The National Cyber Security Directorate (DNSC) recently published a draft order for public consultation, which outlines the notification process for registration and the method of transmitting information.

This long-awaited order implements the obligation for essential and important entities to register with the DNSC, which was specified under Government Emergency Ordinance No. 155/2024 (GEO 155).

GEO 155, which entered into force at the end of 2024, transposes the NIS2 Directive into Romanian law. The NIS2 Directive establishes a unified legal framework to uphold cybersecurity in 18 critical sectors across the EU.

Initially, under GEO 155, entities were required to register with the DNSC by the end of January 2025. Since the registration process, however, depends on implementing DNSC orders, which were not adopted in time, the DNSC stated in several press releases that registration would only commence after these orders are issued.

In this context, the DNSC published the draft order for public consultation.

Draft order’s key provisions

The draft order outlines the registration process, which will be mainly conducted via the ATHENA platform, accessible at platformanis2.ro. Entities will need to create a user account to complete the registration.

If the ATHENA platform is unavailable, entities must use an alternative instrument, NIS2@RO, by downloading the required form from the DNSC websites. In such cases, notification must be submitted via email to the DNSC or physically at its headquarters.

Additionally, the draft order specifies the required information to be included in the notification (i.e. the notification form can be found in Annex 1).

Public consultation and next steps

This draft order is currently open for public consultation, allowing stakeholders to provide feedback and suggestions on its content.

To access the full document and learn more about the public consultation process, visit the official DNSC website at https://dnsc.ro/pagini/transparenta-decizionala.

The registration process is a key obligation under the NIS2 Directive, a first step in the journey to ensure critical and important entities comply with cybersecurity regulations. Given its importance, affected entities should closely monitor developments and prepare for the official issuance of the order to meet their compliance requirements in a timely manner.

Cristina Popescu, Partner CMS Cameron McKenna Nabarro Olswang LLP SCP
Carmen Turcu, Associate CMS Cameron McKenna Nabarro Olswang LLP SCP