The cybersecurity clock is ticking

At the end of August 2025, many companies were required to comply with the Cybersecurity
Act, which transposes the NIS 2 Directive into Hungarian law. Under the Act, the first set of
obligations had to be fulfilled by August 31, 2025.

But what is NIS 2?
After GDPR and ESG, yet another EU acronym has been unsettling market players since the adoption of Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (the NIS 2 Directive). The NIS 2 Directive was first transposed into Hungarian law by the short-lived Act XXIII of 2023, and subsequently by Act LXIX of 2024 on Cybersecurity (the Cybersecurity Act), which replaced it.
The aim of the NIS 2 Directive, as well as the Hungarian legislation implementing it, is to ensure the continuity of services in critical sectors and to safeguard cybersecurity.

Who is subject to the regulation?
In addition to the public sector, the regulation also applies to certain market players engaged in high-risk activities, such as companies involved in activities related to national defense, regardless of their size, as well as to medium-sized or large enterprises conducting activities specified in the annexes of the Cybersecurity Act. This may include pharmaceutical wholesalers, as well as actors in the transport sector or energy sector. Therefore, the scope of the regulation is far from limited to national defense or purely cyberspace service providers.

What actions should be taken?
If our company operates in any of the relevant sectors and falls under the scope of the regulation – whether due to the nature of the service, or the type of activity and the size of the organization – it will be required to register with the Supervisory Authority for Regulatory Affairs of Hungary (SZTFH), as highlighted by Dr. Péter Weidinger, LL.M., attorney at act legal Hungary.
It is important to note, however, that the SZTFH is not always the supervisory authority; the supervisory authority may also be the national cybersecurity authority or the defense cybersecurity authority.
The essence of the regulation is that the affected entities must conduct a cybersecurity audit, which must then be repeated every two years.

The first audit
Affected organizations are required to enter into an agreement with an auditor listed in the SZTFH registry to carry out the cybersecurity audit within 120 days following their registration, and the cybersecurity audit must be conducted for the first time within two years of registration.
For companies that were already operating before 2025, the most important deadline, which expired a few days ago, was August 31, 2025. By this date, an agreement had to be made with an auditor to carry out the cybersecurity audit.
It is important to note, however, that this can only be done after registration, so companies must urgently consider whether they are affected. If they are, they should initiate the registration process with the SZTFH as soon as possible, which can only be done using the SZTFH’s electronic form, said Dr. Péter Weidinger, LL.M., partner at act legal Hungary. Only after this can they engage an auditor, who will carry out the first cybersecurity audit.
It is worth highlighting that the transitional provisions of the Cybersecurity Act also specify that affected organizations that were already operating before 2025 are required to carry out the first cybersecurity audit by June 30, 2026. In their case, the general two-year deadline does not apply; instead, they must complete the first cybersecurity audit as early as next year.
It is therefore highly advisable to consult with experts on the subject to determine whether our company is affected, and if so, it is important to take the necessary steps with the SZTFH and the auditors as soon as possible, concluded Dr. Péter Weidinger, LL.M., expert at act legal Hungary.
