NIS2 Compliance Preparation for Accreditation

What is the NIS2 directive?

As cyber threats become increasingly prevalent across Europe, the security of digital infrastructures has become a critical priority. To address these growing challenges and vulnerabilities, the European Union has adopted the Directive on Security of Network and Information Systems (NIS2). This new directive builds on the original NIS Directive and introduces more robust protection measures for critical sectors and essential services.

NIS2 aims to strengthen cybersecurity across the EU by introducing stricter requirements, expanding the scope of covered sectors, and implementing more effective enforcement mechanisms. It ensures that EU member states are better equipped to respond to and prevent cyber threats.

What does the NIS2 directive mean?

NIS2 is the updated EU regulation designed to manage cybersecurity risks in critical sectors. It replaces the 2016 NIS Directive, incorporating lessons learned from its implementation and adapting to the evolving threat landscape.

The directive mandates the implementation of cybersecurity measures across a broader range of sectors and organizations. It harmonizes risk management procedures, incident reporting obligations, and resilience protocols throughout the EU.

Key requirements

With the transposition of the NIS2 Directive into Hungarian law, the previous "Cybersecurity Act" has been replaced by Act LXIX of 2024 on Hungary’s Cybersecurity. Implementation and technical requirements are defined by Government Decree 418/2024 and Decree 7/2024 (MK).

Organizations falling under the directive must ensure the protection of the information systems they operate, in proportion to the potential damage that cyber threats could cause.

The cybersecurity framework must cover the following areas:

• General information security management, including risk management frameworks
• Handling of cybersecurity and operational incidents
• Application of administrative, logical, and physical security measures according to system classifications
• Business continuity planning
• Procurement, development, and operation of related software and hardware
• Extension of security requirements to all parties involved in system creation, operation, maintenance, or repair

The protection measures are primarily based on the principles outlined in NIST SP 800-53 Rev.5.

Covered sectors

The NIS2 Directive applies to both public and private sector entities that qualify at least as medium-sized enterprises and provide services or conduct business within the EU.

In certain critical sectors, the directive applies regardless of company size, even to small businesses if their operations have significant cybersecurity relevance.

Risk-sensitive sectors include:

• Postal and courier services
• Food industry (production, processing, and distribution)
• Waste management
• Chemical industry
• Manufacturing, including medical devices, computers, electronics, optics, machinery, vehicles, and transport equipment
• Digital service providers (online marketplaces, search engines, social media platforms)
• Research institutions
• Local municipalities

Highly critical sectors include:

• Energy (electricity, heating, oil, gas, hydrogen)
• Transport (air, rail, water, road, public transport)
• Healthcare
• Drinking water supply and wastewater management
• Digital infrastructure
• Outsourced ICT services
• Space-based services

Deadlines and penalties

The NIS2 Directive sets strict deadlines for compliance. Organizations must meet all requirements by the specified dates.

• Dec 14, 2022 – NIS2 Directive adopted at EU level
• May 15, 2023 – Hungary enacts the new cybersecurity law
• Jan 1, 2024 – Classification of organizations begins
• June 30, 2024 – Mandatory registration deadline
• Oct 18, 2024 – Implementation of required internal measures
• Dec 31, 2024 – Deadline for contracting an accredited auditing organization
• Dec 31, 2025 – First official audit must be completed

Supervisory authorities may impose sanctions, including warnings, mandatory remediation, suspension of high-risk activities, or fines of up to €10 million or 2% of global annual turnover. Organizations may also be required to notify customers of relevant threats.

Cybersecurity risk management measures under NIS2

Organizations must demonstrate compliance with the following protocols through independent audits every two years:

• Site security analysis – assessment of threats and vulnerabilities
• Policy development – establishment of risk assessment and IT security protocols
• Incident handling – detection, response, and recovery procedures
• Regulatory incident reporting – authority notification mechanisms
• Business continuity planning – crisis management and recovery strategies
• Supply chain security – protection of IT supply chains and third-party collaboration
• Security awareness and training – ongoing education for stakeholders
• System integrity assurance – ensuring resilience of information systems

Steps to achieve NIS2 compliance

• Assessment and situation analysis – evaluate current compliance with NIS2 requirements
• Setting objectives – define measurable goals for compliance
• Detailed risk analysis – identify vulnerabilities and threats to IT systems
• Modernizing security protocols – update policies, encryption, and access control
• Training and awareness raising – educate employees on NIS2 protocols
• Incident response plan – create and document response strategies
• Supplier compliance – ensure third-party standards are met
• Continuous monitoring and auditing – regular review of systems
• Developing communication protocols – establish internal and external reporting mechanisms

What does a gap analysis mean in the field of IT?

An IT security GAP analysis compares the current state of information security measures with the optimal state, identifying gaps and opportunities for development. Based on the results, well-founded decisions can be made to align IT security, efficiency, and business goals.

• Mapping data protection and security measures
• Analyzing the operation, reliability, and efficiency of IT systems
• Identifying risk factors such as data loss and vulnerabilities
• Defining steps to improve information security or obtain certification

The GAP analysis is not just a technical review—it is a strategic tool that helps companies comply with international standards, meet market expectations, and address client requirements. Independent expert reviews ensure secure, transparent, and efficient operations, while minimizing risks to data integrity and business continuity.

Contact us with confidence to strengthen your company’s cybersecurity and achieve full NIS2 compliance! We are here to help you meet regulatory requirements and manage risks effectively.