🏛️NIS2 for Central Public Administration — deadlines, obligations, fines

A documented framework, all-hazards approach, covering risk policies, system security, incident handling, business continuity (with RTO/RPO for the systems underpinning citizen-facing services — ANAF SPV, ONRC RECOM, the National Pensions House portal, the electoral register), cryptography, MFA, training, access control and human resources security. NIS2 Art. 21(2) imposes the ten minimum measures (a-j), aligned with ISO/IEC 27001 and ISO/IEC 27002 [C3]. For central public administration entities, OUG 155/2024 and DNSC Order 2/2025 (Official Gazette 776 of 20 August 2025) spell out the risk-assessment methodology and the criteria for determining the degree of service disruption [C13]. The technical baseline for secure communications between central institutions is coordinated by STS — the central specialist body responsible for special telecommunications and the state's critical ICT infrastructures (Presidency, Government, ministries) and the operator of the 112 single emergency number service [C12]. The management body — minister, secretary general, agency president — approves and oversees implementation under NIS2 Art. 20, with personal accountability [C9].

For a public institution processing citizens' personal data (ANAF — tax data; CNPP — pension data; AEP — electoral data), a cyber incident in most cases also touches personal data, triggering two parallel flows. NIS2 Art. 23 to CSIRT/DNSC: early warning within 24 hours of awareness, incident notification within 72 hours, final report within one month [C4]. GDPR Art. 33 to ANSPDCP (the Romanian Data Protection Authority): notification of the personal-data breach within 72 hours of awareness, where there is a risk to the rights and freedoms of natural persons; Law 190/2018 explicitly confirms public authorities and bodies (including ministries and central bodies) as controllers under the GDPR regime [C16]. The two 72-hour clocks run independently — the start point may differ. In practice, the institution's CISO and DPO share a single runbook feeding both the DNSC form and the ANSPDCP form simultaneously, with no duplication and no delay. The lesson from the AEP / November 2024 campaign was that the moment of official declassification and the moment of triggering ANSPDCP reporting were decoupled, which complicated public communications [I1].

For a ministry or central agency, "business continuity" means citizens can file tax returns, pensioners get paid on time, businesses can query the trade register, and voters can verify their registration data. NIS2 Art. 21(2)(c) requires business continuity and crisis management as minimum measures [C3]. In practice: working offline plans (paper backup forms, manual counter flows), annual tabletop and simulation exercises (with DDoS, ransomware and defacement scenarios), immutable offline backups (rotated and restore-tested), geographic redundancy for critical data. ENISA reported public administration as the most targeted EU sector in 2024 (38% of all incidents) and that DDoS represents ~60% of sectoral incident volume [C10]. The lesson of the 2024 election campaign [I1] and of the 2022 Killnet attacks [I5] is that availability matters for public legitimacy, not only for SLAs.

Central public institutions operate under ICT contracts with private vendors (integrators, hosting providers, public-software developers, cloud providers, sub-contractors). NIS2 Art. 21(2)(d) requires supply-chain security [C3]; Art. 22 provides for EU-coordinated assessments of critical ICT supply chains [C3]. In practice: contractual clauses with each vendor (incident-response SLA, SBOM, audit rights, exit strategy, controlled sub-outsourcing), an inventory of critical vendors, continuous monitoring, concentration testing on transversal vendors (a single vendor used across multiple ministries = a single point of failure). Public procurement of cybersecurity tools (vulnerability management, SIEM/SOAR, MFA, vault) falls within the same vendor-evaluation requirements — tender specifications must contain explicit NIS2 + Reg. (EU) 2024/2847 (CRA) requirements for products with digital elements.

Regulation (EU) 2024/1183 (eIDAS 2) requires Member States to make EU digital identity wallets (EUDI Wallets) available to citizens by 6 December 2026 (24 months after the adoption of the implementing acts on 28 November 2024) [C11]. Public administration entities exposing online services with citizen authentication (ANAF SPV, pension houses, ONRC, ministerial portals, AEP) are obliged to accept the EUDI Wallet as a valid means of identification [C11]. In practice, for a central public agency in 2026: integration with the national eID scheme, support for Qualified Electronic Attestations of Attributes (QEAA), protocol alignment (OIDC4VCI / OIDC4VP, mdoc/ISO 18013-5), session-token security audit and revocation scenarios. The public identity stack becomes a direct subject of both NIS2 Art. 21(2)(j) (MFA / continuous authentication) and the eIDAS 2 Regulation — two parallel regimes that must converge on the same technical controls.

Type: Cyber campaign officially attributed (declassified SRI report) to a state actor with sustained resources; vectors: targeted phishing, SQL injection, XSS, credential theft, compromise of a GIS server connected to the internal network

Impact: More than 85 000 cyber attacks between 19 and 25 November 2024 against electoral systems. Administrative credentials for the bec.ro, roaep.ro and registrulelectoral.ro websites were leaked on a Russian cybercriminal forum less than a week before the first round of the presidential election. On 6 December 2024 the Romanian Constitutional Court annulled the results of the first round, citing foreign interference with an impact on the integrity of the electoral process.

Lesson: Electoral infrastructure is NIS2 Annex I by nature (autonomous central public entity). The compromise of a single GIS server connected to the institutional internal network enabled pivoting to administrative accounts. NIS2 Art. 21(2)(d) and (i) require network segregation, MFA and asset management. Operational takeaway: any public-facing server connected to the institutional AD = a single point of failure across the entire perimeter.

