NIS2 Romania: GEO 155/2024, DNSC 30-Day Registration Window, and Compliance Requirements

At a glance: Government Emergency Ordinance No. 155/2024 and its parliamentary approval through Law No. 124/2025 are Romania’s NIS2 transposition instruments. The National Cybersecurity Directorate (DNSC) oversees registration, audits, and enforcement; CERT-RO handles incident response coordination. Registration opened via the NIS2@RO Tool following DNSC’s implementing orders on 20 August 2025 — entities had 30 days. Post-registration obligations run for approximately 90–150 days through a sequenced cascade of officer designation, risk assessment, maturity review, and remediation planning.

Romania completed NIS2 transposition on 31 December 2024 — among the first EU member states to do so. When DNSC’s implementing orders activated the registration clock on 20 August 2025, in-scope entities had exactly 30 days to register via the NIS2@RO Tool. That 30-day activation-to-registration interval was among the shortest seen anywhere in the EU. This guide explains what Romania’s two-phase NIS2 framework requires, how DNSC and CERT-RO divide responsibilities, how the registration process works, and what the post-registration compliance cascade looks like.

Romania’s NIS2 Legislative Framework: GEO 155/2024 and Law 124/2025

Romania transposed the NIS2 Directive in two legislative steps. Government Emergency Ordinance No. 155/2024 (GEO 155/2024) was adopted on 30 December 2024 and entered into force on 31 December 2024. It replaced Law No. 362/2018 — Romania’s NIS1 transposition — and established DNSC as the primary competent authority for the new cybersecurity framework.

Parliament subsequently approved and amended GEO 155/2024 through Law No. 124/2025, which entered into force on 10 July 2025. Law 124/2025 made several substantive changes beyond codification:

  • Pharmaceutical sector expansion: Added pharmaceutical distributors (NACE 4646) and retail pharmacies (NACE 4773) to the healthcare sector — categories not explicitly covered in the EU Directive’s original Annex
  • Digital infrastructure update: Replaced “content broadcasting network providers” with “content delivery network providers” (CDNs), aligning the law with technical practice
  • Food sector broadened: The food sector now covers entities performing any one of production, processing, or distribution — not all three simultaneously as in the original draft
  • Incident significance threshold clarified: An incident is significant if at least one statutory threshold condition is met; conditions are alternatives, not cumulative requirements
  • New standalone offences: Failure to implement required measures within committed deadlines, and failure to notify DNSC or provide documents on time, are now distinct punishable offences with fines of approximately €600–€120,000

For compliance planning, entities in Romania should reference the consolidated framework of GEO 155/2024 as amended by Law 124/2025. Law 362/2018 is largely repealed, though certain provisions under its Chapters IV and V remain temporarily in force pending revision.

DNSC: Romania’s NIS2 Competent Authority — and CERT-RO’s Separate Role

The National Cybersecurity Directorate (Directoratul Național de Securitate Cibernetică — DNSC) is Romania’s central NIS2 competent authority. Established through Emergency Ordinance 104/2021, DNSC consolidated cybersecurity supervisory functions previously distributed across multiple state bodies. Under GEO 155/2024, DNSC:

[Figure: DNSC versus CERT-RO comparison table of NIS2 Romania regulatory functions and reporting routes. Caption: Confusing DNSC with CERT-RO is a compliance error: registration goes to DNSC, incident reports go to CERT-RO.]
  • Maintains the official registry of essential and important entities
  • Conducts proactive, scheduled document-based and on-site inspections of essential entities
  • Oversees important entities reactively — triggered by incidents, complaints, or sector risk escalation
  • Issues binding regulatory orders and guidance (including Orders 1/2025 and 2/2025)
  • Imposes administrative sanctions: warnings, corrective mandates, operational restrictions, and fines

CERT-RO (Romania’s national Computer Security Incident Response Team) is a separate body with a distinct mandate: operational incident-response coordination, cross-border cyber threat escalation, and the national incident-reporting platform (PNRISC). Cybersecurity incident reports from in-scope entities go to CERT-RO — not DNSC.

This DNSC-CERT-RO division mirrors the supervisory/CSIRT split envisaged by NIS2 Article 8 and it matters operationally. DNSC investigates compliance failures and manages the registration regime. CERT-RO coordinates live incident response. During a significant incident, both are engaged: CERT-RO immediately for operational response, DNSC subsequently for any compliance investigation. Confusing the two channels — reporting to DNSC instead of CERT-RO for incidents — is a common procedural error that can delay mandatory reporting timelines.

