Hungary extends cybersecurity registration obligations for entities falling under NIS2

The Hungarian Supervisory Authority for Regulatory Affairs (SARA), which oversees Hungary’s compliance with the EU’s Network and Information Security Directive 2 (NIS2), has issued a decree (SARA Decree No. 8/2025., VIII. 21.) extending the scope of information that entities must provide during NIS2 registration. The change affects both new and existing registrations.

The following article summarises the new requirements and provides practical steps to achieve compliance in Hungary.

New registration requirements

The Decree amends the information that entities are required to submit on the registration application.

Starting 22 August 2025, entities registering with the SARA must submit the total number of electronic information systems under their control in addition to the information already required. This number is relevant for statutory internal documentation purposes, and for the calculation of the maximum fee of the mandatory cybersecurity audit.

Most companies appear to have difficulty establishing the exact number of electronic information systems under their control. The statutory definition is considerably vague and the SARA does not provide an official guidance in the matter. The case is even more complex for Hungarian subsidiaries of multinational companies where electronic information systems are under HQ control.

Entities already registered with the SARA must submit the number of electronic information systems under their control before 31 December 2025. The SARA has yet to publish the updated versions of the online forms used for registration.

Background on the registration obligation

Under the Hungarian Cybersecurity Act, entities falling under NIS2 obligations must register with the SARA. The mandatory information for registration includes identification and contact data of the entity and the person responsible for the security of electronic information systems and the technical information on the publicly available services provided by the entity. Other mandatory information includes the entity’s IP addresses, domain names and IT subcontractors. The exact data necessary for registration can be found in SARA Decree No. 23/2023. (XII.19.).

Next steps

While new registration requirements will enhance compliance with NIS2, companies may face uncertainty from the lack of clear definitions and official guidance. As deadlines approach, companies should await further instructions from the SARA in order to ensure compliance with the amended registration process.

The official text of the Hungarian Cybersecurity Act is available here and the SARA decree containing the amended registration requirements can be found here (in Hungarian). The registration form is available here (in Hungarian).

For advice on Hungarian cybersecurity obligations and for assistance in completing SARA registration procedures, contact your CMS client partner or these CMS experts.

The article was co-authored by János Bálint and Barnabás Czakó.