By 30 June 2026, thousands of Hungarian companies will be required to complete their first NIS2 audit. Over the past year, we have supported numerous clients throughout their preparation process, from the initial assessment phase to the successful completion of the audit. During these projects, it became increasingly clear how the Hungarian NIS2 system operates in practice, what challenges it creates for companies, and where compliance begins to diverge from genuine information security.
An ambitious local implementation
NIS2 (Network and Information Security Directive 2) is the second generation of the European Union’s cybersecurity directive, which Hungary was among the first to transpose into national law through Act LXIX of 2024, commonly referred to as the Cybersecurity Act.
The Hungarian regulation attracted significant attention from the outset, partly because of the rapid implementation and partly because of the complexity of the regulatory environment.
A complex and multilayered regulatory framework
The system is built on four main pillars:
- the Cybersecurity Act itself,
- the decree on security classification and protective measures,
- the regulation governing auditors,
- and the decrees defining the audit methodology, fees and supervisory fee obligations.
Together, these form a regulatory framework spanning several hundred pages that is difficult to process from both technical and legal perspectives. Even understanding the requirements themselves required substantial resources from the affected companies.
An American framework in a Hungarian environment
The Hungarian implementation is based on the NIST SP 800-53 rev. 5 control framework, originally developed for US federal institutions and their suppliers.
The framework is internationally recognised and built on strong professional foundations, but in the private sector it is typically used on a voluntary basis. In Hungary, however, it became a mandatory legal requirement for many companies, including environments where operations heavily rely on cloud services or industrial control technologies.
High administrative costs
Companies faced significant costs already at the beginning of the preparation process. Supervisory fees appeared alongside the cost of the first audit and, in many cases, the need for external expert support.
The issue is not only the amount of these costs, but also the fact that a substantial portion of the resources is spent on administrative compliance rather than on actual technological or organisational security improvements.
Audit optimisation instead of security
Many affected companies encountered deeper information security requirements for the first time. In practice, however, the focus often shifted away from understanding risks or improving defensive capabilities, and towards finding ways to successfully complete the audit.
As a result, the central question was no longer “What threats are we facing?” but rather “What documents and evidence will we need during the audit?” Consequently, many companies started building compliance programmes instead of security programmes.
The audit as the central organising principle
Within the Hungarian system, the role of the audit extends beyond simple verification: in many cases it became the primary driver of the entire preparation process.
A significant portion of corporate resources was consumed by preparing regulatory documents, collecting evidence and administratively fulfilling detailed audit requirements. As a result, the focus can easily shift towards proving compliance instead of developing actual security maturity.
EIR mathematics
The logic used to calculate audit fees further reinforced this optimisation mindset. Under the regulation, the fee scales with the number of EIRs (elektronikus információs rendszer, the Hungarian regulatory term for an electronic information system in scope), so companies were financially incentivised to declare as few EIRs as possible.
As a result, system consolidations that were hard to justify professionally emerged in many cases: separately operated systems were merged into fewer EIRs on paper, where the primary objective was not greater transparency or stronger security, but simplifying and reducing the cost of the audit process.
The greatest risk: a false sense of security
One of the greatest dangers of the system is that it can easily create a false equivalence between compliance and security.
A successful audit, proper documentation and collected evidence do not automatically mean that a company has become more resilient against cyberattacks. In many cases, what emerges instead is a well-auditable operating model that complies with administrative expectations but does not necessarily improve real defensive capabilities proportionally.
What should companies keep in mind?
1. Take documentation seriously – but understand why it matters.
The Hungarian NIS2 system is highly documentation-centric, but most requirements are clearly defined and predictable. If a company understands what documents and evidence the auditor is looking for, preparation becomes significantly more transparent and efficient.
2. Clearly define the boundaries of the IT environment.
It is essential to clearly document responsibilities for systems, services and operational areas, especially in parent-company or cloud-service-provider environments. Well-defined roles and system boundaries simplify not only the audit itself, but also future security operations.
3. Accept that the audit is a mandatory milestone – but do not stop there.
A successful audit alone does not represent genuine information security maturity; it is merely an important compliance milestone. Long-term value is created when companies build real security improvements on the processes and controls established during the audit.
***
NIS2 compliance is no longer purely a technological or legal issue, but also a long-term operational and risk management decision. In our experience, companies gain the greatest advantage from the preparation process when they view the audit not as an end goal, but as the starting point of a more conscious and mature information security operation.
Our experts provide support in NIS2 preparation, the interpretation of documentation and audit requirements, as well as the development of practical information security operations.
Related Services
NIS2 consultancy
The NIS2 rules apply to state and public administration bodies, as well as large and medium-sized private companies, as defined in detail in the law.
NIS2 pre-audit
NIS2 internal audits are always conducted by a support team within the company.
NIS2 mentoring
NIS2 mentoring is designed to support the responsible managers’ professional preparedness and effectiveness.
NIS2 GAP analysis
Comprehensive analysis and action plan to prepare to comply with the requirements.