Romania launches orders to implement the NIS2 framework, 30 day registration deadline in effect

Cristina Popescu
Cristina Popescu
Carmen Turcu
Carmen Turcu
Andrei Constantin
Andrei Constantin

Romania is now aligning its national cybersecurity framework with the EU’s NIS2 Directive, which aims to strengthen the cybersecurity posture of essential and important entities across the EU. The Directive was transposed into national law through Government Emergency Ordinance no. 155/2024 (GEO 155/2024), adopted at the end of 2024. Full application, however, will come when National Cybersecurity Directorate (DNSC) adopts secondary legislation.

On 20 August 2025, two pivotal orders surrounding the NIS2 transposition law appeared in the Official Gazette and entered into force:

  • Order 1/2025, approving the requirements for the notification process for registration and the method of information transmission;
  • Order 2/2025, establishing criteria and thresholds for determining the degree of disruption of a service, and the methodology for assessing the risk level of entities.

Most importantly, the publication of the Order 1 deadline for entities falling within the scope of GEO 155/2024 calls for their registration with the DNSC.

Order 1: Notification process for registration

All entities operating in the sectors listed in Annex 1 or Annex 2 to GEO 155/2024 must notify the DNSC for registration within 30 days of Order 1’s entry into force.

Registration can be completed via the following:

  • the NIS2@RO Platform, once operational;
  • the NIS2@RO Tool, in the interim; or
  • physical submission, if neither electronic option is available.

Entities using the Tool (point two above) must download and complete a notification form and submit it by email. Once the platform is launched, these entities will also need to create a platform account.

Among the information required in the notification form, entities are required to include results of the following self-assessments:

  • the impact of service disruption made in accordance with Order 2;
  • whether the entity qualifies as a critical entity under resilience legislation;
  • whether the provision of services depend on information and communications infrastructure of national interest as per art. 9(d) of GEO 155/2024;
  • whether the entity is the sole provider of a service that is essential for supporting critical social and economic activities, as per art. 9(a) of GEO 155/2024.

The DNSC will review all notifications and supporting documents (possibly requesting clarifications) and will issue a formal decision identifying and registering the entity as essential or important where applicable.

Order 2: Criteria and thresholds for determining the degree of disruption of a service and methodology for assessing risk level of entities

Entities not already classified as essential or important in accordance with Article 5(1)(a) and (c) to (f) and (2) to (4), Article 6(1) and (2)(b) and (c) and Article 9(a) and (d) of GEO 155/2015 must self-assess the potential disruption of services they provide. Under Order 2, service disruption is defined as the interruption or impairment of service functionality or confidentiality

Annex 1 of Order 2 sets the criteria and thresholds for determining whether disruption has a low, medium or high impact, based on factors such as fundamental rights, economy, health, finances, national security and cross-border effects. The completed self-assessment must be submitted alongside the registration form provided under Order 1.

Annex 2 of Order 2 sets out the methodology for calculating an entity’s cybersecurity risk level, using attack types, threat actors, entity size, and impact/probability, resulting in a score that determines whether the entity must implement basic, important or essential cybersecurity measures.

Entities must upload their self-assessment via:

  • the NIS2@RO Platform; or
  • the ENIRE@RO Tool, if the NIS2@RO Platform is unavailable or if a preliminary assessment of an entity’s risk level is needed. If an entity has not used the NIS2@RO Platform in the risk assessment process due to its unavailability, the entity is required to complete and upload the report and supporting documents, as applicable, within a maximum of 20 days from the date the platform becomes available.

According to art. 18(6) of GEO 155/2024, this self-assessment must be filed within 60 days of the DNSC’s communication identifying the entity as essential or important.

Next steps for entities

All entities subject to GEO 155/2024 must:

  • Conduct the required self-assessments mandated by the notification form, including on service disruption, as per Annex 1 of Order 2.
  • Register with the DNSC within 30 days as of 20 August 2025, submitting the completed notification form and the supporting documentation as per Order 1.

Failure to comply within the 30-day window may result in heavy penalties: fines of up to RON 300,000 for important entities and RON 500,000 for essential entities.

Beyond registration, companies identified as important or essential must comply with the full set of obligations under GEO 155/2024. This includes conducting the risk-level self-assessment provided for in Annex 2 of Order 2. Failure to meet this obligation is subject to the same sanctioning regime as non-registration with fines of up to RON 300,000 for important entities and RON 500,000 for essential entities.

Cristina Popescu, Partner CMS Cameron McKenna Nabarro Olswang LLP SCP
Carmen Turcu, Associate CMS Cameron McKenna Nabarro Olswang LLP SCP
Andrei Constantin, Lawyer CMS Cameron McKenna Nabarro Olswang LLP SCP