NIS2 in Romania
A guide to NIS2 implementation and compliance in Romania.
Romania has updated its national cybersecurity framework to align with the strengthened obligations introduced under the NIS2 Directive. The revised regime expands sector coverage, strengthens executive accountability, and enhances supervisory and enforcement mechanisms. This guide provides a structured overview of Romania's NIS2 compliance requirements for SMEs operating in covered sectors.
1. Quick SME Applicability Snapshot in Romania
Does NIS2 apply to SMEs in Romania?
Yes — depending on sector and size.
- Automatic applicability to entities in covered sectors that are medium-sized or larger under the EU SME definition (Recommendation 2003/361/EC, which the Directive references): 50 or more employees, or an annual turnover and an annual balance sheet total that both exceed €10 million. The staff-count test alone is sufficient; guides that require "both" criteria understate the scope.
- Small or micro entities are included only if they fall into one of the size-independent categories the Directive lists (for example DNS service providers, TLD name registries, qualified trust service providers and providers of public electronic communications networks or services) or if they are formally designated by the authorities.
- Applies to entities established in Romania and, in certain cases, foreign digital providers serving the Romanian market.
SMEs should assess qualification under Romania's national cybersecurity framework based on sector classification and statutory thresholds.
2. Overview of NIS2 Implementation in Romania
Romania has transposed NIS2 through Government Emergency Ordinance No. 155/2024 (GEO 155/2024), adopted on 30 December 2024 and in force since 31 December 2024, replacing the prior NIS1 framework. This was refined by Law No. 124/2025 (in force 10 July 2025), which expanded the healthcare scope to include pharmaceutical sectors and retail pharmacies.
The framework was operationalized through DNSC Order No. 1/2025 (registration procedure) and Order No. 2/2025 (risk assessment methodology), both entering into force on 20 August 2025. The framework aligns Romania's regime with Directive (EU) 2022/2555 and introduces several national specifics beyond the Directive baseline.
DNSC has the power to double the maximum fines (including the €10 million / 2% caps) in certain aggravated cases. Entities must register via the NIS2@RO platform, complete a risk-level self-assessment, then a cybersecurity maturity self-assessment within 60 days of risk assessment submission, and submit a remediation plan within 30 days of the maturity assessment — creating a structured four-step compliance chain. Entities must also designate a person responsible for cybersecurity who operates independently from the operational head of IT.
3. Scope of Application in Romania
Essential Entities
Entities above the medium-size ceilings (large entities) operating in the sectors of high criticality listed in Annex I of the Directive: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management (business-to-business), public administration and space, together with categories that qualify regardless of size (for example qualified trust service providers, TLD name registries and DNS service providers).
Important Entities
Medium-sized entities in the Annex I sectors, and entities of medium size or larger in the other critical sectors listed in Annex II: postal and courier services, waste management, manufacture and distribution of chemicals, food production and distribution, manufacturing (medical devices, electronics, electrical equipment, machinery and vehicles), digital providers (online marketplaces, search engines, social networking platforms) and research organisations. Medium-sized entities in Annex I sectors are generally classified as important unless a size-independent rule or a formal designation makes them essential.
Romania's scope expands beyond the Directive minimum. Law No. 124/2025 explicitly extended the healthcare sector to include pharmaceutical supply chain entities and retail pharmacies (NACE 4773). Entities in national defence, public order, national security, the Ministry of Foreign Affairs, and law enforcement are excluded from the scope of GEO 155/2024.
4. Size Thresholds and SME Applicability in Romania
The baseline thresholds follow the EU SME definition, under which an entity is medium-sized or larger if it:
- has 50 or more employees, or
- has an annual turnover exceeding €10 million and an annual balance sheet total exceeding €10 million.
Entities meeting either test within covered sectors are automatically within scope. An entity with fewer than 50 staff is only outside the size test if at least one of its turnover and balance sheet total is €10 million or below.
Small and micro enterprises may be designated if considered critical to national security, economic stability, or essential service continuity — for example, if they are the sole provider of a critical service, or if disruption of their services would have a significant impact on public safety, the economy, or national security. Romanian authorities retain formal designation powers where systemic risk justifies inclusion.
Entities should assess their status by examining sector affiliation, size thresholds, and the criticality of the services they provide.
5. Entity Classification Framework in Romania
Entities are categorized as:
- Essential Entities — Subject to proactive supervision, including inspections and structured compliance monitoring.
- Important Entities — Primarily subject to reactive supervision triggered by significant incidents or compliance concerns.
Classification is determined by sector and size. Authorities may reclassify entities where operational impact or risk exposure warrants enhanced oversight.
Romania follows the Directive's two-tier supervisory structure.
