EU’s new directive also affects Hungarian companies: how to prepare for NIS2

Portfolio.hu interviewed Máté Uzsoki, the Managing Director of Serpentarius Software Ltd., a company specialising in information security and software development, about the concrete steps that companies need to take to prepare for NIS2. We also discussed why information security is becoming a critical factor in supplier relations, how custom software development can help and the role of artificial intelligence in this process.
What concrete steps can companies take to prepare for NIS2 compliance?
Máté Uzsoki: The first step is to determine whether the company falls under the scope of the Hungarian legislation implementing the NIS2 Directive, based on sector classification (e.g., energy, transport, healthcare, digital services) and company size. Affected companies have already been required to register with the competent authority, which in most cases is the Supervisory Authority for Regulated Activities (known in Hungarian as SZTFH).
Next, a risk-based information security assessment must be conducted to identify vulnerabilities and define the necessary technical and organizational measures. Compliance also includes developing a detailed incident management plan to ensure rapid detection, investigation, and reporting of security events.
Hungarian law requires affected organizations to demonstrate compliance through certification, which can only be carried out by an auditor recognized by the SZTFH.
It is advisable to select a NIS2-preparation consultant at an early stage, who will prepare the necessary documentation, help request quotes for the audit, and coordinate the entire process.
Certification is valid for a limited period; audits must be repeated at least every two years, but the authority or auditor may also impose extraordinary audits.
How does the regulation affect SMEs that are not directly subject to NIS2?
Companies that are not directly covered by NIS2 due to their size or activities are currently not obligated, though the SZTFH may designate them at a later stage.
However, indirect effects are already being felt, especially through supply chains.
Larger, NIS2-regulated companies increasingly require their partners to comply with information security standards, often as contractual conditions. This is particularly relevant for IT providers, software developers, cloud service providers, operators, and other technology suppliers.
For them, cybersecurity is no longer just a technical matter but a market expectation and potential competitive advantage.

Given the changing business environment, it is wise for even non-obligated companies to voluntarily establish a basic cybersecurity control system. Measures such as access management, incident response protocols, data backup, and staff training not only make operations safer but also improve the company’s reputation among partners and clients—especially in export-driven, competitive markets.
How can companies select the most suitable auditor from those recognized by the SZTFH?
The SZTFH’s list of accredited auditing firms is public, but selection must consider both the auditor’s accreditation scope and the company’s classification (significant or high). A key factor is the limited number of auditors: thousands of companies await audits, but only 10 firms are currently authorized to perform the broadest, “basic” classification audits.
In practice, the choice should be guided by the consultant’s recommendation, as well as audit costs, auditor availability, and any previous cooperation.
What types of cyberattacks most frequently target Hungarian companies, and how well are corporate IT systems prepared?
Cyberattacks against Hungarian companies are becoming increasingly targeted and sophisticated.
The most common threats include
- phishing attacks: fraudulent, often seemingly authentic emails designed to steal sensitive data or login credentials;
- ransomware: attackers encrypt company data and demand payment for release, often threatening to leak the data publicly; and
- social engineering: manipulation of employees or users with access rights, tricking them into making transfers or disclosing credentials through urgency, trust-building, or deception.
NIS2, however, addresses more than just cyberattacks; it also assesses whether IT systems are properly designed and operated.
This protects owners and executives by identifying weaknesses that could disrupt operations and cause financial losses.
For example, if a server failure results in data loss, or if websites, email, or ERP systems are down for days, these indicate deficiencies that should have been mitigated by IT operations. Identifying and fixing such gaps not only improves audit results but also ensures more reliable business operations.
What exactly does social engineering mean, and how much does employee training matter in defense?
Social engineering is not limited to digital channels. Common methods include attempts at unauthorized physical access—such as pretending to be an inspector or subcontractor—to access internal systems, steal storage devices, or plant surveillance tools. Phone-based manipulation is also widespread, with attackers impersonating system administrators, customer support staff, or partners to extract sensitive information.
Defending against such attacks requires not only technical safeguards but also employee awareness, supported by regular training.
How does NIS2 affect companies that already have advanced cybersecurity systems?
Organizations with certified information security management systems (e.g., ISO/IEC 27001) are typically in a stronger starting position for NIS2 compliance. However, even existing systems must be reviewed to ensure alignment with NIS2 requirements. Measures must be properly documented, up to date, and regularly reviewed. Special attention must be paid to incident reporting, supplier risk management, organizational responsibilities, and certification requirements.
NIS2’s uniqueness lies in requiring not just technical measures, but also organizational, managerial, and legal compliance. Thus, even companies with mature cybersecurity cultures may need further development.

