NIS2 implementation — operational checklist for essential and important entities (Directive 2022/2555)

NIS2, Directive (EU) 2022/2555, entered into force on 16 January 2023, with mandatory member-state transposition by 17 October 2024. Romania transposed the directive through GEO 155/2024, published in the Official Gazette no. 1199 of 27 November 2024. The transposition deadline was missed by roughly half of the member states, but that does not suspend the substantive obligations of covered entities. The European Commission opened infringement procedures in March 2025 against several member states, without changing the substance of corporate obligations.

This article provides an operational checklist and a map of the critical articles for an essential or important entity in Romania.

TL;DR

• NIS2 covers 18 sectors above a medium-size threshold of 100 employees and/or 10 million EUR turnover.
• Articles 20-23 are mandatory: governance (board approval), 10 minimum technical measures, incident reporting at 24h/72h/30 days.
• Fines: up to 10 million EUR or 2% of global turnover for essential entities.
• DNSC (the National Cybersecurity Directorate) is the competent authority in Romania.
• Mandatory registration in the DNSC register; lack of registration does not suspend obligations.

Who is in scope — the two-category classification

Directive 2022/2555 splits entities into two categories with differentiated obligations.

Essential entities (Annex I) are 11 sectors deemed critical:

1. Energy (electricity, oil, gas, hydrogen).
2. Transport (air, rail, water, road).
3. Banking.
4. Financial market infrastructure (under the DORA umbrella).
5. Health (hospitals, laboratories, class II/III medical device manufacturers).
6. Drinking water.
7. Wastewater.
8. Digital infrastructure (DNS, TLD, IXP, cloud, data centre, CDN, trust services).
9. ICT B2B service management (MSP, MSSP).
10. Central public administration.
11. Space (ground infrastructure operators).

Important entities (Annex II) are 7 sectors:

1. Postal and courier services.
2. Waste management.
3. Manufacture, processing and distribution of chemicals.
4. Food production.
5. Manufacturing (medicines, class I medical devices, computer hardware, electronics, machinery, vehicles).
6. Digital service providers (online marketplaces, search engines, social networks).
7. Research.

The size cap applies horizontally: a company is in scope if it exceeds 50 employees and 10 million EUR turnover or 10 million EUR balance sheet. The upper threshold for classification as essential (versus important, in Annex I sectors) is 250 employees or 50 million turnover.

Do not be misled by the declared NACE code: the real test is the actual activity. An industrial group manufacturing automotive parts may fall in scope through the sub-activity of “internal MSP” for European subsidiaries.

Article 21 — the 10 minimum technical and organisational measures

Article 21(2) lists 10 minimum categories of measures the entity must implement based on a risk assessment:

1. Risk analysis policies and information systems security.
2. Incident handling, including detection, response, recovery.
3. Business continuity — backup management, disaster recovery, crisis management.
4. Supply chain security, including aspects related to direct supplier relationships.
5. Security in acquisition, development and maintenance of network and information systems, including vulnerability handling.
6. Policies and procedures to assess the effectiveness of risk management measures.
7. Basic cyber hygiene practices and training in cybersecurity.
8. Policies and procedures regarding cryptography and, where appropriate, post-quantum cryptography.
9. Human resources security, access control policies and asset management.
10. Use of multi-factor authentication or continuous authentication solutions, secure voice, video and text communications.

For each of the ten, the competent authority will request: a written policy, evidence of implementation, evidence of testing. A PDF and a green icon are not enough. See evidence vs PDF in our article.

Article 23 — incident reporting, the 24/72/30 windows

Unlike NIS1, NIS2 sets out a three-step procedure for reporting “significant” incidents:

• Early warning — within 24 hours of becoming aware of the incident. Includes an indication of whether the incident is suspected of having an unlawful cause or cross-border impact.
• Incident notification — within 72 hours of awareness. Includes an initial severity assessment, indicators of compromise, mitigation measures taken.
• Final report — within one month of notification. Detailed description, root cause, measures applied, cross-border impact.

In Romania, reporting is done to DNSC through the dedicated platform. For incidents in the financial sector, parallel reporting is required to BNR / ASF, under DORA — see our DORA article.

The definition of “significant incident” (Art. 23(3)): an incident that has caused or is capable of causing severe operational disruption or financial loss, or has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

Article 20 — governance and personal liability of the board

Article 20 introduces a novelty versus NIS1 with direct impact on the board: management bodies approve risk management measures and are personally liable for non-compliance. Members of management bodies must follow regular training on cybersecurity, and that training must be documented.

In jurisdictions with full transposition (Belgium, Germany, Italy), the first administrative actions against board members have already begun in cases where the incident was not reported on time. Romania has similar provisions in GEO 155/2024.

Article 22 — supply chain and supplier relationships

Article 22 requires entities to assess supply chain risks, including:

• Quality and resilience of suppliers’ products and services.
• Cybersecurity practices of suppliers.
• Their secure development procedures.

For a European MSP/MSSP, this means the client entity will demand a detailed assessment of your security stack. For us, it was an additional argument for building CAI-AUTH with native post-quantum and public SBOMs — because the supply chain audit of an energy or banking client will include the IdP as well.

Fines — 10 million EUR or 2% of turnover

Article 34 sets the maximum penalties:

• Essential entities: administrative fine of 10 million EUR or 2% of global annual turnover, whichever is higher.
• Important entities: administrative fine of 7 million EUR or 1.4% of global turnover, whichever is higher.

In addition, the competent authority may temporarily suspend authorisation, prohibit the exercise of management functions, and impose mandatory corrective measures.

30-day operational checklist

Week 1 — gap assessment:

• Confirm classification (essential vs important, size cap threshold).
• Inventory of applications + systems + suppliers.
• Map against the ten Article 21 measures.
• Identify major gaps.

Week 2 — policies and governance:

• Board approval of the risk management policy.
• Initial board training on NIS2.
• Appoint a CISO or equivalent with reporting line to the board.
• Remediation plan for gaps.

Week 3 — critical technical measures:

• MFA on all administrative access.
• Tested off-site backups.
• Incident procedure with clarified roles.
• Vulnerability management with SLA.

Week 4 — supply chain and registration:

• Critical supplier evaluation, contracts revised.
• Registration in the DNSC register.
• Annual continuity testing plan.
• Documentation ready for audit.

How Lexnomia helps

Lexnomia includes a NIS2 module that:

• Automatically maps inventoried applications to the ten Article 21 measures.
• Generates the early warning + 72h notification + final report templates with DNSC fields pre-filled.
• Tracks board training with cryptographically signed evidence.
• Supply chain risk register integrated with the supplier inventory.
• Multi-framework: the same evidence covers ISO 27001:2022 (details) and DORA for financial entities.

Related articles

• DORA Regulation 2022/2554 — the five pillars for banking, fintech and insurance
• ISO/IEC 27001:2022 — migrating from the 2013 edition with the 93 controls reorganised
• Cyber Resilience Act (Regulation 2024/2847) — obligations for products with digital elements
• On-premise SIEM with a local LLM: AI incident analysis without breaking confidentiality
• Pillar Lexnomia — the sovereign EU compliance platform

Next steps

For a NIS2 readiness assessment for your organisation, the Lexnomia page shows the 30-day implementation plan. Or write to contact for a technical discussion.

References

• Directive (EU) 2022/2555 — consolidated text on EUR-Lex
• GEO 155/2024 — Romanian NIS2 transposition
• DNSC — National Cybersecurity Directorate
• ENISA — NIS2 Directive guidance
• European Commission — NIS2 implementation status