NIS2 Applicability – Smaller Organizations
In Hungary, the scope of the NIS2 directive is defined by the Cybersecurity Act (Act LXIX of 2024) and Decree No. 418/2024. (XII. 23.), which together identify the affected entities on the basis of sector-specific and size-related criteria.
If an organization operates in a sector listed in Annex II or III of the Cybersecurity Act, it may fall under the regulation; the sector criterion is met irrespective of the scale of its business operations or the number of its employees, which are assessed separately. For example, a solar park operator engaged in electricity generation belongs to a high-risk sector and therefore meets the sector-specific criterion.
Once sectoral relevance is confirmed, the next step is to determine whether the organization reaches the size thresholds:
- 50 or more employees, OR
- annual net turnover exceeding the HUF equivalent of EUR 10 million.
This is particularly relevant because many organizations with limited business activity or minimal IT infrastructure may be subject to NIS2 compliance solely on the basis of their revenue.
NIS2 Compliance – Minimum business operations, strict compliance requirements
Businesses with few employees but high turnover frequently do not operate their own electronic information system (EIR, in the terminology of the Hungarian legislation); it is usually run by an external service provider. This raises legitimate questions about where compliance responsibilities lie in such cases. However, outsourcing the operation of the system does not exempt the organization from its obligations; it merely requires a different approach.
In such cases, the focus should be on organizational-level security measures as set out in Decree No. 7/2024, for example:
- developing appropriate cybersecurity policies,
- defining roles and responsibilities,
- developing internal procedures (e.g. incident management, access management),
- conducting trainings and awareness programs.
For security measures that relate to the electronic information systems themselves, it is advisable to impose them contractually on the partners operating those systems, since the compliance of the systems remains primarily the responsibility of the organization that holds the right of control over the EIR.
NIS2 Risk Management: Cornerstone of Compliance
One of the most important, and most often overlooked, elements for this type of company is risk management. The legislation explicitly requires organizations to identify and document the information security risks they face and to put measures in place to manage them.
In practice, this does not necessarily mean complex and costly solutions: a well thought-out, professionally run management system and a few strategic decisions are often enough for an organization to meet the essential requirements.
NIS2 Compliance Is Not Optional
Compliance with the NIS2 requirements is mandatory for these "smaller" but affected firms, and non-compliance uncovered during official inspections carries serious sanctions. With a deliberate and well-structured advisory process, however, compliance can be achieved transparently and step by step, and the organization becomes more resilient against growing cyber threats. Contact our expert colleagues so that you face your first cybersecurity audit well prepared.