Cybersecurity · Romania
Cybersecurity law in Romania: NIS2 compliance (2026)
Romania shaded by its cybersecurity status
Cybersecurity in Romania: comprehensive law, anchored by Government Emergency Ordinance No. 155/2024 (GEO 155/2024), as approved and amended by Law No. 124/2025, transposing EU NIS2 Directive (2022/2555); supervised by the Directoratul Național de Securitate Cibernetică (DNSC).
Romania fully transposed the EU NIS2 Directive through GEO 155/2024 (in force 31 December 2024), formally approved by Parliament as Law 124/2025 (in force 10 July 2025). The DNSC is the competent national authority and issued implementing Orders 1 and 2 of 2025 (in force 20 August 2025) covering entity registration, incident notification procedures, and risk-level assessment methodology. The regime applies to a broad range of essential and important entities across critical sectors and carries penalties up to €10 million or 2% of global annual turnover.
NIS2 & cybersecurity law in Romania
In Romania, baseline cybersecurity obligations come from the EU NIS2 Directive, transposed into national law, which sets risk-management and incident-reporting duties for essential and important entities.
- Framework
- the NIS2 Directive (EU) 2022/2555, transposed into national law
- Approach
- cybersecurity risk-management measures plus mandatory incident reporting for in-scope entities
- Applies to
- medium and large entities in critical sectors: energy, transport, banking, health, water, digital infrastructure, ICT and public administration
- Incident reporting
- an early warning within 24 hours and a full notification within 72 hours to the national CSIRT
- Maximum fine
- up to €10 million or 2% of global annual turnover for essential entities
- Oversight
- the national competent authority and CSIRT designated under NIS2
NIS2 is a directive, so Romania implements it through national law; exact scope and deadlines can vary slightly by transposition.
NIS2 in Romania: FAQ
Yes. As an EU member, Romania has transposed the NIS2 Directive (EU) 2022/2555 into national law, covering essential and important entities in critical sectors.
Medium and large organisations in sectors such as energy, transport, banking, health, water, digital infrastructure and public administration.
An early warning within 24 hours of becoming aware and a fuller incident notification within 72 hours to the national CSIRT.
Up to €10 million or 2% of global annual turnover for essential entities, with lower ceilings for important entities.
Key points
GEO 155/2024, published in the Official Gazette on 31 December 2024 and approved by Parliament as Law 124/2025 (in force 10 July 2025), is the principal national cybersecurity law transposing NIS2. It replaces the earlier NIS1 transposition, Law 362/2018.
The Directoratul Național de Securitate Cibernetică (DNSC), established by Emergency Ordinance 104/2021 under the General Secretariat of the Government, acts as the national NIS2 competent authority and operates CERT-RO. Entities must register with DNSC and submit ongoing compliance reports.
DNSC Order No. 1/2025 (registration/notification procedure) and Order No. 2/2025 (risk-level assessment methodology and incident classification thresholds) entered into force on 20 August 2025. In-scope entities had 30 days (deadline ~19 September 2025) to register via qualified electronic signature through the DNSC NIS2 portal.
Covered entities must issue an early warning within 24 hours of becoming aware of a significant incident, submit a follow-up notification within 72 hours, and provide a final incident report within one month. Notifications go to DNSC/CERT-RO and, where applicable, to sector-specific regulators.
Essential entities span energy, transport, banking, financial-market infrastructure, health, drinking water, wastewater, public administration, and space. Law 124/2025 expanded highly critical sectors to include retail pharmacies (NACE 4773). Important entities cover postal services, waste management, chemicals, food, manufacturing, digital providers, and research.
Essential entities face fines up to €10 million or 2% of global annual turnover (whichever is higher); important entities up to €7 million or 1.4%. Romania's overarching Cybersecurity Strategy 2022-2027, adopted by Government Decision 1321/2021, provides the strategic framework including development of sectoral CERTs and Operational Security Centres.
Romania - other topics
Cybersecurity in other countries
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →