NIS 2 status in Romania

What the directive requires, how Romania transposes it, and where DNSC sits in the picture.

Simon Orzel

Overview

The NIS 2 Directive is the EU layer. It binds every Member State, Romania included, to a single minimum standard for essential and important entities. Romania has to convert that standard into national law and run supervision under it.

Romania transposed NIS 2 through a national law widely cited as Law 58/2024 (Legea nr. 58/2024), enacted to bring the directive into Romanian law within the EU's 17 October 2024 deadline window. The European Commission's transposition tracker lists Romania as having notified transposition measures. The exact title and Monitorul Oficial reference should be verified against the official text before citation.

DNSC, the Directoratul National de Securitate Cibernetica (National Cyber Security Directorate), is the competent authority and runs the national CSIRT function. DNSC absorbed the former CERT-RO in 2021, so contact data still labelled CERT-RO in EU registers refers to the same institution. Registration of NIS 2 entities runs through DNSC channels.

Where the rules sit
Three layers anyone reading the Romanian NIS 2 picture has to keep apart.

EU directive

Directive (EU) 2022/2555 (NIS 2)

The EU-wide cybersecurity directive. It fixes the obligations every Member State has to transpose, including the size and sector test for essential and important entities.

EU implementing act

Implementing Regulation (EU) 2024/2690

Technical and methodological measures for digital infrastructure providers. Directly applicable in Romania, no national transposition needed.

Romanian transposition

Law 58/2024 (Legea nr. 58/2024), as widely cited

The Romanian transposition of NIS 2. The exact title, date and Monitorul Oficial reference should be checked against the official text. Secondary norms and DNSC guidance fill in the operational detail.

Three points you have to know
What changes for entities active in Romania.
Transposition

National law (Law 58/2024)

Brings NIS 2 obligations into Romanian law. Defines essential and important entity categories, DNSC's supervisory powers, incident reporting duties and the sanction regime. Operational detail is set through secondary norms and DNSC guidance. The exact law number and date should be verified against the Monitorul Oficial entry before any compliance citation.

Authority

DNSC as competent authority and CSIRT

DNSC runs supervision, audits and sanction procedures, and operates the national CSIRT. CERT-RO was absorbed into DNSC in 2021. References to CERT-RO in older EU registers point at the same institution. Sector regulators keep their role where lex specialis applies, for instance the financial sector under DORA.

Deadlines

Registration and reporting

The directive requires entities to be identifiable to the Member State from 17 April 2025 onward. In Romania this runs through DNSC's registration channel. Significant incidents follow the directive timetable: early warning within 24 hours, incident notification within 72 hours, final report within one month.

Two principles that settle every edge case
Read before any Romanian commentary on NIS 2.

On Romanian territory, Romanian law applies

Activities on Romanian territory follow the Romanian transposition. A German managing director with a Romanian subsidiary reads the Romanian law and DNSC's guidance for that subsidiary, not the BSIG. The directive-level obligations are identical. Procedure, registration channel and sanctions sit in Romanian law.

Romania cannot fall below the EU floor

The directive is minimum harmonisation. Romania may go stricter. Romania may not fall below it, not on obligations for essential and important entities, not on reporting timelines, not on management body responsibility under Article 20.

Who does what in Romania
Three institutions that show up in almost every Romanian NIS 2 question.

DNSC

Directoratul National de Securitate Cibernetica. Lead competent authority. Runs registration, supervision, audits and sanction procedures, publishes guidance and operates the national CSIRT. Absorbed CERT-RO in 2021.

National CSIRT (under DNSC)

The CSIRT function for Romania sits inside DNSC. This is the channel for incident notifications under NIS 2. Older references to CERT-RO point at this same function, now part of DNSC.

ENISA

The EU cybersecurity agency. Publishes guidelines, runs the European vulnerability database and coordinates cross-border. Not a supervisor for Romanian entities. That sits with DNSC.

Pitfalls
Errors we see when Romanian entities read NIS 2 for the first time.
  • We can just follow the BSIG playbook, NIS 2 is the same everywhere.

    The directive-level obligations are identical across Member States. Procedure, registration portal, sanction levels and supervisory style sit in national law. A Romanian subsidiary registers with DNSC under the Romanian law, not with the BSI under the BSIG. The compliance content overlaps. The administrative wrapper does not.

  • Romania has no NIS 2 registration channel yet, so we can wait.

    Romania has notified transposition measures to the European Commission, and DNSC runs the registration channel for essential and important entities. The 17 April 2025 EU identification deadline applies. Waiting for a perfect bilingual portal is not a defence against an applicability finding.

  • We are not in the energy or financial sector, so NIS 2 does not apply.

    Annexes I and II of the directive list 18 sectors, including digital infrastructure, postal and courier services, waste management, food, manufacturing of critical goods, research and public administration. The size test then decides essential or important. Many Romanian mid-sized companies that never saw themselves as critical infrastructure fall in scope through these sectors.

From practice

Most Romanian mid-market operators we meet still treat NIS 2 as a topic for IT, not for the management body. That is the same mistake we see elsewhere in the EU. Article 20 puts the obligation on the management body to approve risk management, oversee its implementation and follow management training. DNSC will look at that approval, not at who wrote the policy.

The practical step in Romania is the same as everywhere in the EU: test applicability against the directive, register through DNSC's national channel, set up the four continuous obligations (keep registration data current, incident reporting, supply chain risk, management body oversight) and document the minimum.

What the platform delivers

We build the NIS 2 obligation register on the EU layer, not on a single national transposition. The same checklist fits a Romanian subsidiary under Law 58/2024 (as widely cited), a German parent under the BSIG and a Dutch sister under the Cyberbeveiligingswet. The article references change per country. The substance of the obligations does not.

For Romanian scope you start with applicability, then incident timing, supply chain clauses and management body sign-off. Where DNSC publishes sector guidance, we link it. We do not copy it.

Sources
  • Directive (EU) 2022/2555 (NIS 2) on EUR-Lex
  • Implementing Regulation (EU) 2024/2690
  • Romanian transposition law (widely cited as Legea nr. 58/2024), to be verified against Monitorul Oficial
  • DNSC (Directoratul National de Securitate Cibernetica), official site
  • European Commission, NIS 2 transposition tracker, Romania country page
  • ENISA, CSIRTs interactive map, Romania entry