The NIS2 Directive comes with new rules for digital security in the EU, but they don’t have to be difficult to understand. We have summarized the most important information for you: who is affected, what obligations arise and how you can protect your organization effectively.
NIS2 is the European Directive that sets mandatory cybersecurity requirements for companies and institutions considered critical to the economy and society.
In Romania, NIS2 applies to medium and large companies (more than 50 employees or turnover over €10 million) in key or important sectors – directly or through the supply chain.
Organizations are required to implement a formal framework for identifying, assessing and addressing cybersecurity risks, including for suppliers and the supply chain, with direct management involvement.
Significant incidents must be reported to the DNSC within strict deadlines (initial alert, intermediate notification and final report), usually within 24 hours, together with information on the impact and remedial measures.
NIS 2 requires the implementation of appropriate technical and organizational measures, such as security policies, access control, multi-factor authentication, encryption, tested backups, continuous monitoring and business continuity plans.
The organization’s management has direct responsibility for approving, overseeing, and enforcing cybersecurity measures, including participation in mandatory NIS 2 training.
Organizations should assess the risks posed by suppliers, subcontractors and service providers and introduce cybersecurity contractual clauses as required by NIS 2.
Documented and regularly tested plans for business continuity, disaster recovery and cyber incident response are mandatory.
Organizations must be able to demonstrate, through clear documentation and records, that the NIS 2 measures are in place and functional, including in the context of controls carried out by the authorities.
Non-compliance with NIS 2 requirements can lead to significant fines in relation to overall turnover, mandatory corrective measures and, in certain situations, personal liability for members of management.
The DNSC is the lead competent authority for NIS2 in Romania, responsible for coordinating implementation, oversight and compliance. It administers the registry of critical and important entities, the registration platform and manages major cyber incidents as the national CSIRT, with the obligation to report within 24 hours.
In the electronic communications sector, NIS2 applies to providers of electronic communications networks and services. ANCOM supervises the application of cybersecurity requirements for telecom operators and ensures their alignment with specific regulations in the field, in collaboration with the DNSC.
In the energy sector, NIS2 applies to entities in generation, transmission, distribution and supply. ANRE coordinates the implementation of the Directive’s requirements at sectoral level and collaborates with the DNSC for the supervision of essential and important energy entities.
For the transport sector, NIS2 applies to air, rail, road and maritime transport operators and related critical infrastructure. The Ministry of Transport and Infrastructure enforces the requirements of the Directive and coordinates critical infrastructure operators in cooperation with DNSC.
In the health sector, NIS2 applies to health facilities and critical care providers. The Ministry of Health coordinates the implementation of cybersecurity requirements and collaborates with the DNSC to manage incidents with public health impact.
In applying NIS2, the DNSC cooperates with the ANSPDCP for personal data protection issues, as well as with the SRI and SIE for the protection of national cyber security and critical infrastructures with strategic relevance or external dimension.
The NIS2 Directive is formally transposed into Romanian law as of October 17, 2024, by Law no. 333/2024 and Government Decision no. 1087/2024, becoming mandatory for essential and important entities.
The official deadline to register with DNSC was September 19, 2025, but a significant number of organizations did not complete this process by the deadline.
The good news is that it’s not too late for compliance. The DNSC has communicated publicly and in writing that the authority’s priority in the first part of 2026 is voluntary compliance and helping companies, not the immediate enforcement of maximum fines.
Organizations that register during this period and submit a realistic compliance plan may benefit from additional implementation deadlines, procedural tolerance and, in the event of an inspection, the possibility of a reduction of penalties of up to 50%.
An entity is subject to the NIS2 Directive if it meets at least one of the following criteria:
and carry out direct or indirect activities in one of the regulated sectors.
NIS 2 not only covers organizations that operate directly in the regulated sectors, but also companies that provide essential services, products or support to them. Thus, an organization may fall within the scope of the Directive even if its role is that of a supplier, subcontractor or critical partner.
Correct NIS 2 compliance determines legal obligations, level of supervision and financial risks. A wrong or ignored classification can lead to sanctions, operational bottlenecks and legal exposure for management.
The energy sector includes entities involved in the production, transmission, distribution and supply of electricity, as well as oil, natural gas, hydrogen, district heating and energy market infrastructures. Unavailability or compromise of these systems has a direct impact on national security and the continuity of essential services.
NIS 2 applies to operators in air, rail, sea and road transport and their critical infrastructures. Cybersecurity in transportation is essential for the safety of passengers, the security of goods and the functioning of supply chains.
Credit institutions and banking service providers are considered essential entities because of their role in financial stability. NIS2 requires strict measures to protect IT systems, transactions and customer data, in addition to existing financial regulations.
This category includes exchanges, central counterparties and central depositories, whose secure functioning is essential for financial markets. A major cyber incident in this sector could have systemic effects at national and European level.
The healthcare sector includes hospitals, clinics, medical laboratories as well as manufacturers of critical medicines and medical devices. NIS2 aims to protect healthcare systems, patient data and continuity of care, where the unavailability of IT systems can have serious consequences for public health and life.
The entities responsible for the supply and distribution of drinking water are considered essential as they provide a vital service to the population. Cyber security is critical to prevent disruption or contamination of supply systems.
Wastewater collection and treatment systems are part of critical environmental and public health infrastructure. The NIS2 requires the protection of these systems against cyber incidents that can generate major environmental and health risks.
This category includes DNS and TLD service providers, cloud services, data centers, electronic communication networks and qualified trust services. Digital infrastructures are the backbone of the digital economy and a major vector of cyber risk.
NIS2 applies to specifically designated central and local public authorities providing essential public services. The protection of government IT systems is crucial for the continuity of public services and citizens’ trust and confidence.
The space sector includes operators of critical ground infrastructure supporting space activities (e.g. communications, navigation, observation). Although it is a less visible sector, the impact of a cyber incident can be cross-sectoral and cross-border.
NIS 2 applies to postal and courier service operators delivering critical goods, documents and products. These services are essential to the functioning of commercial and logistic chains and cyber incidents can affect deliveries, personal data and business continuity.
Entities managing waste with an impact on public health, the environment or national security fall under NIS 2. The protection of IT and OT systems in this sector is essential for the prevention of incidents with major impacts on the environment and the public.
Organizations involved in the production, handling, storage or distribution of hazardous chemicals are considered important entities because of the high associated risks. NIS 2 requires strict cyber security measures to prevent incidents with industrial, environmental or health impacts.
The food sector includes operators that produce, process or distribute food on a large scale. NIS 2 aims to protect food supply chains against cyber incidents that may affect food safety and continuity of supply.
This category includes manufacturers of medical devices and equipment, pharmaceuticals, electrical and electronic equipment, as well as critical industrial machinery and equipment, vehicles and automotive components, and other critical transportation equipment. NIS 2 aims to protect industrial processes and production chains against cyber-attacks with major economic impact.
Digital service providers, such as online marketplaces, search engines and social networks, are covered by NIS 2 due to the large volume of users and the potential impact of incidents on the digital economy and public trust.
This category includes managed services and managed security services providers that provide critical IT support to other organizations. Because of their position in the digital supply chain, an incident at this level can affect a large number of customers simultaneously.
Research organizations involved in strategic areas or with an impact on national or economic security are considered as important entities. NIS 2 requires the protection of research results, IT infrastructures and sensitive data against unauthorized access or compromise.
NIS 2 applies not only to critical and important entities, but also to companies in the supply chain that provide critical services, products or operational support to them. In Romania, the supply chain is the most common mode of entry under NIS 2, as the cybersecurity obligations extend to suppliers and partners on which the regulated entities are operationally dependent.
According to Directive (EU) 2022/2555 and OUG 155/2024, NIS 2 entities are obliged to manage supplier risks through assessments, contractual clauses and security controls. Furthermore, DNSC can directly designate as NIS 2 entity any organization with a critical role in the supply chain, even if it does not meet the size criteria.
In practice, deficiencies in the supply chain are considered as one of the main grounds for sanctions from 2026 onwards, in the context of the intensified NIS 2 controls.
Real examples from practice – how organizations under NIS 2 enter the supply chain
In practice, very many organizations fall under NIS 2 not through direct classification as essential or important entities, but through their operational role in the supply chain of regulated entities. Below are the most common situations encountered.
Please note: This is not an exhaustive list, only relevant examples from practice.
IT companies that manage or have access to systems used by NIS 2 entities may become regulated entities.
Concrete example:
Transportation and logistics operators become part of NIS 2 when they provide critical deliveries for essential or important entities.
Concrete example:
Companies that have physical or logical access to sensitive infrastructures are considered risk vectors.
Concrete example:
Suppliers supporting the operation of critical food businesses enter the regulated chain.
Concrete example:
Healthcare facilities that use advanced devices or serve public hospitals may fall under NIS 2.
Concrete example:
HoReCa falls under NIS 2 when it directly supports critical activities.
Concrete example:
Fines are set at the higher of the fixed ceiling or the percentage of annual global turnover, and for many Romanian companies they can amount to hundreds of thousands or millions of euros.
Serious infringements: up to €10 million or 2% of global turnover (whichever is higher).
Failure to comply with critical obligations, such as lack of risk management (Art. 21), failure to report major incidents within 24 hours, lack of continuity plans (BCDR), exposure of OT/SCADA systems or ignoring supply chain risks. In addition to a fine, authorities can order suspension of critical activities for up to 2 years, a ban on holding management positions for up to 5 years, forced remediation and publication of the incident.
Medium violations – can be sanctioned with fines between 1,500 and 500,000 lei.
Procedural violations, such as failure to register with the DNSC, failure to update risk registers or failure to carry out incident drills.
In these situations, mandatory annual audits, remediation plans and ongoing supervision by the DNSC may be required.
Minor infringements – fines between 1,000 and 100,000 lei, accompanied by warnings and the obligation to correct immediately, at the risk of escalation of sanctions.
(Reporting errors or documentary non-conformities.)
Serious infringements – fines of up to €7 million or up to 1.4% of annual global turnover, whichever is higher.
