Q3 2026 was the quarter the calendar caught up with the consulting deck. SZEP card 2.0 went live in September. NAV Online Invoice v3 became mandatory in early Q3. The EU AI Act hit full effect on August 2. OWASP refreshed the LLM Top 10 to v2 mid-quarter. None of these were surprises · they have been on the calendar for at least eighteen months. The market reaction said otherwise.
This roundup goes in five parts: what is trending in AI / agentic, what we shipped this quarter, what the Hungarian-market reads like up close, what is broken industry-wide (the strong-opinion section), and what we are watching for Q4.
Trending in AI / agentic
OWASP LLM Top 10 v2 landed. Agentic risk got its own entry, supply chain expanded to model and dataset provenance, embedding security joined the list. Our default playbook moved with it · see the v2 walk-through we shipped this quarter.
MCP audit became a first-line ask in CISO conversations. The 'tool listing plus auth flow plus lateral-movement audit' triad is now the table-stakes question on RFPs.
Prompt caching matured further. Hit rates above 70% are the norm on production agents we ship; cost guardrails per user (not just per tenant) became a default control.
On-device LLM benchmarks for Hungarian content settled. Gemini Nano and Apple Intelligence Foundation lead at roughly 80-85% acceptable summarisation; locally fine-tuned Mistral 7B catches up on narrow domains.
Agentic SDK convergence held. The portable tool-plus-state-plus-memory shape we predicted in Q2 is now a consultancy talking point, not just a vendor claim.
OpenAI, Anthropic and Google all shipped capability scoping primitives natively. Less custom wrapping, more standard `permissions[]` shape on tool definitions.
What we shipped this quarter
Twelve client engagements, three production SZEP card 2.0 integrations on top of the sandbox work we did in Q2. The normalisation layer over OTP, MKB and K&H paid off · launch-day issues were minor, not catastrophic.
Two NAV Online Invoice v3 cutovers for Hungarian SaaS clients. Async reporter behind a queue, retry on transient errors, ops dashboard for persistent ones. No customer-facing outages.
Default LLM controls updated to match OWASP LLM Top 10 v2. Model SBOM step in the build pipeline, agent eval suite split out, system-prompt-leakage probe as a default eval.
Long-form posts: server vs. client components decision tree, our annotated CSP, BRIN vs. B-tree benchmarks on a 200M-row table, Stripe Tax + HU VAT playbook, OWASP LLM Top 10 v2 field guide.
Two cyber-side engagements moved from advisory to embedded · we now run the security review for every release on those products. The shape is sustainable; we will probably do two or three of these next year.
Studio infrastructure is still on the monorepo plus Bun plus Drizzle stack. Drizzle 1.x landed mid-quarter; the migration was a single afternoon, no rewrites.
Hungarian market pulse
SZEP card 2.0 launched in September. Vendors who started in Q2 sandbox shipped on time. Vendors who started in August did not. The split was visible at the issuer-side dashboards.
NAV Online Invoice v3 cutover went smoother than we expected. The v3 endpoint was stable; the failures clustered around vendors who had not implemented retry properly.
EU AI Act August 2 enforcement: most Hungarian SaaS vendors are below the high-risk threshold, but documentation requirements bit harder than the RFI process predicted. Risk-management plans, not just risk-assessment notes.
MNB instant payments 2.0 specification is final. Webshop integrations should start design now; QR and request-to-pay land in 2027 but the data-shape is set.
Engineering market: senior AI integration plus Hungarian language is still premium. Rates flat versus Q2 (which was already up 18-22% year-over-year). Demand is steady, supply did not catch up.
Consultancy consolidation continued. The Q2 trend held · last year's solo-AI-consultants are folding into delivery shops or finding a non-AI niche.
What is broken · strong-opinion section
The Q3 strong-opinion section writes itself · half the consulting tier was surprised by deadlines that were public eighteen months in advance. Three concrete things to call out.
EU AI Act August 2 came as a surprise to vendors who had been told 'you are not high-risk'. Even non-high-risk vendors have transparency, documentation, and incident-response obligations. We watched two clients scramble in late July when their security team finally read the law.
SZEP card 2.0 launch caught vendors who had skipped the Q2 sandbox window. The 'we will integrate when production is up' plan left them shipping in October instead of September · a real revenue gap during the autumn travel season.
OWASP LLM Top 10 v2 dropped, and the responses split sharply. Teams that had been treating v1 as a checklist breezed through. Teams that had been treating it as 'I read it once' had to re-do their threat models in flight.
NAV Online Invoice v3 retries were the single biggest outage class we saw in Hungarian fintech this quarter. Async reporter without retry budget is not async, it is silent failure plus an audit finding.
On the regulatory-vendor side, two Hungarian compliance-as-a-service vendors quietly stopped publishing SLAs. If your provider does not have a number on the response time, you do not have a provider, you have a phone number.
On the 'not broken' side: Hungarian webshop performance held the Q2 gains. CWV measurements stayed 12-15% above 2025 baseline through the quarter, which means the wins were structural (Speculation Rules, on-demand image optimisation, edge SSR) rather than benchmark-month theatre.
What we are watching for Q4
EU AI Act enforcement actions. The first concrete cases will define how aggressive supervisory authorities are willing to be. Hungarian SaaS vendors should follow the EDPB and the Hungarian NAIH closely.
Next.js 16 GA stability. Turbopack default, 'use cache' production rollout, React Compiler at scale. The migration cost is real; do not push it into 2027.
SZEP card 2.0 winter season. The autumn launch was the first half of the volume; the November-December peak is the real test.
Hungarian fintech cybersecurity audit framework finalisation. The MNB-NHH joint guideline draft is in consultation; the final text is expected before year-end.
Postgres 18 GA in Q4. Async I/O, the new TOAST framework, and asynchronous replication improvements. We will benchmark on the same 200M-row table we used for the BRIN post.
Drizzle 1.x ecosystem maturity. Full RLS support, migration tooling improvements, observability. We are still on Drizzle as default; this is the quarter Prisma's 'we caught up' message gets tested.
Q4 is the 'finish what we started' quarter. Anything you want live in early 2027 needs to be shipping in November. Anything regulatory needs to be in operations by mid-December · the holiday gap is the wrong place to find a bug.
Q3 in one sentence: the quarter the calendar arrived. The consulting tier got a clear signal · public deadlines are real deadlines. We are going to keep shipping the bill-shaped numbers next quarter, the same way.
