The NIS2 Directive in Romania: your roadmap to compliance in 2026
The NIS2 Directive (Directive (EU) 2022/2555) is Europe's second-generation cybersecurity framework, replacing the 2016 NIS directive. Romania transposed it through GEO 155/2024, which entered into force in October 2024 — and it extended legal obligations to thousands of mid-market companies that were never previously regulated under cybersecurity legislation.
If your company operates in one of the sectors covered by NIS2, you are now subject to security risk-management obligations, incident-reporting deadlines, and personal liability at the director level. This guide is your roadmap.
Are you in scope?
NIS2 classifies regulated entities into two categories:
- Essential entities — large companies (250+ employees or turnover above €50 million) in sectors such as energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, and public administration.
- Important entities — medium-sized companies (50+ employees or turnover above €10 million) in the same sectors, plus postal services, waste management, chemical production, the food industry, manufacturing of medical devices and electronics, digital providers (online marketplaces, search engines, social networks), and research.
The thresholds apply at the level of the entire company, not per unit or location. A chemical processor with 60 employees in Sibiu County is an important entity, even if only fifteen of them ever touch the IT systems.
One aspect that is often missed: NIS2 also captures the entire supply chain. An essential entity is obliged to vet its critical suppliers for a security level equivalent to NIS2 — which means that even SMEs that are not directly regulated can find themselves under indirect pressure from their enterprise customers.
What the directive concretely requires
NIS2 codifies ten security risk-management measures that every regulated entity must put into practice:
- Risk analysis and information system security policies — documented, with named owners, reviewed at least annually.
- Incident handling — defined procedures for detection, triage, containment, and recovery.
- Business continuity — backup management, disaster recovery, and crisis-management capability.
- Supply chain security — risk assessment of suppliers and contractual security obligations.
- Security in the acquisition, development, and maintenance of network and information systems — secure SDLC, vulnerability disclosure management, patching.
- Effectiveness measurement — security KPIs and testing programmes (penetration tests, tabletop exercises).
- Cyber hygiene and training — mandatory periodic training for all staff with access to systems.
- Cryptography — encryption policies covering data at rest and in transit.
- Human resources security and access control — onboarding/transfer/offboarding processes, the principle of least privilege, MFA.
- Multi-factor authentication and secured communications — MFA on all administrative and remote access, with documented exceptions.
This is not a list of aspirations. These are obligations, enforced by the DNSC (the National Cyber Security Directorate) — Romania's NIS2 supervisory authority.
The 24-hour clock
NIS2 introduces a strict, cascading incident-reporting regime. From the moment a significant incident is detected:
- 24 hours — you submit an early warning to the DNSC, describing whether the incident is suspected to have been caused by an unlawful or malicious action.
- 72 hours — you submit an incident notification with an initial assessment of severity, impact, and indicators of compromise.
- One month — you submit a final report covering the root-cause analysis, the remediation measures applied, and the lessons learned.
A "significant incident" is defined broadly: any event that causes severe operational disruption, financial loss, or material impact on other natural or legal persons qualifies. The clock starts at detection, not at containment — an environment without 24/7 monitoring will systematically miss the first deadline.
Fines and personal liability
The NIS2 sanctions regime is deliberately punitive:
- Essential entities — fines of up to €10 million or 2% of global annual turnover, whichever is higher.
- Important entities — fines of up to €7 million or 1.4% of global annual turnover, whichever is higher.
Beyond the fines, the directive introduces personal liability for management. Directors who fail to ensure compliance with NIS2 obligations can be held personally liable, suspended from their management positions, or barred from holding executive positions in regulated entities. This is a structural shift: cybersecurity is no longer a CIO problem that can be delegated to IT — it is a fiduciary duty at the board level.
A pragmatic roadmap: 12 weeks
For a mid-market important entity starting from scratch, a tractable path to NIS2 compliance looks roughly like this:
Weeks 1–2 — Scoping and gap analysis You inventory the in-scope systems, identify the regulated activity, and map existing controls against the ten NIS2 measures. The output: a gap matrix prioritised by risk and effort.
Weeks 3–6 — Baseline controls You implement universal MFA, harden privileged access, stand up endpoint detection and response (EDR), and establish encrypted backups with offline copies. These four controls alone close around 60% of the gap.
Weeks 7–9 — Documentation and governance You draft the information security policy, the incident response plan, the business continuity plan, and the supplier security questionnaire. You name owners. You brief management.
Weeks 10–11 — Validation You run a tabletop exercise that simulates a ransomware incident with regulatory notification. You run a penetration test on externally exposed systems. You resolve the findings.
Week 12 — Registration and ongoing obligations You register with the DNSC (mandatory for in-scope entities) and lock in the recurring obligations: quarterly tabletops, an annual policy review, monthly vulnerability scanning, continuous monitoring.
The supply chain lever
Even if NIS2 does not catch you directly, your enterprise customers will increasingly ask for NIS2-equivalent attestations in their supplier onboarding processes. A documented information security programme — especially one mapped to ISO 27001 — becomes a commercial differentiator long before it becomes a compliance requirement.
Qbyte IT helps Romanian mid-market entities reach NIS2 compliance over the 12 weeks described above — including registration with the DNSC, facilitating tabletop exercises, and ongoing 24/7 detection and response. If you are not sure whether your company falls in scope, a one-hour scoping call is the right step.