6. Cybersecurity Risk Management Requirements in Romania
Romania's national regime aligns with the Directive baseline for cybersecurity risk management. In-scope entities must implement proportionate technical and organizational measures addressing:
- Policies on risk analysis and information system security
- Incident handling (detection, response and recovery)
- Business continuity (backup management, disaster recovery) and crisis management
- Supply chain security, including the security of relationships with direct suppliers and service providers
- Security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure
- Policies and procedures to assess the effectiveness of the risk management measures
- Basic cyber hygiene practices and cybersecurity training
- Policies and procedures on the use of cryptography and, where appropriate, encryption
- Human resources security, access control policies and asset management
- Multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems where appropriate
Measures must take account of the state of the art and relevant European and international standards, and be proportionate to the entity's risk exposure, size and the likely severity of incidents. Alignment with ISO/IEC 27001 and DNSC guidance is encouraged.
7. Management Liability and Governance in Romania
Management bodies must formally approve cybersecurity risk management measures and oversee implementation.
Under Romania's framework:
- Boards are accountable for compliance oversight.
- Senior management must ensure sufficient cybersecurity competence. GEO 155/2024 requires management to undergo cybersecurity training in the prevention and management of cyber risks. Entities must also designate a person responsible for cybersecurity who operates independently from the operational head of IT.
- Administrative sanctions may address governance failures.
- Temporary suspension of managerial functions: for essential entities, Directive-aligned enforcement allows the authority to temporarily prohibit persons with managerial responsibility at chief executive or legal representative level from exercising those functions until the breach is remedied.
Romania's management liability expectations elevate cybersecurity governance to an executive-level responsibility.
8. Incident Reporting Obligations in Romania
Definition of a Significant Incident
An incident is significant if it has caused, or is capable of causing:
- Severe operational disruption of the entity's services
- Financial loss for the entity
- Considerable material or non-material damage to other natural or legal persons
The "capable of causing" limb means an incident can be reportable before any impact has materialised. Cross-border impact does not by itself make an incident significant, but where relevant it must be indicated in the notification.
Reporting Timeline
| Reporting Stage | Deadline | Content | Authority |
|---|---|---|---|
| Early Warning | Within 24 hours of becoming aware of the incident | Whether unlawful or malicious action is suspected and whether cross-border impact is likely | National Cyber Security Directorate (DNSC) |
| Incident Notification | Within 72 hours of becoming aware of the incident | Updates the early warning with an initial assessment of severity, impact and indicators of compromise | National Cyber Security Directorate (DNSC) |
| Final Report | Within one month of the incident notification | Detailed description, type of threat and likely root cause, mitigation applied, cross-border impact | National Cyber Security Directorate (DNSC) |
An intermediate report may be requested at any time. If the incident is still ongoing when the final report falls due, a progress report is submitted instead and the final report follows within one month of the incident being handled. Romania follows the Directive structure for reporting deadlines; sector regulators may coordinate with the DNSC where applicable.
9. Supervisory Authorities and Enforcement Model in Romania
Primary authority: National Cyber Security Directorate (DNSC).
Romania operates a centralized supervisory model coordinated by the DNSC, with sector-specific regulators involved where required.
Supervisory powers include:
- Requests for documentation and information
- Security audits
- On-site inspections
- Binding compliance instructions
- Participation in EU cybersecurity coordination mechanisms
The enforcement structure aligns with Directive-level cooperation requirements.
10. NIS2 Fines and Sanctions in Romania
Romania applies Directive-aligned administrative penalties.
Essential Entities
Up to €10 million or 2% of total global annual turnover (whichever is higher)
Important Entities
Up to €7 million or 1.4% of total global annual turnover (whichever is higher)
Enforcement in Romania may also include:
- Binding remediation orders
- Public identification of non-compliant entities
- Suspension of authorizations or certifications
- Managerial suspension powers
- Doubled maximum fines: in certain aggravated cases, DNSC may impose up to double the standard maximum fine thresholds (including the €10 million / 2% caps for essential entities)
11. NIS2 Supply Chain and Vendor Security in Romania
Entities must manage third-party cybersecurity exposure through:
- Vendor risk assessments
- Contractual security flow-down provisions
- Continuous ICT supplier monitoring
- Concentration risk analysis
- Incident propagation mitigation
Romania's approach aligns with Directive baseline expectations regarding supplier risk management.
12. Registration and Self-Identification Duties in Romania
Entities within scope must:
- Register with the DNSC via the NIS2@RO platform (platformanis2.ro). The initial registration deadline was approximately 19 September 2025 (30 days after DNSC Order 1/2025 entered into force on 20 August 2025) — this has now passed. Only registrations submitted after 20 August 2025 are legally valid. Entities not yet registered should treat this as an urgent priority.
- Provide corporate identification details
- Disclose sector classification
- Maintain updated reporting contacts
Following registration confirmation from DNSC, entities must complete a risk-level self-assessment per Order No. 2/2025 within 60 days of the confirmation, then a cybersecurity maturity self-assessment within 60 days of submitting the risk assessment, followed by a remediation plan within 30 days of the maturity assessment. DNSC will issue a formal decision classifying the entity as essential or important.
Self-identification is mandatory. Entities should conduct a service disruption impact assessment per Order No. 2/2025 criteria (impact on fundamental rights, economy, health, finances, national security) as part of their registration submission.
