{"id":26669,"date":"2025-01-20T12:52:51","date_gmt":"2025-01-20T10:52:51","guid":{"rendered":"https:\/\/safetech.ro\/deadlines-established-by-geo-155-2024-regarding-the-application-in-romania-of-the-nis2-directive\/"},"modified":"2025-01-20T16:48:04","modified_gmt":"2025-01-20T14:48:04","slug":"deadlines-regarding-nis2-in-romania-geo-155-2024","status":"publish","type":"post","link":"https:\/\/safetech.ro\/en\/deadlines-regarding-nis2-in-romania-geo-155-2024\/","title":{"rendered":"Deadlines established by GEO 155\/2024 regarding the application in Romania of the NIS2 Directive"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"26669\" class=\"elementor elementor-26669 elementor-26663\" data-elementor-post-type=\"post\">\n\t\t\t\t<div class=\"elementor-element elementor-element-15c54c3 e-flex e-con-boxed e-con e-parent\" data-id=\"15c54c3\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-7bd2ac8 elementor-widget elementor-widget-ld_breadcrumb\" data-id=\"7bd2ac8\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"ld_breadcrumb.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"lqd-breadcrumb-wrapper\"><nav role=\"navigation\" aria-label=\"Breadcrumbs\" class=\"breadcrumbs\"><ol class=\"breadcrumb reset-ul inline-nav inline-ul comma-sep-li\"><li class=\"breadcrumb-item active\"><a href=\"https:\/\/safetech.ro\/en\/\" rel=\"home\"><span>Home<\/span><\/a><\/li><\/ol><\/nav><\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4d1e304 elementor-widget elementor-widget-text-editor\" data-id=\"4d1e304\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h3>Deadlines established by GEO 155\/2024 regarding the application in Romania of the NIS2 Directive<\/h3><p>According to Emergency Ordinance no. 155\/2024, issued by the Romanian Government, which transposes the provisions of the NIS2 Directive into Romanian law, essential and important entities have a series of specific obligations to ensure cybersecurity, with clear deadlines for compliance. These measures are intended to align Romania with European cybersecurity standards.<\/p><p><strong>To facilitate the information of all stakeholders, we present below the obligations applicable to essential and important entities and the deadlines provided for them:<\/strong><\/p><p><strong>1. Notification and identification<\/strong><\/p><p style=\"padding-left: 40px;\"><strong>\u2022 Term: 30 days from the entry into force of the ordinance<\/strong> or 30 days from the issuance by the <br \/>National Cyber Security Directorate (DNSC) of the requirements regarding the notification process for registration and the method of transmitting information.<\/p><p style=\"padding-left: 40px;\"><strong>\u2022 Obligation:<\/strong><\/p><p style=\"padding-left: 80px;\">o Entities must notify the National Cyber Security Directorate (DNSC) for registration in the register of essential\/important entities.<\/p><p><strong>2. Implementation of risk management measures<\/strong><\/p><p style=\"padding-left: 40px;\"><strong>\u2022 Term: 6 months from registration in the DNSC registry.<\/strong><\/p><p style=\"padding-left: 40px;\"><strong>\u2022 Obligation:<\/strong><\/p><p style=\"padding-left: 80px;\">o Conducting a risk analysis.<\/p><p style=\"padding-left: 80px;\">o Implementation of technical and organizational measures to manage risks associated with networks and information systems.<\/p><p><strong>3. Incident reporting<\/strong><\/p><p style=\"padding-left: 40px;\"><strong>\u2022 Term:<\/strong><\/p><p style=\"padding-left: 80px;\"><strong>o 24 hours <\/strong>for initial notification to DNSC in case of major incidents.<\/p><p style=\"padding-left: 80px;\"><strong>o 72 hours <\/strong>to submit a detailed report.<\/p><p style=\"padding-left: 40px;\"><strong>\u2022 Obligation:<\/strong><\/p><p style=\"padding-left: 80px;\">o Reporting incidents that have a significant impact on the services provided.<\/p><p><strong>4. Developing security policies<\/strong><\/p><p style=\"padding-left: 40px;\"><strong>\u2022 Term: 120 days from registration.<\/strong><\/p><p style=\"padding-left: 40px;\"><strong>\u2022 Obligation:<\/strong><\/p><p style=\"padding-left: 80px;\">o Developing and adopting an internal cybersecurity policy, according to the norms approved by DNSC.