Written by János Szendi-Joó, CISM, Lead Consultant
Information Security in 2026: What Every Hungarian SME Needs to Know
Our article has been prepared in light of the cybersecurity landscape in Hungary in 2026 and the applicable regulatory framework (in particular the AI Act and NIS2), with a specific focus on the needs and capabilities of domestic small and medium-sized enterprises (SMEs).
Summary
In our view, for Hungarian SMEs, information security has evolved by 2026 from a purely technical issue into a core priority for business continuity and regulatory compliance.
The primary threat vectors are AI-driven phishing and ransomware, while the EU AI Act and the Hungarian implementation of the NIS2 Directive (Act LXXV of 2025) impose increasingly strict requirements, even as the regulatory environment continues to evolve.
In this context, the foundations of effective defence lie in adopting a Zero Trust approach and strengthening employee awareness.
It is also important to highlight that under NIS2 regulations, company executives may bear personal financial liability for failures in information security.
Overall, in 2026, security is no longer optional but a prerequisite for market survival for Hungarian SMEs. At the same time, compliance with the AI Act should be seen not only as a burden, but also as an opportunity to strengthen trust-based customer relationships.
Key Threats Facing Hungarian SMEs
Due to the industrialisation of cybercrime, domestic small businesses have become targets of automated attacks. Cybercriminals no longer search for victims manually; instead, they use AI-driven bots to scan Hungarian IP ranges. If a company lacks, for example, centralised log collection and expert monitoring, the average dwell time of an attack (the period during which an attacker remains undetected within the network before taking action) can be as long as 30–60 days. During this time, given modern data transfer speeds, an organisation’s entire data assets may be exfiltrated. The primary threats affecting SMEs in 2026 include:
- AI-driven Social Engineering: Attackers use generative AI to create highly convincing phishing emails in flawless Hungarian, as well as “deepfake”-based voice scams (e.g. fake executive instructions).
- Ransomware 2.0: The objective is no longer limited to encrypting data, but also includes data exfiltration and the threat of public disclosure (double extortion).
- Supply chain attacks: SMEs are targeted as the “weak link” providing access to larger partner organisations.
- Shadow AI: Employees use free AI tools (e.g. the free version of ChatGPT) without corporate oversight, potentially uploading sensitive company data, customer information or source code into public models.

Core Principles for Building a Security Framework
SMEs should not aim to build a “fortress”, but rather a resilient system, based on the following principles:
- Zero Trust (Never trust, always verify): No user, device, or application should be granted implicit trust, even within the internal network. Every access request must be individually authenticated.
- Defense in Depth: If one layer of defence (e.g. a firewall) is compromised, the next layer (e.g. endpoint protection) must be capable of stopping the attack.
- Risk-based protection: Not all assets require the same level of protection. Organisations must identify their “crown jewels” (such as customer data and intellectual property) and apply the highest level of protection to these, taking a cost–benefit approach. This requires conducting a Business Impact Analysis followed by a risk assessment.
- Asset Management: Maintaining an up-to-date inventory is fundamental. All existing and newly introduced assets must be fully documented within the system.
- Privacy by Design: Data protection considerations must be embedded from the outset when introducing any new process or software, ensuring alignment with both GDPR and the AI Act.
- Employee awareness: One of the most cost-effective and, according to experts, most impactful security measures is raising and maintaining employee awareness through structured, continuous programmes.

Key Measures and Recommended Toolset
The following overview is not exhaustive, but focuses on the most critical day-to-day operational measures.
Technical measures
- Multi-factor authentication (MFA): Mandatory for all cloud services (Microsoft 365, Google Workspace, ERP systems).
- Endpoint protection (EDR/XDR): Replace traditional antivirus solutions with systems that use behavioural analysis.
- Regular backups (3-2-1 rule): Maintain 3 copies of data, on 2 different media, with 1 stored in a physically separate location (offline or cloud).
- Patch management: Ensure immediate updates of software (Windows, browsers, etc.).
Access Management and Password Practices
Human access remains one of the weakest points in information security. By 2026, static passwords alone no longer provide adequate protection, making it essential to rethink existing policies.
Access Management Principles
- Least Privilege: Each employee should only have access to the data and systems strictly necessary for their role.
- Role-Based Access Control (RBAC): Permissions should be assigned to roles (e.g. “Finance”, “Marketing”) rather than individuals. This helps prevent “permission creep” (where long-standing employees accumulate unnecessary access rights) and simplifies offboarding.
- Just-In-Time (JIT) access: Elevated (admin-level) privileges should only be granted temporarily for specific tasks and automatically revoked afterwards.
Password management guidelines in 2026
- Length over complexity: Instead of passwords like “P@ssw0rd123”, use passphrases consisting of 4–5 random words (e.g. blue-table-winter-cloud-26!).
- Using a password manager: Implement and mandate the use of a corporate password manager (e.g. Bitwarden, KeePassXC), allowing employees to remember only one master password while all others can be 20+ character unique strings.
- MFA (Multi-Factor Authentication): Wherever possible, use biometric authentication (fingerprint, Face ID), authenticator apps, or hardware tokens instead of SMS-based codes, as the latter are more vulnerable to compromise.
Logging and Analysis (Log Management)
By 2026, information security extends beyond protecting servers. With the introduction of the AI Act, organisations are also responsible for how the algorithms they use process data. Logging and operating a SOC (Security Operations Centre), or outsourcing such services, is no longer a “luxury”, but a core element of responsible corporate governance. It helps protect both the organisation and its executives from significant penalties resulting from security failures. Logging is therefore not merely “storage overhead”, but the foundation for incident detection and legal evidence.
What Should Be Logged?
- Successful and failed login attempts: Especially those occurring outside working hours or from unusual locations.
- Data access events: Who accessed, modified or deleted critical files.
- System events: Privileged (admin) actions, software installations, firewall rule changes.
Levels of Log Analysis
- Reactive: Logs are only reviewed after an incident has occurred (common among SMEs, but high risk).
- Proactive (SIEM): An automated Security Information and Event Management (SIEM) system collects and analyses logs in real time and triggers alerts—for example, if 50 failed login attempts occur from the same IP address within one minute.
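As an added illustration (not part of the original article) of the proactive SIEM rule above and of the off-hours login events listed under "What Should Be Logged?", the following Python sketch runs both detections over constructed log lines. The log format, the field names and the 08:00–18:00 working window are assumptions made for the example.

```python
"""Toy SIEM-style detections over constructed authentication log lines.
Assumed log format: "<ISO timestamp> <OK|FAIL> user=<name> ip=<address>"."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: 50 failures from one IP within a minute, one normal
# login during working hours, and one successful login late at night.
SAMPLE_LOG = [f"2026-03-02T10:15:{i:02d} FAIL user=admin ip=203.0.113.7" for i in range(50)] + [
    "2026-03-02T10:16:30 OK user=anna ip=198.51.100.4",
    "2026-03-02T23:41:05 OK user=peter ip=198.51.100.9",  # 23:41 is outside 08:00-18:00
]


def parse(line):
    """Split one log line into (timestamp, result, user, ip)."""
    ts, result, user, ip = line.split()
    return datetime.fromisoformat(ts), result, user.split("=", 1)[1], ip.split("=", 1)[1]


def detect(lines, threshold=50, window_s=60, work_hours=(8, 18)):
    """Return alerts: brute-force bursts per IP and successful off-hours logins."""
    alerts = []
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    fired = set()                # IPs already reported, so one burst yields one alert
    for line in lines:
        ts, result, user, ip = parse(line)
        if result == "FAIL":
            q = recent[ip]
            q.append(ts)
            # Drop failures older than the sliding window (log is assumed time-ordered).
            while (ts - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold and ip not in fired:
                fired.add(ip)
                alerts.append(("brute_force", ip, f"{len(q)} failed logins within {window_s}s"))
        elif result == "OK" and not (work_hours[0] <= ts.hour < work_hours[1]):
            alerts.append(("off_hours_login", user, ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In a real deployment the same two rules would be expressed in the SIEM's own query language and tuned to the organisation's actual working hours and IP ranges.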

External SOC (Security Operations Centre)
SMEs can rarely afford to maintain an in-house, multi-person security analyst team operating 24/7. A practical solution is to utilise an external SOC service provided by an MSSP (Managed Security Service Provider).
Benefits of an External SOC
- Continuity: 24/7 monitoring, including weekends and public holidays.
- Expertise: Systems are monitored by senior security analysts whom an SME would not typically be able to employ full-time.
- Rapid response: Automated systems can immediately block suspicious activities (e.g. the spread of ransomware within the network).
- Compliance: Supports NIS2 and other regulatory audits by providing the necessary evidence and documentation.
Estimated Costs (Hungarian Market)
Costs are typically based on the number of endpoints (computers/servers) or users. The figures below are indicative only.
| Company size | Service level | Estimated net monthly cost |
|---|---|---|
| Micro enterprise (5–15 employees) | Basic endpoint monitoring (MDR) | HUF 50,000 – 150,000 |
| Small enterprise (15–50 employees) | EDR + SOC monitoring | HUF 150,000 – 450,000 |
| Medium enterprise (50–250 employees) | Full SIEM/SOC + Incident Response | From HUF 500,000 to several million |
Organisational measures
- Security Awareness Training: Regular (e.g. quarterly) training sessions for employees on the latest fraud techniques. This should ideally include periodic internal phishing simulations.
- Incident Response and Business Continuity Planning: Clearly defined, documented, and tested procedures answering the question: “Who does what when an incident occurs?”
Toolset
To support the activities outlined above, the following examples (non-exhaustive) illustrate commonly used solutions:
| Tool | Type | Technical requirements | Cost | When to use |
|---|---|---|---|---|
| Microsoft Defender for Business | EDR | Low (cloud-based) | ~HUF 1,100–1,400 per user/month (included in Business Premium) | If you already have a Microsoft 365 subscription |
| OpenVAS | Network scanner | High (Linux, manual configuration) | Free (paid options available) | If managed by a dedicated IT specialist |
| Nessus Essentials | Network scanner | Medium | Free (up to 16 IP addresses) | If scanning a smaller number of devices regularly |
| Wazuh | SIEM+XDR | High (Linux, manual configuration) | Free (cloud-based version also available) | If log management and continuous monitoring are required |
| OpenCVE | CVE monitoring | Low | Free / subscription-based | If only vulnerability alerts are needed |
| Category | Recommended Solution Type |
|---|---|
| Identity management | Password Manager (e.g. Bitwarden, 1Password) |
| Network | Next-Generation Firewall (NGFW) + VPN |
| Data protection | Cloud-based encrypted backup (e.g. Veeam, Azure Backup) |
| AI Control | Enterprise AI subscription with data protection guarantees |
Artificial Intelligence: Risks and the AI Act
Risks of AI Usage
For SMEs, one of the most significant risks is data leakage. If an employee copies a legal contract or financial report into a public chatbot, the data may potentially be used for model training and could become indirectly accessible to third parties.
Impact of the EU AI Act (as of 2026)
The AI Act introduces a risk-based regulatory framework. Most Hungarian SMEs will fall under the role of “deployer”, with key compliance deadlines expected by August 2026 (e.g. in cases such as customer service chatbots or the use of generative AI for images and text).
- Risk classification: Organisations must assess which category their AI systems fall into (Prohibited, High-risk, Limited-risk, Minimal-risk).
- Transparency obligation: If a company uses an AI chatbot in customer service, users must be clearly informed that they are interacting with a machine. AI-generated content (images/text) must also be appropriately labelled.
- AI Literacy: The regulation requires organisations to ensure that employees are adequately trained in the safe and responsible use of AI tools.
- Penalties: Non-compliance may result in significant fines (up to 7% of global annual turnover or €35 million). However, authorities (in Hungary, the Ministry for National Economy and the National Authority for Data Protection and Freedom of Information – NAIH) are expected to take company size and good faith into account in the case of SMEs.
Practical Recommendations for SMEs
- Create an AI inventory: Identify which AI tools employees are using.
- Establish an AI usage policy: Define what data can and cannot be uploaded.
- Prefer enterprise-grade solutions: Use paid, business versions of AI tools that provide clear data protection guarantees, rather than free public alternatives.
Don’t wait for attackers to make the first move. Get in touch with us, and let’s build a security framework that provides long-term protection for your organisation. Let’s take action against cyber threats together.
