Hungarian fintech regulatory calendar 2026 · what MNB, NAV, and NAIH actually require this year

If your fintech operates in Hungary, three regulators matter: MNB (financial supervision), NAV (tax + e-invoice), NAIH (data protection). Each has a 2026 calendar worth blocking in Notion · miss a reporting window and the fine is material.

MNB · financial supervision

Quarterly liquidity reporting

Quarterly COREP + FINREP submissions for regulated entities. Deadline: last working day of the month after quarter close. Q1 2026 filings due April 30, 2026. Late filing: automatic supervisory fine, typically 200-500k HUF for SMB fintechs.

ICT risk reporting · new for 2026

The DORA (Digital Operational Resilience Act) transposition adds ICT risk reporting effective January 17, 2025. Annual report due end of Q1 each year · first full cycle was Q1 2025, Q1 2026 is the second. Covers incident classification, third-party ICT vendor inventory, resilience testing.

AML/CFT reporting

Monthly SAR (Suspicious Activity Report) filings if triggered. Annual AML risk assessment due end of March. AML inspections typically annual · expect a 2-3 day on-site review.

NAV · tax + e-invoice

Online Invoice 3.0

All B2B invoices > 100 HUF must be reported to NAV's Online Invoice (Online Számla) API in real-time, XML-schema v3.0 as of 2024. Schema v3.1 expected Q4 2026 · watch for breaking changes.

VAT OSS filings

Cross-border EU B2C: quarterly One-Stop Shop (OSS) filings, due 30 days after quarter close. Q1 2026: April 30, 2026.

Society tax + KIVA

KIVA (small business tax) opt-in reviewed annually. Default 9% corporate tax otherwise. 2026: no rate changes announced, but thresholds indexed to inflation · verify your ceiling in Q1.

NAIH · data protection

Data breach notification

72-hour breach notification (GDPR Art. 33). Hungarian NAIH has explicit forms · use them, not generic GDPR template. 2025 enforcement shifted · NAIH now actively audits fintech incident response, not just waits for reports.

DPIA obligations for AI

Any AI system processing personal data must have a DPIA per GDPR Art. 35. NAIH guidance (late 2024) makes explicit that LLM-powered support bots count. Update your DPIA every 12 months or on significant feature change.

Register of processing activities

Article 30 register must be up to date and producible to NAIH within 24 hours of request. The common audit finding: old vendors still listed, new vendors missing.

EU-level additions hitting HU fintechs in 2026

• EU AI Act · full application from August 2026 for general-purpose AI; high-risk AI system obligations kick in.
• MiCA · crypto-asset service providers need CASP authorisation; transitional period ended December 30, 2024.
• DORA · now in full force, with 2026 being the second full reporting cycle.
• Instant Payments Regulation · SEPA instant credit transfers required by October 9, 2025; 2026 sees SCT Inst monitoring.