NIS2 Romania: what you need to know about compliance and certification

The original NIS1 Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 was introduced to strengthen cybersecurity within the EU.
Due to the increasing threat of cyber attacks, this directive was replaced by the NIS2 Directive (EU) 2022/2555 of the European Parliament and the Council of 14 December 2022,
which imposes stricter requirements and has a broader scope to increase the resilience of critical infrastructures against cyber attacks.
The NIS2 Directive was transposed into Romanian law through Emergency Ordinance 155/2024 of 30 December 2024 establishing a framework for the cyber security of networks and information systems in national civilian cyberspace.
On this page, you will find everything you need to know about the impact of NIS2 on your organisation and how to prepare for the new regulations.
NIS2 Entities
The Romanian cyber security law is relevant to both legal entities and natural persons (collectively referred to as ‘entities’) registered in Romania that provide products and/or services in an EU country. The Romanian cyber security law adopts the rules on scope of application of the European NIS2 Directive. The cyber security law explicitly defines which public and private entities are subject to cyber security obligations. For this purpose, a distinction is made between essential entities and important entities. To categorise entities, the services offered, the size of the entity and the location of the entity are taken into account. Basically, your entity falls under Romania’s cyber security law when:
- Your organisation provides services within a sector listed in Annex I and Annex II of the Romanian cyber security law;
- Your organisation exceeds the thresholds for medium-sized enterprises; and
- Your organisation is established in Romania (except for providers of public electronic communication networks and providers of public electronic communication services, which are covered by the Romanian cyber security law if they provide services on Romanian territory).
Criterion 1: Services provided
Annex I and II of the Romanian cyber security law describe the sectors that fall within its scope. It is therefore very important to thoroughly analyse the services you deliver to third parties by (sub)sector.
Annex I: Very critical sectors
- Energy: electricity, district heating and cooling, oil, gas, hydrogen, beneficiaries of projects financed from non-repayable funds
- Transport: air, rail, water, road
- Banking
- Financial market infrastructures
- Healthcare
- Drinking water
- Waste water
- Digital infrastructure
- Management of ICT services (business-to-business)
- Government
- Space
Annex II: Other critical sectors
- Postal and courier services
- Waste management
- Manufacture, production and distribution of chemicals
- Manufacture, processing and distribution of food products
- Manufacture: medical devices and in vitro diagnostic medical devices; computer, electronic and optical products; electrical equipment; machinery and equipment n.e.c.; motor vehicles, trailers and semi-trailers; other transport equipment
- Digital providers
- Research
Criterion 2: Company size
In addition to the services provided, the size of the entity is also important in determining whether your organisation falls within the scope of the Romanian cyber security law. First determine whether your organisation is a small, medium or large enterprise. In principle, medium-sized and large enterprises must comply with the obligations under the cyber security law. In addition, the law also applies to the following specific providers, regardless of the size of the entity:
- Providers of public electronic communication networks or services
- Central government agencies
- Providers of trust services
- Managers of domain name registries
- DNS providers
- Other entities in an Annex I or II sector to which at least one of the following applies:
  - They provide services essential for critical social or economic functions that are not provided by other providers
  - A disruption of their services would have a significant impact on public order, security or public health
  - An incident at their premises could cause systemic risks with cross-border implications
  - They are of strategic or vital importance on a national or regional level, for example due to dependencies in other sectors
Criterion 3: Entity based in Romania
In principle, the Romanian cyber security law can only apply to entities with an establishment in Romania. However, exceptionally, the following entities are also subject to the Romanian cyber security law:
- Providers of public electronic communication networks or providers of public electronic communication services offering their services in Romania;
- DNS service providers, top-level domain name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, online search engines or platforms for social networking services, if they have their headquarters in Romania or their legal representative for the EU in Romania in case they do not have an establishment within the EU;
- Public bodies established by Romania.
What does this mean for my business?
