CAI Technology

🔥 NIS2 for Natural Gas — deadlines, obligations, fines

Natural gas falls under NIS2 (Directive (EU) 2022/2555 + Romanian Emergency Ordinance 155/2024). See the Art. 21 obligations, deadlines, maximum fines and compliance roadmap for Annex I.

Last reviewed: · CAI Technology · Lexnomia + AEGIS team

🎯 Who is covered

The natural-gas sector (transmission, distribution, storage, LNG, production, supply) is listed in Annex I to Directive (EU) 2022/2555 (NIS2) as a sector of high criticality, within the Energy sub-sector [C2]. In Romania, the rules are transposed by OUG 155/2024 (the Romanian Emergency Ordinance transposing NIS2) of 30 December 2024, with DNSC (the Romanian National Cybersecurity Directorate) as the competent national authority for cybersecurity, in cooperation with ANRE (the Romanian Energy Regulatory Authority) on the sector-energy side [C6]. On top of NIS2, gas operators fall under the classical energy stack: Directive 2009/73/EC (internal gas market) [C15], Regulation (EU) 2017/1938 (security of supply) [C7] and, since 5 August 2024, Regulation (EU) 2024/1789 (the gas and hydrogen package), which empowers the Commission to adopt a sectoral cybersecurity delegated act for cross-border gas flows [C8]. In practice, for a TSO, DSO or gas supplier, compliance means a combined stack: NIS2 + Reg. 2017/1938 + Reg. 2024/1789, with IEC 62443 for the OT segment.

Examples in Romania

  • Transgaz S.A. (sole NTS operator)
  • Distrigaz Sud Retele (ENGIE Romania)
  • Premier Energy Distributie (gas)
  • NOVA Power & Gas
  • Romgaz (producer)
  • OMV Petrom (gas production)
  • Conpet (crude oil pipeline transport, adjacent sector)

Applicability thresholds

Annex I of NIS2 covers gas supply undertakings, distribution system operators, transmission system operators, storage system operators, LNG system operators, natural-gas undertakings, and natural-gas refining and treatment plants [C2]. The default threshold: medium and large entities (>= 50 staff or turnover / balance-sheet total >= EUR 10 million) are in scope as essential entities; entities below the threshold, if identified by DNSC as critical (e.g. the sole operator on a transmission corridor, regional dependency), can be notified individually [C2][C6].

📅 Regulatory timeline

  1. Adoption of Directive 2009/73/EC — internal market in natural gas [C15]

  2. Adoption of Regulation (EU) 2017/1938 — security of gas supply; applicable from 1 November 2017 [C7]

  3. Global reference incident: DarkSide ransomware shuts down Colonial Pipeline (US) for about 6 days, 5,550 miles of pipeline [I1]

  4. Predatory Sparrow attack on an Iranian steelworks — SCADA forced into an unsafe state, industrial fire [I4]

  5. Adoption of Directive (EU) 2022/2555 (NIS2) [C1]

  6. Publication of NIS2 in the Official Journal of the EU [C1]

  7. Predatory Sparrow attack on Iranian fuel stations — 70% inactive, Iran's oil minister confirms [I2]

  8. Adoption of Regulation (EU) 2024/1789 (gas and hydrogen package) with a sectoral cybersecurity delegated-act provision for gas [C8]

  9. Regulation (EU) 2024/1789 enters into force [C8]

  10. EU deadline for transposing NIS2 into national law (NIS2 Art. 41) [C1]

  11. NIS1 (Directive 2016/1148) repealed; NIS2 takes effect [C1]

  12. Cyber Resilience Act (Regulation (EU) 2024/2847) enters into force [C9]

  13. Romania publishes OUG 155/2024 (Romanian Emergency Ordinance transposing NIS2); DNSC designated as competent national authority [C6]

  14. CRA — reporting obligations for actively exploited vulnerabilities and severe incidents start to apply [C9]

  15. CRA — main obligations (security-by-design for products with digital elements) start to apply [C9]

📋 Key obligations

ICT+OT risk-management framework — NIS2 Art. 21(2) minimum measures applied to the pipeline

effort: high

A documented framework, all-hazards approach, covering risk policies on IT and OT, security of SCADA systems and compressor stations, business continuity with RTO/RPO on transmission and distribution, cryptography, MFA on remote access to control systems, training and access control. NIS2 Art. 21(2) imposes the ten minimum measures (a-j), aligned with European and international standards, with explicit reference to ISO/IEC 27001, ISO/IEC 27002 and ETSI EN 319 401 [C3]. For a gas operator, IEC 62443 is the technical reference for the OT segment: zone-and-conduit architecture (Purdue), authentication control (FR1), system integrity (FR3), restriction of data flows (FR5), response to events (FR6) and availability (FR7) [C10]. The management body approves and oversees implementation (NIS2 Art. 20), with personal liability [C14].

Recommended controls: NIS2 Art. 21(2)(a-j) · ISO/IEC 27001:2022 · ISO/IEC 27002:2022 · IEC 62443 (all series) · NIS2 Art. 20

Incident reporting in 24h/72h/1 month to DNSC, in parallel with ANRE obligations on security of supply

effort: high

For a Romanian gas operator, a significant cyber incident touching SCADA or metering telemetry triggers two communication tracks. NIS2 Art. 23 to CSIRT/DNSC: early warning within 24 hours of awareness, incident notification within 72 hours, final report within one month [C4]. In parallel, the security-of-supply framework (Reg. 2017/1938) requires communication to the competent national energy authority when transmission capacity is affected or when the cross-border solidarity mechanism is activated [C7]. In practice, the CISO and the head of operations share a single runbook that feeds the DNSC form and the ANRE/Commission flow simultaneously, with no duplication and no delay. For the cross-border flows to Ukraine, the Republic of Moldova, Bulgaria and Hungary, Reg. 2024/1789 will bring a sectoral cybersecurity delegated act, analogous to the electricity network code (Reg. 2024/1366) [C8].

