Romania is among the quickest countries to implement the EU’s updated cybersecurity requirements. For the country’s digital infrastructure, critical industries, and public sector, the transposition of the Network and Information Security Directive 2 (NIS2) signals a dramatic operational shift—one that can’t be ignored by any organization that falls within its scope.
Without further ado, let’s dive into where things currently stand, how Romania is adapting to the directive, and what it means for companies navigating this new cyber-regulatory terrain.
Key takeaways from Romania’s NIS2 implementation
Romania has moved quickly compared to many EU peers. The transposition of the NIS2 Directive—officially Directive (EU) 2022/2555—was enacted through Emergency Ordinance (OUG) 155/2024, replacing the previous Law 362/2018. This ordinance entered into force on 2 January 2025, bringing a new wave of responsibilities and penalties for businesses and institutions alike.
The Directoratul Național pentru Securitate Cibernetică (DNSC) now serves as the lead national authority, handling everything from incident reporting to supervision and sanctions. This framework covers an estimated 12,000–15,000 entities, a massive leap from the roughly 1,000 regulated under NIS1.
This transition isn’t just bureaucratic—it’s transformative. With tight deadlines, director-level accountability, and stringent security requirements, organizations have little time to adapt.
Romania’s NIS2 implementation timeline
Romania’s approach to NIS2 transposition has been methodical, with clear governmental milestones already achieved. The following table outlines the major dates and phases in the rollout.
Date | Milestone | Status |
17 Jan 2023 | NIS2 becomes EU law | ✔︎ |
May 2024 | First public draft of cybersecurity ordinance released | ✔︎ |
30 Dec 2024 | Government adopts OUG 155/2024 | ✔︎ |
2 Jan 2025 | Ordinance enters into force | ✔︎ |
Mar – Jun 2025 | DNSC expected to issue reporting & registration norms (120–180 days) | Pending |
30 Jan – Feb 2025 | Entities self-assess and register on ATHENA / NIS2@RO platform | Pending |
Mid-2025 | Parliament to ratify OUG into law (with possible amendments) | Pending |
PRO TIP
Don’t wait for Parliament to ratify the ordinance. The law is already in force—compliance begins the moment DNSC’s secondary norms are published. Use this window to gather your business identifiers (CUI, CAEN code) and nominate a security contact.
Structure and content of the new regulatory framework
OUG 155/2024 is not just a technical formality—it redefines cybersecurity oversight in Romania. Its chapters mirror the key provisions of the EU directive, while also incorporating specific national mechanisms such as offline tools and e-signature mandates.
Chapter | Key provisions |
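I–II | Defines thresholds for essential entities (EE) and important entities (EI); confirms DNSC as competent authority |
III | Establishes risk management measures (multi-factor authentication, cryptography, business continuity management, etc.) |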
IV | Incident notification steps: 24 hours, 72 hours, 30 days |
V | Grants DNSC supervision powers; allows audits and public warnings |
VI | Details fines and liability, including joint director accountability |
Transitional | Repeals prior law; mandates secondary norms within 180 days |
The ordinance’s Article 21 risk catalogue aligns closely with the EU directive, requiring controls like supply-chain risk management, multi-factor authentication, and cryptographic safeguards. Organizations must also prepare coordinated vulnerability disclosures and reporting playbooks.
Sanctions, fines, and liabilities
The stakes are high. The fines under NIS2 are substantial and tiered by entity classification. Public institutions may be exempt from monetary penalties but can still face reputational damage through corrective actions and public exposure.
Entity type | Maximum fine | Notable provisions |
Entități esențiale (EE) | €10 million or 2% of global turnover | Joint director liability; fines can be doubled |
Entități importante (EI) | €7 million or 1.4% of global turnover | Same liability rules apply |
Public bodies | No fines; only corrective actions | Subject to public naming in case of non-compliance |
The directive employs a graduated enforcement ladder: starting with warnings and corrective plans, escalating to periodic penalties, and culminating in potential domain suspension.
PRO TIP
Director liability is real. Ensure that your board not only approves your cybersecurity strategy but also receives annual updates and training. This protects both the organization and individual executives from legal risk.
Industry-specific impacts
Romania’s industry landscape is undergoing a seismic shift under the directive. Many sectors previously outside the scope of regulation are now covered, and even those already regulated face stricter obligations.
Sector | Change vs NIS1 | New responsibilities |
Manufacturing (auto, medtech) | Newly regulated as EI if thresholds met | OT/IT segmentation, annual pen-tests, supplier controls |
Energy & utilities | Expanded to include hydrogen and heating | Continuous monitoring, software bill of materials (SBOM), board reporting |
Healthcare | Expanded from 60 to ~300 facilities | ISO 27001 alignment, 90-day backup drills |
Digital infrastructure | Now in-scope regardless of size | 24/7 SOC, zero-trust roadmap, DNS data obligations |
Finance | Adds DNSC requirements to existing ones | Supply-chain controls, dual reporting to the National Bank of Romania (NBR) and DNSC |
Public administration | >50k cities now regulated | DNSC baseline, CISO role, only corrective enforcement |
PRO TIP
If you’re a data center, software vendor, or DNS provider—even with just 10 employees—you’re likely classified as essential under the new law. Entity size is no longer your shield.
What Romanian companies should do now
Many organizations are understandably anxious about the new rules. But proactive engagement is the best defense. The DNSC has published a self-assessment grid to determine whether an entity qualifies as EE or EI, a critical first step in the process.
Companies should:
- Complete their classification and register via ATHENA or NIS2@RO within 30 days of DNSC rules coming into force.
- Conduct a gap analysis against Article 21 requirements, starting with MFA, data backups, and third-party risk controls.
- Draft a robust incident reporting protocol that aligns NIS2 timelines (24h/72h/30d) with GDPR breach notifications.
- Prepare the board of directors for their new responsibilities, including training sessions and formal approval of cybersecurity programs.
These aren’t optional steps—they’re now essential parts of regulatory compliance in Romania.
Accelerate Romania’s NIS2 readiness with CyberUpgrade
Romania’s Emergency Ordinance 155/2024 swept 12,000–15,000 entities into scope as of January 2, 2025, with DNSC’s self-assessment and registration portal opening in early 2025 and first audits following mid-2025. CyberUpgrade maps its turnkey workflows directly to OUG 155/2024’s EE/EI thresholds, 24 h/72 h/30-day reporting steps, and DNSC’s risk-management catalogue—so you can start remediating gaps today, not tomorrow.
Our Slack and Teams chatbot walks every team member through live, Article 21–aligned checks keyed to your CUI and CAEN codes, automatically capturing evidence in a central, regulator-ready vault. Layer in continuous vulnerability scans, penetration tests, SBOM exchanges and real-time monitoring, and you’ll spot and contain threats long before they trigger fines up to €10 million or joint director liability.
Pair that with our EU-based CISO-as-a-Service for hands-on support—from gap analyses and board-level policy sign-off to pre-built incident-response playbooks—and you’ll offload 80 % of your compliance work, save over €60K annually, boost your security culture, and stay focused on growth while Romania’s audits loom. Let CyberUpgrade turn Romania’s NIS2 compliance complexity into your compliance advantage.
Are you ready for NIS2?
NIS2 is more than a European cybersecurity regulation—it’s a watershed moment in Romania’s digital resilience strategy. From Emergency Ordinance 155/2024 to the DNSC’s authority, the groundwork is laid. But organizations are the ones who must now build upon it.
Companies must act decisively: register, assess, prepare, and engage leadership. The next few months will be critical, not just for compliance, but for securing Romania’s place in a more resilient European digital economy.
For a deeper dive into implementation guidance, consult the DNSC portal or HotNews.ro’s comprehensive reporting on this transformative regulation.
Let’s not wait for the next breach to become the catalyst for action—NIS2 demands preparedness today.