1. Registration
DNSC maintains a list of essential and important entities. If your organisation falls within the scope of the Romanian cyber security law, you must register your organisation with DNSC within 30 days of the cyber security law coming into force or within 30 days of meeting the conditions of an essential or important entity according to Art. 5 and Art. 6 of the Romanian cyber security law, respectively. Registration can be done by filling in a form. The following information should be submitted by the entity to DNSC:
- Name of the entity
- Address of the main registered office, e-mail address, telephone number and other contact details
- Addresses of other registered offices in the EU, if applicable
- Contact details of the communications officer
- Contact details of the representative, if the entity is not located in the EU
- Sector and subsector
- List of Member States where the entity provides services
- IP address range
- Evidence that the conditions for categorisation as an essential or important entity have been met
Changes to the above information should be reported without delay and in any case within 2 weeks of the change.
Annually, essential and important entities should conduct a self-assessment to determine the maturity level of their cyber security risk management measures. This annual self-assessment is submitted by the entity to the DNSC. Essential entities must, within 30 days after completing the self-assessment, prepare a plan describing how the identified deviations will be corrected. This plan is also provided to the DNSC.
2. Management measures
If your organisation is categorised as an essential or important entity, this means that you are responsible for implementing appropriate technical and organisational measures to ensure the security of your network and information systems. These cyber security management measures cover at least:
- Policies and procedures regarding risk analysis and security of information systems and their periodic evaluation
- Policies and procedures to assess the effectiveness of cyber security risk management measures
- Policies and procedures regarding the use of cryptography and, where applicable, encryption
- Supply chain security
- Security in acquiring, developing and maintaining network and information systems, including vulnerability response and disclosure
- Security aspects relating to personnel, access management policies and asset management
- Incident management
- Business continuity and crisis management and, where necessary, the use of secure back-up systems
- Security aspects regarding cyber hygiene and cyber security training
- Use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications, and secure emergency communication systems within the entity, where applicable.
The European Commission has elaborated, in Implementing Regulation (EU) 2024/2690, the minimum cyber security measures for DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplace providers, online search engines and social networking service platforms, and trust service providers.
3. Reporting obligation of significant incidents
Important and essential entities are obliged to notify the Romanian CSIRT when a significant incident occurs. In addition, they must also notify the recipients of their services if the significant incident affects the provision of services concerning the Annex I and II (sub-)sectors.
According to the Romanian cyber security law, an incident is considered significant when it:
- has caused or may cause serious operational disruption of services or financial losses for the entity concerned; or
- has affected or may affect other natural or legal persons by causing significant material or immaterial damage.
The significant incident is reported by the essential or important entity through the PNRISC form according to the following procedure:
- immediately and within 24 hours of becoming aware of the significant incident, the entity submits an early warning, reporting the probable cause and any cross-border impact;
- immediately and within 72 hours of becoming aware of the significant incident, the entity communicates an incident notification that includes an information update and an initial assessment of the incident;
- at the request of the relevant CSIRT, the entity submits an interim report;
- no later than 1 month after the incident notification, the entity submits a final report indicating:
  - a detailed description of the incident, as well as its severity and consequences;
  - the type of threat or root cause likely to have led to the incident;
  - risk mitigation measures applied and ongoing;
  - the cross-border impact of the incident, if applicable;
- if the incident is still ongoing one month after the incident notification, the entity submits a progress report instead, and the final report is submitted within one month of the incident being resolved.
The European Commission has defined the criteria for a significant incident in Implementing Regulation (EU) 2024/2690 for DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplace providers, online search engines and social networking service platforms, and trust service providers. These special rules take precedence over national rules in case of inconsistencies.
Finally, all entities, regardless of whether they fall within the scope of the Romanian cyber security law, can voluntarily report (significant) incidents, cyber threats and near-incidents via the online form.
4. Obligations and responsibilities of management
The governing bodies of essential and important entities are responsible for complying with the cyber security law and must fulfil several obligations including:
- Approving cyber security management measures
- Following training to have sufficient knowledge and skills to identify risks and assess management measures and their impact on their services
- Continuous training of the entity’s employees on cyber security.
Governing bodies are liable in case of non-compliance with the Romanian cyber security law.
5. Cooperating with authorities
Essential and important entities should cooperate with the national authorities. This covers sharing information on network and information system security, incident reporting, cooperation with inspections, and so on.
