The EU’s NIS2 Directive entered into force in January 2023 and seeks to achieve a high common level of cybersecurity protection across the Union. The Directive must be implemented by Member States by 17 October 2024 and Hungary has been one of the earliest movers, with its first substantive obligations already in effect: covered entities were required to register with the national authorities by 30 June 2024.

You can find more information on the Hungarian cybersecurity requirements in this detailed article. The key practical learnings from implementation in Hungary are set out below.

  • Determining whether a multinational organisation is in scope of national implementing legislation can be complex, and will require a jurisdiction-by-jurisdiction analysis: covered sectors and definitions of key concepts are not consistent between the Hungarian implementing legislation and the Directive.
  • Identifying the right individual(s) to take responsibility for compliance may be a challenge, particularly when ICT services are outsourced or managed by an affiliate outside the jurisdiction.
  • Local regulatory processes developed with domestic companies in mind may not work well in practice for multinationals. However, there is still scope to engage with local regulators to influence how NIS2 is implemented and embedded in national law and practice.

Csaba Vári is head of the Privacy practice for Baker McKenzie in Hungary and a member of the Intellectual Property and Technology group. He provides comprehensive advice to clients on privacy and cybersecurity matters, from European data protection regulations and local privacy laws to e-commerce and cloud services regulation. His work focuses on advice and support to clients regarding data protection impact assessments, data security incident reporting, and responding to queries from data subjects, as well as representation before regulatory authorities and courts.


Andras Gaal is an attorney in Baker McKenzie's Budapest office.