Romania is among the quickest countries to implement the EU’s updated cybersecurity requirements. For the country’s digital infrastructure, critical industries, and public sector, the transposition of the Network and Information Security Directive 2 (NIS2) signals a dramatic operational shift—one that can’t be ignored by any organization that falls within its scope.
Without further ado, let’s dive into where things currently stand, how Romania is adapting to the directive, and what it means for companies navigating this new cyber-regulatory terrain.
Key takeaways from Romania’s NIS2 implementation
Romania has moved quickly compared to many EU peers. The transposition of the NIS2 Directive—officially Directive (EU) 2022/2555—was enacted through Emergency Ordinance (OUG) 155/2024, replacing the previous Law 362/2018. This ordinance entered into force on 2 January 2025, bringing a new wave of responsibilities and penalties for businesses and institutions alike.
The Directoratul Național pentru Securitate Cibernetică (DNSC) now serves as the lead national authority, handling everything from incident reporting to supervision and sanctions. This framework covers an estimated 12,000–15,000 entities, a massive leap from the roughly 1,000 regulated under NIS1.
This transition isn’t just bureaucratic—it’s transformative. With tight deadlines, director-level accountability, and stringent security requirements, organizations have little time to adapt.
Romania’s NIS2 implementation timeline
Romania’s approach to NIS2 transposition has been methodical, with clear governmental milestones already achieved. The following table outlines the major dates and phases in the rollout.
Implementation timeline of the NIS2 directive in Romania
| Date | Milestone | Status |
| --- | --- | --- |
| 17 Jan 2023 | NIS2 becomes EU law | ✔︎ |
| May 2024 | First public draft of cybersecurity ordinance released | ✔︎ |
| 30 Dec 2024 | Government adopts OUG 155/2024 | ✔︎ |
| 2 Jan 2025 | Ordinance enters into force | ✔︎ |
| Mar – Jun 2025 | DNSC expected to issue reporting & registration norms (120–180 days) | Pending |
| 30 Jan – Feb 2025 | Entities self-assess and register on ATHENA / NIS2@RO platform | Pending |
| Mid-2025 | Parliament to ratify OUG into law (with possible amendments) | Pending |
Structure and content of the new regulatory framework
OUG 155/2024 is not just a technical formality—it redefines cybersecurity oversight in Romania. Its chapters mirror the key provisions of the EU directive, while also incorporating specific national mechanisms such as offline tools and e-signature mandates.
Overview of OUG 155/2024 structure
| Chapter | Key provisions |
| --- | --- |
| I–II | Defines EE/EI thresholds; confirms DNSC as competent authority |
| III | Establishes risk management measures (MFA, crypto, BCM, etc.) |
| IV | Incident notification steps: 24 hours, 72 hours, 30 days |
| V | Grants DNSC supervision powers; allows audits and public warnings |
| VI | Details fines and liability, including joint director accountability |
| Transitional | Repeals prior law; mandates secondary norms within 180 days |
The ordinance’s Article 21 risk catalogue aligns closely with the EU directive, requiring controls like supply-chain risk management, multi-factor authentication, and cryptographic safeguards. Organizations must also prepare coordinated vulnerability disclosures and reporting playbooks.
Sanctions, fines, and liabilities
The stakes are high. The fines under NIS2 are substantial and tiered by entity classification. Public institutions may be exempt from monetary penalties but can still face reputational damage through corrective actions and public exposure.
Sanctions under Romania’s NIS2 directive
| Entity type | Maximum fine | Notable provisions |
| --- | --- | --- |
| Entități esențiale (EE) | €10 million or 2% of global turnover | Joint director liability; fines can be doubled |
| Entități importante (EI) | €7 million or 1.4% of global turnover | Same liability rules apply |
| Public bodies | No fines; only corrective actions | Subject to public naming in case of non-compliance |
The directive employs a graduated enforcement ladder: starting with warnings and corrective plans, escalating to periodic penalties, and culminating in potential domain suspension.
Industry-specific impacts
Romania’s industry landscape is undergoing a seismic shift under the directive. Many sectors previously outside the scope of regulation are now covered, and even those already regulated face stricter obligations.
Sector-specific changes under NIS2 Romania
| Sector | Change vs NIS1 | New responsibilities |
| --- | --- | --- |
| Manufacturing (auto, medtech) | Newly regulated as EI if thresholds met | OT/IT segmentation, annual pen-tests, supplier controls |
| Energy & utilities | Expanded to include hydrogen and heating | Continuous monitoring, SBOM, board reporting |
| Healthcare | Expanded from 60 to ~300 facilities | ISO 27001 alignment, 90-day backup drills |
| Digital infrastructure | Now in-scope regardless of size | 24/7 SOC, zero-trust roadmap, DNS data obligations |
| Finance | Adds DNSC requirements to existing ones | Supply-chain controls, dual-reporting to NBR & DNSC |
| Public administration | >50k cities now regulated | DNSC baseline, CISO role, only corrective enforcement |
What Romanian companies should do now
Many organizations are understandably anxious about the new rules. But proactive engagement is the best defense. The DNSC has published a self-assessment grid to determine whether an entity qualifies as EE or EI, a critical first step in the process.
Companies should:
- Complete their classification and register via ATHENA or NIS2@RO within 30 days of DNSC rules coming into force.
- Conduct a gap analysis against Article 21 requirements, starting with MFA, data backups, and third-party risk controls.
- Draft a robust incident reporting protocol that aligns NIS2 timelines (24h/72h/30d) with GDPR breach notifications.
- Prepare the board of directors for their new responsibilities, including training sessions and formal approval of cybersecurity programs.
These aren’t optional steps—they’re now essential parts of regulatory compliance in Romania.
Are you ready for NIS2?
NIS2 is more than a European cybersecurity regulation—it’s a watershed moment in Romania’s digital resilience strategy. From Emergency Ordinance 155/2024 to the DNSC’s authority, the groundwork is laid. But organizations are the ones who must now build upon it.
Companies must act decisively: register, assess, prepare, and engage leadership. The next few months will be critical, not just for compliance, but for securing Romania’s place in a more resilient European digital economy.
For a deeper dive into implementation guidance, consult the DNSC portal or HotNews.ro’s comprehensive reporting on this transformative regulation.
Let’s not wait for the next breach to become the catalyst for action—NIS2 demands preparedness today.