NIS2 Hungary Multi-Authority Enforcement Guide: NBI Sectoral Oversight, NKH Coordination, and Cross-Authority Compliance for 2026

Comprehensive guide to Hungary's multi-authority NIS2 enforcement model — covering NBI (National Security Authority) sectoral oversight for defence and security, NKH health sector coordination, cross-authority cooperation with SZTFH, interagency information-sharing frameworks, entity obligations across multiple regulators, and cyber insurance implications for Hungarian entities navigating the cooperative supervisory regime.

Hungary’s NIS2 transposition through Act LXIX of 2024 on the Cybersecurity of Hungary created much more than a single-regulator compliance regime. While SZTFH (Supervisory Authority for Regulated Affairs) serves as the primary supervisory authority and NKI (National Cyber Security Centre / NCSC Hungary) acts as the Single Point of Contact and national CSIRT, enforcement is distributed across a multi-authority model that assigns sectoral competent authorities with distinct — and sometimes overlapping — supervisory powers. For entities operating across multiple Hungarian sectors, navigating this cooperative regime presents unique compliance challenges that go well beyond the single-authority models found in smaller EU states.

This complementary guide to our main Hungary NIS2 compliance guide focuses specifically on the multi-authority enforcement dimension: how NBI (Nemzeti Biztonsági Hatóság / National Security Authority) exercises sectoral oversight in defence and national security contexts, how NKH (Nemzeti Közegészségügyi Hivatal / National Public Health Center) coordinates NIS2 compliance for the health sector, and how all sectoral authorities interact with SZTFH and NKI in Hungary’s cooperative supervisory framework.

Hungary’s Multi-Authority Enforcement Model: Where Things Stand

Why a Multi-Authority Model Matters

Unlike Malta or Cyprus, where a single competent authority handles nearly all NIS2 supervision, Hungary’s institutional design distributes enforcement based on sectoral expertise and existing regulatory mandates. This reflects Hungary’s larger economy and more complex critical infrastructure landscape — but it means that:

  • Multi-sector entities may report to two, three, or more regulators simultaneously
  • Incident reporting may follow different procedural expectations depending on the sectoral authority
  • Supervisory fees may be assessed by multiple authorities
  • Audit requirements may be interpreted differently across sectors
  • Cooperative enforcement actions may involve joint investigations by SZTFH and sectoral authorities

The main SZTFH/NKI framework is covered in detail in our primary Hungary guide. This guide examines the inter-agency dimension — how NBI, NKH, and other sectoral authorities exercise NIS2 powers and what this means for compliance strategy.

Act LXIX of 2024 explicitly establishes the cooperative supervisory framework:

  • Section 6 designates SZTFH as the primary supervisory authority for entities without alternative sectoral legislation
  • Section 7 assigns sectoral competent authorities (szakági hatóságok) for specific sectors where existing regulatory infrastructure exists
  • Section 8 establishes the obligation for sectoral authorities to cooperate with SZTFH and share supervisory information
  • Section 9 requires inter-authority coordination on cross-sectoral incidents
  • Government Decree 418/2024 provides the detailed framework for inter-agency data sharing, joint enforcement actions, and coordinated penalty assessment

Key Dates and Timeline for Multi-Authority Enforcement

| Milestone | Date | Status |
|---|---|---|
| Act LXIX of 2024 enters into force | January 1, 2025 | Complete |
| SZTFH begins entity registration | January 2025 | Complete |
| Sectoral authorities receive entity lists from SZTFH | March 2025 | Complete |
| NBI internal NIS2 coordination unit established | Q2 2025 | Complete |
| NKH health sector compliance guidance issued | Q3 2025 | Ongoing |
| First mandatory cybersecurity audit deadline | June 30, 2026 | Upcoming |
| SZTFH-sectoral authority coordination framework finalized | Q2 2026 | In progress |
| First cross-authority enforcement actions expected | Q3–Q4 2026 | Expected |

Comparison with Other Multi-Authority EU Countries

Hungary’s multi-authority model is comparable to several EU states across our guide series:

Key Sectoral Authorities in Hungary’s NIS2 Framework

NBI — National Security Authority (Nemzeti Biztonsági Hatóság)

The Nemzeti Biztonsági Hatóság (NBI) plays a distinctive role in Hungary’s NIS2 enforcement ecosystem:

  • Sectoral oversight for defence-related entities and national security critical infrastructure
  • Security clearance coordination for personnel in NIS2-designated entities in the defence sector
  • Classified information systems — NBI maintains the national register of classified information systems under Act XXV of 2009 on the Protection of Classified Information
  • Vetting authority — NBI conducts personnel security checks for entities handling classified information, which intersects with NIS2’s supply chain security requirements
  • Cross-authority liaison — serves as the bridge between national security and cybersecurity supervision when incidents have potential security-of-supply or foreign interference dimensions

NBI’s NIS2-specific powers include:

| Power | Scope |
|---|---|
| Demand classified system audit reports | Defence and security sector entities |
| Initiate joint investigations with SZTFH | Any entity where national security concerns arise |
| Issue binding security directives | Classified information system operators |
| Restrict foreign vendor access | Entities with access to classified national assets |
| Coordinate with NATO cybersecurity channels | Cross-border incidents affecting allied infrastructure |

Contact: NBI operates through the Ministry of Interior framework. NIS2-specific coordination requests should be routed through SZTFH’s inter-agency desk.

NKH — National Public Health Center (Nemzeti Közegészségügyi Hivatal)

The Nemzeti Közegészségügyi Hivatal (NKH) serves as the sectoral competent authority for the health sector under NIS2:

  • Competent authority for hospitals, clinical laboratories, medical device manufacturers, and pharmaceutical distributors designated as essential or important entities
  • Health-specific risk assessment — NKH maintains health-sector-specific cybersecurity risk profiles that supplement SZTFH’s general NIST SP 800-53 classification
  • Medical device cybersecurity — coordinates with the National Institute of Pharmacy and Nutrition (OGYEI) on medical device security requirements that overlap with NIS2
  • Patient data protection interface — works with NAIH (Data Protection Authority) where GDPR and NIS2 obligations intersect in health sector entities
  • Incident escalation — healthcare incidents with clinical safety implications follow a dual-reporting path to both NKI (for NIS2) and NKH (for patient safety)

NKH’s NIS2-specific responsibilities include:

| Responsibility | Detail |
|---|---|
| Health entity registration verification | Confirming SZTFH registry entries for health sector entities |
| Medical device vulnerability coordination | Working with OGYEI on device-specific security advisories |
| Clinical cybersecurity guidance | Sector-specific security control recommendations |
| Healthcare incident impact assessment | Evaluating clinical impact of cybersecurity incidents on patient care |
| Pandemic preparedness integration | Ensuring health sector NIS2 plans align with epidemic response frameworks |

Contact: NKH health sector NIS2 inquiries should be directed through the NKH institutional secretariat with reference to Act LXIX of 2024 Section 7 designation.

Other Sectoral Competent Authorities

Hungary’s full multi-authority framework extends beyond NBI and NKH:

| Authority | Sectors | NIS2 Role |
|---|---|---|
| MNB (Magyar Nemzeti Bank) | Banking, financial market infrastructures, payment services | Full supervisory authority for financial sector NIS2 compliance |
| Ministry of Defence (Honvédelmi Minisztérium) | Defence industry, military critical infrastructure | Coordinates with NBI on classified system requirements |
| NAIH (National Authority for Data Protection) | Privacy-critical entities, data processors | Interface between GDPR and NIS2 obligations |
| Ministry of Interior (Belügyminisztérium) | Law enforcement, internal security | Coordinates with NBI on security-clearance-adjacent entities |
| HEA (Hungarian Energy Authority / MEH) | Electricity, gas, oil, district heating | Sectoral competent authority for energy |
| Ministry of Construction and Transport (ÉKM) | Road, rail, air, waterway transport | Sectoral competent authority for transport |

How SZTFH Coordinates Multi-Authority Enforcement

SZTFH is not merely one authority among many — it functions as the coordinating hub for Hungary’s NIS2 enforcement:

  1. Entity registry management — SZTFH maintains the master national registry and distributes entity lists to sectoral authorities
  2. Audit coordination — SZTFH’s certified auditors may be required to address sectoral authority concerns during biennial audits
  3. Penalty harmonization — where multiple authorities could impose penalties for the same violation, SZTFH coordinates to avoid double jeopardy
  4. Information sharing — Act LXIX of 2024 Section 8 mandates that sectoral authorities share supervisory findings with SZTFH
  5. Incident coordination — for cross-sectoral incidents, SZTFH chairs the inter-authority incident coordination group

Which Entities Face Multi-Authority Oversight?

Multi-Sector Entities

Entities operating across multiple sectors in Hungary face the most complex compliance landscape. Common examples include:

| Entity Type | Authorities Involved | Compliance Complexity |
|---|---|---|
| Defense contractor with IT services | NBI + SZTFH + MNB (if financial) | High — classified system rules + NIS2 controls + financial regulation |
| Hospital with research lab | NKH + SZTFH + NAIH | High — patient data + medical devices + NIS2 controls |
| Energy company with financial operations | HEA + MNB + SZTFH | Medium — energy directives + banking + NIS2 baseline |
| Transport operator with digital infrastructure | ÉKM + SZTFH | Medium — transport safety + NIS2 baseline |
| University research institution | NKH (if health research) + SZTFH | Medium — academic + potential health classification |

The “Principal Activity” Declaration

Act LXIX of 2024 requires multi-sector entities to formally declare their “principal activity” (főtevékenység) when registering with SZTFH. This determines:

  • Which authority has primary supervisory jurisdiction
  • Where the entity’s mandatory cybersecurity audit is primarily directed
  • How supervisory fees are allocated between authorities

Critical: Declaring a principal activity does NOT exempt the entity from compliance obligations in other sectors. All sectoral obligations apply regardless of the principal activity designation. The entity must maintain correspondence with every relevant sectoral authority.

Entities in Classified Information Systems

For entities that operate classified information systems (regulated by Act XXV of 2009), NBI oversight creates an additional compliance layer:

  • Dual audit requirements — entities must satisfy both the NIS2 mandatory audit (SZTFH-certified auditors) and classified system security audits (NBI-accredited assessors)
  • Vendor restrictions — NBI may prohibit certain foreign vendors from accessing classified systems, which overrides open procurement policies
  • Personnel vetting — NBI security clearance requirements for classified system operators exceed standard NIS2 background check obligations
  • Incident classification — cybersecurity incidents affecting classified systems may be classified under national security law, restricting how they can be reported through standard NIS2 channels

Cross-Authority Compliance Requirements

NIST SP 800-53 Across Authorities

Hungary’s adoption of NIST SP 800-53 Rev. 5 (per MK Decree 7/2024) as the baseline risk management framework provides a common compliance language across all sectoral authorities:

| Security Tier | SZTFH Baseline | NBI (Defence) Additional | NKH (Health) Additional |
|---|---|---|---|
| High | Full NIST 800-53 Rev. 5 High baseline | Classified system controls overlay | Clinical safety impact requirements |
| Significant | Moderate baseline | Personnel security controls | Medical device cybersecurity standards |
| Basic | Low baseline | Access control enhancements | Patient data protection controls |

Practical impact: An entity classified as “High” under SZTFH that also operates classified systems will need to implement NIST High controls plus NBI-specific classified information controls — effectively two layered compliance programmes.

Incident Reporting in a Multi-Authority Context

Hungarian entities must navigate parallel reporting channels depending on their sectoral authorities:

| Reporting Stage | Primary Channel | Sectoral Authority Channel | Timeline |
|---|---|---|---|
| Early Warning | NKI (incident@nki.gov.hu) | Sectoral authority (if required by sectoral regulation) | 24 hours |
| Update Report | NKI portal | Sectoral authority portal or direct contact | 72 hours |
| Final Report | NKI platform | Sectoral authority archive | 30 days |

NBI-specific reporting: Incidents affecting classified information systems must be reported to NBI simultaneously with the NKI report. NBI may classify the incident, restricting what information can be shared through the standard NIS2 reporting channel.

NKH-specific reporting: Healthcare incidents with clinical safety implications must follow the NKH clinical impact assessment procedure in addition to the standard NIS2 timeline. NKH requires a clinical impact statement within 48 hours.
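The parallel reporting paths above can be turned into a per-incident deadline tracker for an incident response playbook. The sketch below is an added example, not part of the original guide or any authority's tooling; the class and function names are hypothetical, and it assumes every clock starts when the entity becomes aware of the incident and that "simultaneously" applies to each NKI stage.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Stage durations from the guide's reporting table. Assumption: each clock
# starts when the entity becomes aware of the incident.
STAGES = (
    ("Early Warning", timedelta(hours=24)),
    ("Update Report", timedelta(hours=72)),
    ("Final Report", timedelta(days=30)),
)
NKH_CLINICAL_STATEMENT = timedelta(hours=48)


@dataclass(frozen=True)
class Incident:
    aware_at: datetime                    # must be timezone-aware
    sectoral_authorities: tuple = ()      # authorities whose rules require a parallel report
    classified_system: bool = False       # touches a classified information system (NBI)
    clinical_safety_impact: bool = False  # clinical safety implications (NKH)


@dataclass(frozen=True)
class Obligation:
    recipient: str
    item: str
    due: datetime
    note: str = ""


def reporting_plan(incident):
    """Return every filing the incident triggers, earliest deadline first."""
    if incident.aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware")
    # De-duplicate; NBI is added separately below when a classified system is hit.
    parallel = [a for a in dict.fromkeys(incident.sectoral_authorities)
                if not (a == "NBI" and incident.classified_system)]
    # Clinical-safety incidents follow the dual path to NKI and NKH.
    if incident.clinical_safety_impact and "NKH" not in parallel:
        parallel.append("NKH")
    plan = []
    for stage, offset in STAGES:
        due = incident.aware_at + offset
        nki_note = ("NBI may classify the incident and restrict content"
                    if incident.classified_system else "")
        plan.append(Obligation("NKI", stage, due, nki_note))
        if incident.classified_system:
            # Interpretation: "simultaneously" is applied to every NKI stage.
            plan.append(Obligation("NBI", stage, due, "file together with NKI report"))
        for authority in parallel:
            plan.append(Obligation(authority, stage, due, "sectoral channel"))
    if incident.clinical_safety_impact:
        plan.append(Obligation("NKH", "Clinical impact statement",
                               incident.aware_at + NKH_CLINICAL_STATEMENT))
    return sorted(plan, key=lambda o: (o.due, o.recipient))


def overdue(plan, now, filed=frozenset()):
    """Obligations past their deadline whose (recipient, item) pair is not in `filed`."""
    return [o for o in plan if o.due < now and (o.recipient, o.item) not in filed]


# Constructed sample: a hospital incident with clinical safety implications.
AWARE = datetime(2026, 3, 2, 8, 0, tzinfo=timezone.utc)
HOSPITAL_PLAN = reporting_plan(Incident(AWARE, clinical_safety_impact=True))

if __name__ == "__main__":
    for o in HOSPITAL_PLAN:
        print(f"{o.due:%Y-%m-%d %H:%M} UTC  {o.recipient:<4} {o.item}  {o.note}")
```

Feeding `overdue()` the set of filings already made gives the on-call team the list of missed submissions per authority at any point in the incident.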

Audit Coordination Across Authorities

The mandatory biennial cybersecurity audit system introduced by Act LXIX of 2024 creates coordination challenges for multi-sector entities:

  1. Single audit, multiple audiences — SZTFH-certified auditors must address concerns from all relevant sectoral authorities in a single audit cycle
  2. Sectoral audit annexes — NBI and NKH may require supplementary audit evidence beyond the standard SZTFH audit template
  3. Timing alignment — entities should coordinate their audit schedule to align with all sectoral authority deadlines
  4. Remediation tracking — audit findings may need to be reported to multiple authorities with different remediation timelines
  5. Cost allocation — supervisory fees and audit costs may be apportioned across sectoral authorities

Supply Chain Security in a Multi-Authority Context

NIS2’s supply chain security requirements (Article 21(8)) become particularly complex when multiple authorities impose different vendor requirements:

  • NBI may restrict foreign vendors for classified systems — conflicting with open procurement in other sectors
  • NKH requires specific medical device cybersecurity certifications for vendors in the health supply chain
  • MNB imposes financial sector vendor risk management standards that exceed the NIS2 baseline
  • SZTFH requires that all third-party contracts include binding cybersecurity obligations per Act LXIX Section 12

Practical recommendation: Multi-sector entities should develop a unified vendor risk management framework that satisfies the most stringent authority’s requirements, then demonstrate compliance equivalency to other sectoral authorities.

Penalties and Cross-Authority Enforcement

Coordinated Penalty Assessment

Act LXIX of 2024 and Government Decree 418/2024 establish that joint enforcement actions may be initiated when:

  • An entity fails to comply with requirements from multiple sectoral authorities
  • A cross-sectoral incident reveals systemic governance failures
  • SZTFH and one or more sectoral authorities identify correlated violations

Key principle: Hungary applies a no-double-jeopardy rule — an entity cannot be fined twice for the same violation by different authorities. However, different violations identified by different authorities can each carry separate penalties.

| Enforcement Scenario | Penalty Approach |
|---|---|
| Single authority identifies violation | That authority imposes penalty per standard schedule |
| Multiple authorities identify same violation | SZTFH coordinates — single penalty, highest applicable amount |
| Multiple authorities identify different violations | Each authority may impose separate penalties |
| Cross-sectoral systemic failure | SZTFH chairs joint investigation — coordinated penalty package |

NBI-Specific Enforcement Powers

Beyond standard NIS2 penalties, NBI can exercise additional enforcement measures for entities handling classified information:

  • Security clearance revocation for personnel found to pose cybersecurity risks
  • System access restriction — prohibiting vendor or personnel access to classified systems
  • Operational freeze on classified processing pending security remediation
  • Referral to prosecutorial authorities where national security law violations are suspected

NKH-Specific Enforcement Measures

For health sector entities, NKH can impose:

  • Clinical operations restrictions — limiting or suspending clinical services where cybersecurity failures create patient safety risks
  • Mandatory medical device security audits — at the entity’s expense
  • Coordination with OGYEI for medical device-specific enforcement, including device withdrawal from market

Implementation Roadmap for Multi-Authority Compliance

Phase 1: Authority Mapping (January–March 2026)

  • Identify all applicable sectoral authorities — determine which authorities have competent jurisdiction over your entity
  • Map authority-specific requirements — create a compliance matrix showing SZTFH baseline + sectoral authority overlays
  • Register with all relevant authorities — ensure entity profile is current with SZTFH and each sectoral authority
  • Declare principal activity — formally designate your principal activity with SZTFH while maintaining correspondence with all sectoral authorities
  • Establish inter-authority communication channels — identify contact persons at each relevant authority

Phase 2: Unified Compliance Programme (April–June 2026)

  • Conduct unified gap analysis — assess compliance against the most stringent applicable standard across all authorities (see our NIS2 gap analysis guide)
  • Contract SZTFH-certified auditor — ensure auditor is briefed on multi-authority requirements and sectoral audit annexes
  • Prepare audit documentation — organize evidence to satisfy SZTFH baseline plus NBI/NKH sectoral requirements
  • Establish multi-channel incident reporting — set up procedures for simultaneous reporting to NKI and relevant sectoral authorities
  • Review supply chain contracts — ensure vendor agreements meet the most stringent sectoral requirements
  • Complete first mandatory cybersecurity audit by June 30, 2026

Phase 3: Ongoing Multi-Authority Compliance (Post-June 2026)

  • Address audit findings across all authorities — prioritize remediation based on severity and authority requirements
  • Maintain biennial audit cycle — coordinate audit timing with all sectoral authority deadlines
  • Monitor regulatory updates from SZTFH, NBI, NKH, and other relevant authorities
  • Participate in cross-authority information sharing as authorized under Act LXIX Section 8
  • Review cyber insurance for multi-authority liability exposure — see our insurance buying guide
  • Prepare for expert supervision — SZTFH and sectoral authorities may conduct on-site inspections
  • See our NIS2 audit preparation guide for detailed documentation strategies

Cyber Insurance Implications for Multi-Authority Compliance

Why Multi-Authority Entities Need Enhanced Cyber Insurance

Entities operating under Hungary’s multi-authority NIS2 regime face compounded liability exposure:

  • Multiple authority penalties — different violations can result in separate fines from SZTFH and sectoral authorities, potentially exceeding the NIS2 maximum threshold in aggregate
  • NBI enforcement overlay — classified system violations can trigger both NIS2 penalties and national security law penalties simultaneously
  • NKH operational impacts — clinical operations restrictions can cause business interruption losses not typically covered by standard policies
  • Joint investigation costs — defending against coordinated multi-authority investigations requires specialized legal counsel
  • Double supervisory fees — entities may owe fees to SZTFH and one or more sectoral authorities
  • Contractor liability — supply chain failures may create liability to sectoral authorities even when the failure originates with a third party

What Underwriters Should Ask About Multi-Authority Entities

Cyber insurance underwriters assessing Hungarian multi-sector entities should ask:

  1. How many sectoral authorities have competent jurisdiction over the entity?
  2. Has the entity declared a principal activity and what are the implications for other sectors?
  3. Does the entity operate classified information systems subject to NBI oversight?
  4. Does the entity operate in the health sector subject to NKH coordination?
  5. What is the entity’s system security classification under MK Decree 7/2024 — and does it differ across authorities?
  6. Has the entity established multi-channel incident reporting procedures that satisfy NKI and all sectoral authorities?
  7. What vendor restrictions apply from NBI, NKH, or other sectoral authorities?
  8. Has the entity experienced cross-authority enforcement or joint investigations previously?
  9. What is the entity’s approach to unified vendor risk management across authority boundaries?
  10. Are supervisory fees allocated across multiple authorities — and what is the total fee burden?

Coverage Considerations

For Hungarian multi-authority entities, ensure the policy covers:

  • Regulatory investigation costs for multi-authority enforcement actions and joint investigations
  • Penalty coverage for fines from multiple authorities (aggregate exposure)
  • Business interruption from sectoral authority operational restrictions (especially NKH clinical operations)
  • NBI-specific costs — security clearance revocations, classified system remediation, restricted vendor replacement
  • Joint defense costs — legal counsel experienced in multi-authority cybersecurity enforcement
  • Audit costs for SZTFH-mandated audits plus sectoral authority supplementary audits
  • Management liability — D&O coverage for personal fines under both NIS2 and sectoral-specific provisions
  • Supply chain losses from vendor incidents or NBI-imposed vendor restrictions
  • Supervisory fee disputes — legal costs for challenging fee assessments from multiple authorities

Use our cyber insurance buying guide to compare coverage options and our NIS2 compliance checker to assess your current compliance status.

Key Takeaways

  1. Hungary operates a multi-authority NIS2 enforcement model — SZTFH is the primary regulator, but NBI, NKH, MNB, and other sectoral authorities hold independent supervisory powers
  2. NBI (National Security Authority) oversees defence and classified information system entities, adding security clearance requirements and vendor restrictions on top of NIS2 baselines
  3. NKH (National Public Health Center) coordinates NIS2 compliance for the health sector, with clinical impact assessment requirements and medical device cybersecurity overlay
  4. Multi-sector entities must declare a principal activity but remain accountable to ALL relevant sectoral authorities — the declaration does not reduce compliance obligations
  5. Incident reporting may follow parallel channels — entities must report to NKI as the central CSIRT AND to sectoral authorities where required
  6. The no-double-jeopardy rule prevents duplicate fines for the same violation, but different violations by different authorities can each carry separate penalties
  7. NIST SP 800-53 provides a common compliance language across authorities, but each authority may layer additional sector-specific controls on the baseline
  8. Cyber insurance must address compounded liability — multi-authority entities face aggregate penalty exposure, joint investigation costs, and sector-specific operational restrictions

This guide complements our primary Hungary NIS2 guide covering SZTFH and NKI. For more NIS2 compliance resources, explore our NIS2 compliance checklist, penalties guide, and technical measures requirements. Compare your country’s approach with our essential vs important entity classification guide.