Type: Data breach / exfiltration with extortion; 0.8 BTC ransom demand (~EUR 30,000) — incident made public on 31 January 2024 after a hacker group boasted online (reported by Digi24)

Impact: Approximately 250 GB of data exfiltrated from the Chamber of Deputies' servers, including parliamentarians' personal documents — ID cards, medical records, banking contracts, personal vehicle data. Part of the data was published, including the ID of Prime Minister Marcel Ciolacu and of UDMR leader Kelemen Hunor. The prime minister announced he would replace his ID card after the incident.

Lesson: The Parliament is outside the direct scope of NIS2 (Annex I excludes the judiciary, parliaments and central banks [C2]), but the incident illustrates the risk model for any central institution holding sensitive data on dignitaries and officials. The double-extortion tactic (encryption + exfiltration with public extortion) has been standard against Romanian public entities since 2023; the correct response is refusal to pay and immediate reporting to ANSPDCP under GDPR Art. 33 [C16].

Type: Conti ransomware (16 April 2022) followed by Hive (31 May 2022 on CCSS); initial ransom demand USD 10 million, later raised to USD 20 million

Impact: 8 May 2022 — President Rodrigo Chaves declares a national state of emergency, the first time a ransomware attack triggers such a response. Over 600 GB of data exfiltrated; tax collection blocked; customs halted; international trade disrupted. Estimated losses of more than USD 125 million for the country's economy during the month without functioning tax services. The follow-on Hive attack on the social security fund shut down 759 servers and 10 400 computers, and forced rescheduling of more than 30 000 medical appointments.

Lesson: A coordinated ransomware attack can effectively take the state out of operation for weeks. The lesson for NIS2 Art. 21(2)(c) and the Romanian Strategy 2022-2027 [C14]: quarterly tested offline backups, continuity plans with manual flows, and annual exercises simulating the total loss of a central agency. The Cyber Solidarity Act (Reg. 2025/38) was adopted in part as a response to scenarios of this kind [C15].

Type: Exploitation of Microsoft Exchange ProxyLogon vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065); officially attributed by the Norwegian Government to actors operating from China (HAFNIUM)

Impact: Data exfiltrated from the Stortinget's email systems in March 2021. Official attribution was made on 19 July 2021, on the same day as the coordinated US / UK / EU / NATO attribution for the ProxyLogon campaign. The Chinese Embassy was summoned to the Norwegian Ministry of Foreign Affairs. The incident followed an earlier attack in December 2020 (attributed to APT28 / Russia).

Lesson: Poor patch management on known Microsoft Exchange vulnerabilities (published 2 March 2021, in-the-wild exploits within days) inside a politically sensitive perimeter. NIS2 Art. 21(2)(e) and Reg. (EU) 2024/2847 (CRA) require timely vulnerability handling and mandatory reporting of actively exploited CVEs. For Romanian ministries, the STS technical baseline for secure communications is one of the key lines of defence [C12].

GDPR — Regulation (EU) 2016/679 + Law 190/2018 · GDPR directly applicable from 25 May 2018; Law 190/2018 published 31 July 2018, sets out the obligations of Romanian public authorities and bodies [C16]

Public authorities and bodies (Chamber of Deputies, Senate, Presidential Administration, Government, ministries, other central bodies, autonomous authorities) are explicitly listed as controllers under the GDPR regime by Law 190/2018 [C16]. ANSPDCP supervises and may impose sanctions. Key difference from NIS2: GDPR is triggered by a personal-data breach, NIS2 by a significant cyber incident — they can coincide but do not have to. Sanctions are cumulative.

Regulation (EU) 2024/1183 (eIDAS 2 — European Digital Identity Framework) · Directly applicable from 20 May 2024; EUDI Wallet mandatory by 6 December 2026 (24 months after adoption of the implementing acts on 28 November 2024) [C11]

Member States must make EU digital wallets available to citizens; any public entity exposing online services with authentication (ANAF SPV, ONRC, pension houses, MFE, etc.) must accept the EUDI Wallet alongside existing methods (CNP + password, qualified digital certificate) [C11]. Cumulative with NIS2 Art. 21(2)(j), which requires MFA on internal administrative accounts — eIDAS 2 adds the citizen's digital wallet as a second external factor.

Cyber Resilience Act — Regulation (EU) 2024/2847 · In force since 10 December 2024; main obligations applicable from 11 December 2027, active-vulnerability reporting from 11 September 2026

For central public institutions, the CRA acts from the procurement side — any product with digital elements (software, network hardware, IoT, access-control devices, connected cameras) purchased after 2027 must be CRA-compliant. That means SBOM, mandatory reporting of active vulnerabilities to ENISA within 24 hours, and lifecycle management of the product. Public tender specifications must explicitly require CRA compliance for products with digital elements.

Cyber Solidarity Act — Regulation (EU) 2025/38 · In force since 4 February 2025 [C15]

Establishes the EU Cybersecurity Reserve — incident-response services provided by trusted private providers, deployable at the request of Member States or EU institutions for major incidents [C15]. For a Romanian central public entity, in the event of a severe incident (of the I1 / I3 type), access to this reserve is channelled through DNSC to ENISA. The European Cybersecurity Alert System and the Cyber Emergency Mechanism reduce response time in cross-border and large-scale incidents.

Romanian National Cybersecurity Strategy 2022-2027 (HG 1321/2021) · National strategic framework; adopted by Government Decision no. 1321/2021 of 30 December 2021 [C14]

The strategy sets five objectives: secure and resilient networks, Romania as a relevant player in international cooperation, a national cybersecurity culture, expertise development, and an innovation framework. For central public institutions, the strategy requires allocating part of the budget to cybersecurity and participating in the national incident-management system coordinated by DNSC + STS [C14]. It forms the framework on which OUG 155/2024 and DNSC Orders 1-2/2025 were subsequently built.