Dir. 2022/2555 · HU Act LXIX of 2024 · in force 2026-01-06

NIS2 checklist for IT leaders: 10 measures + 17 steps to compliance

Hungary's NIS2 transposition, Act LXIX of 2024, entered into force on 6 January 2026. The checklist below maps the ten Article 21(2) measures and a seventeen-step action list for registering with the Hungarian authority, documenting management-body approval and training (Art. 20) and operationalising Article 23 incident reporting. Last updated: 2026-05-04.

TL;DR

  • Hungarian transposition in force 6 January 2026 (Act LXIX of 2024).
  • Maximum fine for essential entities: at least €10M or 2% of total worldwide annual turnover, whichever is higher (Art. 34(4)). Important entities: €7M or 1.4% (Art. 34(5)).
  • Hungarian cybersecurity supervisory fee: up to 0.015% of prior-year net revenue, capped at HUF 10M per entity and HUF 50M per corporate group.
  • Incident reporting (Art. 23(4)): early warning within 24h of awareness · incident notification within 72h of awareness · final report within one month of submitting the notification.
  • The ten Article 21(2)(a)–(j) measures apply proportionally to the entity's size and risk exposure (Art. 21(1)).

Sectors in scope — Annex I (essential) and Annex II (important)

Annex I — essential

  • Energy
  • Transport
  • Banking
  • Financial market infrastructure
  • Health
  • Drinking water
  • Wastewater
  • Digital infrastructure
  • ICT service management (B2B)
  • Public administration
  • Space

Fines: ≥€10M or 2% of global turnover.

Annex II — important

  • Postal & courier services
  • Waste management
  • Chemicals (manufacture, production, distribution)
  • Food (production, processing, distribution)
  • Manufacturing (industrial)
  • Digital providers (online marketplaces, search engines, social networking platforms)
  • Research

Fines: ≥€7M or 1.4% of global turnover.

Source: Directive (EU) 2022/2555 Article 3 and Annexes I/II, EUR-Lex. Annex membership alone does not fix the category: under Art. 3(1) an Annex I entity is essential if it exceeds the ceilings for medium-sized enterprises (and certain types such as qualified trust service providers, TLD name registries and DNS service providers are essential regardless of size); medium-sized Annex I entities and Annex II entities are in general important (Art. 3(2)). Check size thresholds before assuming a fine tier.

Article 21(2) — the ten minimum measures

Source: NIS2 Directive Art. 21. Proportionality (Art. 21(1)): measures must be appropriate to the entity's exposure to risk, its size, the likelihood and severity of incidents, the cost of implementation and the state of the art.

  1. (a) Risk analysis & infosec policies: ISO/IEC 27005-style risk register; information security policy approved by the management body.
  2. (b) Incident handling: IR playbook (NIST SP 800-61), CSIRT contact details, 24h / 72h / one-month reporting flow.
  3. (c) Business continuity: BCP + DR with documented RTO/RPO, backup management and crisis management; backup restore tested at least annually.
  4. (d) Supply chain security: vendor due diligence, contractual security clauses, vendor risk register covering direct suppliers and service providers.
  5. (e) Security in acquisition, development and maintenance: secure SDLC, code review, vulnerability handling and disclosure (CVE tracking, patch SLA).
  6. (f) Effectiveness assessment: KPIs, internal audit, tabletop exercises, threat-led penetration testing.
  7. (g) Cyber hygiene + training: phishing simulation, mandatory annual training, role-specific content.
  8. (h) Cryptography policies: TLS 1.2 or higher only, AES-256 at rest, documented key management procedure (KMS, rotation).
  9. (i) HR security + access control + asset management: RBAC, joiner/mover/leaver process, asset inventory, BYOD policy.
  10. (j) MFA + secure communications: phishing-resistant MFA or continuous authentication; secured voice, video and text channels (S/MIME or end-to-end encrypted messaging) for admin and emergency communications.

Article 23 — incident reporting timeline

T+24 hours from awareness

Early warning (Art. 23(4)(a))

Initial notification to the CSIRT or competent authority of a significant incident, stating whether it is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact.

T+72 hours from awareness

Incident notification (Art. 23(4)(b))

Updates the early warning with an initial assessment of severity and impact and, where available, indicators of compromise. Trust service providers must notify within 24 hours.

Notification + 1 month

Final report (Art. 23(4)(d))

Due not later than one month after the incident notification was submitted (not one month after awareness): detailed description including severity and impact, the type of threat or root cause likely to have triggered it, mitigation measures applied and ongoing, and cross-border impact where applicable. The CSIRT or authority may request intermediate status updates (Art. 23(4)(c)); if the incident is still ongoing at the one-month mark, a progress report is due then and the final report within one month of the incident being handled (Art. 23(4)(e)).
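The three deadlines above do not all run from the same moment, and "one month" is not a fixed number of hours. The following is an added example (not code from this page, the Directive or the Hungarian Act) of a small deadline tracker an IR team could drop into its playbook tooling. It assumes the 24h and 72h windows run from the time of awareness, that the final report clock starts when the notification is actually submitted, and it treats "one month" as the same calendar day of the next month clamped to that month's last day, which is an interpretation the Directive does not spell out; all timestamps are constructed sample values.

```python
"""NIS2 Article 23(4) reporting clock for one significant incident.

Added example; not code from the page or from the Directive. Assumptions:
  * the 24 h early-warning and 72 h notification windows run from the moment
    the entity becomes aware of the incident (Art. 23(4)(a), (b));
  * the final report is due one month after the incident notification is
    actually submitted (Art. 23(4)(d)), not one month after awareness;
  * if the incident is still ongoing at that point, a progress report is due
    then and the final report one month after handling ends (Art. 23(4)(e));
  * "one month" = same calendar day next month, clamped to that month's last
    day (the Directive does not define it; this is an assumption).
All timestamps must be timezone-aware.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

EARLY_WARNING_WINDOW = timedelta(hours=24)
NOTIFICATION_WINDOW = timedelta(hours=72)


def add_one_month(ts: datetime) -> datetime:
    """Same day of the next month; 31 Jan -> 28 Feb (29 in a leap year)."""
    year = ts.year + ts.month // 12          # December rolls into next year
    month = ts.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))


@dataclass
class IncidentClock:
    aware_at: datetime                               # moment of awareness
    early_warning_sent: Optional[datetime] = None
    notification_sent: Optional[datetime] = None
    handling_completed: Optional[datetime] = None    # None while ongoing
    final_report_sent: Optional[datetime] = None

    def __post_init__(self) -> None:
        # Reject naive datetimes: a deadline off by one timezone is a late report.
        for name, value in vars(self).items():
            if value is not None and value.tzinfo is None:
                raise ValueError(f"{name} must be timezone-aware")

    @property
    def early_warning_due(self) -> datetime:
        return self.aware_at + EARLY_WARNING_WINDOW

    @property
    def notification_due(self) -> datetime:
        return self.aware_at + NOTIFICATION_WINDOW

    @property
    def final_report_due(self) -> Optional[datetime]:
        """Unknown until the notification is submitted; the clock starts then."""
        if self.notification_sent is None:
            return None
        due = add_one_month(self.notification_sent)
        # Incident closed after the one-month mark: the final report slips to
        # one month after handling ended (a progress report was due at `due`).
        if self.handling_completed is not None and self.handling_completed > due:
            return add_one_month(self.handling_completed)
        return due

    def overdue(self, now: datetime) -> list[str]:
        """Obligations whose deadline has passed without the report going out."""
        late: list[str] = []
        if self.early_warning_sent is None and now > self.early_warning_due:
            late.append("early warning (24h)")
        if self.notification_sent is None and now > self.notification_due:
            late.append("incident notification (72h)")
        due = self.final_report_due
        if due is not None and self.final_report_sent is None and now > due:
            if self.handling_completed is None:
                late.append("progress report (incident ongoing at one month)")
            else:
                late.append("final report")
        return late


if __name__ == "__main__":
    # Constructed sample: awareness late on 31 January 2026 (UTC).
    aware = datetime(2026, 1, 31, 22, 0, tzinfo=timezone.utc)
    clock = IncidentClock(aware_at=aware,
                          early_warning_sent=aware + timedelta(hours=5),
                          notification_sent=aware + timedelta(hours=40))
    print("early warning due:", clock.early_warning_due.isoformat())
    print("notification due :", clock.notification_due.isoformat())
    print("final report due :", clock.final_report_due.isoformat())
    print("overdue at T+40d :", clock.overdue(aware + timedelta(days=40)))
```

The point worth noticing in the sample run is that a notification submitted on 2 February puts the final report on 2 March, whereas counting "one month" from awareness on 31 January would land on 28 February; the tracker also flips the one-month obligation to a progress report while `handling_completed` is still unset.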

Article 34 — penalty thresholds

Entity       Maximum fine (at least)   Or (whichever is higher)
Essential    €10M                      2% of total worldwide annual turnover
Important    €7M                       1.4% of total worldwide annual turnover

Hungarian Act LXIX of 2024 adds a cybersecurity supervisory fee: up to 0.015% of prior-year net revenue, capped at HUF 10M per entity, HUF 50M per corporate group.

Hungarian registration deadlines (Act LXIX of 2024)

  • 30 days from becoming in-scope: register with / notify the authority
  • 90–180 days: implement the risk-management framework
  • 180 days: assign the security classification
  • 2 years from registration: complete the first cybersecurity audit

Supervision split: SZTFH for entities under section 1(1)(d)–(e); national cybersecurity authority (designated by government decree) for section 1(1)(a)–(c).

17-step action list for IT leaders

Offsets are days relative to the compliance go-live date (T+0).

  01. Scope analysis (in / out) [T-180]: group structure, size and sector against Act LXIX of 2024 and Annex I/II.
  02. Authority registration [T-180, and in any case within 30 days of becoming in-scope].
  03. Asset and data map [T-150]: inventory of critical systems, data flows and integration points.
  04. Risk analysis, Art. 21(2)(a) [T-150]: ISO/IEC 27005 or ENISA methodology, documented risk register.
  05. Infosec policy + management approval [T-130]: policy approved by the management body.
  06. Incident response playbook [T-120]: 24h / 72h / one-month flow, CSIRT contacts documented.
  07. Backup + DR test [T-110]: RTO/RPO targets documented, restore drill at least annually.
  08. Supply chain security programme [T-100]: vendor due diligence, contractual clauses, vendor risk register.
  09. Secure development (SDLC) [T-90]: code review, SAST/DAST, vulnerability management SLA.
  10. Cyber hygiene + training [T-80]: phishing simulation, annual mandatory training, role-specific content.
  11. Cryptography & KMS policy [T-70]: TLS 1.2 or higher, AES-256 at rest, key rotation procedure.
  12. RBAC + leaver process [T-60]: joiner/mover/leaver (JML) process, asset return, BYOD.
  13. MFA + secure comms [T-50]: phishing-resistant MFA, role-tiered enforcement.
  14. Management body documentation, Art. 20 [T-30]: board training and recorded approvals.
  15. Internal audit + tabletop [T-15]: mock authority inspection.
  16. Authority reporting flow drill [T-7]: 24h early warning and 72h notification templates exercised end to end.
  17. Go-live + ongoing compliance [T+0 / ongoing]: annual review, biennial threat-led penetration test, documentation refresh.

What does a NIS2 project cost?

  • Medium organisation (50–249 staff, important entity): gap analysis + 10 measures + IR + documentation + training; 4–7 months, €47k–€118k
  • Essential entity (≥250 staff or critical sector): 6–12 months, €92k–€237k
  • Ongoing retainer: review, documentation refresh, biennial threat-led pen-test; €2.1k–€6.6k / month
  • Gap audit + roadmap only: 4–6 weeks, €8k–€18k

Talk to us in person

Call +36 30 098 0767, write to balint@appforge.hu, or visit us in person.

Budapest office: Szabadság tér 7., 1054 Budapest (Bank Center), 1st floor, office 112 · Mon–Fri 9:00–18:00 by appointment.

Official sources

Last updated: 2026-05-04. This page does not constitute legal advice.

FAQ

NIS2 — frequently asked questions

Act LXIX of 2024 (the Hungarian NIS2 transposition) entered into force on 6 January 2026. Supervision is split: the SZTFH (Regulated Activities Supervisory Authority) covers entities under section 1(1)(d)–(e) of the Act; the national cybersecurity authority designated by government decree covers section 1(1)(a)–(c) entities. Registration is required within 30 days of becoming in-scope; risk-management framework within 90–180 days; security classification within 180 days; first cybersecurity audit within 2 years of registration.

Start the NIS2 gap audit

A 30-min scoping call maps your in-scope status and produces a concrete project timeline.