How can I demonstrate that my company complies with the NIS2 legislation?
The Romanian cyber security law stipulates that essential and important entities must undergo periodic cyber security audits. During such audit, policies, procedures and security measures within the IT and network environment are evaluated in a structured manner. In addition, ad hoc audits can also be carried out, for example after a significant incident has occurred or when there are concrete indications that the entity is in breach of regulations.
The cyber security audit is conducted by an accredited conformity assessment body (CAB). Based on this independent compliance assessment, the entity can obtain a certificate demonstrating compliance with the cyber security law to stakeholders. Although the Romanian cyber security law does not mandate a specific framework, several national and international standards are accepted.
An important international standard that can be used for this purpose is ISO/IEC 27001. In addition, ECSO communicates that the Belgian framework CyberFundamentals is recognised by the Romanian authority. Both alternatives are explained below:
CyberFundamentals label
The Centre for Cybersecurity Belgium (CCB) has developed a framework consisting of concrete measures aimed at better protecting data, reducing the risk of the most common cyber attacks and increasing an organisation’s cyber resilience.
Based on the severity of the threat an organisation is exposed to, it distinguishes between the starting level Small and three assurance levels: Basic, Important and Essential. The CyFun framework contains a set of management measures for each level.
To obtain the CyFun label, the following steps should be taken by you:
- Determine the CyFun assurance level by conducting a risk assessment. For this, you can use the CyFun Selection Tool.
- Complete a Self Assessment and implement corrective measures.
- Have the Self Assessment and the implemented measures verified or certified by a CAB.
- Apply for the CyFun label via the Safeonweb@work portal.
ISO/IEC 27001 certification
Another option to demonstrate compliance with NIS2 is the ISO/IEC 27001 certificate. ISO/IEC 27001 is the globally recognised standard for information security and describes the requirements for establishing, implementing, maintaining and continuously improving an Information Security Management System (ISMS).
To achieve ISO 27001 certification, the following steps should be taken:
- Acquire the necessary knowledge about ISO/IEC 27001, through training, for example.
- Implement the ISO 27001 management system in accordance with the standard requirements in your organisation.
- Conduct internal audits.
- Have management review the results of the internal audit and take corrective action if necessary. Record the conclusion on compliance in the management review.
- Contact an accredited CAB to conduct an external audit.
Enforcement and penalties
The competent authority inspects entities’ compliance with the requirements stipulated in the cyber security law. For this purpose, a distinction is made between essential and important entities:
- Essential entities are inspected both proactively (ex-ante) and reactively (ex-post) and are required to have regular compliance assessments.
- Important entities are in principle only monitored reactively, following an incident or suspected non-compliance with the law.
The Romanian cyber security law provides for specific sanctions for entities that do not comply with the legal provisions. These sanctions vary according to the nature and severity of the breach and are divided into administrative measures and administrative fines.
Possible administrative measures that can be imposed include:
- Issuing warnings
- Temporarily prohibiting the performance of managerial functions
- Requiring the entity to take certain measures
- Other measures provided for by the law
Administrative fines that can be imposed are also laid down by law and can amount to:
- Up to €10,000,000 or 2% of the essential entity’s total annual global turnover
- Up to €7,000,000 or 1.4% of the important entity’s total annual global turnover
These administrative fines are imposed by the DNSC.
Timeline
- 17 October 2024: initial deadline for EU member states to transpose the NIS2 Directive into national legislation
- 30 December 2024: Romanian cyber security law is passed by parliament
- 31 December 2024: Romanian cyber security law enters into force
- 31 January 2025: entity must register with the DNSC
- Within 6 months after registration: implementation of risk management measures
- Within 1 year after registration: conduct external cyber security audit
Competent authorities
The main competent authority for implementing the NIS2 Directive in Romania is the National Cyber Security Directorate (DNSC), in Romanian Direcția Națională de Securitate Cibernetică. The DNSC is officially designated as the central body responsible for coordinating, supervising and enforcing cyber security measures stemming from Romania’s cyber security law. In addition, the DNSC also performs the function of the national Cyber Security Incident Response Team (CSIRT).