<\/p><p><strong>5. Security audit<\/strong><\/p><p style=\"padding-left: 40px;\"><strong>\u2022 Term: 1 year after registration<\/strong> and <strong>every 2 years thereafter<\/strong>.<\/p><p style=\"padding-left: 40px;\"><strong>\u2022 Obligation:<\/strong><\/p><p style=\"padding-left: 80px;\">o Conducting an external audit on the state of cybersecurity.<\/p><p style=\"padding-left: 80px;\">o Transmitting the audit report to DNSC.<\/p><p><strong>6. Designation of a cybersecurity officer<\/strong><\/p><p style=\"padding-left: 40px;\"><strong>\u2022 Term: 30 days from registration.<\/strong><\/p><p style=\"padding-left: 40px;\"><strong>\u2022 Obligation:<\/strong><\/p><p style=\"padding-left: 80px;\">o Appointing a person responsible to coordinate cybersecurity measures and processes.<\/p><p><strong>7. Staff training<\/strong><\/p><p style=\"padding-left: 40px;\"><strong>\u2022 Term: 12 months from registration.<\/strong><\/p><p style=\"padding-left: 40px;\"><strong>\u2022 Obligation:<\/strong><\/p><p style=\"padding-left: 80px;\">o Regularly organize training sessions for employees on cyber risk protection and management.<\/p><p><strong>8. Participation in cybersecurity exercises<\/strong><\/p><p style=\"padding-left: 40px;\"><strong>\u2022 Deadline: According to the calendar established by DNSC.<\/strong><\/p><p style=\"padding-left: 40px;\"><strong>\u2022 Obligation:<\/strong><\/p><p style=\"padding-left: 80px;\">o Participation in simulations or exercises coordinated by DNSC to test incident response capacity.<\/p><p>GEO 155\/2024 provides for a series of sanctions for failure to comply with obligations:<\/p><p style=\"padding-left: 40px;\">\u2022 Administrative fines calculated based on the severity of the violation and the impact on national security.<\/p><p style=\"padding-left: 40px;\">\u2022 Suspension of activity in cases of serious or continuous non-compliance with the imposed measures.<\/p><p>Also, GEO 155\/2024 establishes a series of deadlines that the National Directorate of Cyber Security (DNSC) must respect in order to implement and supervise cybersecurity measures at national level.<\/p><p>The main <strong>deadlines provided for the DNSC activities<\/strong> are:<\/p><p><strong>\u2022 15 days from the entry into force of the ordinance:<\/strong><\/p><p style=\"padding-left: 40px;\">o Establishing requirements for the registration notification process and the method of submitting information.<\/p><p><strong>\u2022 20 days from the entry into force of the ordinance:<\/strong><\/p><p style=\"padding-left: 40px;\">o Development and approval of the list of sectors, subsectors and types of essential and important entities.<\/p><p><strong>\u2022 60 days from receipt of registration notification:<\/strong><\/p><p style=\"padding-left: 40px;\">o Issuance of the decision to identify and register essential entities.<\/p><p><strong>\u2022 150 days from receipt of registration notification:<\/strong><\/p><p style=\"padding-left: 40px;\">o Issuance of the decision to identify and register important entities.<\/p><p><strong>\u2022 120 days from the entry into force of the ordinance:<\/strong><\/p><p style=\"padding-left: 40px;\">o Development and approval of the following rules and regulations:<\/p><p style=\"padding-left: 80px;\">&#8211; Risk management measures.<\/p><p style=\"padding-left: 80px;\">&#8211; Methodological norms regarding incident reporting.<\/p><p style=\"padding-left: 80px;\">&#8211; Technical rules on the compatibility and interoperability of systems, procedures and methods used by CSIRTs and the criteria for determining the number of qualified persons.<\/p><p style=\"padding-left: 80px;\">&#8211; The minimum package of CSIRT services.<\/p><p style=\"padding-left: 80px;\">&#8211; Regulation on the authorization and verification of CSIRTs, the validity conditions for the granted authorizations and the topics for training CSIRT staff.<\/p><p style=\"padding-left: 80px;\">&#8211; Implementing rules and methodology for risk-based prioritization of supervision, verification and control activities.<\/p><p style=\"padding-left: 80px;\">&#8211; Regulation on the authorization, verification and revocation of cybersecurity training service providers for auditors and CSIRTs and the validity conditions for the authorizations granted to them.