NIS2 Romania: NIS2 Directive, national implementation and compliance requirements

The NIS2 Directive (EU) 2022/2555 strengthens cybersecurity requirements across the European Union and significantly expands the scope and obligations for organisations operating in critical and important sectors.
Compared to the former NIS1 Directive, NIS2 introduces stricter risk management measures, mandatory incident reporting and stronger supervisory powers.

In Romania, the NIS2 Directive has been transposed into national law through Emergency Ordinance No. 155/2024, establishing the legal framework for the cybersecurity of networks and information systems in the national civilian cyberspace.
This legislation defines which organisations fall within scope, which cybersecurity measures are required and how supervision and enforcement are organised.

Wondering whether your organisation is subject to NIS2 in Romania and what concrete steps you need to take?
On this page, we explain the Romanian NIS2 legal framework, the role of the competent authorities, the key compliance obligations and how organisations can prepare in a structured and proportionate way.

Scope of NIS2 Romania

The Romanian cyber security law applies to both legal entities and natural persons (collectively referred to as entities) that are registered in Romania and provide products and/or services in one or more EU Member States.
In terms of scope, the Romanian cyber security law closely follows the rules laid down in the NIS2 Directive.

The legislation explicitly defines which public and private entities are subject to cybersecurity obligations.
For this purpose, a distinction is made between essential entities and important entities.
When determining the classification of an entity, factors such as the services provided, the size of the entity and the place of establishment are taken into account.

The scope of NIS2 in Romania therefore depends on a cumulative assessment of sector, size and establishment.
In general, your organisation falls within the scope of the Romanian cyber security law if all of the following conditions are met:

  • Your organisation provides services within a sector listed in Annex I or Annex II of the Romanian cyber security law;
  • Your organisation exceeds the thresholds for medium-sized enterprises; and
  • Your organisation is established in Romania (with specific exceptions for certain electronic communications providers).

Criterion 1: Services provided

Annex I and Annex II of the Romanian cyber security law describe the sectors that fall within its scope.
It is therefore essential to carefully analyse the services your organisation provides to third parties, including the relevant (sub)sector.

Annex I: Very critical sectors
Annex II: Other critical sectors

If your organisation provides one or more services listed above, it may fall within the scope of the Romanian cyber security law.

Criterion 2: Company size

In addition to the services provided, the size of the entity is a key factor in determining whether NIS2 obligations apply.

As a general rule, medium-sized and large enterprises must comply with the obligations under the Romanian cyber security law.

Regardless of size, the law also applies to the following entities:

  • Providers of public electronic communication networks or services
  • Central government bodies
  • Providers of trust services
  • Managers of domain name registries
  • DNS service providers

Furthermore, entities may fall within scope irrespective of their size if their activities are considered crucial to society or the economy, for example when:

  • They provide services essential for critical social or economic functions that cannot be substituted
  • A disruption of their services would significantly affect public order, security or public health
  • An incident could generate systemic risks with cross-border implications
  • They are of strategic or vital importance at national or regional level due to dependencies in other sectors

Criterion 3: Establishment in Romania

In principle, the Romanian cyber security law applies to entities established in Romania.
By way of exception, the following entities are also subject to the law:

  • Providers of public electronic communication networks or services offering services in Romania;
  • DNS service providers, top-level domain registries, domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers and managed security service providers, as well as providers of online marketplaces, online search engines or social networking platforms, where their headquarters or EU legal representative is located in Romania;
  • Public bodies established by Romania.

Both essential entities and important entities are subject to NIS2 obligations.
However, the level of supervision and enforcement may differ depending on the classification of the entity.

Finally, when assessing the scope of the Romanian cyber security law, it should be noted that organisations not directly qualifying as NIS2 entities may still be affected.
This may occur where the national authority designates an organisation as an essential or important entity, or where the organisation forms part of the supply chain of an in-scope NIS2 entity.

Not sure how these criteria apply in practice?
A structured scope assessment can help confirm whether your organisation is in scope and translate legal criteria into clear next steps.

NIS2 obligations for organisations in Romania

1. Registration with the national authority

The National Cyber Security Directorate (DNSC) maintains a register of essential and important entities. If your organisation falls within the scope of the Romanian cyber security law, you must register with DNSC within:

  • 30 days after the cyber security law enters into force; or
  • 30 days after meeting the conditions of an essential or important entity pursuant to Article 5 and Article 6 of the Romanian cyber security law.