What role do suppliers and partners play in a company’s cybersecurity strategy?
Supply chain security is often underestimated, yet NIS2 explicitly makes companies responsible for the cybersecurity of their supply chains. This means contracts increasingly include cybersecurity clauses, audit rights, and liability statements. Security maturity has become a selection criterion alongside price and performance.
For partners with access to company systems or data, particularly strict controls are needed. Implementing a supplier risk assessment system that continuously evaluates partners’ cybersecurity reliability is recommended. This approach is essential not only for regulatory compliance but also for managing real risks and protecting reputation.
What responsibilities do company executives bear for NIS2 compliance?
NIS2 names executive-level responsibility as a concrete legal obligation. Senior management (executive board, directors, or CEO) must ensure the organization meets information security requirements. Compliance cannot be delegated solely to IT or an appointed expert: leaders must actively participate in risk assessments, approve measures, and allocate resources.
What typical mistakes do companies make at the start of NIS2 preparations?
A common mistake is treating compliance solely as an IT project, while NIS2 requires organizational transformation: leadership commitment, supply chain oversight, incident management capabilities, and documented processes.
Other frequent errors include uncertainty about applicability, starting preparations too late, neglecting risk-based thinking, overlooking supplier dependencies, or having only “paper” incident response plans with no tested scenarios.
The biggest mistake, however, is treating compliance as a one-off “tick-the-box” project instead of integrating it into daily operations.
The key is to approach preparation as systemic transformation: determine applicability early, appoint responsible persons, map risks, and establish processes. This makes certification smoother and security more genuine.
Does NIS2 also affect the use of cloud services and external IT providers?
Yes. NIS2 extends responsibility to external providers, including cloud solutions and managed IT services. Outsourcing infrastructure or operations does not eliminate liability; the organization remains ultimately responsible. Contracts with providers must clearly stipulate security requirements, audit rights, incident reporting obligations, and minimum service security levels.
Outsourced services must also be assessed during risk analysis—especially when providers have access to sensitive data or critical systems. In cloud models (IaaS, PaaS, SaaS), particular attention must be paid to the shared responsibility principle, clarifying which layers are managed by the company versus the provider.
How can companies effectively communicate compliance to clients?
Cybersecurity compliance is increasingly a market differentiator, but communication is only credible if backed by genuine, regularly verified compliance. Ways to communicate include:
- Publishing certifications on websites, proposals, or corporate documents.
- Updating privacy and IT security statements to detail compliance measures.
How can NIS2 requirements be integrated into an existing ISO-based compliance system?
NIS2 requirements can be effectively integrated into ISO/IEC 27001-based information security systems, as both frameworks share a risk-based, continuous improvement approach emphasizing leadership commitment and documented, verifiable controls. Compliance usually requires targeted extension rather than starting from scratch.
The first step is a thorough gap analysis to identify overlaps and missing elements. ISO 27001 is flexible, while NIS2 prescribes specific measures, such as regulatory incident reporting or stricter supplier controls. These should be integrated seamlessly into governance structures without creating redundant processes.
Can tailored IT solutions help companies meet the requirements?
Yes. For organizations using custom-built systems or integrated applications, compliance often requires technological adaptation. Our team at Serpentarius has both compliance and software engineering expertise. With 20 years of experience in custom software development, we can embed cybersecurity requirements directly into client systems—whether by adding logging functions, implementing incident detection logic, fine-tuning access control modules, or developing compliant reporting features. This ensures security is realized not only on paper but within the systems themselves.
How does the rise of artificial intelligence impact compliance and information security?
AI brings new challenges. While NIS2 does not explicitly mention AI, its risk-based approach, incident reporting, and supply chain security extend to it.
Generative AI, especially large language models (LLMs), poses particular risks: employees may inadvertently input sensitive or trade-secret data into public AI systems, which could later become accessible through model training.
The regulatory landscape is also evolving: the EU recently recognized ISO/IEC 42001 as the new international AI management system standard. Similar to ISO 27001, it provides a framework for transparent, safe, and responsible AI use, complementing NIS2’s risk-based approach and control requirements.

At Serpentarius, we address these challenges by offering private AI server hosting, enabling clients to use AI in a closed, controlled environment aligned with their data protection rules. We are also building competencies aligned with ISO/IEC 42001 to ensure clients can leverage AI opportunities with maximum data security—integrated into existing business systems or as standalone solutions.
SPONSORED CONTENT - Published with the support of Serpentarius Software Ltd.
Cover photo: Portfolio