EU 2022/2555 · Act XXIII of 2023 (HU) · National authority

NIS2 compliance and cybersecurity for European companies

NIS2 audit + roadmap in 4-6 weeks, fixed-price project. Full implementation (SIEM, MFA, IR playbook, BCP, training) in 6-9 months for a mid-sized company. CISO-as-a-Service if no in-house cybersecurity leader is available. Fines reach €7-10M — preparation is a fraction of that.

Scope

Who is in scope of NIS2?

Size threshold: medium-sized company (50+ staff or €10M annual turnover) and large enterprise. Authority: national cybersecurity regulator (in Hungary the National Cyber Defence Authority). 18 sectors in two categories.

Essential sectors
Energy, transport, banking / financial services, healthcare, drinking water, digital infrastructure (DNS, IXP, TLD), public administration, space. Fines: up to €10M or 2% of global turnover.
Banking / finance
Credit institutions, investment firms — applies in parallel with DORA.
Healthcare
Hospitals, pharmaceutical manufacturers, medical device makers, laboratories.
Logistics & transport
Air, rail, water, road transport. Postal and parcel services (important sector).
Manufacturing (important sector)
Medical devices, vehicles, machinery, chemicals. Fines up to €7M or 1.4%.
Digital service providers
Cloud, online marketplace, search engine, social media, MSP / MSSP — thousands of companies across the EU.
Compliance checklist

The 8 critical clauses regulators ask for first

Under EU Directive 2022/2555 and the Hungarian Act XXIII of 2023, audits most often fail on these points. The key term is highlighted next to each clause.

  • Art. 21(1)

    Risk management

    Risk analysis

    Documented cybersecurity risk analysis for critical systems. Threat modelling, business impact analysis, prioritisation of controls.

  • Art. 21(2)(c)

    Business continuity

    RTO / RPO

    BCP + DRP with RTO and RPO values, documented and tested annually. Backups must be verified by an actual restore.

  • Art. 23(1)

    Incident notification

    24h / 72h / 1 month

    Early warning to the authority within 24 hours, intermediate report within 72 hours, final report within 1 month. The process must be documented in advance and run on a tested channel.

  • Art. 21(2)(e)

    Supply chain security

    Supplier audit

    Supplier and service-provider security audit. Cloud providers, SaaS tools, third-party access mapped and contractually covered.

  • Art. 21(2)(h)

    Access control (MFA, SSO)

    MFA everywhere

    Multi-factor authentication for every administrative access. SSO, RBAC, least-privilege principle. Access logged and reviewed periodically.

  • Art. 21(2)(j)

    Encryption (TLS, at-rest)

    TLS + at-rest

    Encryption of data in transit (TLS 1.2+) and at rest (AES-256). Key rotation, KMS-based key management, pseudonymisation of sensitive data.

  • Art. 20

    Management responsibility

    Personal liability

    Senior management is personally accountable for NIS2 compliance. Hungarian implementation: in extreme cases a ban from management positions.

  • Art. 20(2)

    Training & awareness

    Phishing simulation

    Regular cybersecurity training, phishing simulations, management training. Technology is roughly 40% of NIS2; the remaining 60% is process and culture.

Sanctions

What is at stake? — fine ranges

The fine itself is just the visible part. Reputation damage, business interruption and litigation risk after an incident typically add up to 3-5x the fine.

Category | Upper limit | Or % | Example sectors / note
Essential entities | €10 million | or 2% of global annual turnover | Energy, banking, healthcare, public administration, digital infrastructure
Important entities | €7 million | or 1.4% of global annual turnover | Manufacturing, food, postal services, chemicals, waste management
Hungarian specific (Art. 20) | Management liability | Personal sanction | In extreme cases a ban from management positions for non-compliance

Implementation phases

NIS2 programme — 6-9 months with fixed milestones

The Hungarian implementation provides a transition period, but the regulator is already running checks in 2025-2026. The curve is rising — start now.

0–6 weeks — NIS2 audit

Gap analysis: where you stand against NIS2 requirements. Risk assessment, map of critical systems, list of missing controls. Output: a NIS2 compliance roadmap, fixed price €4,000–€10,500.

  • Stakeholder interviews (CEO, CISO, IT, legal)
  • Information asset inventory, criticality classification
  • Control map along the NIS2 articles
  • Prioritised roadmap with budget

1–3 months — Technical foundations

Access control (SSO + MFA), security monitoring (SIEM — Wazuh / Splunk / Elastic Security), patch management, audit logging, backup and DR. WAF, DDoS protection, endpoint security.

  • SSO + MFA on every administrative access
  • SIEM deployment, log aggregation
  • Endpoint detection & response (EDR)
  • Backups verified by actual restore

2–4 months — Processes & documentation

Incident response procedure (IR playbook), business continuity plan (BCP), disaster recovery plan (DRP), supplier audit process, training materials. The process layer is at least 60% of NIS2.

  • IR playbook + 24-hour notification channel
  • BCP / DRP with RTO + RPO values
  • Supplier security questionnaire + audit
  • Annual tabletop exercise

3–9 months — Training & culture

Regular cybersecurity training, quarterly phishing simulations, documented cybersecurity responsibility for management. Article 20 places personal liability on senior management — this must be assessed and documented.

  • Onboarding + annual mandatory training
  • Phishing simulation (Gophish / KnowBe4)
  • Management training and responsibility matrix
  • Internal security communication

Ongoing — monitoring & CISO-aaS

Monthly SIEM monitoring, quarterly penetration testing, annual audit refresh, regulatory tracking. External CISO-as-a-Service is available where no in-house specialist exists (€530–€2,100 / month).

  • 24/7 SIEM + alert triage
  • Quarterly pentest, annual red team
  • Board-level cybersecurity report
  • Incident-response liaison with the regulator

FAQ

NIS2 compliance — frequently asked questions

NIS2 (Network and Information Security 2) is EU Directive (EU) 2022/2555, harmonising cybersecurity requirements across the Union. In Hungary it has been in force since October 2024 via Act XXIII of 2023. It applies to medium and large companies (50+ staff or €10M annual turnover) across 18 sectors: energy, banking, healthcare, transport, digital infrastructure, manufacturing, food, chemicals, waste management, postal services, public administration and others.

Request a NIS2 audit + roadmap

4-6 weeks, fixed-price project. Output: a precise gap list, prioritised roadmap and budget. With this you can negotiate with the board and the regulator on solid ground.

Start a project