<\/p><p style=\"padding-left: 80px;\">&#8211; Rules for the implementation of the provisions on supervision, verification and control for CSIRTs, CSIRT-specific service providers, as well as for cybersecurity auditors.<\/p><p style=\"padding-left: 80px;\">&#8211; Regulation on the certification and verification of cybersecurity auditors and the validity conditions for the certificates granted.<\/p><p><strong>\u2022 180 days from the entry into force of the ordinance:<\/strong><\/p><p style=\"padding-left: 40px;\">o Development and approval of the national peacetime cybersecurity crisis management plan.<\/p><p style=\"padding-left: 40px;\">o Approval of topics for auditor specialization for certification.<\/p><p style=\"padding-left: 40px;\">o Approval of topics for the specialization of CSIRT staff for authorization.<\/p><p><strong>\u2022 3 months after the adoption of the national cybersecurity strategy:<\/strong><\/p><p style=\"padding-left: 40px;\">o Transmission of the strategy to the European Commission.<\/p><p>Safetech specialists are at your disposal with a complete portfolio of <a href=\"https:\/\/safetech.ro\/en\/safetech-solutions-and-services-for-nis2-compliance\/\"><strong>services and solutions to ensure compliance with the NIS2 Directive<\/strong><\/a>.<\/p><p>To quickly verify your organization&#8217;s compliance with the requirements of the NIS2 Directive, <a href=\"https:\/\/safetech.ro\/evaluati-conformitatea-organizatiei-cu-directiva-nis2\/\"><strong>Safetech provides you with two online questionnaires<\/strong><\/a>. The first questionnaire assesses whether or not the organization falls under the scope of the NIS2 Directive and the second assesses the degree of readiness of an organization for compliance with the NIS2 Directive.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-09a13c7 elementor-widget elementor-widget-image\" data-id=\"09a13c7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"780\" height=\"576\" src=\"https:\/\/safetech.ro\/wp-content\/uploads\/2024\/10\/formular-NIS2-2-1024x756.webp\" class=\"attachment-large size-large wp-image-25412\" alt=\"\" srcset=\"https:\/\/safetech.ro\/wp-content\/uploads\/2024\/10\/formular-NIS2-2-1024x756.webp 1024w, https:\/\/safetech.ro\/wp-content\/uploads\/2024\/10\/formular-NIS2-2-300x222.webp 300w, https:\/\/safetech.ro\/wp-content\/uploads\/2024\/10\/formular-NIS2-2.webp 1600w\" sizes=\"(max-width: 780px) 100vw, 780px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-03b54c8 elementor-widget elementor-widget-text-editor\" data-id=\"03b54c8\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>For information about ensuring compliance with the NIS2 Directive, please contact us at sales @ safetech.ro or by phone at +40 21 316 0565.<\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Deadlines established by GEO 155\/2024 regarding the application in Romania of the NIS2 Directive<\/p>\n","protected":false},"author":2,"featured_media":25395,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[101],"tags":[105,108,110],"class_list":["post-26669","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology-news","tag-compliance","tag-nis-en","tag-risk-management"],"_links":{"self":[{"href":"https:\/\/safetech.ro\/en\/wp-json\/wp\/v2\/posts\/26669","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/safetech.ro\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/safetech.ro\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/safetech.ro\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/safetech.ro\/en\/wp-json\/wp\/v2\/comments?post=26669"}],"version-history":[{"count":5,"href":"https:\/\/safetech.ro\/en\/wp-json\/wp\/v2\/posts\/26669\/revisions"}],"predecessor-version":[{"id":26679,"href":"https:\/\/safetech.ro\/en\/wp-json\/wp\/v2\/posts\/26669\/revisions\/26679"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/safetech.ro\/en\/wp-json\/wp\/v2\/media\/25395"}],"wp:attachment":[{"href":"https:\/\/safetech.ro\/en\/wp-json\/wp\/v2\/media?parent=26669"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/safetech.ro\/en\/wp-json\/wp\/v2\/categories?post=26669"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/safetech.ro\/en\/wp-json\/wp\/v2\/tags?post=26669"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}