Skip to content
World Watch/Romania/Cybersecurity

Cybersecurity · Romania

Cybersecurity law in Romania: NIS2 compliance (2026)

Comprehensive lawGovernment Emergency Ordinance No. 155/2024 (GEO 155/2024), as approved and amended by Law No. 124/2025, transposing EU NIS2 Directive (2022/2555); supervised by the Directoratul Național de Securitate Cibernetică (DNSC)Country index 96 · A+

Romania shaded by its cybersecurity status

Cybersecurity in Romania: comprehensive law, anchored by Government Emergency Ordinance No. 155/2024 (GEO 155/2024), as approved and amended by Law No. 124/2025, transposing EU NIS2 Directive (2022/2555); supervised by the Directoratul Național de Securitate Cibernetică (DNSC).

Romania fully transposed the EU NIS2 Directive through GEO 155/2024 (in force 31 December 2024), formally approved by Parliament as Law 124/2025 (in force 10 July 2025). The DNSC is the competent national authority and issued implementing Orders 1 and 2 of 2025 (in force 20 August 2025) covering entity registration, incident notification procedures, and risk-level assessment methodology. The regime applies to a broad range of essential and important entities across critical sectors and carries penalties up to €10 million or 2% of global annual turnover.

NIS2 & cybersecurity law in Romania

In Romania, baseline cybersecurity obligations come from the EU NIS2 Directive, transposed into national law, which sets risk-management and incident-reporting duties for essential and important entities.

Framework
the NIS2 Directive (EU) 2022/2555, transposed into national law
Approach
cybersecurity risk-management measures plus mandatory incident reporting for in-scope entities
Applies to
medium and large entities in critical sectors: energy, transport, banking, health, water, digital infrastructure, ICT and public administration
Incident reporting
an early warning within 24 hours and a full notification within 72 hours to the national CSIRT
Maximum fine
up to €10 million or 2% of global annual turnover for essential entities
Oversight
the national competent authority and CSIRT designated under NIS2

NIS2 is a directive, so Romania implements it through national law; exact scope and deadlines can vary slightly by transposition.

NIS2 in Romania: FAQ

Does NIS2 apply in Romania?

Yes. As an EU member, Romania has transposed the NIS2 Directive (EU) 2022/2555 into national law, covering essential and important entities in critical sectors.

Who must comply with NIS2 in Romania?

Medium and large organisations in sectors such as energy, transport, banking, health, water, digital infrastructure and public administration.

What are the NIS2 incident-reporting deadlines in Romania?

An early warning within 24 hours of becoming aware and a fuller incident notification within 72 hours to the national CSIRT.

What are the penalties under NIS2 in Romania?

Up to €10 million or 2% of global annual turnover for essential entities, with lower ceilings for important entities.

Key points

Primary legislation

GEO 155/2024, published in the Official Gazette on 31 December 2024 and approved by Parliament as Law 124/2025 (in force 10 July 2025), is the principal national cybersecurity law transposing NIS2. It replaces the earlier NIS1 transposition, Law 362/2018.

Competent authority, DNSC

The Directoratul Național de Securitate Cibernetică (DNSC), established by Emergency Ordinance 104/2021 under the General Secretariat of the Government, acts as the national NIS2 competent authority and operates CERT-RO. Entities must register with DNSC and submit ongoing compliance reports.

Implementing orders & registration

DNSC Order No. 1/2025 (registration/notification procedure) and Order No. 2/2025 (risk-level assessment methodology and incident classification thresholds) entered into force on 20 August 2025. In-scope entities had 30 days (deadline ~19 September 2025) to register via qualified electronic signature through the DNSC NIS2 portal.

Incident reporting duties

Covered entities must issue an early warning within 24 hours of becoming aware of a significant incident, submit a follow-up notification within 72 hours, and provide a final incident report within one month. Notifications go to DNSC/CERT-RO and, where applicable, to sector-specific regulators.

Scope & sector expansion

Essential entities span energy, transport, banking, financial-market infrastructure, health, drinking water, wastewater, public administration, and space. Law 124/2025 expanded highly critical sectors to include retail pharmacies (NACE 4773). Important entities cover postal services, waste management, chemicals, food, manufacturing, digital providers, and research.

Penalties & national strategy

Essential entities face fines up to €10 million or 2% of global annual turnover (whichever is higher); important entities up to €7 million or 1.4%. Romania's overarching Cybersecurity Strategy 2022-2027, adopted by Government Decision 1321/2021, provides the strategic framework including development of sectoral CERTs and Operational Security Centres.

Romania - other topics

Cybersecurity in other countries

Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →