What is NIS2? Definition and legal basis
NIS2is the European Union’s cybersecurity directive (EU) 2022/2555, in force since 16 January 2023 and applicable across member states since 18 October 2024. It obliges medium and large companies in 18 sectors to register with a national authority, implement security measures, report incidents within 24 hours, and undergo recurring audits — with fines up to EUR 10 million or 2% of worldwide turnover.
NIS2 (Network and Information Security 2) replaces the original 2016 NIS directive, which covered far fewer organizations and was enforced unevenly. The sequel fixes both: it widens scope roughly tenfold, harmonizes fine levels EU-wide, and makes company management personally accountable. Adopted on 14 December 2022, member states had until 17 October 2024 to transpose it into national law.
Because NIS2 is a directive, the operational details — registration procedures, audit schedules, exact fine brackets — live in national law. This article uses Hungary as the worked example, one of the earliest and strictest implementations: Act LXIX of 2024 (the Hungarian Cybersecurity Act, effective 1 January 2025, replacing the interim Act XXIII of 2023), enforced for private-sector entities by the SZTFH (Regulated Activities Supervisory Authority), with fine schedules set by Government Decree 418/2024 (XII. 23.). If you operate a Hungarian subsidiary, this is the regime that applies to it.
Who does NIS2 apply to? Sectors and size thresholds
Two conditions must hold at the same time: your company operates in a listed sector, and it is at least a medium-sized enterprise. NIS2 splits sectors into two risk tiers, which determine how strict the obligations and penalties are:
| Category | Sectors | EU fine cap |
|---|---|---|
| Essential entities (Annex I) — in Hungarian law: 'highly critical' | Energy (electricity, gas, oil, district heating, hydrogen), transport (air, rail, water, road), banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management (B2B), space, public administration | EUR 10 million or 2% of worldwide annual turnover (whichever is higher) |
| Important entities (Annex II) — in Hungarian law: 'critical' | Postal and courier services, waste management, chemicals, food production and distribution, manufacturing (medical devices, electronics, machinery, vehicles), digital providers (online marketplaces, search engines, social platforms), research | EUR 7 million or 1.4% of worldwide annual turnover (whichever is higher) |
The size threshold follows the EU SME definition: 50 or more employees, or annual revenue or balance sheet total above EUR 10 million. Two traps catch companies out repeatedly:
- Group figures are aggregated. A 20-person local subsidiary is in scope if the group behind it crosses the threshold. This is the single most common reason companies wrongly assume they are exempt.
- Some providers are in scope regardless of size: electronic communications providers, trust service providers, DNS service providers, TLD registries and domain registrars.
One carve-out worth knowing: banks and financial market infrastructure are Annex I sectors, but their cybersecurity obligations are governed by the DORA regulation and supervised by financial authorities (in Hungary, the central bank MNB) rather than the general NIS2 authority. Unsure where you land? Our 2-minute NIS2 applicability quiz walks you through it question by question.
NIS2 deadlines: the timeline from 2024 to 2026
Hungary rolled the directive out in stages — and extended two deadlines along the way. The full timeline:
| Date | Milestone | Status |
|---|---|---|
| 30 June 2024 | Registration with the SZTFH (for entities already operating before 2024) | Passed |
| 18 October 2024 | EU-wide application date — security measures enforceable from here | Passed |
| 1 January 2025 | Act LXIX of 2024 (Hungarian Cybersecurity Act) enters into force | In force |
| 31 August 2025 | Deadline to contract a registered auditor (extended from 31 Dec 2024) | Passed |
| 30 June 2026 | First mandatory cybersecurity audit (extended from 31 Dec 2025) | Passed — enforcement has started |
| 31 December 2026 | First mandatory cybersecurity training for executives (min. 8 hours, then 4 hours yearly) | Active deadline |
2,520
entities registered with the SZTFH (July 2026)
2,132
completed their first audit on time
~400
companies now at direct risk of fines
Companies entering scope now — say, by crossing the size threshold or opening a Hungarian entity — face rolling deadlines instead: 30 days to register from the day they fall in scope, 120 days to contract a registered auditor, and 2 yearsto complete the first audit, repeated every two years after that. Incident reporting runs on the directive’s clock everywhere in the EU: 24 hours for an early warning, 72 hours for the incident notification, and one month for the final report.
Fines and management liability
On top of the EU-level caps (EUR 10M / 2% and EUR 7M / 1.4%), national law defines per-violation brackets. Hungary’s schedule, set by Government Decree 418/2024, is a useful benchmark for how concrete the risk gets:
| Violation | Fine (Hungary) |
|---|---|
| Failure to register | Min. 0.5% of prior-year net revenue (at least HUF 1M ≈ EUR 2,500), max. 2% of revenue, capped at HUF 150M (≈ EUR 380,000) |
| Missing or late mandatory audit | From HUF 1M up to 2% of annual net revenue, capped at HUF 150M (≈ EUR 380,000) |
| Failure to contract a registered auditor | HUF 1–15M (≈ EUR 2,500–38,000) |
| Failure to report an incident | HUF 500k–5M (≈ EUR 1,250–12,600) |
Two features make this regime harder-edged than typical regulatory practice. First, repeat violations remove all discretion: the authority must impose a fine, with no leniency option. Second, personal management liability: an executive who fails to ensure compliance can be fined personally — in Hungary up to HUF 15 million (about EUR 38,000) — and, at essential entities, temporarily banned from exercising managerial functions. NIS2 deliberately moves cybersecurity from the IT department to the boardroom: management must approve the risk measures, attend training, and answer for failures.
