Deadline approaches: NIS2 registration and risk evaluation in Romania
New DNSC orders clarify NIS2 obligations. Failure to register by 22 September may expose entities to sanctions
New cybersecurity rules require urgent action from Romanian businesses.
Romania has recently enacted two key secondary legislative instruments under the NIS2 framework, triggering immediate compliance obligations for entities covered by Government Emergency Ordinance (GEO) no. 155/2024, which transposes the NIS2 Directive into national law. The National Cybersecurity Directorate (DNSC) has introduced mandatory registration and risk assessment procedures for in-scope entities.
In this update, we explain:
- What key requirements are introduced by the two new DNSC orders;
- Which entities must register with DNSC and by when; and
- Practical steps companies should take to prepare.
1. In-scope NIS2 entities must register with the DNSC by 22 September 2025
DNSC Orders 1/2025 and 2/2025 operationalise NIS2 obligations.
On 20 August 2025, the DNSC enacted Order no. 1/2025 and Order no. 2/2025, which implement the registration and risk assessment obligations under GEO 155/2024:
- Order No. 1/2025 – Registration process:
  - Establishes the notification procedure and information transmission method.
  - Registration must be completed via:
    - the NIS2@RO Tool (currently active);
    - the NIS2@RO Platform (once launched); or
    - physical submission if digital options are unavailable.
- Order No. 2/2025 – Risk assessment methodology:
  - Establishes criteria and thresholds for determining service disruption.
  - Sets out the methodology for assessing entities’ risk level.
GEO 155/2024 categorises organisations into two main groups based on their role in critical infrastructure and societal impact:
i. Essential Entities
These are organisations operating in sectors considered vital to national and EU-level resilience. They include:
- Energy: electricity, oil, gas, hydrogen providers, district heating or cooling operators
- Transport: air, rail, water and road transport operators
- Banking and financial-market infrastructure
- Health: hospitals, clinics and pharmaceutical distributors
- Drinking water and wastewater
- Digital infrastructure: data centers, cloud services, DNS providers
- Public administration
- Space sector
ii. Important Entities
These entities are also critical but operate in sectors with slightly lower systemic impact. They include:
- Postal and courier services
- Waste management
- Food production and distribution
- Chemical manufacturing
- Manufacturing of medical devices
- Manufacturing of computers, electronic and optical products
- Electrical equipment manufacturing
- Automotive manufacturers
- Digital providers: online marketplace providers, online search engine providers and online social networking platform providers
- Research
In-scope NIS2 entities are classified based on:
- Sector of activity (as listed in Annexes 1 and 2 of GEO 155/2024)
- Size and scale of operations
- Criticality of services provided (e.g., sole provider status or dependency on national infrastructure)
- Potential impact of service disruption on public safety, economy or national security
Only registrations submitted after 20 August 2025 are valid
The DNSC has clarified that notifications submitted prior to 20 August 2025 are not legally valid. Only notifications made in accordance with Order No. 1/2025 will be recognised. For this purpose, the DNSC has provided a notification instrument/form, in Romanian, available on the DNSC webpage.
2. New methodology for assessing service disruption and risk levels
Order No. 2/2025 introduces structured self-assessment requirements.
Using the methodology outlined in Order No. 2/2025, in-scope NIS2 entities must evaluate their exposure to service disruption and cybersecurity risks by assessing:
- their service disruption impact (Annex 1 of Order No. 2/2025);
- their cybersecurity risk level (Annex 2 of Order No. 2/2025); and
- whether they are a sole provider of a critical service.
The risk level assessment must be submitted within 60 days from the communication of DNSC’s decision regarding the entity’s identification and registration in the registry of essential and important entities.
Furthermore, in-scope NIS2 entities must:
- Conduct a maturity self-assessment of their cybersecurity measures within 60 days after the submission to the DNSC of the risk level assessment; and
- Submit a remediation plan to the DNSC within 30 days of completing the maturity assessment.
3. What should companies do next?
To ensure timely and effective compliance with the new NIS2 obligations, Romanian businesses should take the following steps:
- Identify applicability:
  - Review Annex 1 and Annex 2 of GEO 155/2024 to determine whether they qualify as an “essential” or “important” entity.
- Register with the DNSC:
  - Use the official notification instrument provided by the DNSC to submit the registration no later than 22 September 2025.
  - Ensure the submission is made in accordance with Order No. 1/2025, as prior notifications are not valid.
- Conduct risk and maturity assessments:
  - Follow the methodology in Order No. 2/2025 to assess the risk of service disruption, cybersecurity exposure and the company’s role as a sole provider of critical services.
  - Submit the risk-level assessment within 60 days of the DNSC’s registration confirmation.
  - Complete a maturity self-assessment of cybersecurity measures within 60 days of the risk-assessment submission.
  - Develop a remediation plan based on the maturity assessment and identify gaps in cybersecurity risk management. The plan should be submitted to the DNSC within 30 days of the self-assessment.
- Establish internal governance:
  - Assign internal responsibility for NIS2 compliance (e.g. a dedicated compliance officer or cybersecurity lead).
  - Set up internal tracking systems for deadlines and documentation.
4. Conclusion
The enactment of DNSC Orders No. 1/2025 and No. 2/2025 marks an important step in Romania’s implementation of the NIS2 Directive, introducing immediate and structured compliance obligations for a wide range of entities. With tight deadlines and clearly defined procedures, organisations must act swiftly to assess their status, complete registration and carry out risk and maturity evaluations. Early preparation and proactive engagement with the new requirements will not only ensure compliance but also strengthen overall cybersecurity resilience in an increasingly regulated digital landscape.