Lesku Gergely
07/31/2025

NIS2: The road to compliance and lessons learned from the first audits in Hungary

Hungary’s early NIS2 audits reveal key lessons in compliance—from system security planning to digital readiness—proving regulation can drive real cybersecurity advancement.

The introduction of the NIS2 Directive is a milestone in the regulation of cyber security in Europe - and thus in Hungary. Although it is challenging for many organizations, domestic practice shows that with proper preparation this challenge can become a significant opportunity for improvement. This article shares our GRC consultancy practice, our experiences from the audits conducted so far, and some lessons learned.

The impact of NIS2 in Hungary

Hungarian early adopters have been preparing intensively for NIS2 compliance since 2022. Capacity is extremely scarce: more than 4,000 organizations are affected by the regulation, yet only ten audit firms are available to audit them - so it is not surprising that the processes around auditing are often hectic.

However, SOCWISE's information security consultants were able to add value early on: through training, GAP analyses and dozens of regulatory projects, they built up deep professional knowledge and experience. A central element of this is incident management.

Key elements of the preparation

The compliance process consists of the following main steps:

  1. Analysis and planning: assessing existing systems and policies, rethinking incident management processes.
  2. Establishing rules and regulations: defining manuals, procedures, roles - e.g. assigning responsibilities based on position.
  3. Technical preparation: setting up the systems and tools used, optimizing the EIRs (electronic information systems).
  4. Launching long-term projects: some developments can take up to 1-2 years, e.g. IT asset management, endpoint protection, log management.
  5. Internal self-checking and audit: self-auditing is also a prerequisite for a successful audit, but it is important to understand what to expect during the audit.

What are the main technology gaps?

A range of technological solutions can help organizations in their preparations. We highlight the following because they deliver the most progress towards NIS2 compliance, since each can be used to satisfy a number of controls. They are also essential for modern, secure operations:

  • GRC platforms: although everything can be done on paper or in Excel, regulatory complexity has reached a level where it is almost impossible to maintain a transparent system without digital support.
  • Log and incident management systems: these controls are often missing or insufficient - even though incident reporting has been mandatory for NIS2 obligated parties since October 2024.
  • Endpoint protection: although it is widespread, many critical devices still do not have up-to-date protection, so the question must be asked: which machines do not have it and why?
  • User and privilege management: permissions, access, exceptions - the lack of a controlled, traceable and accountable IAM/IDM system is one of the most common and most damaging deficiencies. The reverse is also true: if you have one, it helps with almost everything else.

Audit experience: what to expect?

Although relatively few audits have taken place so far, some lessons are already emerging. The process always consists of submitting the EIRs in scope, answering a number of questions and providing data to the auditor, followed by the auditor's evaluation and an in-person interview/audit. In some cases the auditor may also inspect the systems and even expect testing. Some common points:

  • Documentation is crucial: the existence and quality of regulatory controls - such as TSIs, procedures and security plans - is often a decisive factor.
  • A logical justification for exceptions is important: not all controls are feasible, but documenting them in a substantiated way makes a difference in the evaluation.
  • Focus on operational controls: the audit scoring system favours operational controls.
  • Audit methods may differ: some auditors are flexible and, when a company has a good chance of passing, give it time to correct errors by suspending the audit for a few weeks, while others rigidly follow the methodology.
  • Digital data storage helps you react quickly: GRC software is a competitive advantage here too - not only for the auditor, but also for the company.

The security plan - the key to the audit

One of the most important findings, encountered at almost all organizations, is the lack of a system security plan. It is not just a formal requirement but a genuinely technical document: merely preparing it can surface significant security issues, and it is no coincidence that audits can fail on it.

This was also highlighted by the auditors as a critical compliance point in their interpretation of the regulation - it is the level of "how to protect", not just "what to do".

The future of digital compliance: it won't work without AI

Regulations - be it NIS2, the AI Act or the forthcoming Cyber Resilience Act - point in a clear direction: digital compliance is not only an expectation, but also a survival imperative. Attackers are already using AI - defending against it cannot be paper-based.

NIS2 is therefore not only a compliance constraint, but also an opportunity. If used wisely, it could be the occasion to finally deliver the long-awaited information security leap forward for domestic organizations.

Concluding thoughts

The Hungarian market has done an exemplary job in recent times - in terms of compliance processes, audit preparation and technological developments. The deadline of 30 June 2025 has passed - but the opportunity is still here: let's build durable, digital and adaptive protection!
