Gruia Dufaut

NIS2 DIRECTIVE TRANSPOSITION: KEY OBLIGATIONS FOR ROMANIAN COMPANIES

Last updated: 26 March 2025

In a context of increasingly complex risks, particularly in cybersecurity, driven by the growing use of emerging technologies, Government Emergency Ordinance No. 155/2024, in force since December 31, 2024, transposes European Directive 2022/2555 [1] (the "NIS2 Directive") into national law. The Directive requires that a set of measures and mechanisms be adopted to ensure the cybersecurity of companies operating in key sectors such as energy, transport, healthcare, finance, and digital infrastructure. These companies are required to implement advanced cybersecurity measures to protect their networks and IT systems, with the aim of strengthening the national capacity to respond effectively to regional and global developments in cybersecurity.

Below we detail the legal and institutional framework, as well as the measures and mechanisms that the relevant entities in Romania must adopt in accordance with GEO No. 155/2024.

Entities concerned

Pursuant to the new legal text, entities subject to NIS 2 regulations are those meeting cumulatively the following conditions:

1) Are registered and duly incorporated in Romania;

2) Are considered essential or important entities, regardless of their size and scope of activity, because they:

  • Operate in sectors of "high critical importance" such as: energy (distribution and transmission operators, producers, designated electricity market operators, charging point operators, concessionaires and developers of thermal power plants etc.), oil (transmission pipeline operators, production facility operators, storage plants), gas (suppliers, distribution, transmission and storage operators, LNG system and refinery operators), hydrogen, transport (air, rail, maritime, road), banking, healthcare, finance, digital infrastructure, space, public administration, water treatment, and ICT service management

Or

  • Operate in "critical" sectors, such as postal and courier services, waste management, manufacturing, production and distribution of chemical substances, food production and distribution, manufacturing (medical devices, computers, electronic and optical products, transportation equipment), digital service providers (online marketplaces, search engines, social media platforms), and research (research entities).

Essential entities include central government entities, entities in the sectors of "high critical importance" and "critical importance" mentioned above, critical entities, and DNS service providers, qualified trust service providers, and TLD domain name registries, regardless of their size. Large companies (with more than 250 employees, or with an annual net turnover higher than €50 million, or with assets valued at more than €43 million) operating in "high critical importance" sectors are also considered essential.

Important entities are those qualifying as large and medium-sized enterprises operating in sectors of "high critical importance" and "critical importance", which are not considered essential according to Article 5 of the GEO No. 155/2024.

Thus, to determine whether a company falls within the scope of this legislation, it is necessary to first examine its scope of business, then its size.

The GEO does not apply to institutions in the field of defense, public order, and national security, in accordance with the provisions of Article 6 of Law No. 51/1991 on National Security of Romania. It also does not apply to the Ministry of Foreign Affairs, the Office of the National Registry of State Classified Information, and law enforcement entities, including those involved in the prevention, investigation, and prosecution of offenses. Information technology and communications systems processing classified information are also excluded from its scope.

Obligations of entities concerned by NIS2

In accordance with the GEO No. 155/2024, the entities concerned must implement cybersecurity measures proportionate to the risks to which they are exposed.

The main obligations include:

  • Registration with the DNSC (National Directorate for Cyber Security): each entity must submit a file containing information on its name, address, legal representative, sector of activity, and the Member States where it provides services, including its public IP addresses (for certain IT providers), and must notify any subsequent changes to this data.
  • Risk assessment: entities must identify, assess, and manage the security risks related to their networks and IT systems.
  • Cybersecurity audits: entities must undergo cybersecurity audits regulated by the competent authority and report to the DNSC the list of their assets and identified risks, as well as other requested documents (information on cloud service providers, data centres, etc.).
  • Protective measures: this includes the protection of computer networks and systems, cyber incident management, and crisis management.
  • Identification and reporting of cybersecurity incidents: any incident with a significant impact on service delivery must be reported within a maximum of 6 hours to the National Cybersecurity Incident Response Team. Entities must also notify their customers if a significant incident is likely to affect their services. An incident is considered significant if: a) it has caused or is likely to cause a major interruption of services or financial losses for the entity, or b) it has affected or is likely to affect other natural or legal persons, causing significant material or immaterial damage. Incidents are reported via the National Cybersecurity Incident Reporting Platform, in accordance with Article 20 of Law No. 58/2023.
  • Staff training: Companies must train their employees, including members of management, in the prevention and management of cyber risks and designate a person responsible for the security of their networks and IT systems (except for SMEs governed by Law No. 346/2004).

Sanctions for non-compliance

Failure to comply with these obligations may result in sanctions, ranging from a warning to fines of up to €10 million or up to 1.4% or 2% of net turnover (whichever is higher), depending on the nature of the entity and the violations identified.

Upon a decision by the Director of the DNSC, steps can be taken to notify the competent authorities, institutions, or entities with a view to temporarily suspending the certifications or authorizations of the company concerned, which may impact all or part of its core activities. This notification may include a temporary ban on exercising management functions (executive manager or legal representative) within the entity concerned.

Note

  1. DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive)
