Companies May Have Six More Months to Comply with the NIS2 Directive

NIS2 aimed at ensuring the cybersecurity of key sectors across the EU through harmonized regulations in light of the growing number of cyber threats. A key part of the directive will be a cybersecurity audit, intended to confirm that the IT systems of affected companies operate securely. The audit must be carried out every two years, and only by entities that meet the specific requirements for auditors.

The system is based on two pillars: cybersecurity certification and cybersecurity supervision. Certification ensures that a particular IT product or service used by individuals or companies meets specified security requirements. Supervision, on the other hand, targets the overall security of companies operating in high-risk or critical sectors, rather than specific products or services. The security of the IT systems of affected organizations may be assessed by auditors authorized by SZTFH.

SZTFH, in cooperation with the Hungarian Chamber of Commerce and Industry (MKIK), proposes that the deadline for completing the cybersecurity audit is extended by six months to 30 June 2026, and also that the affected companies should sign a contract with an authorized auditor until 31 August 2025.

However, critics argued that the current end-of-year deadline was unrealistically tight, the audit methodology is unnecessarily strict, the compensation for auditors is too low, and there is a shortage of qualified auditors to perform the required assessments.

In addition to the extension of deadlines, further assistance is planned to support companies, especially small businesses, in their preparations. MKIK will provide personal and online advisory services, helping businesses prepare for the audit and clarify any questions. Official statements addressing the most frequently asked questions, in coordination with SZTFH, are also expected to be published.

By Lilla Majoros, Attorney at Law, KCG Partners Law Firm