| Staff awareness trace | Policy Pack tracking | A.6.3, A.7.7 |
| Respond to CSIRT | Workflow, live log | A.5.24, A.5.26 |
| Close gaps | Continuous logs, mgmt review | A.5.36, Clause 9.3 |
Traceability Mini-Table
| Trigger | Risk Update | Control / SoA Link | Evidence Logged |
|---|---|---|---|
| Phishing email | Create risk, update register | A.8.15, SoA section 8 | Incident log, staff record |
| Vendor breach | Third-party score update | A.5.19, SoA section 5 | Vendor comms, audit trail |
| Outage event | BCP review, update log | A.8.13, SoA, BCP | Recovery plan, log |
Build these tables into your ISMS – Hungary’s external auditors use them as reference points, expecting not just the document, but the logging of its live lifecycle.
Navigating Exemptions, Extensions, and Sector Variability Under Hungary’s NIS 2
SMEs and certain non-critical sectors are not automatically exempt from NIS 2 – relief is possible only through formal, documented approval. The process is as rigorous as for any large corporation, with the burden of proof always on the organisation.
Securing Valid Compliance Relief
- Exemption must be written: Only the sector authority (MKIK or regulatory lead) can issue an official exemption letter – retain this with all correspondence.
- Full documentation: All requests, paperwork, and approvals must be maintained within your ISMS, available for any future audit.
- Extensions = Active compliance: SME audit relief typically extends the full audit deadline to June 2026, but *only* if approved, and you must continue self-assessment, incident reporting, and log retention throughout (mkik.hu, mondaq.com).
Compliance pressure is lower only for those able to prove it – assumed exemption is an audit finding, not a safe zone.
Use checklists provided by MKIK and NKI. Smaller organisations should use out-of-the-box templates to avoid gaps; custom approaches rarely satisfy auditors unless impeccably documented.
How Does Hungary Benchmark Against Austria, Slovakia, and Poland – and Why Should You Care?
NIS 2 is an EU directive, but Hungary’s rules – not its neighbours’ – define your regulatory reality if based in Budapest, Debrecen, or Pécs. Yet supply chains, outsourcing, and pan-European customer contracts frequently mean parallel obligations with different windows and reporting formats.
| Country | Registration Deadline | Regulator/Authority | CSIRT / National CERT |
|---|---|---|---|
| Hungary | June 30, 2024 | SZTFH / sector leader | NKI |
| Austria | May 31, 2024 | BMI (Interior) | CERT.at |
| Slovakia | July 15, 2024 | NBU (Security Office) | CSIRT.SK |
| Poland | June 30, 2024 | NASK | CERT.PL |
Compliance is as much about cross-border diligence as local registration. If you export, stay alert to the tightest window and trace all reporting chains.
What this Means for You
If your organisation operates across borders or serves multi-national clients:
- Map all deadlines for every national authority in your supply and partner chain.
- Assign a “compliance map” owner – someone who has authority to collect evidence and maintain this live document.
- Upload ENISA EU NIS 2 cross-jurisdiction guides to your staff and contractor onboarding packs.
Failure to distinguish between local audit expectations and client country rules often leads to last-minute fire drills or, worse, missed contracts and regulatory fines (enisa.europa.eu, enisa.europa.eu/csirt-network).
Why ISMS.online Delivers a Living NIS 2 Compliance Roadmap for Hungary
NIS 2 compliance is a continuous process – Hungary’s live law, sectoral mapping, and audit schedules mean companies can no longer blueprint, then forget their obligations. ISMS.online empowers organisations to operationalise compliance with sector-specific templates, audit-ready evidence tools, and a knowledge base continuously updated with law and regulator guidance.
- Sector mapping tools: Instantly clarify your in-scope status and regulatory authority to avoid registration errors or audit confusion.
- Automated law feeds & templates: Country-specific updates, guides, and deadline checklists always at your fingertips.
- Audit chain tracking: Build, log, and update evidence chains with embedded SoA control links and timestamped management reviews.
- Incident & simulation reporting: Assign compliance champions, file incident rehearsals, and log every NKI interaction – reducing audit day scramble.
- SME and large-entity support: ISMS.online delivers tailored workflows, dual-language assets, and out-of-the-box evidence lists for every compliance tier.
Real digital resilience is built one logged control, deadline, and learning at a time. Compliance is a living system-never ‘tick and forget’.
If you want assurance that you’re not just checking boxes for NIS 2 in Hungary, but building a system that continuously proves compliance to regulators, auditors, customers, and your own board – ISMS.online is the right partner for your journey.
Ready to turn compliance from risk into a competitive advantage? Map your Hungarian obligations, automate your evidence trails, and build a platform for lasting trust.
