The SZTFH Regulation on NIS2 Audit Fees Has Been Published: What Can We Expect?
Although months later than expected, the regulation by the SZTFH regarding the cybersecurity audit procedure and its maximum fees has finally been published. It precisely outlines the audit costs that affected organizations should anticipate. Annex 3 of the 1/2025 (I. 31.) SZTFH regulation provides a detailed description of how cybersecurity audit fees are calculated and the maximum costs companies undergoing a NIS2 audit may face.
Audit Fees — As Previously Expected
The fee depends on three factors: the organization's net revenue in the previous business year, the number of electronic information systems (EIRs) within the audit scope, and the security classification of those EIRs. The regulation assigns a multiplier to each factor, and the product of the three multipliers scales a base amount of HUF 1,750,000 to the organization's specific characteristics. Let's look at the details:
Calculation of the Maximum Cybersecurity Audit Fee According to the SZTFH Regulation
Multiplier Based on the Net Revenue of the Previous Business Year:

| Net Revenue of the Previous Business Year | Multiplier |
|---|---|
| Revenue ≤ HUF 1 billion | 0.9 |
| HUF 1 billion < Revenue ≤ HUF 5 billion | 1.1 |
| HUF 5 billion < Revenue ≤ HUF 10 billion | 1.9 |
| HUF 10 billion < Revenue ≤ HUF 15 billion | 2.5 |
| HUF 15 billion < Revenue ≤ HUF 25 billion | 2.75 |
| HUF 25 billion < Revenue ≤ HUF 40 billion | 3 |
| Revenue > HUF 40 billion | 4 |
Multiplier Based on the Number of EIRs:

| Number of EIRs | Multiplier |
|---|---|
| 1-5 | 1 |
| 6-15 | 2.5 |
| 16 or more | 4 |
Multiplier Based on EIR Security Classification:

| Security Classification | Multiplier |
|---|---|
| Only "BASIC" | 1 |
| At least one "SUBSTANTIAL" | 3 |
| At least one "HIGH" | 5 |
The maximum cybersecurity audit fee, excluding VAT, is obtained by multiplying the base amount of HUF 1,750,000 by all three multipliers above (revenue multiplier × EIR-count multiplier × classification multiplier). Note that the EIR-count and classification multipliers apply to the audited scope as a whole: a single "HIGH" system raises the classification multiplier to 5 for the entire audit, and the 16th EIR raises the count multiplier from 2.5 to 4.
Based on these criteria, even an average medium-sized company (revenue multiplier of 2.75, 1-5 EIRs, "BASIC" classification only) can expect the first NIS2 audit to cost up to HUF 1,750,000 × 2.75 × 1 × 1 = HUF 4,812,500 + VAT, i.e. nearly HUF 5 million. This explains why organizations try to enter the NIS2 audit with as few, clearly delimited EIRs as possible and, where the classification criteria allow it, with a lower security classification.
Not sure about the security classification of your company's EIR? Consult our advisors!
With no further obstacles to contracting auditors, companies can now begin selecting suitable auditors from the SZTFH registry and preparing quickly and efficiently to complete the first cybersecurity audits by the December 31, 2025, deadline.
Source: KSH (Hungarian Central Statistical Office)