Cybersecurity regulation in Romania (2026)

GEO 155/2024, published in the Official Gazette on 31 December 2024 and approved by Parliament as Law 124/2025 (in force 10 July 2025), is the principal national cybersecurity law transposing NIS2. It replaces the earlier NIS1 transposition, Law 362/2018.

The Directoratul Național de Securitate Cibernetică (DNSC), established by Emergency Ordinance 104/2021 under the General Secretariat of the Government, acts as the national NIS2 competent authority and operates CERT-RO. Entities must register with DNSC and submit ongoing compliance reports.

DNSC Order No. 1/2025 (registration/notification procedure) and Order No. 2/2025 (risk-level assessment methodology and incident classification thresholds) entered into force on 20 August 2025. In-scope entities had 30 days (deadline ~19 September 2025) to register via qualified electronic signature through the DNSC NIS2 portal.

Covered entities must issue an early warning within 24 hours of becoming aware of a significant incident, submit a follow-up notification within 72 hours, and provide a final incident report within one month. Notifications go to DNSC/CERT-RO and, where applicable, to sector-specific regulators.

Essential entities span energy, transport, banking, financial-market infrastructure, health, drinking water, wastewater, public administration, and space. Law 124/2025 expanded highly critical sectors to include retail pharmacies (NACE 4773). Important entities cover postal services, waste management, chemicals, food, manufacturing, digital providers, and research.

Essential entities face fines up to €10 million or 2% of global annual turnover (whichever is higher); important entities up to €7 million or 1.4%. Romania's overarching Cybersecurity Strategy 2022–2027, adopted by Government Decision 1321/2021, provides the strategic framework including development of sectoral CERTs and Operational Security Centres.