Frequently Asked Questions
How can you confirm which Hungarian regulator is responsible for NIS 2 compliance in your sector?
You confirm your NIS 2 regulator in Hungary by first identifying your legal entity type (essential or important entity) and your industry sector – then referencing the assignments published by Hungarian authorities. For information and communication sectors, healthcare, energy, and public administration, supervision typically falls to either the National Cyber Security Centre (NKI/NCSC Hungary, Nemzeti Kibervédelmi Intézet) or the Supervisory Authority for Regulated Activities (SZTFH). Finance and insurance are overseen by the National Bank of Hungary (NBH), while critical defence organisations report to the Ministry of Defence. However, hybrid cases – such as firms providing critical digital infrastructure but also offering telecom or health services – should always obtain a written confirmation from NKI or SZTFH. Regulator assignments can shift as legislation evolves; logging and archiving all correspondence about your regulator status within your ISMS not only clarifies accountability, but can protect your organisation against dual audits or compliance disputes should authorities’ responsibilities be updated.
Securing formal regulator recognition early limits future compliance risk and eliminates ambiguity across audits or enforcement reviews.
Hungarian NIS 2 Regulator Overview Table
| Sector / Industry | Entity Type | Regulator(s) | Source / Contact |
|---|---|---|---|
| Digital/ICT, Energy | Essential/Important | SZTFH / NKI | / |
| Finance, Insurance | Essential | NBH | |
| Public, Healthcare | Essential/Important | SZTFH / NKI | As above |
| Defence | Essential | Defence Ministry | |
| Multi-sector/Hybrid | Varies | Confirm with NKI | Initiate enquiry with NKI |
Always archive regulator assignment confirmations and maintain a live register of sectoral contacts in your ISMS, especially during mergers or business model changes.
What are Hungary’s NIS 2 incident reporting requirements and how should escalation be managed?
Under NIS 2, essential and important entities in Hungary must report any significant cyber-security incident to the National Cyber Security Centre (incident@nki.gov.hu) within 24 hours of discovery, using the official reporting template. A detailed follow-up – including technical context, impact, and corrective action – must then be submitted within 72 hours. A closure report summarising lessons learned and residual risk must be filed within 30 days of incident confirmation. Hungary’s NKI acts as both your national CSIRT and primary point-of-contact with the ENISA network, handling European notifications and coordination across borders. All stages of the reporting and evidence collection process – time stamps, correspondence, impact logs, and technical evidence – are audit requirements, not merely procedural suggestions. Late or incomplete notifications may result in fines or enforcement even if the cyberattack itself originated externally.
Incident reporting speed and documentation are the strongest ISMS signals to both auditors and regulators – acting fast (even if initially incomplete) is always better than waiting for perfection.
Incident Reporting Timeline in Hungary
| Reporting Step | Timeline | Summary |
|---|---|---|
| Initial notification | ≤ 24 hours | Email incident@nki.gov.hu; submit basic facts |
| Detailed incident report | ≤ 72 hours | Technical root cause, response steps |
| Closure report | ≤ 30 days | Remediation, review, outcomes |
| EU coordination | As needed via NKI | NKI forwards to ENISA/CSIRTs if required |
Regularly conduct tabletop exercises of incident response and reporting – these are increasingly reviewed during annual audits to evidence readiness, not just “tick-box” activity.
What is the 2024–2025 NIS 2 compliance timeline for organisations in Hungary?
To achieve and maintain NIS 2 compliance in Hungary, organisations must follow a staged schedule:
- June 30, 2024: Register your entity and provide responsible contacts to your regulator (SZTFH, NKI, or sector-specific).
- October 18, 2024: Complete implementation of technical and organisational security controls, referencing Act LXIX/2024 and ISO 27001/Annex A.
- December 31, 2024: Sign a contract with a certified external cyber-security auditor.
- December 31, 2025 (core sectors): Undergo and complete first formal external audit; less critical SMEs may qualify for an extension until June 30, 2026 (with written regulatory relief).
- Ongoing: Routinely maintain your ISMS, update the evidence base, conduct annual self-audits, and rehearse incident reporting.
Missing or delaying any of these checkpoints increases legal and business risk: monetary penalties can reach €10 million or 2% of global revenue, and regulator scrutiny typically intensifies.
Treat NIS 2 as a living evidence chain – when you keep compliance ‘warm,’ audit surprises vanish and management gains real confidence.