Registration must be completed by submitting the official registration form to DNSC. The following information must be provided:

  • Name of the entity
  • Address of the main registered office, e-mail address, telephone number and other contact details
  • Addresses of other registered offices in the EU, if applicable
  • Contact details of the communications officer
  • Contact details of the representative, if the entity is not located in the EU
  • Sector and subsector
  • List of Member States where the entity provides services
  • IP address range
  • Evidence that the conditions for categorisation as an essential or important entity have been met

Any changes to this information must be reported without delay and no later than two weeks after the change.

In addition, essential and important entities must perform an annual self-assessment to determine the maturity of their cybersecurity risk management measures. This self-assessment must be submitted to DNSC. Essential entities must also prepare a remediation plan within 30 days after completing the self-assessment, describing how identified gaps will be addressed, and submit this plan to DNSC.

2. Cybersecurity risk management measures

If your organisation qualifies as an essential or important entity, you are responsible for implementing appropriate technical and organisational measures to manage cybersecurity risks and protect your network and information systems.

These cybersecurity risk management measures must cover at least the following areas:

  • Policies and procedures for risk analysis and information system security, including periodic evaluation
  • Policies and procedures to assess the effectiveness of cybersecurity risk management measures
  • Policies and procedures governing the use of cryptography and, where appropriate, encryption
  • Supply chain security
  • Security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure
  • Security aspects relating to personnel, access control and asset management
  • Incident management
  • Business continuity, crisis management and, where necessary, secure backup systems
  • Cyber hygiene practices and cybersecurity training
  • The use of multi-factor or continuous authentication solutions, and secure internal emergency communications where applicable

For specific categories of digital and trust service providers, the European Commission has further specified minimum cybersecurity measures in Implementing Regulation (EU) 2024/2690. These provisions apply, among others, to DNS service providers, cloud computing providers, data centre service providers, managed service providers and trust service providers.

3. Reporting significant incidents

Essential and important entities are required to notify the Romanian CSIRT when a significant incident occurs. Where the incident affects service delivery within the Annex I or Annex II sectors, affected service recipients must also be informed.

Under the Romanian cyber security law, an incident is considered significant if it:

  • has caused or may cause serious operational disruption or financial loss for the entity; or
  • has affected or may affect other natural or legal persons by causing significant material or immaterial damage.

Significant incidents must be reported via the PNRISC platform in accordance with the following timeline:

  1. Within 24 hours of becoming aware of the incident: submission of an early warning, including probable cause and potential cross-border impact;
  2. Within 72 hours: submission of an incident notification with updated information and an initial assessment;
  3. At the request of CSIRT: submission of an interim report;
  4. No later than one month after the incident notification: submission of a final report, including:
    1. A detailed description of the incident and its impact;
    2. The likely threat or root cause;
    3. Mitigation measures applied or ongoing;
    4. Any cross-border impact.
  5. If the incident is ongoing after one month: submission of a progress report, followed by a final report within one month after resolution.

For certain digital and trust service providers, the criteria for determining whether an incident is significant are further specified in Implementing Regulation (EU) 2024/2690. Where applicable, these EU rules prevail over national provisions.

Entities that do not fall within the scope of the Romanian cyber security law may also voluntarily report significant incidents, cyber threats or near-misses via the same platform.

4. Responsibilities of management

The governing bodies of essential and important entities are ultimately responsible for compliance with the Romanian cyber security law. Their obligations include, among others:

  • Approving cybersecurity risk management measures
  • Ensuring that management follows appropriate training to acquire sufficient knowledge and skills to identify risks and assess the effectiveness of measures
  • Ensuring continuous cybersecurity training for employees

Members of governing bodies may be held personally liable in cases of non-compliance with the Romanian cyber security law.

5. Cooperation with authorities

Essential and important entities are expected to cooperate with national authorities. This includes sharing relevant information on network and information system security, complying with supervisory activities, reporting incidents and cooperating with inspections and investigations.

Would you like to translate these legal obligations into a practical compliance roadmap? A structured readiness or gap assessment can help prioritise actions and demonstrate compliance in a proportionate way.

How can I demonstrate compliance with the NIS2 legislation in Romania?

The Romanian cyber security law requires essential and important entities to be able to demonstrate compliance with the applicable cyber security obligations. As part of the supervisory and compliance verification framework, entities may be subject to periodic cyber security audits. During such audits, policies, procedures and security measures within the IT and network environment are evaluated in a structured manner.

In addition to periodic audits, ad hoc audits may also be carried out, for example following a significant incident or where there are concrete indications that an entity is not complying with the Romanian cyber security law.