Does NIS2 Apply to Your Romanian Organisation?

Three cumulative criteria determine whether an organisation falls within NIS2 scope in Romania:

[Figure: NIS2 Romania scope flowchart showing sector, size, and establishment criteria for mandatory compliance. Caption: Romanian entities must satisfy all three criteria (sector, size, and establishment) before NIS2 obligations apply.]

Criterion | Requirement
Sector | Provides services in an Annex I (essential) or Annex II (important) sector under GEO 155/2024
Size | Exceeds the medium enterprise threshold: 50+ employees, or €10M+ annual turnover or balance sheet total
Establishment | Registered in Romania, or providing services to Romanian recipients under specified conditions for cross-border digital service providers

Certain categories are in scope regardless of size:

  • Providers of public electronic communications networks or services
  • Trust service providers and top-level domain (TLD) registries
  • DNS service providers
  • Central public administration bodies
  • Entities that are the sole provider of a critical service with no viable substitute

Essential entities (Annex I) include: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, and space. They face proactive, periodic DNSC inspections on a scheduled cycle.

Important entities (Annex II) include: postal and courier services, waste management, chemicals manufacturing, food (production, processing, or distribution), manufacturing of certain goods (medical devices, computers, motor vehicles, machinery), digital providers (online marketplaces, online search engines, social networking platforms), and research organisations. Important entities face reactive oversight, escalating to active inspections if an incident occurs or sectoral risk warrants it.

DNSC classifies entities based on registration data. The risk-level score produced under Order 2/2025 then determines whether basic, intermediate, or advanced cybersecurity measures apply — a tiering mechanism unique to Romania’s implementation that goes beyond the essential/important binary.

DNSC Registration: The NIS2@RO Tool and the 30-Day Window

Romania’s registration regime activated not on the law’s entry into force but when DNSC’s implementing orders took effect. On 20 August 2025, DNSC published Orders 1/2025 and 2/2025 in the Official Gazette (No. 776/2025). These orders triggered a 30-day registration window ending on 19 September 2025.

Registration is processed through the NIS2@RO Tool at the DNSC portal. Where the NIS2@RO Platform (the fuller portal version) is unavailable, email submission or physical delivery to DNSC’s offices is accepted as a fallback. The registration notification must include:

  • Organisational identification and primary contact information for cybersecurity matters
  • Sector classification and entity category (essential or important)
  • IP address ranges and relevant technical footprint
  • Self-assessed service disruption impact score (per Order 2/2025, Annex 1)
  • Self-calculated cybersecurity risk level (per Order 2/2025, Annex 2 — based on attack exposure, threat actors, entity size, and service impact)

The risk-level score is not a pass/fail binary. It produces a classification — basic, intermediate, or advanced — that determines which tier of security requirements applies. Entities scoring at higher risk levels face correspondingly more demanding technical and organisational controls under GEO 155/2024.

The September 2025 registration deadline has passed. Entities that have not yet registered should contact DNSC directly. Under Law 124/2025, failure to register is a standalone offence attracting separate administrative sanctions independent of any substantive compliance audit.

The Post-Registration Compliance Cascade

Registration opens a sequenced cascade of compliance obligations. Romania’s post-registration framework is more structured than that of most EU member states: it extends onboarding into an active risk-documentation and remediation process spanning 90–150 days:

[Figure: NIS2 Romania post-registration compliance cascade showing four deadlines from officer designation to proof submission. Caption: After registering with DNSC, four sequential deadlines begin; missing any one is a standalone punishable offence.]

Timeline | Obligation
Within 30 days of the DNSC registration decision | Management body designates a cybersecurity-responsible person (officer) for networks and information systems
Within 60 days of submitting the risk-level assessment | Complete the cybersecurity maturity self-assessment against the applicable tier of requirements
Within 30 days of completing the maturity assessment | Submit the corrective action (remediation) plan to DNSC
Within 5 days of completing corrective actions | Notify DNSC with supporting documentation and evidence of completion

Law 124/2025 added an explicit offence for failure to implement corrective measures within committed deadlines — not just for missing plan submission, but for missing the implementation itself. The 5-day completion notification is also mandatory: DNSC must receive documentary evidence within five days, not during a later audit. Organisations that submit a remediation plan and then fail to notify completion within the five-day window face the new procedural sanctions of approximately €600–€120,000.

