On May 31, 2025, significant amendments to Act LXIX of 2024 entered into force, introducing a structured and enforceable roadmap for Hungarian companies required to comply with the EU’s NIS2 Directive on cybersecurity.
The legislative update addresses a growing need for enhanced cyber resilience across key sectors. Organizations classified as essential or important entities under the NIS2 framework must now adhere to strict timelines and implement comprehensive cybersecurity controls.
🔒 Compliance Timeline: Key Dates to Know
The amendment outlines two non-negotiable deadlines:
- August 31, 2025
By this date, all affected organizations must sign a formal agreement with a cybersecurity auditor registered with Hungary’s SZTFH (Supervisory Authority for Regulated Activities). This step signifies the official launch of the NIS2 compliance journey and ensures a designated expert is available for the required audit. - June 30, 2026
The deadline for completing the first comprehensive cybersecurity audit. This evaluation determines whether the organization meets the specific controls and safeguards mandated by its assigned security classification (basic, substantial, or high).
Failing to meet these deadlines risks not only regulatory penalties but also operational vulnerabilities and reputational damage.
📋 Preparing for NIS2 – Beyond IT
Complying with NIS2 is not merely an IT project—it’s an organization-wide effort involving leadership, HR, legal, and internal audit functions. The process requires creating a documented, repeatable, and risk-based operational model.
Here’s how companies can prepare effectively:
Identify Critical Systems
Determine which electronic systems are essential to core operations and assess how they interact with data, processes, and external partners.
Assign Security Classification
Classify these systems according to Hungarian Decree 7/2024 as “basic,” “substantial,” or “high,” which defines the applicable requirements.
Define Control Requirements
Based on classification, document the necessary technical and organizational controls and note any gaps or deviations.
Conduct Gap Analysis and Risk Assessment
Establish a risk management framework, define internal responsibilities, and conduct a cybersecurity risk analysis. Use the findings to create an action plan.
Develop Policy Documentation
Implement internal policies for information security, access control, incident response, system logging, and backups.
Implement Technical and Administrative Controls
Apply security measures such as encryption, access control, authentication protocols, physical security, and system updates, tailored to the risk classification.
Train and Educate
Deliver awareness programs and role-specific training for leadership and staff. Regular refreshers and simulations are essential.
Prepare for Audit
Audit success depends on readiness. Organizations should begin reviewing documentation and system statuses well ahead of mid-2026.
Why Early Action Matters
Though 2026 may seem far off, the reality is that true compliance takes months of preparation. Delays may limit access to qualified auditors and increase risk exposure.
Early preparation does more than meet legal obligations—it improves operational security, reduces business risk, and demonstrates regulatory maturity to clients and partners.
Comments are closed.