NIS 2 Compliance Milestone Table
| Milestone | Deadline | Evidence to Maintain |
|---|---|---|
| Registration | 30 June 2024 | Regulator confirmation, filed entity profiles |
| Controls active | 18 October 2024 | ISMS records, SoA, system logs |
| Auditor contracted | 31 December 2024 | Signed engagement letter, audit scope |
| Audit finished | 31 December 2025/26 | Full audit report, findings, remediation log |
| Self-review | Ongoing | Evidence log, updated gap/risk analysis, drills |
Bookmark NKI, sector regulator, and ISMS.online update feeds; rules and official clarifications may “shift under your feet” quarterly.
What are Hungary’s audit evidence standards and SME audit deferral rules under NIS 2?
SMEs in Hungary are only eligible for audit date deferral if they operate outside the core “critical” sectors (digital infrastructure, energy, finance, health). If eligible, you must obtain a formal, written exemption from your sector regulator or the National Chamber of Commerce (MKIK); this exemption defers the external audit to June 30, 2026. Crucially, all other NIS 2 obligations (risk assessment, incident reporting, evidence logging, self-assessment) remain active – a deferral is not a freeze. File every exemption or extension in both Hungarian and English within your evidence pack, and reconfirm with authorities if your status or ownership changes. Assumed exemptions are a frequent audit failure point.
Documentation is the difference between a compliant SME and one exposed to late audits, preventable fines, or public embarrassment.
Audit Evidence & Exemption Matrix
| Entity Type | Sector | Audit Deferral? | Must-Have Documentation | Final Audit Deadline |
|---|---|---|---|---|
| SME (critical) | Core sectors | No | N/A | 31 Dec 2025 |
| SME (other sectors) | With written relief | Yes | Regulatory letter, logged approval | 30 June 2026 |
| Large / Strategic | All | Not eligible | N/A | 31 Dec 2025 |
Upon organisational or scope changes, request and log updated regulator confirmation and exemption status to prevent future disputes.
How should firms with cross-border EU operations handle NIS 2 in Hungary and neighbouring states?
If your company operates across Hungary and other EU countries (e.g., Austria, Slovakia, Poland), each state’s NIS 2 regime must be addressed separately. Registration, security controls, incident reporting, and audit requirements apply per country – even if your group operates under a single “European” management structure. Hungary’s regulator assignments and deadlines do not “passport” into other member states: update a master “compliance map” tracking each jurisdiction’s regulator, CSIRT contacts, reporting addresses, current audit status, and next key date. Review and update this at least quarterly, or whenever any jurisdiction issues a significant legal interpretation. ENISA and the EU CSIRT network synchronise templates and disclosure standards, but national obligations are concrete and enforceable.
Compliance without borders is an illusion – missing one regulator or deadline can create audit findings and fines that reverberate across your entire group.
Example Multinational Compliance Map
| Country | Regulator | Incident CSIRT | Audit Deadline | Guidance Link |
|---|---|---|---|---|
| Hungary | SZTFH/NKI | NKI/NCSC | 31 Dec 2025/26 | |
| Austria | Sector-specific | CERT.at | Sector deadline | |
| Slovakia | Authority-per-sector | SK-CERT | Sector deadline | |
| Poland | Sector authority | CERT Polska | Sector deadline | |
Assign a compliance owner for each region, with documented board review at least once a year and version-controlled register.
How can ISMS.online make NIS 2 compliance continuous and audit-ready for Hungarian organisations?
ISMS.online turns NIS 2 from a set of annual checklists into an always-on compliance system by:
- Automating sector and regulator mapping: Your company type, country, and exemptions are mapped to the correct Hungarian regulator, with all registration and reporting contacts embedded.
- Real-time legal tracker and document centre: Teams receive targeted updates on new laws, guidance, and deadlines – issued in Hungarian and English, and mirrored across other EU branches.
- Evidence chain and audit-ready dashboards: Every incident report, audit action, policy change, and correspondence is logged – creating a permanent audit trail mapped to NIS 2 and ISO 27001 controls.
- Sector and SME support packs: Tailored skill checklists and exemption request templates address the most common gaps for your business type.
- Scenario onboarding and “live fire” tests: Built-in modules help you simulate incidents, rehearse reporting cycles, and collect proof of actual compliance exercises.
- Multilingual, multi-country scaling: Once digital compliance is systemized in Hungary, you can clone best practice to Austrian, Slovakian, and Polish branches, ensuring group-wide resilience.
Resilience is no longer a slogan – when your evidence, reporting history, and legal tracking are living, digital, and documented, you turn audit risk into operational confidence.
Move beyond “scramble-mode” compliance. Request ISMS.online’s Hungary NIS 2 pack or personalised platform walkthrough (https://isms.online/hu/) and set your audit process to always-on – across borders, languages, and reporting windows.