Core Security Obligations Under GEO 155/2024

GEO 155/2024 mirrors the risk-management measures in NIS2 Article 21. In-scope entities must implement proportionate technical, operational, and organisational controls covering:

[Figure: NIS2 Article 21 security controls honeycomb diagram showing mandatory obligations under GEO 155/2024. Caption: GEO 155/2024 mandates six Article 21 security controls, each requiring board-approved policy evidence for DNSC audits.]
  • Risk analysis and security policies — board-approved, documented, and subject to annual review
  • Incident management — detection, response, and mandatory reporting procedures aligned with CERT-RO timelines
  • Business continuity — backup systems, disaster recovery, and tested crisis-management procedures
  • Supply chain security — written security requirements and assessments for direct suppliers and service providers
  • Access control and multi-factor authentication — MFA mandatory for all privileged and administrative access
  • Cryptography and encryption — documented policies covering data in transit and at rest
  • Cybersecurity training — mandatory for staff; board members must complete NIS2 awareness training
  • Secure development and procurement practices — for organisations developing or procuring software systems

Board approval of risk-management measures is not a formality. DNSC’s enforcement philosophy, as observed across comparable EU supervisory frameworks, treats the absence of documented board-level engagement — missing approval records, unsigned policy sign-offs, no board training evidence — as a primary compliance failure independent of technical controls. Maintain timestamped, version-controlled evidence chains for all governance activities.

Incident Reporting to CERT-RO: Timelines and the Significance Threshold

Significant cybersecurity incidents must be reported to CERT-RO via the PNRISC platform. The reporting timeline mirrors NIS2 Article 23:

[Figure: NIS2 Romania PNRISC reporting timeline showing three stages: 24-hour early warning, 72-hour notification, 30-day final report. Caption: In Romania, CERT-RO incident reporting runs via PNRISC; missing the 24-hour early warning carries standalone penalties.]

Stage | Deadline | Content Required
Early warning | Within 24 hours of awareness | Nature of incident, affected systems, initial containment steps
Incident notification | Within 72 hours of awareness | Updated assessment, impact scope, initial mitigation measures
Final report | Within 30 days of incident notification | Root cause, full impact analysis, remediation completed and planned

Under Law 124/2025, an incident is significant when at least one of the statutory threshold conditions is met — conditions are alternatives, not a cumulative test. An incident causing serious operational disruption, significant financial loss, or material harm to other persons triggers mandatory reporting regardless of whether other thresholds are also crossed. This alternative-test approach is stricter in practice than cumulative frameworks: a single qualifying factor is enough.

Delays in the 24-hour early warning trigger standalone penalties under DNSC’s draft enforcement order (published October 2025). Late notification is treated as a separate offence from substantive non-compliance with security measures — fines apply even where no underlying security failure caused the incident.

Penalties and Management Personal Liability

Romania applies the NIS2 two-tier penalty framework:

Entity Type | Maximum Fine
Essential entities (Annex I) | Up to €10,000,000 or 2% of total worldwide annual turnover, whichever is higher
Important entities (Annex II) | Up to €7,000,000 or 1.4% of total worldwide annual turnover, whichever is higher

Law 124/2025 added two new offence categories — failure to implement measures within committed deadlines, and failure to notify DNSC or provide required documents on time — carrying fines of approximately €600 to €120,000. Both increase by 50% for repeat violations.

Fines are calculated on worldwide revenue, not local subsidiary turnover. A Romanian subsidiary of a global group generating €2B in worldwide revenue could face an essential-entity fine calculated against that global figure — a significant exposure for groups with even small Romanian operations classified as essential entities.

Management personal liability is explicit under GEO 155/2024. Directors and board members face personal responsibility for compliance failures, including temporary prohibition from exercising management functions in cases of severe or repeated non-compliance. Business partners suffering losses from inadequately prevented incidents may also pursue civil damage claims independently of regulatory enforcement.

Romania’s Broader Cybersecurity Ecosystem: Law 58/2023 and the CER Framework

NIS2 obligations sit alongside a broader national cybersecurity and cyberdefense framework in Romania. Law No. 58/2023 on the cybersecurity and cyberdefense of Romania establishes the legal architecture for national-level cybersecurity activities — covering public authorities, public institutions, and private entities operating public networks and computer systems. Law 58/2023 assigns coordination responsibilities to DNSC and the Romanian Intelligence Service (SRI) and defines the framework for national threat assessment, incident escalation to national-security level, and cyberdefense activities. For critical-sector organisations, Law 58/2023 obligations may run parallel to NIS2 requirements, each with distinct reporting channels.

Romania is also implementing the Critical Entities Resilience (CER) Directive alongside NIS2. For organisations in energy, transport, health, and banking, both frameworks apply simultaneously: NIS2 addresses cybersecurity risk management; CER addresses resilience against physical threats, natural hazards, sabotage, and terrorism. Organisations in these dual-scope sectors should coordinate their compliance documentation strategies to avoid duplication and ensure alignment between DNSC and CER-designated competent authorities.

The layered result: GEO 155/2024 as amended by Law 124/2025 for NIS2 cyber obligations; Law 58/2023 for national-security-adjacent cyber requirements; the forthcoming CER transposition for physical critical-infrastructure resilience. Each framework has distinct registration, reporting, and audit obligations.

Key Takeaways

  • Legal basis: GEO 155/2024 (in force 31 December 2024) consolidated by Law 124/2025 (in force 10 July 2025) — reference both when planning compliance. Note: searches for “Legea 362/2023” and “NIS2” reflect market confusion; the NIS2 transposition is GEO 155/2024, not any “362” law. Law 362/2018 was the repealed NIS1 framework.
  • DNSC is Romania’s NIS2 supervisory authority and entity registry; CERT-RO is the national CSIRT for incident response — incident reports go to CERT-RO, compliance inspections involve DNSC
  • Registration: The 30-day window ran from 20 August to 19 September 2025 via the NIS2@RO Tool; late registration is a standalone offence
  • Cascade: Registration → 30-day officer designation → 60-day maturity assessment → 30-day remediation plan submission → 5-day completion notification
  • Penalties: Up to €10M/2% for essential entities; +50% uplift for repeat violations; management personal liability applies; fines calculated on worldwide revenue
  • Romania-specific: Pharmaceutical sector expanded (NACE 4646/4773); alternative (not cumulative) incident significance threshold; risk-score tiering (basic/intermediate/advanced); Law 58/2023 and CER Directive add parallel obligations for critical-sector entities

This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.

Frequently Asked Questions

Is NIS2 law in Romania?

Yes. Romania transposed the NIS2 Directive through Government Emergency Ordinance No. 155/2024, adopted on 30 December 2024 and effective from 31 December 2024. Parliament subsequently approved and amended GEO 155/2024 through Law No. 124/2025, which entered into force on 10 July 2025. These instruments replaced the prior NIS1 framework under Law No. 362/2018.

Who is the NIS2 competent authority in Romania?

The National Cybersecurity Directorate (DNSC — Directoratul Național de Securitate Cibernetică) is Romania’s NIS2 supervisory authority. DNSC maintains the entity registry, conducts compliance audits, and imposes administrative sanctions. CERT-RO handles operational incident response coordination separately. When reporting a significant cybersecurity incident, organisations file with CERT-RO via the PNRISC platform; when facing registration requirements or compliance inspections, they engage DNSC.

What was the NIS2 registration deadline in Romania?

The registration deadline was 19 September 2025 — 30 days after DNSC Orders 1/2025 and 2/2025 entered into force on 20 August 2025. Registration is processed via the NIS2@RO Tool at the DNSC portal. Entities that have not yet registered should contact DNSC directly; failure to register is a standalone offence under Law 124/2025.

What are the NIS2 penalties in Romania?

Essential entities (Annex I) may face fines up to €10,000,000 or 2% of total worldwide annual turnover, whichever is higher. Important entities (Annex II) face fines up to €7,000,000 or 1.4% of worldwide turnover. Law 124/2025 added procedural fines of approximately €600–€120,000 for failure to meet implementation deadlines or notification requirements, increasing 50% for repeat violations. Directors and board members face personal liability for compliance failures.

What obligations follow after DNSC registration?

Post-registration obligations follow a cascade: designate a cybersecurity-responsible officer within 30 days of the DNSC registration decision; complete a cybersecurity maturity self-assessment within 60 days of submitting the risk level assessment; submit a corrective action (remediation) plan to DNSC within 30 days of completing the maturity assessment; notify DNSC with supporting documentation within 5 days of completing corrective actions.

Does Romania have cybersecurity laws beyond NIS2?

Yes. Law No. 58/2023 on the cybersecurity and cyberdefense of Romania establishes a national framework covering public authorities and private entities operating public networks, with DNSC and the Romanian Intelligence Service (SRI) assigned coordination responsibilities. Romania is also implementing the Critical Entities Resilience (CER) Directive. Organisations in energy, transport, and health sectors may face concurrent obligations under all three frameworks.