13. Interaction With GDPR and Other Laws in Romania
The General Data Protection Regulation continues to apply concurrently.
Overlap considerations include:
- 72-hour personal data breach notification to the data protection authority (ANSPDCP) under GDPR Article 33, which runs in parallel with the NIS2 notification chain to the DNSC; neither notification replaces the other
- Supervisory authority coordination: where a cyber incident is both a significant incident and a personal data breach, the DNSC and the data protection authority may exchange information, but the entity remains responsible for making each notification separately and on its own deadline
14. Cross-Border Applicability
Entities with their main establishment in Romania are supervised by Romanian authorities for cross-border services.
Foreign digital providers offering services in Romania may be subject to national obligations depending on establishment structure.
Representation requirements follow Directive standards for non-EU providers serving the Romanian market.
15. Implementation Timeline in Romania
- Directive adoption: 2022
- National legislative amendments: GEO 155/2024 adopted 30 December 2024 (in force 31 December 2024); Law No. 124/2025 in force 10 July 2025 (refining GEO 155/2024 and expanding healthcare/pharma scope); DNSC Order No. 1/2025 (registration) and Order No. 2/2025 (risk assessment) both in force 20 August 2025
- Entry into force: 31 December 2024 (GEO 155/2024); sanction provisions from 30 January 2025; DNSC implementing orders from 20 August 2025
- Commission notification: Romania completed transposition via GEO 155/2024; not subject to an outstanding EC reasoned opinion on the primary legislation
- Compliance milestone: Registration deadline approximately 19 September 2025 (passed); risk-level self-assessment within 60 days of DNSC registration confirmation; cybersecurity maturity self-assessment within 60 days of risk assessment submission; remediation plan within 30 days of maturity assessment
Romania completed NIS2 transposition on 31 December 2024, ahead of many EU peers. All initial compliance milestones — including the registration deadline of approximately 19 September 2025 — have now passed. Entities not yet registered with the DNSC via the NIS2@RO platform should treat registration as an immediate priority and begin the subsequent risk assessment and maturity assessment chain without delay.
16. Key Takeaways for SMEs in Romania
- Medium-sized entities in covered sectors are automatically within scope. GEO 155/2024 has been in force since 31 December 2024. Romania's scope also extends beyond the Directive to include pharmaceutical and retail pharmacy sectors (Law 124/2025).
- Small entities may be designated if critical to national or economic stability.
- Board-level governance oversight is mandatory. Management must undergo cybersecurity training under GEO 155/2024, and entities must designate a person responsible for cybersecurity independent of the operational IT head.
- Incident reporting follows 24h / 72h / 1 month deadlines.
- Financial penalties can reach €10 million or 2% of global turnover. Romania additionally permits DNSC to double the maximum fine in aggravated cases.
- Vendor risk management is required.
- The registration deadline (~19 September 2025) has passed — entities not yet registered with the DNSC via the NIS2@RO platform should act immediately. After registration, complete the risk-level self-assessment, then the cybersecurity maturity assessment (within 60 days of risk assessment), and submit a remediation plan (within 30 days of maturity assessment).
FAQ: NIS2 Romania SME Guide
Does NIS2 apply to small companies in Romania?
Small companies are generally excluded unless they fall into one of the size-independent categories (for example DNS, TLD registry, trust service or public electronic communications providers) or are formally designated. Entities that are medium-sized or larger under the EU SME definition (50 or more employees, or turnover and balance sheet total both above €10 million) are automatically covered in listed sectors.
What are the NIS2 fines in Romania?
Essential Entities face penalties up to €10 million or 2% of global annual turnover. Important Entities face up to €7 million or 1.4% of global annual turnover.
When does NIS2 take effect in Romania?
Romania completed NIS2 transposition through Government Emergency Ordinance No. 155/2024 (GEO 155/2024), in force since 31 December 2024, supplemented by Law No. 124/2025 (10 July 2025) and DNSC Orders No. 1 and 2/2025 (20 August 2025). The registration deadline passed approximately 19 September 2025. Entities must now complete a risk-level self-assessment, cybersecurity maturity assessment (within 60 days of risk assessment), and remediation plan (within 30 days of maturity assessment). Entities not yet registered with the DNSC via the NIS2@RO platform should treat this as an immediate priority.
Who enforces NIS2 in Romania?
The National Cyber Security Directorate (DNSC) serves as the primary supervisory authority, coordinating with sector regulators where applicable.
Can directors be personally liable under NIS2 in Romania?
Management bodies must approve and oversee cybersecurity measures. Administrative enforcement tools may include managerial suspension powers in serious cases.
How does NIS2 differ from GDPR in Romania?
NIS2 governs cybersecurity resilience and operational risk management, while GDPR regulates personal data protection. Both frameworks may apply following a cyber incident.
What qualifies as a significant incident under NIS2 in Romania?
An incident that has caused, or is capable of causing, severe operational disruption of the entity's services, financial loss for the entity, or considerable material or non-material damage to other persons meets the reporting threshold. Cross-border consequences must be flagged in the notification but are not themselves the test for significance.