NIS 2 Directive in Romania: Corporate Cybersecurity

  • Cristina Tudor
  • Sep 9, 2025

Updated: Oct 6, 2025


Introduction: NIS 2 Directive in Romania


At the end of 2024, Romania transposed the NIS 2 Directive (Directive (EU) 2022/2555) into national law through Government Emergency Ordinance No. 155/2024 (GEO 155/2024).


This legal framework introduces a harmonized approach to cybersecurity of networks and information systems within Romania’s civil cyberspace. It enforces strict obligations on businesses regarding cyber risk management, incident reporting, cybersecurity governance, and executive accountability.


Furthermore, Order No. 1/2025, issued on 20 August 2025 in the Official Gazette, set forth the procedure for registration with the DNSC (National Cybersecurity Authority), an essential compliance requirement for companies.


Who Must Comply with GEO 155/2024?


Under Romania’s new cybersecurity law, entities are divided into two categories:


Essential Entities

Critical sector organizations, including:

  • energy, transport, and banking,

  • financial market infrastructures,

  • healthcare, drinking water, wastewater,

  • digital infrastructure, ICT service management (B2B),

  • public administration.

Full definition available under Article 5 of GEO 155/2024.


Important Entities

Medium-sized and large enterprises in:

  • digital services and IT providers,

  • waste management, food production,

  • postal and courier services,

  • entities in the above critical sectors not classified as essential.


Definitions:

  • Medium-sized enterprises employ 50–249 staff and have turnover ≤ EUR 50 million or assets ≤ EUR 43 million.

  • Large enterprises exceed these thresholds.


Note: Micro-enterprises are not automatically excluded.


Both essential and important entities are subject to mandatory cybersecurity audits.


Key Cybersecurity Obligations under GEO 155/2024


1. DNSC Registration and Notification

  • Entities carrying out activities listed in Annexes 1 & 2 of GEO 155/2024 must register with the DNSC within 30 days.

  • Final notification deadline: 19 September 2025, in light of Order No. 1/2025, which sets out the DNSC notification procedure.


2. Cyber Risk Management and Governance

  • Implement technical and organizational cybersecurity measures proportionate to the risks, in line with Article 11.

  • Adopt internal cybersecurity policies and procedures, formally approved by senior management.


3. Cybersecurity Audits and Self-Assessments

  • Conduct periodic cybersecurity audits, as required by Article 11(5).

  • Perform annual self-assessments of cybersecurity maturity and submit results to the DNSC and, where applicable, sectoral authorities.


4. Incident Reporting Obligations

  • Report major cybersecurity incidents to the DNSC within 24–72 hours, based on the level of severity.

  • Submit a final incident report within 1 month.

  • Notify affected users/clients when incidents directly impact them.


Sanctions for Non-Compliance


Non-compliance with GEO 155/2024 may trigger severe financial penalties:

  • Essential entities: fines between RON 10,000 and EUR 10,000,000 or up to 2% of worldwide annual turnover.

  • Important entities: fines between RON 5,000 and EUR 7,000,000 or up to 1.4% of worldwide annual turnover.


Beyond fines, reputational damage and operational risks represent significant consequences of non-compliance.



Recommended Compliance Roadmap for Businesses

✅ Assess whether your company qualifies as an essential or important entity.

✅ Complete DNSC registration and comply with statutory deadlines.

✅ Implement internal cybersecurity policies and governance measures.

✅ Carry out periodic audits and annual self-assessments.

✅ Train management and staff on cybersecurity awareness.

✅ Establish a rapid incident reporting and response mechanism.


Conclusion: Cybersecurity Compliance as a Strategic Investment


GEO 155/2024 represents a landmark development in Romania’s cybersecurity compliance framework.


Companies falling within the scope of GEO 155/2024 must approach these obligations with the utmost seriousness.


Effective implementation is not only a legal necessity under the NIS 2 Directive, but also a strategic investment in resilience, business continuity, and client trust.


