Guide to NIS2 compliance: risks, actions, deadlines

Companies that fail to comply with the national legislation transposing the NIS2 Directive risk fines of up to €10 million or up to 2% of annual turnover. While parts of the Hungarian business community are up in arms about the pace of implementation and the difficulty of meeting the deadlines, nobody disputes that the business damage caused by a cyber-attack is more dangerous than the fines.

NIS2 (the second Network and Information Security Directive), an EU-wide cybersecurity directive that Member States had to transpose into national law by October 2024, is the European Union's self-defence reflex against the spectacular rise in cybercrime. Replacing NIS1, the directive is the EU's attempt to keep pace with cyber threats, some of which operate on a scale that threatens the normal functioning of a country or even of the EU as a whole.
The common regulatory framework set out in the NIS2 Directive aims to raise the level of cybersecurity and cybersecurity capabilities by introducing risk-management measures and incident-reporting obligations. "The aim is not to avoid punishment, but to establish cybersecurity protocols for cooperation, information exchange, monitoring and enforcement," stresses Ákos Boross, managing partner of Moore Hungary.

Hungary is well placed compared with other EU countries in this area, because cybersecurity in the public sector has long been mandatory and supervised. Moreover, since each Member State was free to tailor the transposition of NIS2 to its own circumstances, Hungary was able to react quickly. The domestic rules are based on the US standard NIST SP 800-53, which is also applied to the public sector. Ákos Boross considers the expectation that covered entities reach this level of maturity to be well justified, even though a good part of the business community, including half of the cyber-defence profession, is up in arms about the pace of implementation: there are not enough audit firms, and last-minute details make it difficult to meet the deadlines.

However, nobody disputes that the affected businesses need to reach this level, as there is a growing recognition that the business damage from a cyber-attack is far more dangerous than the fines.


Tasks and deadlines

Under the domestic cybersecurity legislation (see the Legal background box), entities covered by NIS2 have already had to go through the registration procedure with the Regulated Activities Supervisory Authority (SZTFH), notify the authority of the identity of their Information Security Officer (IBF), and provide a list of the EU Member States in which they provide services.

Under the legislation, each covered entity must contract a mandatory cybersecurity audit with an auditor listed in the register kept by the SZTFH within 120 days of its registration. For organisations that commenced operations before 1 January 2025, the audit must be completed by 31 December 2025.

Otherwise, they can expect sanctions from the SZTFH. The first of these is a warning: the authority gives the head of the organisation a deadline to remedy the shortcomings, requiring them to end the infringement and to refrain from repeating it. If necessary, the SZTFH may take official action: it may refer the matter to a supervisory body or appoint an information security officer at the organisation's expense.

If an organisation fails to comply with the security requirements, to remediate the deficiencies or to take the necessary action, the cybersecurity authority can impose fines of up to €10 million or 2% of annual turnover, as noted above.


Fees and payments

The entities concerned must pay a cybersecurity supervision fee for the supervisory activities of the SZTFH, based on their net turnover in the previous year. The legislator set this fee at 0.00015 times (that is, 0.015 percent of) the previous year's net turnover, capped at HUF 10 million.
The fee for the cybersecurity audit is set out in SZTFH Decree 1/2025 (I. 31.). It is calculated from a maximum basic net fee of HUF 1,750,000, adjusted by three factors: the organisation's net turnover in the previous year, the number of security-classified electronic information systems, and the security class of those systems.


The key is preparation

For a company to be prepared, to implement the NIS2-related rules as soon as possible, and to counter effectively the cyber threats that arise daily, the first important step is a gap analysis: a specialised consultancy assesses the maturity level of the company's organisation and of its electronic information systems. "The sooner it becomes clear how prepared an organisation affected by NIS2 is, the better the chances of correcting any problems or errors that arise," says Ákos Boross, who adds that practice shows a mixed picture: some companies are ready for the audit, while others have a serious backlog to catch up on. It is also essential that the consultant accompanies the company through the audit process, because for a highly IT-specific question it makes a big difference whether the answer comes from an IT specialist or from someone with only marginal knowledge of the field. In Ákos Boross's experience, a problem can often be solved immediately and cheaply: he has had several clients for whom the expert support consisted of the consultant competently and professionally drafting the internal rules required by law.

Legal background
In order to modernise the previous legal framework and to raise the overall level of cybersecurity in the EU, NIS2, in force since last year, entered the Hungarian legal system through Act XXIII of 2023 on cybersecurity certification and cybersecurity supervision. That act ceased to apply on 31 December 2024 and was replaced from the beginning of this year by Act LXIX of 2024 on Hungary's cybersecurity. As a result, the scope of the legislation now extends beyond the organisations covered by the NIS2 Directive to the entities previously defined by Act L of 2013 on the electronic information security of state and local government bodies.
The detailed rules for implementing the Cybersecurity Act are set out in Government Decree 418/2024 (XII. 23.) on the implementation of the act on Hungary's cybersecurity. The requirements for security classification and the specific protection measures to be applied for each security class are set out in MK Decree 7/2024 (VI. 24.). The fee and methodology for the mandatory cybersecurity audit are set out in SZTFH Decree 1/2025 (I. 31.), and the method of calculation and maximum amount of the supervision fee are set out in SZTFH Decree 2/2025 (I. 31.).

The hierarchy of legislation governing cybersecurity in Hungary is illustrated in the following diagram:


Moore Hungary

Moore Global, which started in a London office more than 110 years ago, is now one of the world's leading consulting and audit networks. Present in over 110 countries, the network has more than 550 independent offices and over 37,000 employees. The group's turnover for the last financial year exceeded $4.5 billion.
With a team of nearly 200 experts, Moore Hungary offers a full range of consulting services in the fields of business, finance, M&A, legal, tax, accounting, hotel and tourism, ESG, NIS2 industry consulting, and auditing.
In our fast-changing world, Moore provides strategic guidance and practical advice to help clients navigate and understand the complex regulatory environment and changing market and industry conditions, and thereby find the best solutions.
More information about Moore Hungary and its services is available on the consultant's website: www.mooreglobal.hu.
