NIS2 Romania: Compliance, Authorities & Key Requirements
Understand how Romania implements the NIS2 Directive (EU) 2022/2555, which entities are in scope, how registration works, who supervises compliance, and the key steps to get ready.
Introduction: NIS2 Directive & the Romanian context
Romania implemented NIS2 via Government Emergency Ordinance (OUG) 155/2024, effective early January 2025, subsequently approved and amended by Law 124/2025. The framework replaces Law 362/2018 and brings expanded scope, clearer governance duties, and stronger enforcement.
NIS2 Directive implementation in Romania
Romania transposed NIS2 through OUG 155/2024 (in force from January 2025), later approved with amendments by Law 124/2025.
Status
Transposed; in force since Jan 2025; consolidated by Law 124/2025.
Legal instruments
OUG 155/2024 (NIS2 framework) + Law 124/2025 (approval & amendments).
Operational orders
On 20 Aug 2025 the DNSC issued Order 1/2025 (registration & notification rules) and Order 2/2025 (incident disruption thresholds & risk assessment methodology).
| Category | Notes |
|---|---|
| Essential sectors | Energy, transport, banking & FMIs, health, drinking & wastewater, digital infrastructure, public admin, etc. |
| Important sectors | Postal & courier, waste, food, manufacturing/chemicals, digital providers, research, etc. |
| Size criteria | General NIS2 baseline: medium-size and above (≥50 employees or ≥€10m). Some providers are in scope regardless of size. |
| Recent expansion | Law 124/2025 adds categories (e.g., certain pharma distributors/resellers via NACE codes) broadening Annex I/II coverage. |
NIS2 Romania: what you need to know about compliance & certification
Romania applies the two-tier model (Essential / Important) with management accountability and detailed reporting mechanics.
Obligations
- Risk management & security policy across IT/OT
- Incident handling & reporting windows: 24h early warning, 72h initial, 1 month final
- Business continuity & crisis management
- Supply-chain security & vendor risk
- Vulnerability disclosure (VDP) & secure development
- Executive/board accountability & training
Registration & tools
DNSC provides NIS2@RO tools for scoping and notification, plus an onboarding & cooperation platform (Platforma NIS2@RO).
Evidence & audits
Maintain policies, risk registers, supplier due diligence, incident logs, training records, and internal audit results to demonstrate compliance.
National NIS2 timeline & key dates
Sector-specific notes (Romania)
- Health & pharma: Law 124/2025 expands the scope to include certain distributors and resellers, identified through specific NACE codes.
- Finance/energy/digital infrastructure: NIS2 applies alongside parallel EU regimes (e.g., DORA) and relevant sector-specific supervisory guidance.
- Public administration: generally covered, with exclusions for entities operating in defence, law enforcement and national security.
Penalties for non-compliance
Turnover-based fines in line with NIS2:
- Essential entities: up to €10m or 2% of global turnover (whichever is higher).
- Important entities: up to €7m or 1.4% of global turnover (whichever is higher).
Supervisory powers include audits, binding remediation orders, and — in serious cases — service restrictions.
How to prepare for NIS2 in Romania
- Determine scope: confirm Annex I/II services and size thresholds; classify EE/IE.
- Register: use the NIS2@RO platform to submit the notification and complete registration in accordance with DNSC Order 1/2025.
- Governance: secure board-level accountability and budget for cybersecurity.
- Risk management: map and implement controls aligned to Article 21 (IT/OT, VDP, BC/DR).
- Supply chain: assess MSPs/MSSPs and critical suppliers; add contractual security requirements.
- Incident readiness: implement detection, escalation and 24/7 reporting workflow to DNSC (24h/72h/1-month).
- Train & evidence: leadership training, staff awareness, and auditable records.
