When Hungary rolled out its original cyber-security framework under the first Network and Information Security Directive (NIS), it impacted only a select number of public service providers. Fast-forward to 2025, and the landscape has radically changed. With the European Union’s second-generation legislation—NIS2, short for the Directive on measures for a high common level of cybersecurity across the Union—the scope and stakes are dramatically higher.
Hungary has now fully transposed the directive through Act LXXXIX of 2024 on Cyber-Security, which came into force on 1 April 2025. From vastly expanded sectoral coverage to more stringent obligations and severe sanctions, the new regulatory terrain presents both challenges and opportunities for organizations across the country. Without further ado, let me guide you through the key aspects of NIS2 Hungary implementation, breaking down the legal framework, timelines, affected sectors, and what it all means for compliance teams and decision-makers.
Where Hungary stands now with NIS2
Hungary is among the more proactive EU member states in transposing the NIS2 directive. It has replaced its previous cyber regulation framework with a robust, all-encompassing act that closely mirrors the European mandate while incorporating localized standards and enforcement nuances.
At the heart of the transposition lies Act LXXXIX of 2024, which replaces the 2018 NIS legislation and sets forth a comprehensive cybersecurity regime. The act went through public consultation in April 2024, was adopted by parliament in December 2024, and officially entered into force on 1 April 2025. It’s complemented by Government Decree 8/2025, detailing implementation specifics such as registration procedures and use of the NKI (National Cyber Security Center) portal.
Let’s take a closer look at the regulatory milestones and rollout phases in Hungary.
Hungary’s NIS2 implementation timeline
The following table outlines the key dates in the Hungary NIS2 transposition process:
| Date | Milestone |
|---|---|
| 18 Apr 2024 | Draft Act released for consultation |
| 27 Oct 2024 | Bill T/8773 submitted to Parliament |
| 19 Dec 2024 | Act LXXXIX adopted (143 yeas / 29 nays) |
| 30 Dec 2024 | Act published in Magyar Közlöny |
| 14 Feb 2025 | Government Decree 8/2025 issued |
| 1 Apr 2025 | Act in force; registration period opens |
| 1 Oct 2025 | First official FS/KFS list published |
| Q4 2025 | Supervisory audits begin |
This structured rollout is designed to ensure clarity while giving organizations a limited but critical window to comply—underscoring the importance of proactive action, particularly for those unsure of their classification or preparedness.
Expanded scope and entity classifications
Perhaps the most transformative aspect of the Hungary NIS2 directive is its scope expansion. Previously, only around 600 entities were covered; now, an estimated 7,500 organizations across 18 sectors fall within regulatory reach.
Entities are classified into two tiers:
- Kiemelten fontos szervezet (KFS) – “Essential entities,” typically large organizations with ≥250 employees or €50 million turnover.
- Fontos szervezet (FS) – “Important entities,” generally mid-sized businesses with ≥50 employees or €10 million turnover.
Crucially, some providers—such as telecoms, DNS, cloud, and electronic trust services—are subject to the rules regardless of size, given their systemic importance.
This classification system forms the backbone for determining reporting obligations, supervision intensity, and potential sanctions.
What the new act contains: core obligations
The law mirrors key principles of the NIS2 directive but also brings in local cybersecurity standards, such as Hungary’s Általános Kiberbiztonsági Keretrendszer (General Cybersecurity Framework). It mandates risk management, formal reporting protocols, and specific oversight procedures.
The table below outlines the main components of Act LXXXIX of 2024:
| Chapter | Content summary |
|---|---|
| I–II | Scope definitions and inclusion of research institutions (a Hungarian-specific addition) |
| III | Risk management obligations aligned with EU Article 21 and domestic frameworks |
| IV | Multi-stage incident reporting: 24-hour alert, 72-hour update, 30-day closure |
| V | Supervision mechanisms involving NKI and sector-specific regulators |
| VI | Sanctions, including public naming, fines, and management bans |
| Transitional | Existing operators auto-transition to KFS; six-month grace period for newcomers |
Mandatory ISO/IEC 27001 certification (or national equivalent) for essential entities by 2027 stands out as one of the more rigorous requirements compared to other EU member states.
Sanctions and executive accountability
Hungary’s enforcement approach is phased but firm. Initial non-compliance is met with warnings and corrective planning, but persistent or egregious violations carry heavy consequences.
Fines are structured based on the entity class:
| Entity type | Maximum fine |
|---|---|
| KFS | €10 million or 2% of global turnover |
| FS | €7 million or 1.4% of global turnover |
| Procedural breaches | HUF 50–800 million (€130k–€2m) |
| Exceptional threat | HUF 1 billion (~€2.6m) |
In addition, executives may face personal liability for repeated negligence under Hungary’s corporate code, including a three-year ban from leadership positions. Public sector bodies are immune from monetary penalties but must comply with enforceable corrective orders from NKI.
How industries are affected
The impact of Hungary NIS2 implementation is sector-dependent but consistently expansive. New obligations have been layered onto a variety of critical sectors—from manufacturing to healthcare and finance—bringing thousands of previously unregulated entities into the fold.
Here’s a summary of changes across key sectors:
| Sector | New inclusion / impact | Key compliance requirements |
|---|---|---|
| Manufacturing | Previously unregulated mid-size firms now covered | Pen-testing, supply chain clauses, annual audits |
| Energy & utilities | Adds hydrogen, LNG, district heating | SBOM exchange, quarterly board-level reporting |
| Healthcare | Expands to over 250 providers | ISO 27001, backup drills, 24-hour incident reports |
| Digital infrastructure | In scope regardless of size | 24×7 Security Operations Center, vendor registry |
| Finance | Overlaps with DORA regulation | Threat-led penetration testing (TLPT), dual reporting lines |
| Public administration | Larger towns and counties now KFS | Appoint CISO, adhere to NKI standards, no monetary fines |
What companies should know and do now
For companies trying to navigate the regulatory shift, clarity begins with classification and registration. Entities must determine whether they are FS or KFS, and register accordingly on the NKI portal using their company identifiers and cyber contacts.
From there, organizations should conduct a comprehensive Article 21 gap analysis, focusing on practical controls like multi-factor authentication, backup regimes, and third-party risk evaluations.
Crucially, cyber teams must integrate reporting protocols with existing GDPR processes to avoid fragmented compliance and liability. Briefing the board and ensuring executive ownership of cybersecurity programs is also essential, both for practical governance and legal protection.
Are you ready for regulatory resilience?
The Hungary NIS2 directive introduces more than just compliance checklists—it signals a long-term transformation in how organizations view cyber risk and operational resilience. For many, it means maturing internal cybersecurity programs. For others, especially newly in-scope entities, it marks the beginning of a comprehensive culture shift.
As the registration window closes in June 2025 and audits commence later in the year, the time to act is now. Companies that embrace the directive not just as a mandate but as a framework for proactive defense will emerge stronger, more resilient, and better prepared for the challenges of an interconnected Europe.
For further reference on NIS2 across Europe, see the European Commission’s NIS2 overview and updates from Hungary’s National Cyber Security Center.