Cybersecurity Audit – Deadlines
The cybersecurity audit mandated by the Cybersecurity Act (Act LXIX of 2024 on Hungary’s Cybersecurity) may only be conducted by auditors listed in the register maintained on the website of the Supervisory Authority of Regulated Activities (SZTFH). For organizations subject to NIS2 that registered in 2024, the audit deadline is 31 December 2025. Organizations that registered in 2025 have two years to complete their first cybersecurity audit. Under the now-repealed Cybersecurity Certification Act, all NIS2-covered organizations were required to contract a cybersecurity auditor by 31 December 2024. However, since the regulation defining the audit methodology and the fee cap had not been published by then, SZTFH issued the following statement:
However, due to the absence of the SZTFH regulation, the affected companies will not be disadvantaged for missing the […] deadline through no fault of their own, and the authority will not impose any sanctions in such cases.
Under the new Cybersecurity Act, organizations registered after January 2025 have 120 days from the issuance of their registration decision to sign a contract, whereas entities registered under the previous Cybersecurity Certification Act are not subject to a contracting deadline.
Cybersecurity audit methodology
On 3 February 2025, SZTFH issued regulation No. 1/2025, detailing the procedure for conducting cybersecurity audits and setting the maximum audit fee.
The cybersecurity audit covers:
- the risk management framework,
- classification of electronic information systems (EIS) into security categories,
- verification of the security controls implemented.
The audit may involve document review, interviews, testing and security assessments, including internal IT security assessments, remote vulnerability testing, penetration testing, cryptographic compliance checks and security source code reviews under Section 22 (1) of the Cybersecurity Act. Not every system has to be examined: at least 40% of the EISs in the low security class, 60% of those in the moderate security class and 70% of those in the high security class must be audited.
The regulation specifies which security controls apply at the organizational level and which at the EIS level. It also identifies assurance and supporting controls, and establishes that certain security controls cannot be excluded (e.g. the appointment of a person responsible for electronic information system security).
Cybersecurity Audit: Pass or Fail
If the auditor determines that an entity has classified an EIS in an inappropriate security category, they must recommend a new classification according to MK decree No. 7/2024. The audit itself, however, is still conducted against the security category the organization assigned.
Under the audit methodology, each protective measure (security control) constitutes a requirement group, which consists of fundamental requirements. Each fundamental requirement is rated in one of three categories: not applicable (NA), not compliant (NC) or compliant (C). A requirement group is considered met if every fundamental requirement in it is rated either compliant or not applicable; a single NC rating makes the whole group non-compliant.
Where a requirement group is non-compliant, the auditor must rate the severity of the gap. The rating depends on the number of non-compliant fundamental requirements and on the attacker's position: the opportunities available to an attacker, the system knowledge, level of access and specialist expertise required, and the time constraints on the attack. Based on these aspects, the deviation is rated as negligible, minor, significant or critical. A gap may be rated critical if the non-compliance significantly increases the likelihood of, for example, a breach of the confidentiality of personal data, personal injury or damage to national data assets.
Result of the cybersecurity audit
During the cybersecurity audit, two compliance indices are calculated: the Cybersecurity Compliance Index (VMI), calculated for each EIS, and the Organizational Resilience Index (SZEKI), calculated at organization level. For the calculation of VMI, a numerical value is assigned to each requirement group according to its rating: 0 for compliance, 1 for a negligible deviation, 4 for a minor deviation, 10 for a significant deviation and 1000 for a critical deviation. The following formula is applied to determine the VMI:
If a system's VMI is below 70, that EIS receives a non-compliant rating. However, the audit result is determined not by VMI but by SZEKI, which is the average of the VMI values of the examined EISs. A non-compliant EIS therefore does not necessarily result in a non-compliant audit outcome. The converse also holds: because SZEKI is an average, one EIS with a very low VMI drags down the organization-level result even if every other EIS passes. The following formula is applied to determine SZEKI:
Preparing for the Cybersecurity Audit
Preparing for a cybersecurity audit is not an easy task, and it is advisable to seek the assistance of external experts. SZTFH regulation No. 1/2025 introduces a strict and detailed audit methodology, so thorough preparation is essential for a successful outcome. The experts at RSM are ready to prepare your organization to meet the cybersecurity requirements; entrust them with the preparation so you can face the audit with confidence.