NIS2 in Romania 2026: Deadlines, Obligations, Fines (Law 244/2024)
The NIS2 Directive is transposed in Romania via Law 244/2024. Find out which entities are in scope, what compliance requires, and the maximum fines (up to €10 million or 2% of global turnover).
In Short
Directive (EU) 2022/2555 (NIS2) is transposed in Romania through Law 244/2024 and Emergency Ordinance 155/2024, the latter approved by Law 124/2025. It became a binding legal obligation for a very large number of entities on August 20, 2025, with a 30-day registration deadline at DNSC (until approximately September 19, 2025).
Fines for non-compliant essential entities reach up to €10 million or 2% of total worldwide annual turnover, whichever is higher. For important entities the ceiling is €7 million or 1.4%, again whichever is higher.
In this article, we clarify: who falls under NIS2, what concrete obligations exist, how incident reporting works, and how the CAI Technology team can assist you with assessment and technical remediation.
Who Falls Under NIS2 in Romania
NIS2 divides in-scope organizations into two categories. The sector annex is the starting point, but the final classification also depends on size (Art. 3): an Annex I entity that is a large enterprise (250 or more employees, or more than €50 million turnover and more than €43 million balance sheet total) is essential; medium-sized Annex I entities and Annex II entities are important.
Essential Entities (Annex I sectors, large enterprises) — under a stricter regime, with proactive (ex ante) supervision
- Energy (electricity, gas, oil, hydrogen)
- Transport (air, rail, maritime, road)
- Banking & financial infrastructures
- Healthcare (hospitals, laboratories, pharmaceutical manufacturing)
- Drinking water + wastewater
- Digital infrastructure (IXPs, DNS providers, TLD registries, cloud, data centers, CDN, trust service providers, public electronic communications networks and services)
- ICT service management (B2B): managed service providers and managed security service providers
- Public administration
- Space (space service operators)
Important Entities (Annex II sectors, plus medium-sized Annex I entities)
- Postal + courier services
- Waste management
- Chemical production + distribution
- Food production + distribution
- Manufacturing (medical devices and in vitro diagnostics, computers and electronics, electrical equipment, machinery, motor vehicles and other transport equipment)
- Scientific research
- Digital providers (online marketplaces, online search engines, social networking platforms); note that SaaS and hosting count as cloud computing services and fall under Annex I digital infrastructure instead
Size Thresholds
NIS2 applies to entities in the Annex I and II sectors that exceed the small-enterprise ceiling: 50 or more employees, or annual turnover or balance sheet total above €10 million. Smaller entities are out of scope unless they fall under a size-independent exception (Art. 2(2)): DNS service providers, TLD name registries, qualified trust service providers, providers of public electronic communications networks or services, and entities a Member State designates individually (for example the sole provider of a service essential to society).
Calculate quickly:
- Company with 50-249 employees in an Annex I or II sector → NIS2 important
- Hospital with 50-249 employees → NIS2 important; with 250 or more employees (or more than €50 million turnover and €43 million balance sheet total) → NIS2 essential
- B2B SaaS (a cloud computing service, Annex I digital infrastructure) with 50-249 employees → NIS2 important; large enterprise → NIS2 essential
Concrete Obligations under NIS2 Art. 21
1. Cybersecurity Risk Policies (Art. 21(1) and Art. 20)
Documented and approved by the management body (Art. 20(1)), which oversees implementation, can be held liable for infringements and must itself attend cybersecurity training. Review them regularly (an annual cycle is the usual practice). Key subjects:
- Risk assessment methodology
- Incident response plan
- Business continuity / disaster recovery
- Supply chain security policy
2. Technical Risk Management Measures (Art.21.2)
Official list:
- a) Risk analysis policies + information system security
- b) Cyber incident handling
- c) Business continuity + crisis management
- d) Supply chain security
- e) Security in acquisition, development and maintenance of networks and information systems, including vulnerability handling and disclosure
- f) Policies and procedures to assess the effectiveness of the risk-management measures
- g) Basic cyber hygiene practices + cybersecurity training
- h) Policies and procedures on the use of cryptography and, where appropriate, encryption
- i) HR security + access control policies + asset management
- j) MFA or continuous authentication, secured voice, video and text communications, and secured emergency communication systems
3. Incident Reporting — strict deadlines (Art.23)
| Deadline | Action |
|---|---|
| 24 hours | Early warning to DNSC (online tool: NIS2@RO): whether the incident is suspected to be malicious and whether it could have cross-border impact |
| 72 hours | Incident notification: initial assessment of severity and impact, indicators of compromise where available |
| 1 month | Final report, counted from the 72-hour notification: description, root cause, mitigation applied, cross-border impact; if the incident is still ongoing, a progress report, with the final report due within one month of closing it |
“Significant” incident (Art. 23(3)) = one that has caused or can cause severe operational disruption of the service or financial loss for the entity, or that has affected or can affect other persons by causing considerable material or non-material damage. DNSC may also request intermediate status updates while the incident is being handled.
4. Registration with DNSC (National Directorate for Cybersecurity)
Official tool: NIS2@RO (online, launched 2025). Provide (Art. 3(4)):
- Organization identification data: name, address, up-to-date contact details (email, telephone) and public IP ranges
- Sector and sub-sector (Annex I or II)
- Services provided, and the other Member States in which you provide them
- Security contact person
Changes to this data must be notified without delay, at the latest within two weeks.
5. Audit + Annual Reporting
Self-assessment of cybersecurity risk management maturity, plus a corrective plan submitted to DNSC for the identified deficiencies (30-day deadline).
Real Fines (Law 124/2025)
| Category | Maximum |
|---|---|
| Essential entities | €10,000,000 or 2% of global turnover (whichever is higher) |
| Important entities | €7,000,000 or 1.4% of global turnover (whichever is higher) |
| Delayed incident notification | Sanctioned separately, in addition to the maximums above |
| Refusal to cooperate with DNSC | Sanctioned separately, in addition to the maximums above |
Members of the management body (CEO, board members) can be held personally liable for infringements (Art. 20(1) NIS2), and for essential entities the supervisory authority may ask for the responsible CEO or legal representative to be temporarily banned from exercising managerial functions until the breach is remedied (Art. 32(5) NIS2).
How to Prepare — CAI Technology Roadmap
Phase 1 — Scope Identification (1-2 weeks)
Key question: are we an essential entity, an important entity, or exempt?
Use BeLegal — free 5-minute check that places you in the correct category based on your organization’s profile.
Phase 2 — Maturity Assessment (1 month)
NIS2 Art.21 Self-assessment — how many of the 10 measures are implemented, partially implemented, or missing?
Use Lexnomia — auditor-grade assessment for GDPR / NIS2 / DORA / ISO 27001. Output: maturity score + prioritized remediation plan. €99/month for mid-market.
Phase 3 — Technical Audit (1 week)
Concrete technical verification of the external attack surface: do all exposed websites, APIs and infrastructure have DNSSEC-signed zones, MTA-STS in enforce mode, DKIM with 2048-bit keys, DMARC at p=reject, a Content-Security-Policy, HSTS, CAA records and a WAF? Which exposed components run software versions with known vulnerabilities (CVEs)?
Use ARTEMIS — complete audit at €40/scan. Report includes explicit mapping to NIS2 Art.21 per finding.
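As an added example (not CAI Technology or ARTEMIS code), the following Python script shows the policy side of such a check once the records and headers have been fetched: it evaluates DNSSEC (via DS presence at the parent), CAA, DKIM, DMARC, MTA-STS, HSTS and CSP against the thresholds a scanner would enforce. The DNS answers and HTTP headers are constructed strings embedded inline so it runs offline (the `.invalid` names and the `"A" * n` DKIM keys are placeholders); in a live run you would replace the dicts with dnspython and requests lookups. The Art. 21(2) letters in `ART21` are the author's own reading of which measure each control evidences, not an official mapping.

```python
# Offline posture checks for the external controls named in Phase 3 (added example,
# not CAI Technology/ARTEMIS code). Inputs are constructed strings standing in for the
# DNS answers and HTTP headers a live scanner would fetch.
import base64
from dataclasses import dataclass
from typing import Dict, List, Optional

# Art. 21(2) letter each control gives evidence for: the author's reading, not official.
ART21 = {"DNSSEC": "(e)", "CAA": "(e)", "DKIM": "(j)", "DMARC": "(j)",
         "MTA-STS": "(h)(j)", "HSTS": "(h)", "CSP": "(e)"}

@dataclass
class Finding:
    control: str
    ok: bool
    detail: str

def tags(record: str, sep: str = ";", eq: str = "=") -> Dict[str, str]:
    """Parse 'k=v; k2=v2' (DNS TXT) or 'k: v' per line (MTA-STS policy) into a dict."""
    out: Dict[str, str] = {}
    for part in record.split(sep):
        if eq in part:
            k, v = part.split(eq, 1)
            out[k.strip().lower()] = v.strip()
    return out

def check_dnssec(ds_records: List[str]) -> Finding:
    # A signed zone has at least one DS record published in the parent zone.
    return Finding("DNSSEC", bool(ds_records), f"{len(ds_records)} DS record(s) at parent")

def check_caa(caa_records: List[str]) -> Finding:
    # Presentation format '<flags> <tag> "<value>"'; issue/issuewild restricts who may issue certs.
    ok = any(len(r.split()) >= 2 and r.split()[1] in ("issue", "issuewild") for r in caa_records)
    return Finding("CAA", ok, "issuance restricted" if ok else "no CAA issue/issuewild record")

def check_dkim(txt: Optional[str]) -> Finding:
    if not txt:
        return Finding("DKIM", False, "no selector TXT record")
    try:
        key_len = len(base64.b64decode(tags(txt).get("p", ""), validate=True))
    except ValueError:
        return Finding("DKIM", False, "p= is not valid base64")
    # DER SubjectPublicKeyInfo is ~162 bytes for RSA-1024 and ~294 bytes for RSA-2048.
    ok = key_len >= 250
    return Finding("DKIM", ok, f"public key DER is {key_len} bytes ({'at least' if ok else 'below'} 2048-bit RSA)")

def check_dmarc(txt: Optional[str]) -> Finding:
    t = tags(txt or "")
    if t.get("v") != "DMARC1":
        return Finding("DMARC", False, "no v=DMARC1 record at _dmarc")
    policy, pct = t.get("p", "none").lower(), t.get("pct", "100")
    ok = policy == "reject" and pct.isdigit() and int(pct) == 100
    return Finding("DMARC", ok, f"p={policy} pct={pct}" + ("" if ok else "; expected p=reject, pct=100"))

def check_mta_sts(txt: Optional[str], policy: Optional[str]) -> Finding:
    if tags(txt or "").get("v") != "STSv1":
        return Finding("MTA-STS", False, "no v=STSv1 record at _mta-sts")
    p = tags(policy or "", sep="\n", eq=":")
    ok = p.get("version") == "STSv1" and p.get("mode") == "enforce"
    return Finding("MTA-STS", ok, f"policy mode={p.get('mode', 'missing')}" + ("" if ok else "; expected enforce"))

def check_hsts(header: Optional[str]) -> Finding:
    h = (header or "").lower()
    raw = tags(h).get("max-age", "0")
    max_age = int(raw) if raw.isdigit() else 0
    ok = max_age >= 31536000 and "includesubdomains" in h   # one year plus subdomains
    return Finding("HSTS", ok, f"max-age={max_age}, includeSubDomains={'includesubdomains' in h}")

def check_csp(header: Optional[str]) -> Finding:
    directives = {d.strip().split(" ")[0]: d.strip() for d in (header or "").split(";") if d.strip()}
    script = directives.get("script-src", directives.get("default-src", ""))  # effective script policy
    ok = bool(script) and "'unsafe-inline'" not in script
    return Finding("CSP", ok, "script sources restricted" if ok else f"script policy: {script or 'absent'}")

def run_audit(domain: Dict) -> List[Finding]:
    return [check_dnssec(domain.get("ds", [])), check_caa(domain.get("caa", [])),
            check_dkim(domain.get("dkim_txt")), check_dmarc(domain.get("dmarc_txt")),
            check_mta_sts(domain.get("mta_sts_txt"), domain.get("mta_sts_policy")),
            check_hsts(domain.get("hsts")), check_csp(domain.get("csp"))]

# Constructed answers for a weak and a hardened posture (.invalid names, placeholder keys).
WEAK = {"ds": [], "caa": [], "dkim_txt": "v=DKIM1; k=rsa; p=" + "A" * 216,
        "dmarc_txt": "v=DMARC1; p=none; rua=mailto:dmarc@weak.invalid",
        "mta_sts_txt": None, "mta_sts_policy": None,
        "hsts": "max-age=300", "csp": "default-src 'self' 'unsafe-inline'"}
HARDENED = {"ds": ["12345 13 2 0123ABCD"], "caa": ['0 issue "letsencrypt.org"'],
            "dkim_txt": "v=DKIM1; k=rsa; p=" + "A" * 392,
            "dmarc_txt": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@hardened.invalid",
            "mta_sts_txt": "v=STSv1; id=20250101T000000",
            "mta_sts_policy": "version: STSv1\nmode: enforce\nmx: mail.hardened.invalid\nmax_age: 604800",
            "hsts": "max-age=63072000; includeSubDomains; preload",
            "csp": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'"}

if __name__ == "__main__":
    for name, profile in (("weak", WEAK), ("hardened", HARDENED)):
        for f in run_audit(profile):
            print(f"[{name}] {'PASS' if f.ok else 'FAIL'} {f.control:8} Art.21(2){ART21[f.control]}: {f.detail}")
```

The DKIM check deliberately avoids a cryptography dependency and infers key size from the DER length of the published key, which is enough to separate 1024-bit from 2048-bit RSA selectors; a DMARC record at p=quarantine or with pct below 100 is reported as a failure because the page's bar is p=reject across all mail.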
Phase 4 — Corrective Plan (1-3 months)
Based on Lexnomia + ARTEMIS outputs, concrete plan:
- 0-30 days: quick wins (headers, DKIM, MFA, training)
- 30-90 days: architecture (WAF, monitoring, IRP)
- 90-180 days: maturity (BCP, supply chain, crypto)
Phase 5 — Investment Funding (parallel)
Many NIS2 measures are eligible for European funds (PNRR, POIDS, Horizon Europe).
Use AriaUnited — specialized European funding consultancy. Grants cover 50-90% of implementation costs for WAF, SIEM, training, audits.
Phase 6 — DNSC Registration + Continuous Monitoring
NIS2@RO — official registration. Setup continuous monitoring (SIEM, IDS, ARTEMIS continuous scan) for real-time incident detection.
Frequent Confusions
“We are an SMB with under 50 employees — it doesn’t affect us.” — Partially true. Exceptions: DNS service providers, TLD registries, qualified trust service providers and public electronic communications providers are in scope regardless of size, and a Member State can designate individual entities (for example the sole provider of an essential service). Also, your NIS2-covered clients must manage supply chain risk (Art. 21(2)(d)) and will ask you for security evidence even if you are not directly covered.
“NIS2 is just about technical cybersecurity.” — Incorrect. It includes policy, training, supply chain, governance, incident reporting, BCP. Holistic.
“We have ISO 27001 — we are automatically NIS2 compliant.” — Large overlap (roughly 70% of the controls), but NIS2 adds obligations that a default ISO 27001 scope does not cover: 24-hour early warning and 72-hour incident notification, registration with DNSC, MFA or continuous authentication, management-body accountability and training. A NIS2-specific gap assessment is still required.
“The deadline was postponed.” — No. Romania transposed on time (Law 244/2024 + OUG 155/2024 + Law 124/2025) and the obligations are in force.
Check Now
Recommended CAI Technology combination for NIS2:
- BeLegal — check in 5 minutes if you fall under NIS2
- Lexnomia — auditor-grade maturity assessment
- ARTEMIS — technical infrastructure audit
- AriaUnited — European funds for implementation investments
🔗 Complementary CAI Technology Solutions
- Lexnomia — primary recommendation — auditor-grade assessment NIS2 / GDPR / DORA / ISO 27001 / DSA / CRA / EU AI Act. Output directly usable in official DNSC reports.
- BeLegal with SandboxAI — Free NIS2 check in 5 minutes. Recommended first step.
- ARTEMIS — Complementary technical audit, with findings mapped to NIS2 Art. 21(2) letters b, e, f, g, h and j.
- Auditope — Holistic web audit (Performance + AI search + GDPR).
- AriaUnited — European funding consultancy for NIS2 implementation (grants 50-90% via PNRR / POIDS / Horizon Europe).