In the case of major non-compliances, such as lack of security policies, failure to implement multi-factor authentication (MFA), failure to report incidents within the legal deadline of 24 hours or ignoring DNSC requests and controls.
In addition to a fine, the authorities can order a suspension of up to one year, a ban on holding management positions for up to 2 years, forced remediation of deficiencies and public notification of affected customers.
Medium infringements – can be sanctioned with fines between 1,000 and 300,000 lei.
These include misconduct such as failure to register with the DNSC, delays in reporting incidents, failure to comply with procedural requirements or administrative violations.
In such situations, mandatory audits borne by the organization, repeated warnings and increased monitoring may be imposed.
Minor violations – fines between 1,000 and 100,000 lei, accompanied by administrative corrections and continuous monitoring.
These may relate to documentation non-compliance, lack of staff training or cybersecurity awareness deficiencies.
Compliance with NIS 2 is a mandatory and continuous cyber risk management process.
Taken in an unorganized or delayed approach, compliance can take 12-24 months, involve high costs and expose the organization to fines of millions of euros. Taken in a structured approach, the process can be completed in 4-9 months, with controlled costs, operational continuity and legal predictability.
Below, we present the 3 essential steps to be taken to correctly comply with NIS 2 before the first controls.
The first essential step in complying with NIS 2 is to correctly determine whether the organization is an essential entity, an important entity or a supply chain entity. Many medium and large companies fall under NIS 2 indirectly, through their operational role vis-à-vis energy, banking, healthcare or telecom entities.
Rapid clarification is needed on size criteria, membership of Annex I and II sectors and role in the supply chain, where DNSC can designate the entity even without meeting the classic criteria. Without this step, there is a risk of applying the wrong measures or missing critical obligations.
Until the first DNSC audit, organizations must demonstrate the implementation of the 8 mandatory categories of cybersecurity measures in proportion to their risk and maturity:
NIS 2 requires proof of compliance, not just formal implementation of measures. Management-approved policies, risk assessments, evidence of testing (backup, phishing, BCP/DR), incident reports and training records must be presented at the audit. Lack of documentation and testing is one of the most common causes of sanctions, including for large entities.
Acting now enables NIS 2 compliance to be achieved quickly, in a controlled and cost-optimized manner, while delaying significantly increases the risk of proactive controls and penalties from Q2-Q3 2026 onwards, as the official period of forbearance and accommodation by the authorities closes.
The DNSC is currently in a phase of transition and accommodation of the NIS 2 framework, providing real and active support to organizations through detailed public guidance, written clarifications, rapid operational responses, and a national series of free workshops dedicated to implementation. According to official communications sent to registered entities and public announcements, large-scale proactive controls are planned to start from Q2-Q3 2026, which creates a clear window of several months for voluntary compliance without immediate sanctioning pressure.
Those who start complying now benefit from a favorable context that is difficult to replicate later:
Time is limited, but compliance can be done correctly, predictably and to the benefit of the organization if the process is started now.
According to NIS 2 (transposed by OUG 155/2024), responsibility for cybersecurity is not only institutional but also personal. Governing bodies (directors, managing directors) must approve and supervise risk management measures, participate in accredited training and are directly liable for violations, and can be sanctioned with personal fines and temporary bans from management positions until non-compliances are fully remedied.
Reduction of penalties by up to 50% is only possible if the fine is paid within 15 days of notification (not necessarily conditional on immediate cooperation, but cooperation and remediation may influence the DNSC’s decision on further action). Postponement or partial cooperation eliminates this possibility and may aggravate sanctions.
The level of supervision varies according to the entity’s classification category, but the requirements remain high in all cases:
Some areas, such as national defense, national security (including SRI/SIE), foreign affairs (MAE), classified information and central banks (BNR), are totally or partially excluded from the application of this regime, according to the legal provisions (art. 2 of GEO 155/2024). Entities under DORA (Reg. (EU) 2022/2554) have limited application.
If there are many “no’s”, compliance should be started in stages, prioritizing critical requirements.
NIS2 is not “just IT”: it includes processes, people, governance and suppliers.
NIS2 is not solved with a set of “form” documents: it is the actual proof and functioning that counts in the control.
NIS2 is not “buy a tool and that’s it”: without processes and accountability, tools don’t help.
NIS2 does not only apply to ‘very large’ entities: many companies enter through the supply chain.
NIS2 is not a “one-off” project: it requires review, testing, reporting and continuous improvement.
Yes. The obligation remains in force. Late registration is preferable to non-registration, especially if accompanied by a realistic plan for compliance.
Yes, through the supply chain: if you provide critical services/processes for an NIS 2 entity, you may be contractually required to comply, audited by customers or even, under certain conditions, directly designated as an NIS 2 entity under the law.
In general: existence of a risk management framework, minimum technical measures, governance, providers and suppliers, continuity, incident reporting and, in particular, evidence that these are implemented and tested.
The major difference is the supervisory regime: essential – more proactive, important – more reactive; but the basic obligations remain serious in both cases.
Lack of testing (backup, DR, incident drills) and lack of records are among the most common vulnerabilities to controls.
Management has approval, oversight and resource obligations. Implementation is through clearly defined internal accountabilities and a demonstrable governance model.