Cybersecurity regulation in Moldova (2026)

Published in the Official Gazette 2023, no. 151-153, art. 225, and effective 1 January 2025. Transposes Articles 3 and Annexes I–II of EU NIS2 Directive (2022/2555), establishing scope, definitions, governance, and obligations for critical-sector service providers.

The Cybersecurity Agency (ASC/NCSC-MD), created by Government Decision No. 1028/2023 in December 2023, exercises national cybersecurity policy, supervisory, and control functions, and serves as the NIS2-designated competent authority and national single point of contact.

Essential and critical-sector service providers must report significant cyber incidents to the Cybersecurity Agency. Government Decision No. 562/2025 sets specific cybersecurity obligations and reporting duties for providers in critical sectors; a State Register of Cyber Incidents will enable centralised monitoring.

Government Decision No. 860/2024 identifies which service providers fall within scope. Coverage tracks NIS2 Annexes I–II sectors (energy, transport, banking, health, digital infrastructure, etc.) and applies to medium-sized or larger entities; supervisory powers include compliance verification over operators of critical information infrastructure.

CERT-GOV-MD, operating under the Information Technology and Cyber Security Service (STISC), is Moldova's sole operational CSIRT and handles incidents for public administration. It is a registered FIRST member and the Council of Europe-recognised national CERT.

Transposition is acknowledged as partial; authorities are continuing full alignment with NIS2 as part of EU accession obligations (candidate status since June 2022, negotiations opened June 2024). The National Cybersecurity Programme 2026–2030 will guide further development.