Romania has taken another step in aligning its national legislation with EU norms by transposing the Directive on Network and Information Security (NIS2), which updates and enhances measures in the field of cybersecurity. The transition from NIS1 to NIS2 involves several transformations in the regulation and management of cybersecurity.
Thus, the Romanian Government adopted Emergency Ordinance no. 155/2024 for the transposition into national legislation of Directive (EU) 2022/2555 on measures for a high common level of cybersecurity in the Union (NIS2 Directive). This directive is a key pillar of the European Union’s strategy for increasing cyber resilience and was designed to address the growing vulnerabilities and increasingly complex threats in the digital space.
Through Emergency Ordinance no. 155/2024, Romania has harmonized its national legislation with these provisions, thus strengthening the protection of critical infrastructures and networks essential for the functioning of the economy and society. Additionally, OUG 155/2024 repeals and replaces, with the exception of two chapters, the previous provisions of Law no. 362/2018, which regulated the implementation of the NIS1 Directive.
The main provisions of Emergency Ordinance no. 155/2024 address:
- Expansion of scope: The introduction of an extended list of sectors and subsectors subject to cybersecurity requirements. Cybersecurity rules are mandatory in the following sectors:
  - Critical sectors (11 sectors and 9 subsectors): energy (electricity, centralized heating and cooling, oil, gas, hydrogen); transport (air, rail, water, road); the banking sector; financial markets; health; drinking water; wastewater; digital infrastructure; public administration; ICT service management (B2B); and space activities.
  - Sectors of major importance (7 main sectors and 6 subsectors): postal and courier services; waste management; the manufacture, production, and distribution of chemicals; food production, processing, and distribution; general manufacturing (medical devices, computers, electronic and optical products, electrical equipment, machinery and equipment, vehicles, trailers and semi-trailers, transport equipment); digital providers (marketplaces, search engines, social networking platforms); and research.
NIS2 divides the targeted entities into two categories:
  - Essential entities: Entities in central public administration, DNS service providers, qualified trust service providers, and any other entity classified as essential by the ordinance annexes (e.g., energy, transport, banking sector, financial market infrastructure, health, water supply, digital infrastructure, etc.).
  - Important entities: Entities organized by size (large and medium) that provide critical services but do not fall into the essential entities category (e.g., waste management operators, postal and courier services, food production, etc.).
- Increased obligations for essential operators and digital service providers, who must implement advanced systems for cyber risk management, business continuity and recovery plans, and measures to report security incidents within a maximum of 24 hours of their discovery.
- Establishment of a cybersecurity cooperation framework, involving a national coordination mechanism through the National Authority for Administration and Regulation in Communications (ANCOM) and the National Cybersecurity Incident Response Center (CERT-RO), as well as collaboration with other EU member states through the CSIRTs network (Cybersecurity Incident Response Teams).
DNSC (National Cybersecurity Directorate) remains the national authority with primary responsibilities in cybersecurity. DNSC’s role includes coordinating, monitoring, and ensuring the implementation of NIS2 directive measures, evaluating the compliance of essential and important entities, managing cybersecurity incidents, and applying penalties in cases of non-compliance.
- Stricter penalties for non-compliance: If requirements are not met, DNSC and other competent authorities may impose fines of up to 1.4% of the annual turnover for important entities and 2% for essential ones, with maximum limits of €7,000,000 and €10,000,000, respectively. Additional measures may also be taken, such as temporary suspension of certain activities, provisional prohibition from holding management positions, or the obligation to remedy identified vulnerabilities and inform affected clients.
- Mandatory education and training in cybersecurity: Both public institutions and private entities must organize regular training programs for their employees to raise awareness of risks and the importance of cybersecurity. They must also implement tested fundamental protection practices, increase public awareness of cyber risks (including phishing attacks), constantly reevaluate their cyber defense capabilities, and integrate advanced technological solutions, such as artificial intelligence, to strengthen the security of internal networks and information systems.
- Addressing supply chain security, recognizing that cyber risks do not originate only within organizations but also from relationships with suppliers and business partners, especially in the ICT sector.
- Enhanced organization of an internal security management system, which includes the obligation to report cybersecurity incidents that significantly affect service continuity within 24 to 72 hours of identifying a relevant incident, followed by a final evaluation after 30 days, submitted through the national platform for reporting cybersecurity incidents (PNRISC). Additionally, the transposed directive establishes several parameters (number of users affected, duration, impact area) to determine whether an incident is significant enough to report. Given the directive’s emphasis on cooperation and information sharing, the final notification must provide a detailed description of the incident, including its severity and impact, threat type, causes, and the measures adopted to resolve the situation.
Entities will also need to appoint a person responsible for the security of networks and information systems. Audit obligations are also established, including periodic cybersecurity audits (or ad hoc, at DNSC’s request) for the entities concerned.
Adopting Emergency Ordinance no. 155/2024 comes in the context of an increasingly complex and threatening cyber landscape, aiming to contribute to increasing the level of protection for critical infrastructures and essential services, reducing the impact of cyberattacks on the economy and society, and aligning Romania with European and international standards in digital security.
Although transposing the NIS2 Directive through Emergency Ordinance no. 155/2024 involves significant challenges, from high costs for implementing cybersecurity measures to the need to develop technical skills and qualified human resources, with the proper application of the new regulations, Romania’s system will become more resilient to cyberattacks and more competitive in the digital field at the European level.
For further information or any additional inquiries, please do not hesitate to contact us:
➡ Phone: (+4) 031 426 0745
📧 Email: office@grecupartners.ro
We are here to assist and provide legal support for all your needs. We look forward to discussing with you.
Mihaela Murariu – Attorney at Law