Cyber security audits are conducted by an accredited conformity assessment body (CAB). Based on this independent compliance assessment, an entity may obtain a certificate or audit report that serves as supporting evidence of compliance with the Romanian cyber security law towards stakeholders and supervisory authorities. Such certification does not replace supervisory oversight and does not constitute a formal NIS2 certification.

Although the Romanian cyber security law does not prescribe a specific framework, several national and international standards and schemes are accepted to support NIS2 compliance. Two commonly used approaches are explained below.

How to demonstrate NIS2 compliance in Romania

Demonstrating compliance with the Romanian cyber security law is not a one-off exercise. It requires a structured and repeatable approach that enables organisations to show, at any moment, that appropriate cybersecurity measures are implemented and maintained.

  1. Confirm applicability and scope
    Determine whether your organisation qualifies as an essential or important entity and document the scope of your obligations.
  2. Implement cybersecurity risk management measures
    Establish and maintain technical and organisational measures aligned with NIS2 requirements.
  3. Document evidence
    Maintain policies, procedures and records demonstrating implementation, monitoring and periodic review.
  4. Undergo independent assessment
    Have cybersecurity measures assessed through audits or certification by an independent and competent body.
  5. Continuously improve
    Use audit outcomes, incidents and management reviews to improve cybersecurity maturity.

CyberFundamentals label

The Centre for Cybersecurity Belgium (CCB) has developed the CyberFundamentals Framework, which consists of concrete measures aimed at protecting data, reducing the risk of common cyber attacks and increasing cyber resilience.

Based on the severity of the threats an organisation is exposed to, the framework distinguishes between the starting level Small and three assurance levels: Basic, Important and Essential. For each level, the CyFun Framework defines a corresponding set of management measures.

According to ECSO, the CyberFundamentals framework is recognised by the Romanian authority as a framework that can be used to support compliance with the Romanian cyber security law. Its use is voluntary and does not constitute a legal obligation.

To obtain the CyFun label, the following steps are typically followed:

  1. Determine the applicable CyFun assurance level through a risk assessment, for example using the CyFun Selection Tool.
  2. Complete a self-assessment and implement corrective measures.
  3. Have the self-assessment and implemented measures verified or certified by a CAB.
  4. Apply for the CyFun label via the Safeonweb@work portal.

ISO/IEC 27001 certification

Another widely used approach to support NIS2 compliance is ISO/IEC 27001 certification. ISO/IEC 27001 is the internationally recognised standard for information security and specifies requirements for establishing, implementing, maintaining and continuously improving an Information Security Management System (ISMS).

ISO/IEC 27001 certification is not mandatory under NIS2, but is commonly used by organisations to structure cybersecurity measures and to demonstrate compliance in a consistent and auditable manner.

To achieve ISO/IEC 27001 certification, organisations typically follow these steps:

  1. Acquire knowledge of ISO/IEC 27001 requirements, for example through training.
  2. Implement the ISMS in accordance with the standard.
  3. Conduct internal audits.
  4. Have management review audit results and take corrective actions where necessary.
  5. Engage an accredited CAB to perform the external certification audit.


Enforcement and penalties

The competent authority (in practice, the DNSC) may conduct inspections to verify entities’ compliance with the requirements stipulated in the Romanian cyber security law. For this purpose, a distinction is made between essential and important entities:

  • Essential entities may be inspected both proactively (ex-ante) and reactively (ex-post) and may be required to undergo periodic compliance verification.
  • Important entities are in principle monitored primarily reactively, for example following an incident or where there are indications of non-compliance with the law.

The Romanian cyber security law provides for sanctions for entities that do not comply with the legal provisions. These sanctions vary depending on the nature and severity of the breach and are divided into administrative measures and administrative fines.

Possible administrative measures that may be imposed include:

  • Issuing warnings
  • Temporarily prohibiting the performance of managerial functions
  • Requiring the entity to take specific corrective measures
  • Other measures provided for under the Romanian cyber security law

Administrative fines are also laid down by law and can amount to:

  • Up to €10,000,000 or 2% of the essential entity’s total annual global turnover
  • Up to €7,000,000 or 1.4% of the important entity’s total annual global turnover

These administrative fines are imposed by the DNSC.

Not sure what level of enforcement exposure applies to your organisation? A structured compliance and evidence review can help you confirm your classification, identify gaps and prepare for supervisory inspections in a proportionate way.

NIS2 implementation timeline in Romania

Below is an overview of the key milestones related to the implementation of the NIS2 Directive and the Romanian cyber security law. These dates are relevant for organisations that may fall within scope and need to plan their compliance activities.

