
The amendments to Act LXIX of 2024, which entered into force on May 31, 2025, introduced significant changes to the compliance obligations under the NIS2 Directive. The aim of the amendment is to provide organizations subject to NIS2 with a clear and achievable timeline for meeting the cybersecurity requirements introduced by the Directive.
NIS2 deadlines every company should know about
Contracting with a cybersecurity auditor – August 31, 2025.
All organizations subject to NIS2 requirements must, by this deadline at the latest, sign a written contract with a cybersecurity auditor registered by the Hungarian Supervisory Authority for Regulated Activities (SZTFH). The purpose of this agreement is to ensure that the appointed auditor can carry out a comprehensive cybersecurity audit by 2026.
Why is this important? This is not just an administrative formality – it marks the official start of the preparation process. Those who fall behind not only risk non-compliance, but may also find themselves without an available auditor in time.
The first cybersecurity audit – June 30, 2026.
The first audit should be completed with the auditor by this date. The purpose of the cybersecurity audit is to determine whether the organization meets the requirements corresponding to its assigned security classification.
The audit entails:
- the review of technical and organizational measures,
- the assessment of policies, procedures, logs, and reports,
- and the evaluation of incident response and vulnerability management mechanisms.
NIS2 Readiness – Step by Step
Cybersecurity compliance is not just a technical task – it requires the development of a documented, repeatable, organization-wide operational model. The following steps outline a structured approach:
- Identifying affected EIRs (Electronic Information Systems)
  Determine which systems support your organization’s core activities and how they relate to data, processes, and external partners.
- Security Classification
  Classify the identified EIRs into the appropriate security category (basic, significant, or high) according to Government Decree 7/2024. This classification determines the set of applicable requirements.
- Requirement Mapping
  Based on the classification, define which organizational and system-level measures must be implemented, including documenting any deviations.
- GAP Analysis
- Developing a Risk Management Framework
  Define key rules, roles, and responsibilities for managing internal risks.
- Risk Assessment and Action Plan
  Conduct a detailed risk assessment for systems, data, and operational processes, and develop an action plan based on the findings.
- Drafting Required Policies and Procedures
  This includes an information security policy, access management procedures, incident response protocols, and logging and backup policies.
- Implementing Logical, Physical, and Administrative Security Controls
  Examples include access control, encryption, system logging, authentication rules, patching procedures, and physical protection – based on the assigned security classification.
- Training and Awareness
  Organize documented and recurring training for executives and staff, including awareness campaigns and simulations.
- Audit Preparation
  Review all documentation and the current status of systems in anticipation of the June 30, 2026 audit.
Assess your current cybersecurity maturity and identify the critical areas that need extra attention during the preparation phase.
What should you do now to prepare for NIS2?
Prepare not only from a legal standpoint, but also organizationally. The law imposes obligations not only on IT leaders, but also on management, HR, and internal audit departments.
Working with an experienced partner can be key to successful compliance. At RSM Hungary, we provide comprehensive support throughout this process with our NIS2 advisory services, including:
- initial status assessment and security classification
- development of a tailored action plan
- drafting of required documentation
- support in selecting and contracting an auditor
- preparatory training sessions
- support throughout the audit process
Why Start Now?
Although the deadlines may seem far off, NIS2 compliance requires several months of thorough preparation and internal coordination.
Starting your NIS2 readiness journey early ensures not only legal compliance but also reduces business and operational risks – and ultimately strengthens your organization’s overall security posture.
Get in touch with us - we’ll guide your company through the entire process from the first step to audit readiness!