Legislative and regulatory framework for starting the NIS2 compliance process in Romania and the calendar for compliance with national legislative provisions

Government Emergency Ordinance no. 155 of December 30, 2024, on the establishment of a framework for the cybersecurity of networks and information systems in the national civil cyberspace, approved by Law no. 124 of July 7, 2025, transposes the European Directive 2022/2555 (NIS2) into Romanian legislation. Together, the two acts specify in stages the requirements that essential and important entities must meet for compliance.

In addition, on August 20, 2025, two orders of the director of the National Directorate of Cyber Security (DNSC) regarding the rules for the application of this law were published in the Official Gazette of Romania:

At the same time, DNSC has also made available the official online registration tool, NIS2@RO.

Therefore, the legislative and regulatory framework is now in place to start the process of compliance with the local legislative provisions of the NIS2 directive, according to the following schedule:

  • T1 = September 22 → DNSC notification by entities for registration,
  • T2 = T1 + max. 60 days (for essential entities) / max. 150 days (for important entities) → Entity registration by DNSC,
  • T3 = T2 + max. 30 days → The management bodies of the entities designate those responsible for the security of networks and information systems,
  • T4 = T2 + max. 60 days → Transmission to the DNSC of the entity’s risk level assessment,
  • T5 = T4 + max. 60 days → Submission to the DNSC of the self-assessment of the maturity level of the cybersecurity risk management measures,
  • T6 = T5 + max. 30 days → Submission to the DNSC of the plan of measures to remedy the identified deficiencies.

Failure by entities subject to NIS2 to notify within the 30-day period, calculated from 20.08.2025, constitutes a contravention and is sanctioned with a fine from RON 1,000 to RON 300,000 for important entities and from RON 1,500 to RON 500,000 for essential entities.

Irrespective of these deadlines, entities covered by the Directive:

  • through the management bodies, which must undergo specific professional training, approve cybersecurity risk management measures and supervise their implementation;
  • regularly ensure the professional training of all staff in order to ensure a sufficient level of cybersecurity knowledge and skills;
  • have incident management obligations and must report early (within max. 24h) to the DNSC any incidents that have a significant impact on the provision of their services. In this regard, art. 30 of the ordinance states that essential and important entities may set up their own or sectoral security incident response teams (CSIRTs) or may purchase services from CSIRT-specific service providers authorized by the DNSC;
  • must support the supervision, verification and control activities (requests for information, audits, scans, etc.) ordered by the DNSC.

Safetech Innovations supports organizations in the sectors covered by the NIS2 Directive in the compliance process, providing the expertise and experience gained in the field of cybersecurity and risk management in almost 15 years of activity and in over 100 projects for the implementation of the previous directive, NIS1.

Through staff certified in the field according to the highest international standards, Safetech Innovations provides complete support – from the notification phase to the implementation of technical and organizational measures, reporting and audit preparation – so that essential and important entities meet legal requirements and strengthen their cyber resilience. In particular, Safetech offers dedicated packages for:

  • training of staff and management bodies of entities covered by the Directive;
  • subscriptions of virtual CISO consulting services to support in a flexible manner a full range of governance, risk management and compliance activities;
  • provision of cybersecurity systems necessary for compliance with NIS2 requirements, commissioning and integration into the customer’s network and processes, training for the use and administration of systems;
  • preparation for the audit or conducting an audit by auditors certified by the DNSC. Safetech is registered in the National Register of Cybersecurity Auditors, appearing as a certified legal entity (valid until 25.08.2027) in the most recent List of Certified Cybersecurity Auditors (LASC), published by the National Directorate of Cybersecurity, at position 6 (six);
  • CSIRT service subscriptions, through its own CERT STI center, founded 10 years ago and Trusted Introducer accredited, which offers security incident monitoring, detection and response services, with 24×7 coverage.

To quickly verify your organization’s compliance with the requirements of the NIS2 Directive, Safetech provides you with an online questionnaire.

For more information about Safetech Innovations’ NIS2 compliance services, please contact us at [email protected] or +40 21 316 0565.
