NIS2 Hungary Compliance Guide: Act LXIX of 2024, SZTFH Enforcement, and NKI Requirements for 2026

Complete guide to NIS2 compliance in Hungary — covering Act LXIX of 2024 on the Cybersecurity of Hungary, SZTFH enforcement, NKI incident reporting, entity classification, mandatory audit system, NIST-based risk classification, penalties, implementation timeline, and cyber insurance implications for Hungarian entities.

Hungary transposed the EU NIS2 Directive into national law through Act LXIX of 2024 on the Cybersecurity of Hungary (also known as the Cybersecurity Act), which entered into force on 1 January 2025. The Act replaced the earlier 2023 certification law and the 2013 Information Security Act, creating a single framework covering both the public and the private sector. The European Commission nevertheless opened infringement proceedings in November 2024 for missing the 17 October 2024 transposition deadline and issued a reasoned opinion in May 2025 on the ground that full transposition measures had not been notified. The regime is now fully operational, and the first mandatory cybersecurity audit deadline of 30 June 2026 is approaching fast.

This guide covers Hungary’s NIS2 transposition, the role of SZTFH (Supervisory Authority for Regulated Affairs) as the primary regulator, NKI (National Cyber Security Centre / NCSC Hungary) as the national CSIRT and Single Point of Contact, entity classification, the mandatory audit system, NIST SP 800-53-based risk classification, penalties, implementation milestones, and practical steps for compliance.

Hungary’s NIS2 Transposition: Where Things Stand

Hungary took a two-stage legislative approach before arriving at a consolidated framework:

  • Act XXIII of 2023 on Cybersecurity Certification and Cybersecurity Supervision (Stage 1, May 2023): Partial NIS2 implementation. Entities were required to register with authorities by 30 June 2024. Widely viewed as incomplete.
  • Act LXIX of 2024 on the Cybersecurity of Hungary (Stage 2, December 2024): Full consolidated transposition replacing both the 2023 Act and the 2013 Information Security Act. Adopted by Parliament on 20 December 2024, entering into force on 1 January 2025.
  • Government Decree 418/2024: Sets detailed penalty structures and fine schedules (in force).
  • MK Decree 7/2024: Establishes the three-tier information system security classification framework (Basic/Significant/High) based on NIST SP 800-53 Rev. 5.
  • January 2026 Amendment (effective 6 January 2026): Revised size thresholds excluding entities that only qualified as medium or large because of their corporate group structure. An entity must now meet on its own either ≥50 staff OR (annual turnover >€10M AND annual balance sheet total >€10M) to fall under the Act.

Key Dates and Timeline

Milestone | Date | Status
NIS2 Directive (EU) 2022/2555 entered into force | January 16, 2023 | Complete
NIS2 transposition deadline | October 17, 2024 | Missed
EC infringement proceedings opened | November 2024 | Active
Act LXIX of 2024 adopted | December 20, 2024 | Complete
Act enters into force | January 1, 2025 | Complete
EC reasoned opinion | May 7, 2025 | Issued
Auditor contract deadline | August 31, 2025 | Passed
Size threshold amendment effective | January 6, 2026 | Complete
First mandatory cybersecurity audit | June 30, 2026 | Upcoming

Comparison with Other EU Countries

Hungary’s consolidated one-act approach can be compared with the transpositions covered in the other guides of our country guide series.

Key Regulatory Bodies

SZTFH — Supervisory Authority for Regulated Affairs

SZTFH (Szabályozott Tevékenységek Felügyeleti Hatósága) is Hungary’s primary supervisory authority for cybersecurity regulation:

  • Maintains the national registry of essential and important entities
  • Oversees the mandatory cybersecurity audit system
  • Has power to reclassify an organization’s information systems to a higher security tier if it considers the entity’s own classification too low
  • Sets and collects the annual cybersecurity supervisory fee
  • Operates the SZTFH portal for entity registration and communication
  • May enact decrees requiring specific entities to use certified ICT products/services/processes

Contact: sztfh.hu | Registry of certified auditors available at sztfh.hu/nyilvantartasok/auditorok/

NKI — National Cyber Security Centre (NCSC Hungary)

NKI (Nemzeti Kibervédelmi Intézet) serves as Hungary’s Single Point of Contact (SPOC) and National CSIRT:

  • SPOC for EU-level NIS2 coordination and cross-border incident reporting
  • National CSIRT for incident response, threat intelligence, and vulnerability coordination
  • Primary contact for 24-hour early warning incident notifications
  • Operates the incident reporting portal
  • Participates in the EU CSIRTs Network

Contact: spoc@ncsc.gov.hu | incident@nki.gov.hu | +36 (1) 336-4840

Sectoral Competent Authorities

Hungary uses a multi-authority model with sectoral regulators holding supervisory authority over entities in their sectors:

Authority | Sectors
SZTFH / NKI | Digital infrastructure, Energy, Healthcare, Transport, Water, Waste
Magyar Nemzeti Bank (MNB) | Banking, Financial market infrastructures, Payment services
Ministry of Defence | Defence-related entities
NAIH (Data Protection Authority) | Privacy-centric entities
Ministry of Interior | Law enforcement

Multi-sector entities must formally declare their “principal activity” (where most revenue/staff sit) when registering and retain all correspondence with every relevant sectoral regulator.

Which Entities Are Affected?

Essential Entities (alapvető fontosságú entitások)

Under NIS2, Hungary designates essential entities in these sectors:

Sectors of high criticality (NIS2 Annex I), where no sector-specific cybersecurity law takes precedence:

  • Energy (electricity, hydrogen, oil, gas, LNG, district heating)
  • Transport (air, rail, water, road)
  • Banking
  • Financial market infrastructures
  • Health (hospitals, laboratories, medical device manufacturers)
  • Drinking water supply and distribution
  • Wastewater management
  • Digital infrastructure (DNS, TLD registries, cloud, data centers, CDNs)
  • ICT service management (managed security, managed IT, B2B)
  • Space

Entities covered regardless of size:

  • Qualified trust service providers
  • Top-level domain name registries
  • DNS service providers
  • Public electronic communications network/service providers
  • Public administration bodies
  • Critical entities under Directive (EU) 2022/2557

Important Entities (fontos entitások)

Hungary identifies important entities from additional sectors:

  • Postal and courier services
  • Waste management
  • Chemical manufacturing and distribution
  • Food production, processing, and distribution
  • Manufacturing of critical products (medical devices, electronics, machinery, automotive)
  • Digital providers (online marketplaces, search engines, social networks)
  • Scientific research organisations
  • Specific niches explicitly added: public transport, cement, and plaster manufacturing

Size Thresholds (January 2026 Amendment)

Following the 6 January 2026 amendment, entities must independently meet one of the following:

Criterion | Threshold
Employees | ≥50
Annual turnover AND annual balance sheet total | Both >€10 million

Important change: For these thresholds, the staff headcount, annual turnover, and annual balance sheet total of linked and partner enterprises are no longer relevant. Entities that qualified solely because of their corporate group structure may now be exempt and should re-assess.

Exceptions (size threshold does NOT apply):

  • Trust service providers
  • Public electronic communications providers
  • Top-level domain registries
  • DNS service providers
  • Sole providers of an essential service (regardless of size)
  • Entities whose disruption could significantly impact public safety, security, or health

“Sole Provider” Rule

If an organization is the sole provider in Hungary of a service that is essential for maintaining critical societal or economic activities, it falls under the Act regardless of its size. This criterion comes from Article 2(2)(b) of the Directive itself rather than being a uniquely Hungarian extension, but the practical consequence is easy to miss: a single-supplier entity that is below the size thresholds, including one that dropped out of scope under the January 2026 amendment, must still register and comply.

Hungary-Specific Requirements (Beyond NIS2 Minimums)

Hungary adds several distinctive requirements beyond the NIS2 Directive minimums:

Mandatory National Cybersecurity Audit System

Hungary’s most distinctive feature: a national mandatory audit system requiring entities to:

  • Contract a certified auditor from the official SZTFH Auditors Registry (by August 31, 2025 — deadline passed)
  • Complete full cybersecurity audits every two years (biennial cycle)
  • First mandatory audit deadline: 30 June 2026

Auditors must be registered with SZTFH — self-assessment alone is insufficient for compliance. This goes significantly beyond NIS2’s Article 32 requirements.

NIST SP 800-53 Risk Classification

Unlike most EU Member States that reference ISO 27001, Hungary requires entities to classify their information systems into three security tiers per MK Decree 7/2024, based on NIST SP 800-53 Rev. 5:

  1. High — A breach would cause a national crisis or massive service failure
  2. Significant — Major operational impact, but not a national crisis
  3. Basic — Standard systems with lower risk profiles

Security controls must follow the NIST framework appropriate to each classification. This is a fundamentally different risk management framework than most other EU countries.

Three-Stage Incident Reporting

Hungarian entities must report cybersecurity incidents to NKI through a three-stage process:

Stage | Deadline | Action
Initial alert | 24 hours | Early warning to incident@nki.gov.hu: whether the incident is suspected to be unlawful or malicious and whether a cross-border impact is possible
Update | 72 hours | Initial assessment (severity, impact, available technical information) via the NKI portal, with the sectoral regulator in copy
Final report | 30 days | Detailed description, root cause analysis, cross-border impact, remediation measures, archived on the NKI platform

Entities must pre-register their incident responder with NKI and retain logs of both reportable AND non-reportable incidents as audit evidence.
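The three-stage timeline above, as an added worked example that is not taken from the Act, SZTFH or NKI: a small Python tracker that derives the 24-hour, 72-hour and 30-day deadlines from the moment the entity became aware of an incident, marks each stage as submitted, submitted late, due or overdue at a given point in time, and keeps non-reportable incidents in the same evidence log with the reason they were not reported. The stage names, the three sample incidents, the "now" timestamp and the rationale field are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Stage deadlines, all measured from the moment the entity became aware of the
# incident. Stage names are our own; the periods are the 24h / 72h / 30-day
# steps from the Act and NIS2 Article 23.
STAGES = (
    ("early_warning", timedelta(hours=24)),
    ("incident_notification", timedelta(hours=72)),
    ("final_report", timedelta(days=30)),
)

OPEN = ("due", "overdue")


@dataclass
class Incident:
    ident: str
    detected_at: datetime      # timezone-aware awareness timestamp
    reportable: bool           # assessed as a significant incident or not
    rationale: str             # why it is / is not reportable (audit evidence)
    submitted: dict = field(default_factory=dict)  # stage -> submission time

    def deadlines(self):
        return {name: self.detected_at + delta for name, delta in STAGES}


def stage_status(incident, now):
    """Per-stage status for a reportable incident: 'submitted',
    'submitted_late', 'due' (open, deadline ahead) or 'overdue' (open, deadline
    passed). Non-reportable incidents have no reporting stages."""
    if not incident.reportable:
        return {}
    status = {}
    for stage, deadline in incident.deadlines().items():
        sent = incident.submitted.get(stage)
        if sent is not None:
            status[stage] = "submitted" if sent <= deadline else "submitted_late"
        else:
            status[stage] = "due" if now <= deadline else "overdue"
    return status


def next_action(incident, now):
    """Earliest open stage and the time remaining to its deadline (negative
    when already overdue), or None when nothing is outstanding."""
    status = stage_status(incident, now)
    for stage, deadline in incident.deadlines().items():
        if status.get(stage) in OPEN:
            return stage, deadline - now
    return None


def evidence_log(incidents, now):
    """Audit-evidence rows for reportable AND non-reportable incidents, so the
    decision not to report is recorded together with its rationale."""
    return [
        {
            "id": inc.ident,
            "detected_at": inc.detected_at.isoformat(),
            "reportable": inc.reportable,
            "rationale": inc.rationale,
            "stages": stage_status(inc, now),
        }
        for inc in incidents
    ]


# Constructed sample incidents (not real cases).
SAMPLE = [
    Incident("INC-001", datetime(2026, 3, 2, 9, 0, tzinfo=UTC), True,
             "ransomware on billing cluster, customer-facing outage",
             submitted={"early_warning": datetime(2026, 3, 2, 20, 30, tzinfo=UTC)}),
    Incident("INC-002", datetime(2026, 3, 1, 8, 0, tzinfo=UTC), True,
             "credential stuffing with confirmed account takeover",
             submitted={"early_warning": datetime(2026, 3, 2, 10, 0, tzinfo=UTC)}),
    Incident("INC-003", datetime(2026, 3, 3, 11, 0, tzinfo=UTC), False,
             "phishing blocked at the mail gateway, no user interaction"),
]


def demo(now=datetime(2026, 3, 4, 12, 0, tzinfo=UTC)):
    """ident -> (stage statuses, next open stage, hours left to its deadline)."""
    result = {}
    for inc in SAMPLE:
        nxt = next_action(inc, now)
        result[inc.ident] = (
            stage_status(inc, now),
            nxt[0] if nxt else None,
            nxt[1].total_seconds() / 3600 if nxt else None,
        )
    return result


if __name__ == "__main__":
    for row in evidence_log(SAMPLE, datetime(2026, 3, 4, 12, 0, tzinfo=UTC)):
        print(row)
    for ident, (stages, stage, hours) in demo().items():
        print(ident, stages, stage, hours)
```

With the constructed data, INC-001 has its early warning in on time and its 72-hour notification still open with 21 hours left, INC-002 filed its early warning two hours late and is already four hours overdue on the 72-hour notification, and INC-003 appears in the evidence log as a documented non-report. A late early warning is deliberately kept as its own status rather than folded into "submitted", because that is exactly the distinction an auditor will ask about.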

System Security Officer Requirement

Act LXIX of 2024 requires the head of each entity to designate a person responsible for electronic information system security within the organization — either an internal employee or contracted managed security service provider.

SME Audit Extension

Less critical SMEs may qualify for an extension until June 30, 2026 (with written regulatory relief from SZTFH), but all other obligations — risk assessment, incident reporting, evidence logging — remain active during any deferral period.

Penalties and Enforcement

Entity-Level Fines

Hungary’s penalties are aligned with NIS2 maximum thresholds, set out in Government Decree 418/2024:

Violation | Minimum Fine | Maximum Fine
Failure to register | HUF 1,000,000 (~€2,500) | HUF 150,000,000 (~€375,000)
Late registration | HUF 50,000 (~€125) | HUF 15,000,000 (~€37,500)
No risk management framework | HUF 1,000,000 (~€2,500) | NIS2 maximum (€10M essential / €7M important)
Late auditor contract | HUF 1,000,000 (~€2,500) | HUF 15,000,000 (~€37,500)
Late cybersecurity audit | HUF 1,000,000 (~€2,500) | HUF 50,000,000 (~€125,000)
Failure to notify incidents | HUF 500,000 (~€1,250) | HUF 5,000,000 (~€12,500)
Failure to pay supervisory fee | HUF 500,000 (~€1,250) | 10x the supervisory fee (up to HUF 500,000,000 / ~€1,250,000)

(EUR figures are approximate, converted at HUF 400 per euro.)

For essential entities: fines up to €10 million or 2% of global annual turnover, whichever is higher. For important entities: fines up to €7 million or 1.4% of global annual turnover, whichever is higher.

Personal Liability for Management

Act LXIX of 2024 introduces personal liability for managers:

Item | Detail
Willful disregard of compliance obligations (recurring infringements) | Fine of up to HUF 15,000,000 (~€37,500)
Payment deadline | Within 8 days of the decision becoming final
Re-imposition | Possible 2 months after notification of the final decision

Managers can also face operational bans for non-compliance.

Enforcement Posture

SZTFH has stated publicly it prefers a cooperative approach initially, but as the June 2026 audit deadline approaches, enforcement is expected to intensify. Organizations that have not yet contracted a certified auditor or begun audit preparation should expect regulatory scrutiny.

Compliance Requirements

Article 21 Risk Management Measures

Hungarian essential and important entities must implement measures covering all ten areas listed in NIS2 Article 21(2). The NIST SP 800-53 Rev. 5 control families given in brackets are the mapping we use when building a control matrix for the Hungarian security tiers:

  1. Policies on risk analysis and information system security (NIST SP 800-53: RA, PL)
  2. Incident handling (NIST SP 800-53: IR)
  3. Business continuity, including backup management, disaster recovery and crisis management (NIST SP 800-53: CP)
  4. Supply chain security, including the security aspects of relationships with direct suppliers and service providers (NIST SP 800-53: SR)
  5. Security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure (NIST SP 800-53: SA, MA; RA-5 vulnerability monitoring, SI-2 flaw remediation)
  6. Policies and procedures to assess the effectiveness of the risk management measures (NIST SP 800-53: CA)
  7. Basic cyber hygiene practices and cybersecurity training (NIST SP 800-53: AT)
  8. Policies and procedures on cryptography and, where appropriate, encryption (NIST SP 800-53: SC-12 key management, SC-13 cryptographic protection)
  9. Human resources security, access control policies and asset management (NIST SP 800-53: PS, AC, CM-8)
  10. Multi-factor or continuous authentication, secured voice, video and text communications and secured emergency communication (NIST SP 800-53: IA-2, SC-8)

Physical security of premises and data centres is not a separate Article 21(2) item; under the SP 800-53-based classification it falls under the PE family.

Plus Hungary-specific:

  • System classification into Basic/Significant/High per MK Decree 7/2024
  • Designated security officer (internal or managed security provider)
  • Third-party contractual requirements — entities must ensure cybersecurity requirements are binding on all contributors (auditors, maintenance, data processors)

Incident Reporting Requirements

All in-scope entities must report significant cybersecurity incidents to NKI (National Cyber Security Centre) through the three-stage process described above: early warning within 24 hours, incident notification within 72 hours, final report within 30 days.

Entities must also notify the recipients of their services where appropriate. For incidents with possible cross-border impact the entity still reports once, to NKI; as Hungary’s Single Point of Contact, NKI forwards the notification to the other affected Member States and to ENISA, so the entity does not file separately with EU-level channels.

Supply Chain Security

NIS2 requires Hungarian entities to assess and manage cybersecurity risks across their supply chain — particularly given the mandatory audit system’s focus on contracted third parties (auditors, maintenance providers, incident managers, data processors). All such relationships must have binding cybersecurity contractual obligations.

This aligns with our guide on NIS2 supply chain and third-party risk management.

Implementation Roadmap for Hungarian Entities

Phase 1: Immediate Actions (January–March 2026)

  • Re-assess scope under the January 2026 size threshold amendment — determine if your entity is still in scope
  • Verify SZTFH registry status — ensure entity registration is current and complete
  • Conduct preliminary gap analysis against NIST SP 800-53 control requirements for your security tier
  • Map information systems to Basic/Significant/High classification tiers
  • Identify any “sole provider” status considerations

Phase 2: Audit Preparation (April–June 2026)

  • If not already done: contract a certified auditor from the SZTFH Auditors Registry immediately
  • Complete pre-audit remediation — close gaps identified in readiness assessments
  • Prepare system classification documentation as a mandatory prerequisite
  • Establish documented incident response procedures for the 24/72-hour reporting timeline
  • Ensure security officer designation is formalized and documented
  • Begin third-party contract review to ensure cybersecurity requirements are included

Phase 3: Full Compliance (Post-June 2026)

  • Complete first mandatory cybersecurity audit by June 30, 2026
  • Address audit findings and remediate identified gaps
  • Enter the biennial audit cycle (next audit due within 2 years)
  • Maintain continuous compliance with risk management and incident reporting obligations
  • Review cyber insurance coverage for NIS2-related exposures
  • See our NIS2 gap analysis guide for detailed readiness steps

Cyber Insurance Implications for Hungarian Entities

Why Hungarian Entities Need Cyber Insurance

NIS2 creates significant new liability exposure for Hungarian organizations:

  • Fines up to €10M for essential entities — insurance can cover defense costs and regulatory investigation expenses
  • Mandatory audit costs — conducting the June 2026 audit and remediating findings can be costly; insurance can offset these expenses
  • Business interruption from mandatory system shutdowns during incident response or corrective orders
  • Third-party claims from customers affected by data breaches or service disruptions
  • Personal liability for managers — D&O insurance must be reviewed for cyber exclusion clauses
  • Supervisory fee penalties — even procedural breaches can trigger significant HUF-denominated fines

What Underwriters Should Ask About Hungarian Entities

Cyber insurance underwriters assessing Hungarian risks should ask:

  1. Entity classification — Is the insured designated as essential or important entity?
  2. Registry status — Has the entity completed SZTFH registration and is it current?
  3. System classification — Have information systems been classified as Basic/Significant/High per MK Decree 7/2024?
  4. Audit status — Has a certified auditor been contracted? What is the audit readiness posture?
  5. Incident history — Any incidents reported to NKI in the past 3 years?
  6. Security officer — Has a responsible person for electronic information system security been formally designated?
  7. Third-party contracts — Do all contributor relationships include binding cybersecurity obligations?
  8. Size threshold re-assessment — Has the entity re-assessed scope under the January 2026 amendment?

Coverage Considerations

For Hungarian entities, ensure the policy covers:

  • Regulatory investigation costs under NIS2 enforcement actions
  • Business interruption during SZTFH-mandated reviews or corrective orders
  • Notification costs for multi-stage incident reporting (24h/72h/30-day)
  • Crisis management and reputational harm
  • Audit costs when mandated by SZTFH
  • Management liability — D&O coverage for personal fines up to HUF 15M
  • Supply chain losses from vendor incidents
  • NIS2-related penalties coverage for entity-level fines, to the extent such fines are insurable under applicable law

Use our cyber insurance buying guide to compare coverage options and our NIS2 compliance checker to assess your current compliance status.

Key Takeaways

  1. Hungary transposed NIS2 through Act LXIX of 2024, which entered into force on 1 January 2025 — replacing the earlier 2023 law and 2013 Information Security Act with a unified framework for both public and private sectors
  2. SZTFH is the primary regulator while NKI (NCSC Hungary) serves as both the Single Point of Contact and National CSIRT for incident reporting
  3. Mandatory national audit system is Hungary’s most distinctive feature — entities must contract certified SZTFH auditors and complete audits on a biennial cycle, with the first deadline of June 30, 2026 approaching
  4. NIST SP 800-53 Rev. 5 is the mandatory risk management framework — entities must classify systems as Basic, Significant, or High and apply corresponding controls
  5. January 2026 size threshold amendment changed the calculus — entities must now independently meet thresholds without counting linked/partner enterprise figures
  6. “Sole provider” rule extends scope to unique essential service providers regardless of size
  7. Penalties reach NIS2 maximums — up to €10M or 2% global turnover for essential entities, plus personal manager liability up to HUF 15M
  8. Cyber insurance is essential for Hungarian entities — covering regulatory fines where insurable, mandatory audit costs, business interruption, and personal management liability

For more NIS2 compliance resources, explore our NIS2 compliance checklist, penalties guide, and technical measures requirements. Compare your country’s approach with our essential vs important entity classification guide.