NIS2 compliance checklist in 6 steps
Compliance is an operating system, not a one-off project — but it breaks down cleanly into steps. This is the practical order:
- Determine applicability.Sector plus size, counting group companies. Document the assessment in writing — “we didn’t know we were in scope” is not a defence. Start with the applicability quiz.
- Register with the national authority. In Hungary: with the SZTFH, within 30 days of falling in scope. Registration starts the supervisory relationship and an annual, revenue-proportional supervision fee (capped at HUF 10M).
- Classify systems and assess risk. Hungarian law requires every in-scope IT system to be classified into a basic, significant or high security class — the class determines which controls are mandatory.
- Implement the security measures. Administrative, logical and physical controls: incident response process, business continuity plan, backups, multi-factor authentication, encryption, access management, supply chain security — plus a designated information security officer.
- Contract an auditor and pass the audit. Within 120 days of registration, sign with a registered auditor; the first audit is due within 2 years for new entrants, then repeats every two years.
- Run it continuously. Incident reporting (24h / 72h / 1 month), executive training by 31 December 2026 and annually after, 20 hours of yearly training for the security officer, annual reviews and living documentation.
We maintain a detailed, IT-leader-level version separately: NIS2 checklist for IT leaders. A pattern we see often: the real blocker is a legacy internal system that can no longer be patched — in which case NIS2 doubles as the business case for replacing it.
Next step: find out in 2 minutes whether you are in scope
The most expensive NIS2 mistake is delay: most deadlines have already passed, enforcement is live, and repeat violations carry mandatory fines. The first step costs nothing and takes 2 minutes — the NIS2 applicability quiz tells you whether you are in scope and in which category. If you are, our NIS2 compliance service takes you from gap analysis to audit readiness.
Does NIS2 apply to my company?
NIS2 applies if your company operates in one of the listed sectors (energy, transport, health, manufacturing, food, waste management, digital services and more) AND is at least medium-sized: 50+ employees or annual revenue above EUR 10 million. Group figures count — a 20-person subsidiary falls in scope if its parent group crosses the threshold. Some providers (telecoms, trust services, DNS, domain registrars) are in scope regardless of size.
How high are the NIS2 fines?
The directive sets EU-wide caps: up to EUR 10 million or 2% of worldwide annual turnover for essential entities, and EUR 7 million or 1.4% for important entities — whichever is higher. National implementations add their own schedules; in Hungary, for example, missing the mandatory audit or registration costs up to 2% of annual revenue, capped at HUF 150 million (about EUR 380,000), and executives can be fined personally up to HUF 15 million (about EUR 38,000).
What are the NIS2 deadlines in 2026?
The EU-level transposition deadline (17 October 2024) has long passed, so obligations are live across member states. In Hungary, the first mandatory cybersecurity audit was due by 30 June 2026 — of 2,520 registered entities, 2,132 met it, and enforcement against the rest has started. The next fixed Hungarian date is 31 December 2026, by which executives must complete their first 8-hour cybersecurity training.
What should we do first?
Confirm whether you are in scope: check your sector against Annex I and II and your size including group companies — our free 2-minute applicability quiz walks you through it. If you are in scope, register with your national authority (in Hungary: SZTFH, within 30 days), classify your systems, then run a gap analysis against the required security measures.
What is the difference between NIS2 and GDPR?
GDPR protects personal data; NIS2 protects the security of network and information systems. They overlap but do not replace each other, and different authorities enforce them. A data breach typically triggers both: a 72-hour notification to the data protection authority under GDPR, and a 24-hour early warning to the cybersecurity authority under NIS2.
Who enforces NIS2?
Each member state designates its own supervisory authorities. In Hungary, private-sector entities are supervised by the SZTFH (Regulated Activities Supervisory Authority), while public bodies fall under the National Cybersecurity Authority. Mandatory audits may only be performed by auditors registered with the authority.
We missed the Hungarian audit deadline of 30 June 2026 — what now?
Do not wait for an inspection. For a first offence the authority may issue a warning instead of a fine, but for repeat offences a fine is mandatory with no discretion. Sign an auditor contract immediately, build a remediation plan for the missing controls, and document everything — demonstrated good faith is your best argument for a reduced penalty.
If compliance requires development work — access management, logging, an internal system that supports incident response — book a free consultation: in 30 minutes we map where you stand and the shortest path to compliance. For the wider regulatory picture, see our EU AI Act + GDPR guide — the three regimes together form the 2026 compliance map.



