Hungary NIS2 Penalties Explained: €10M vs €7M Fine Split, SZTFH Enforcement Timeline, and Director Ban Mechanism
Hungary’s NIS2 enforcement regime became fully operational in April 2025, when the Supervisory Authority for Regulated Activities (SZTFH) issued Decree 3/2025 formalising inspection procedures and extraordinary audit powers. The legislative foundation — Act LXIX of 2024 — had been in force since 1 January 2025. With SZTFH now running both a scheduled annual inspection plan and unannounced extraordinary inspections, the compliance window has closed.
This article maps the complete penalty framework: what the Directive requires Hungary to enforce, how Hungary’s own implementing decrees add a separate HUF-denominated fine structure on top of the headline euro caps, what the SZTFH supervisory escalation ladder looks like from first documentation request through to management ban, and what the director prohibition mechanism actually requires before it can be triggered. All fine amounts are given in both EUR and approximate HUF equivalents at current exchange rates.
Who Is at Risk: Understanding Hungary’s Entity Classification
Hungary’s NIS2 transposition — Act LXIX of 2024, in force since 1 January 2025 — divides regulated organisations into two categories that carry different fine caps, different supervision intensity, and different obligations. Which category applies to your organisation determines everything about the penalty exposure you are reading this article to understand.
| Criterion | Essential Entity | Important Entity |
|---|---|---|
| Sectors | Energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space | Postal and courier, waste management, chemicals, food production, manufacturing (including cement as a Hungarian extension), digital providers, research |
| Size thresholds (from January 2026) | All three simultaneously: 50+ employees AND €10M+ annual turnover AND €10M+ balance sheet total | Same three-condition test; Important entities are those meeting thresholds but outside essential sectors |
| Supervision type | Proactive and ongoing — SZTFH monitors continuously regardless of incidents | Ex-post and reactive — SZTFH acts when non-compliance is suspected or an incident occurs |
| Max fine (entity) | €10M or 2% of global annual turnover | €7M or 1.4% of global annual turnover |
| Management ban available | Yes | Yes (indirectly, via national law) |
A January 2026 amendment changed how size thresholds work: all three conditions — headcount, turnover, and balance sheet — must be met simultaneously. Organisations that were previously caught by meeting just one or two thresholds can apply to de-register, though that process itself requires SZTFH approval. Hungary also extends the essential entity scope beyond the Directive’s minimum: cement manufacturers and sole providers in certain sectors are classified as essential regardless of size.
The primary competent authority is the Supervisory Authority for Regulated Activities (SZTFH) for most private-sector entities. Exceptions: the National Security Authority (NBH) supervises entities in financial services; the Ministry of Defence covers the defence sector. All organisations — whichever authority they fall under — report cybersecurity incidents to the National Cybersecurity Incident Response Centre (NKI).
The Two-Tier Fine Structure: €10M vs €7M
Article 34 of Directive (EU) 2022/2555 establishes two penalty tiers that Hungary’s Act LXIX of 2024 transposes directly. Both tiers use a “whichever is higher” rule: SZTFH applies the larger of the flat euro ceiling or the turnover percentage. For a company with €200M in global annual revenue, 2% of turnover (€4M) sits below the €10M cap — so the flat cap applies. For a multinational with €2 billion in revenue, 2% produces €40M — far above the cap — meaning the cap is irrelevant and the percentage governs.
| Fine Parameter | Essential Entity | Important Entity |
|---|---|---|
| Maximum flat fine | €10,000,000 | €7,000,000 |
| Maximum turnover-based fine | 2% of global annual turnover | 1.4% of global annual turnover |
| Rule applied | Whichever is higher | Whichever is higher |
| Approximate HUF equivalent of cap (at ~400 HUF/EUR) | ~HUF 4 billion | ~HUF 2.8 billion |
| Triggers | Violations of Articles 21 (security measures) or 23 (incident reporting) of the Directive | Same |
| Supplementary measures | Fines are additive to other SZTFH enforcement actions | Same |
The Directive requires all administrative fines to be “effective, proportionate and dissuasive.” Hungary’s penalty structure is broadly in line with the EU-wide NIS2 penalty framework, but the domestic implementing decrees add a separate HUF fine ladder on top of these headline caps — covered in the next section. In practice, this means SZTFH will weigh the seriousness and duration of the infringement, whether it was intentional or negligent, prior violations, the financial capacity of the entity, and the entity’s level of cooperation with supervisory inquiries. An organisation that self-discloses an incident, cooperates fully with the investigation, and demonstrates a remediation plan in place will face a materially different fine outcome than one that conceals a breach.
The HUF Ladder: Operational Fines for Specific Violations
The headline €10M/€7M caps attract most attention, but Hungary’s implementing legislation — Government Decree 418/2024 and Government Decree 189/2025 — creates a separate, HUF-denominated fine structure for specific operational failures. These fines apply independently of the main entity-level penalties and can stack. Missing your auditor contract deadline, failing to complete your first audit, and not reporting an incident are three distinct violations, each carrying its own fine range.
| Violation | Fine Range (HUF) | Approx. EUR Equivalent | Legal Basis |
|---|---|---|---|
| Failure to register with SZTFH by deadline | HUF 50,000 – 15,000,000 | ~€125 – €37,500 | Act LXIX of 2024 |
| Failure to conclude auditor contract | HUF 1,000,000 – 15,000,000 | ~€2,500 – €37,500 | Gov. Decree 418/2024 |
| Failure to complete first cybersecurity audit by 30 June 2026 | 2% of prior-year revenue; min HUF 1,000,000; max HUF 150,000,000 | ~€2,500 – €375,000 | Gov. Decree 189/2025 |
| Failure to report significant incident to NKI | HUF 500,000 – 5,000,000 | ~€1,250 – €12,500 | Act LXIX of 2024 |
| Failure to pay annual supervisory fee | HUF 500,000 to 10× the supervisory fee owed | Variable | Gov. Decree 418/2024 |
The audit execution fine deserves special attention: at up to HUF 150,000,000 (≈€375,000), it applies a revenue-based formula rather than a flat rate, which means larger organisations face proportionally larger exposure even from this single missed procedural step. For context, a Hungarian mid-size company with HUF 2 billion in prior-year revenue would face a fine of up to HUF 40 million (€100,000) for missing the June 2026 audit deadline alone — before any entity-level fine for the underlying security failures that audit was supposed to catch.
EUR equivalents above use an approximate rate of 400 HUF/EUR and are illustrative. The actual exchange rate applied will be the official rate at the time of fine imposition, which SZTFH determines based on Hungarian National Bank rates.
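As an added example (not from the article and not an SZTFH tool), the following Python encodes the two fine layers described above: the whichever-is-higher rule of the Article 34 tiers, the clamped revenue-based audit execution fine, and the stacking of the HUF ladder. The 400 HUF/EUR rate and the ladder maxima are the illustrative figures from the tables above; the function and key names are assumptions of this example.

```python
# Added example (not part of the article): a small calculator for the two fine
# layers described above, so the article's worked figures can be reproduced.
# The 400 HUF/EUR rate is the article's illustrative rate, not an official one.
from typing import Dict, Iterable

HUF_PER_EUR = 400  # illustrative, as in the article

# Article 34 tiers: flat cap in EUR and turnover share in basis points (1 bp = 0.01%).
# Basis points keep the arithmetic exact instead of multiplying by 0.02.
ENTITY_TIERS = {
    "essential": (10_000_000, 200),  # EUR 10M or 2.0% of global turnover
    "important": (7_000_000, 140),   # EUR 7M or 1.4% of global turnover
}

# Operational HUF ladder: upper bound of each range in the table above.
# The audit execution fine is revenue-based and handled separately.
LADDER_MAX_HUF = {
    "registration": 15_000_000,
    "auditor_contract": 15_000_000,
    "incident_reporting": 5_000_000,
}


def entity_fine_cap_eur(entity_type: str, global_turnover_eur: float) -> float:
    """Entity-level maximum: the higher of the flat cap and the turnover share."""
    flat_cap, bps = ENTITY_TIERS[entity_type]
    return max(flat_cap, global_turnover_eur * bps / 10_000)


def audit_execution_fine_huf(prior_year_revenue_huf: float) -> float:
    """Gov. Decree 189/2025 formula: 2% of prior-year revenue, clamped to HUF 1M-150M."""
    raw = prior_year_revenue_huf * 2 / 100
    return min(max(raw, 1_000_000), 150_000_000)


def huf_to_eur(huf: float) -> float:
    return huf / HUF_PER_EUR


def operational_exposure_huf(prior_year_revenue_huf: float, missed: Iterable[str]) -> float:
    """Sum of the HUF ladder maxima for every missed step; these fines stack."""
    total = 0.0
    for step in missed:
        if step == "audit_execution":
            total += audit_execution_fine_huf(prior_year_revenue_huf)
        else:
            total += LADDER_MAX_HUF[step]
    return total


def exposure_report(entity_type: str, global_turnover_eur: float,
                    prior_year_revenue_huf: float, missed: Iterable[str]) -> Dict[str, float]:
    """Worst case: entity-level cap plus stacked operational fines, totalled in EUR."""
    entity_eur = entity_fine_cap_eur(entity_type, global_turnover_eur)
    ladder_huf = operational_exposure_huf(prior_year_revenue_huf, missed)
    return {
        "entity_cap_eur": entity_eur,
        "operational_huf": ladder_huf,
        "total_eur": entity_eur + huf_to_eur(ladder_huf),
    }


if __name__ == "__main__":
    # The article's mid-size case: HUF 2bn prior-year revenue, audit deadline missed.
    print(audit_execution_fine_huf(2_000_000_000))  # 40000000.0 HUF (about EUR 100,000)
    print(exposure_report("essential", 200_000_000, 2_000_000_000, ["audit_execution"]))
```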
SZTFH’s Supervisory Escalation Ladder
SZTFH Decree 3/2025, issued on 17 April 2025 and in force the following day, formalised Hungary’s cybersecurity inspection framework. The decree introduces two inspection tracks: a planned annual inspection schedule that SZTFH publishes in advance, and an extraordinary inspection that SZTFH can launch at any time based on incident reports, complaints, or risk signals. There is no advance notice requirement for extraordinary inspections.
The enforcement sequence runs through up to seven levels, with SZTFH able to apply multiple measures simultaneously rather than being required to exhaust lower levels first:
- Documentation request. SZTFH demands access to cybersecurity policies, implementation records, audit results, and data relevant to oversight. Refusal or delays are themselves a triggering event for escalation.
- Formal warning. A written notice specifying which obligations have been violated. The warning creates an official record and starts the clock on remediation expectations.
- Binding instruction. A mandatory order to remedy the identified deficiency within a specified timeframe. Unlike a warning, this is legally enforceable and failure to comply is an independent violation.
- Cease order. SZTFH orders the entity to stop the specific conduct that constitutes the violation. This can apply to ongoing system configurations, data practices, or third-party arrangements that breach the Directive.
- Mandatory public disclosure. SZTFH requires the entity to inform affected customers or the public of the cybersecurity threat or infringement. Reputational consequences are immediate and beyond the organisation’s control once this step is triggered.
- Suspension or restriction of certification or authorisation. For entities whose operations depend on SZTFH-issued certifications — including entities operating under security certification schemes — SZTFH can suspend those authorisations, effectively halting part or all of their regulated activities.
- Temporary management ban. SZTFH can temporarily prohibit a natural person exercising managerial functions — typically the CEO or legal representative — from those activities. This is the Directive’s most severe individual sanction and is addressed in detail below.
The distinction between essential and important entities is most visible at the supervision tier rather than the fine tier. Essential entities are subject to proactive, ongoing supervision — SZTFH monitors continuously and can conduct on-site inspections and random checks regardless of whether an incident has occurred. Important entities face ex-post, reactive supervision: SZTFH acts when it has reason to believe non-compliance exists or after a reportable incident. The practical implication is that an essential entity in healthcare or energy should assume it can be inspected at any point, while an important entity faces lower ambient inspection risk but still carries full financial liability once a violation is found.
Management Personal Liability and the Director Ban Mechanism
Article 20 of the NIS2 Directive requires management bodies to approve cybersecurity risk-management measures and oversee their implementation. It also establishes that management bodies “can be held liable for infringements” — a principle that Hungary’s Act LXIX of 2024 implements with two distinct personal consequences.
Personal fines: A natural person exercising managerial functions who wilfully ignores compliance obligations can be fined up to HUF 15,000,000 (≈€37,500 at current rates). This is a personal fine, separate from any corporate fine imposed on the entity. It cannot be covered by company insurance as a corporate liability; it is paid by the individual.
Temporary management ban: Article 32(5)(b) of the Directive enables competent authorities to request that the relevant bodies temporarily prohibit any natural person responsible for carrying out the duties at CEO or legal representative level from exercising managerial functions. Hungary’s implementation makes a three-year prohibition available for persistent non-compliance. The ban applies to the individual, not to a specific company, meaning a prohibited director cannot step into an equivalent role at another entity covered by the Act during the prohibition period.
Three points matter for understanding when this mechanism is actually triggered. First, it applies to persistent non-compliance — a single incident is unlikely to produce a ban without prior warnings or binding instructions that were ignored. Second, Article 32 includes procedural safeguards: the authority must follow administrative due process, and the prohibition must be proportionate to the individual’s actual role and responsibility. Third, public administration entities are explicitly excluded from management prohibitions under the Directive, though Hungary’s national law for public bodies may apply separate accountability mechanisms.
The management ban creates a liability profile that goes beyond traditional corporate compliance risk. A board that formally approves the cybersecurity risk-management programme, receives the required Article 20 training, and actively monitors implementation is in a fundamentally different position than one that delegates this entirely and cannot demonstrate oversight. SZTFH’s annual inspection plan will include entities where management-level engagement with cybersecurity governance is visible — or visibly absent.
Key Deadlines for 2025–2026
| Deadline | Obligation | Consequence of Failure |
|---|---|---|
| Passed (Aug–Oct 2024) | Registration with SZTFH and initial system classification | HUF 50,000–15,000,000 registration fine; continued non-registration triggers escalation |
| 15 February 2025 | Previously registered entities submit list of EU member states where they operate | Enforcement action; cross-border cooperation trigger |
| 31 August 2025 | Conclude contract with SZTFH-accredited cybersecurity auditor | HUF 1,000,000–15,000,000 fine |
| 15 September 2025 | Report the concluded auditor contract to SZTFH | Enforcement notice; fine for non-compliance with binding instruction |
| Within 24 hours of detection | Report significant cybersecurity incidents to NKI | HUF 500,000–5,000,000 incident reporting fine |
| 30 June 2026 | Complete first cybersecurity audit by SZTFH-accredited auditor | 2% of prior-year revenue; min HUF 1,000,000; max HUF 150,000,000 |
| January 2027 (expected) | ISO/IEC 27001 certification for essential entities | Non-certification is an Article 21 compliance gap subject to full enforcement ladder |
The August 2025 auditor contract deadline is the most immediately actionable item for organisations that have registered but not yet concluded an auditor agreement. The pool of SZTFH-accredited auditors is finite and demand is concentrated: leaving this until August creates scheduling risk on top of legal risk. The September 2025 reporting deadline to SZTFH means the contract must be in place before you can notify the authority. For a step-by-step walkthrough of what inspectors look for, see the NIS2 audit preparation guide.
What Each Role Needs to Do Now
Hungary’s enforcement framework places different obligations on different organisational roles. The following matrix maps the most time-sensitive actions to the role responsible for them:
| Role | Immediate Actions (by September 2025) | Medium-Term Actions (by June 2026) |
|---|---|---|
| Board / C-Suite | Formally approve the Article 21 cybersecurity risk-management programme in board minutes; attend (and document) cybersecurity training session | Review and sign off on first audit scope; ensure ISSO reports to board-level governance; confirm personal liability insurance review completed |
| Compliance Officer / Legal | Confirm entity classification is correct under January 2026 threshold rules; prepare registration documentation; map obligation calendar to internal approval workflows | Build SZTFH inspection-ready evidence pack: policies, risk register, incident logs, training records, RACI assignments |
| CISO / IT Security Manager | Classify all systems per NIST SP 800-53 Rev.5 tiers; select and contract an accredited auditor; ensure incident reporting pipeline to NKI is live and tested | Close all Article 21(2) gaps identified in the gap analysis; deliver audit evidence; prepare ISO 27001 certification roadmap for essential entities |
| SME Owner | Verify whether the January 2026 three-condition size test changes your classification; if in scope, register with SZTFH and appoint an Information Security Officer (ISSO) with the required legal competency | Complete first audit by 30 June 2026 — the audit execution fine is revenue-based, so the smaller your company, the more proportionally damaging a last-minute failure becomes |
Frequently Asked Questions
What does SZTFH stand for and what does it actually do?
SZTFH is the Supervisory Authority for Regulated Activities (Szabályozói Hatóságok Felügyeletéért Felelős Hatóság in Hungarian). It is Hungary’s primary NIS2 competent authority, responsible for registering regulated entities, conducting inspections, issuing fines, and administering the management ban mechanism. It publishes its annual inspection schedule, meaning regulated entities can anticipate — but not avoid — supervisory scrutiny.
How does SZTFH calculate the actual fine for a specific company?
SZTFH starts with the higher of the flat cap or the turnover percentage, then applies proportionality factors: seriousness and duration of the infringement, whether it was intentional, prior violations, actual damage caused, and the organisation’s cooperation level. Companies that self-report, co-operate fully, and demonstrate remediation in progress typically receive lower fines. SZTFH has discretion within the ranges set by law — these are maximum figures, not automatic outcomes.
Can a director appeal a personal fine or ban?
Yes. Hungarian administrative law provides appeal rights against SZTFH enforcement decisions. Decisions can be challenged through administrative proceedings and, if unsuccessful, through the courts. However, appealing does not automatically suspend enforcement, meaning a ban may be in effect during the appeal process depending on the procedural rules applicable to the specific decision.
Does the January 2026 size threshold change mean we might leave scope?
Possibly. If your organisation previously met only one or two of the three conditions (employees, turnover, balance sheet), the new “all three simultaneously” rule may mean you no longer qualify as essential or important. However, de-registration is not automatic: you must apply to SZTFH, which evaluates the application and can reject it or impose conditions. Until SZTFH confirms de-registration, you remain in scope.
This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
Sources
- NIS2 Directive (EU) 2022/2555, Article 34 — Administrative Fines
- NIS2 Directive (EU) 2022/2555, Article 32 — Supervisory and Enforcement Measures for Essential Entities
- NIS2 Directive (EU) 2022/2555, Article 33 — Supervisory and Enforcement Measures for Important Entities
- NIS2 Directive (EU) 2022/2555, Article 20 — Governance
- Schönherr: Cybersecurity in Hungary — How to Avoid Million-Forint Fines in 2025
- Mondaq: New Hungarian Cybersecurity Law in 2025 — Key Takeaways
- Copla: NIS2 Directive Regulations and Implementation in Hungary