NIS 2 status in Hungary
What the directive requires, how Hungary transposes it, and where SZTFH and NKI sit inside the picture.
Overview
The NIS 2 directive is the EU layer. It binds every member state, including Hungary, with one cybersecurity floor for essential and important entities. Hungary has to put that floor into Hungarian law and run a supervision regime under it.
Hungary transposes NIS 2 mainly through Act XXIII of 2023 on cybersecurity certification and cybersecurity supervision (2023. évi XXIII. törvény), together with later implementing decrees. The act predates the directive's October 2024 deadline by design and is the framework SZTFH uses to run supervision today.
SZTFH (Szabályozott Tevékenységek Felügyeleti Hatósága, Supervisory Authority of Regulated Activities) is the lead supervisor for cybersecurity oversight, certification and audits. The national CSIRT is NKI (Nemzeti Kibervédelmi Intézet), which sits inside the Special Service for National Security under the Cabinet Office of the Prime Minister. On 7 May 2025 the European Commission sent Hungary a reasoned opinion for failure to notify full transposition, so further national measures are still expected.
EU directive
Directive (EU) 2022/2555 (NIS 2)
The EU-wide cybersecurity directive. Sets the obligations every member state must transpose, including the size and sector tests for essential and important entities.
EU implementation
Commission Implementing Regulation (EU) 2024/2690
Technical and methodological measures for digital infrastructure providers. Directly applicable in Hungary without national transposition.
Hungarian transposition
Act XXIII of 2023 on cybersecurity certification and cybersecurity supervision
The Hungarian NIS 2 transposition. Government decrees and SZTFH guidance fill in the operational detail. Article 32(2) of the act names the NIS 2 directive as the EU instrument it serves. The Commission reasoned opinion of 7 May 2025 indicates further measures may still be needed for full transposition.
Act XXIII of 2023
Carries the NIS 2 obligations into Hungarian law. Defines the cybersecurity supervision regime, certification, audit duties, and supervisory fees. Most operational detail is delegated to government decrees and to SZTFH guidance. The act entered into force in 2023 and was rolled out in phases.
SZTFH as supervisor, NKI as CSIRT
SZTFH runs supervision, certification, audits and fees for affected entities. NKI is the national CSIRT, operating inside the Special Service for National Security under the Cabinet Office of the Prime Minister. The two functions, supervision and incident response, sit in different institutions, unlike in France or Germany.
Registration and reporting
Affected entities self-classify and register with SZTFH. Significant incidents follow the directive's cadence: a 24-hour early warning, a 72-hour notification and a one-month final report. Specific Hungarian portal names and exact registration deadlines are governed by SZTFH guidance and should be checked against the current SZTFH publications.
Local law applies inside Hungary
Operations on Hungarian territory follow the Hungarian transposition. A German parent running a Hungarian subsidiary reads Act XXIII of 2023 for that subsidiary, not the German BSIG. The directive obligations are the same. The procedure, the supervisor and the sanctions live in Hungarian law.
Hungary cannot go below the EU floor
The directive is a minimum harmonisation instrument. Hungary can go stricter, and in practice SZTFH already runs additional certification and audit duties on top. It cannot drop below the directive on essential and important entity duties, incident reporting deadlines or management body accountability. That is what the Commission reasoned opinion of 7 May 2025 is testing.
SZTFH
Lead competent authority for cybersecurity supervision under Act XXIII of 2023. Runs supervision, audits, certification and the supervisory fee regime. Publishes the Hungarian operational guidance for affected entities.
NKI
National CSIRT. Operates inside the Special Service for National Security under the Cabinet Office of the Prime Minister. Receives incident notifications, coordinates technical response, and acts as the Hungarian contact point in EU-level CSIRT cooperation. Reachable at csirt@nki.gov.hu.
ENISA
The EU cybersecurity agency. Publishes guidance, manages the European vulnerability database, and supports cross-border coordination. Not a supervisor for Hungarian entities. That is SZTFH.
Our German parent already has BSIG covered, so the Hungarian subsidiary is fine.
The directive obligations are the same, but the supervisor, the procedure and the sanctions live in Hungarian law. A Hungarian subsidiary registers with SZTFH, files incident reports through NKI, and follows Act XXIII of 2023 deadlines. BSIG sign-off in Bonn does not substitute for Hungarian registration.
Hungary missed the October 2024 deadline, so nothing is in force yet.
Act XXIII of 2023 was in place before the directive's transposition deadline. SZTFH supervision is already running. The Commission reasoned opinion of 7 May 2025 is about gaps in full transposition, not about whether the supervisor exists. Entities cannot wait for further legislation to act.
Only the eleven CER sectors trigger NIS 2 in Hungary.
The size and sector tests run off the NIS 2 directive's Annexes I and II, eighteen sectors in total. CER scope is narrower and sits in its own national framework. Confusing the two is a common reason entities self-classify incorrectly.
Most Hungarian operators we talk to assume NIS 2 starts when a new omnibus law is passed. It does not. SZTFH supervision under Act XXIII of 2023 is already active, audits are happening, and the management body sign-off is already a question SZTFH can ask. The Commission reasoned opinion of 7 May 2025 raises the political pressure but it does not push the supervisor's start date back.
The practical move is the same as everywhere else in the EU. Confirm scope under the directive, register with the national supervisor (here SZTFH), set up the four continuous obligations (registration upkeep, incident reporting via NKI, supply chain risk, management body oversight), and document the minimum. Hungarian sector regulators stay competent where lex specialis applies, finance under MNB in particular.
We build the NIS 2 obligation register on the EU layer, not on any single national transposition. The same checklist works for a Hungarian subsidiary under Act XXIII of 2023, a German parent under BSIG, and a French sister under Ordonnance n. 2024-1093. Article references switch per locale. The substantive obligations do not.
For Hungarian scope you start with the applicability check, then move to incident reporting cadence with NKI, supply chain clauses and management body sign-off. Where SZTFH publishes sector guidance, we reference it. We do not duplicate it.
- Directive (EU) 2022/2555 (NIS 2), EUR-Lex
- Commission Implementing Regulation (EU) 2024/2690
- Act XXIII of 2023 on cybersecurity certification and cybersecurity supervision (2023. évi XXIII. törvény), Nemzeti Jogszabálytár
- SZTFH (Szabályozott Tevékenységek Felügyeleti Hatósága), official site, sztfh.hu
- NKI (Nemzeti Kibervédelmi Intézet), national CSIRT, nki.gov.hu
- European Commission, NIS 2 transposition status, Hungary, reasoned opinion of 7 May 2025
- MNB (Magyar Nemzeti Bank), competent authority for DORA in the financial sector