  • 17 October 2024: deadline for EU Member States to transpose the NIS2 Directive into national legislation
  • 30 December 2024: adoption of the Romanian cyber security law
  • 31 December 2024: Romanian cyber security law enters into force
  • 31 January 2025: deadline for in-scope entities to register with the DNSC
  • Within six months after registration: implementation of required cybersecurity risk management measures
  • Within one year after registration: external cyber security audit or compliance assessment, where applicable

Please note that specific deadlines may depend on the classification of the entity and the instructions of the competent authority. Organisations are therefore advised to assess their individual timeline carefully.

Unsure which of these milestones apply to your organisation? A structured readiness or planning assessment can help you translate this timeline into concrete and prioritised actions.

Competent authorities

The main competent authority responsible for the implementation of the NIS2 Directive in Romania is the National Cyber Security Directorate (DNSC) (Direcția Națională de Securitate Cibernetică).

The DNSC is formally designated as the central authority responsible for coordinating, supervising and enforcing the cybersecurity obligations laid down in the Romanian cyber security law. This includes oversight of essential and important entities, monitoring compliance and imposing enforcement measures where necessary.

In addition, the DNSC also performs the function of the national Cyber Security Incident Response Team (CSIRT). In this capacity, the DNSC is responsible for receiving and handling incident notifications, coordinating responses to significant cyber incidents and sharing relevant information at national and European level.

In practice, organisations may interact with the DNSC in several situations, including:

  • Registration as an essential or important entity
  • Submission of incident notifications and reports
  • Participation in inspections, audits or supervisory activities
  • Requests for information or corrective actions following supervisory findings

Unsure how to engage with the DNSC or what is expected during supervision? A structured compliance approach can help you prepare documentation, reporting processes and internal responsibilities in line with supervisory expectations.

Frequently asked questions about NIS2 Romania

Does NIS2 apply to my organisation in Romania?

NIS2 applies to organisations that qualify as essential or important entities under the Romanian cyber security law.
This depends on the sector in which the organisation operates, the services it provides, its size and whether it is established in Romania.
In certain cases, organisations may also be designated by the national authority or be affected through supply-chain relationships.

What is the difference between essential and important entities?

Essential entities are organisations whose disruption would have a significant impact on society, the economy or national security.
Important entities operate in relevant sectors but are generally subject to a less intensive supervisory regime.
Both categories must comply with NIS2 obligations, although supervision and enforcement may differ.

Which authority is responsible for NIS2 supervision in Romania?

The National Cyber Security Directorate (DNSC) is the main competent authority responsible for implementing and enforcing NIS2 in Romania.
The DNSC also performs the role of the national Cyber Security Incident Response Team (CSIRT).

Do organisations need to register under NIS2 in Romania?

Yes. Organisations that fall within the scope of the Romanian cyber security law must register with the DNSC.
Registration must take place within 30 days after the law enters into force or within 30 days after meeting the criteria of an essential or important entity.

What cybersecurity measures are required under NIS2?

Essential and important entities must implement appropriate technical and organisational measures to manage cybersecurity risks.
These measures include, among others, risk analysis, incident management, supply-chain security, business continuity, access control and cybersecurity training.

Are organisations required to report cyber incidents?

Yes. Essential and important entities must report significant incidents to the Romanian CSIRT via the PNRISC platform.
In certain cases, service recipients must also be informed if the incident affects service provision.

When is an incident considered significant?

An incident is considered significant if it causes or may cause serious operational disruption or financial loss, or if it affects other persons by causing significant material or immaterial damage.
Additional criteria apply to certain digital and trust service providers under Implementing Regulation (EU) 2024/2690.

Are organisations required to undergo audits?

As part of the supervisory and compliance verification framework, organisations may be subject to periodic or ad hoc cybersecurity audits.
These audits assess policies, procedures and security measures and may be triggered by incidents or indications of non-compliance.

Is there an official NIS2 certification?

No. NIS2 does not introduce a formal certification obligation.
However, independent audits or certifications, such as ISO/IEC 27001 or recognised frameworks like CyberFundamentals, can serve as supporting evidence of compliance.

What penalties apply in case of non-compliance?

Non-compliance with the Romanian cyber security law may result in administrative measures or administrative fines imposed by the DNSC.
Fines can reach up to €10,000,000 or 2% of global annual turnover for essential entities, and up to €7,000,000 or 1.4% for important entities.

When do organisations need to be compliant with NIS2?

The Romanian cyber security law entered into force on 31 December 2024.
In-scope entities must register by 31 January 2025 and implement cybersecurity risk management measures within defined timeframes following registration.