Recommended controls: NIS2 Art. 23(4) · Reg. (EU) 2017/1938 Art. 8 + Art. 12 · Reg. (EU) 2024/1789 - delegated act on gas cybersecurity · OUG 155/2024

SCADA / OT security for compressor stations and trunk-line telemetry

effort: high

For a transmission operator, SCADA systems control valves, compressor stations, regulation-and-metering stations, and telemetry on trunk lines. NIS2 Art. 21(2)(e) and Art. 21(2)(h) require timely vulnerability handling and cryptography policies [C3]. Applied to OT, that means: segmentation into IEC 62443 zones (level 0 sensors, level 1 controllers, level 2 SCADA, level 3 industrial DMZ), patch management within planned maintenance windows (many IACS components cannot be patched in production and must be covered by compensating controls), behavioural monitoring on industrial protocols (Modbus, DNP3, IEC 60870-5-104), MFA on any remote access to SCADA, and encryption of radio and fibre links to isolated stations. The Colonial Pipeline incident (May 2021) — 5,550 miles of pipeline shut down for about six days after a single compromised VPN password — illustrates what the lack of segmentation between IT and OT means [I1]. ENTSOG and ENISA have issued a crisis-management communication guide on cyber for the gas community [C11].

Recommended controls: NIS2 Art. 21(2)(e) · NIS2 Art. 21(2)(h) · IEC 62443-3-2 (zones and conduits) · IEC 62443-3-3 (system security requirements) · IEC 62443-4-2 (component security)

Operational continuity on the transit pipeline and cross-border interconnectors

effort: high

For a gas TSO, continuity means the interconnectors with Ukraine, Moldova, Bulgaria and Hungary do not stop. NIS2 Art. 21(2)(c) requires business continuity and crisis management as minimum measures [C3]. Reg. (EU) 2017/1938 requires TSOs to have bidirectional capacity on all interconnectors between Member States (with exceptions) and preventive-action plans + emergency plans on regional groupings, tested through exercises every two years between updates [C7]. The solidarity mechanism (Art. 12 Reg. 2017/1938) is triggered when protected customers are at risk [C7]. In practice, plans also need to address the scenario "primary SCADA encrypted by ransomware, secondary SCADA OK" — that is, offline procedures for operating manual valves, backup radio communications, dispatch decisions without an HMI. The lesson of Norsk Hydro 2019: switching to manual operations saved production but cost between USD 81 million and over USD 100 million in downtime and recovery [I3].

Recommended controls: NIS2 Art. 21(2)(c) · Reg. (EU) 2017/1938 Art. 5, 8, 10, 12 · ISO 22301:2019 (business continuity management) · OUG 155/2024

ICT supply chain and non-EU vendor audit — including SCADA components with Russian heritage

effort: medium

NIS2 Art. 21(2)(d) requires supply-chain risk management for all essential entities [C3]. For a Romanian gas operator, that means audit on three levels: (1) suppliers of SCADA and IACS equipment (PLCs, RTUs, HMIs, telemetry systems) — technical inventory, SBOM, contractual patching policy; (2) managed-ICT service providers (data centre, cloud, billing systems for distribution); (3) legacy components of Russian or non-EU origin — REPowerEU and the decoupling policy highlighted the risk of components originating from states with elevated geopolitical risk [C8]. The Cyber Resilience Act (Reg. 2024/2847), in force since 10 December 2024, will impose from 11 December 2027 mandatory sectoral conformity for products with digital elements placed on the EU market, and reporting of actively exploited vulnerabilities becomes mandatory from 11 September 2026 [C9]. The 2022 attack on the Iranian steelworks (Predatory Sparrow) demonstrated that an actor with PLC access can force an industrial process into an unsafe state — relevant for gas compressor stations [I4].

Recommended controls: NIS2 Art. 21(2)(d) · Reg. (EU) 2024/2847 (CRA) Art. 14 + Annex I · IEC 62443-2-4 (security requirements for IACS service providers) · ENISA Energy ISAC participation

📰 Real incidents, concrete lessons

Colonial Pipeline

2021 · United States (East Coast)

Type: DarkSide ransomware; compromise vector via a VPN password leaked on the dark web, without MFA

Impact: Shutdown of 5,550 miles of pipeline (petrol, diesel, kerosene) for about six days; panic and queues at fuel stations on the US East Coast; the company paid about 75 BTC (~USD 5 million) in ransom; the DOJ later recovered 63.7 BTC (~USD 2.3 million). The pipeline carries roughly 45% of fuels consumed on the US East Coast.

Lesson: Hydrocarbon pipelines (oil or gas) are vulnerable to IT attacks that propagate to OT when there is no rigorous segmentation. Compromise happened via a leaked VPN password, without MFA. NIS2 Art. 21(2)(h) requires cryptography and authentication controls, and IEC 62443 requires strictly separated zones and conduits between corporate IT and pipeline OT.


Iran — fuel stations (attributed to Predatory Sparrow / Gonjeshke Darande)

2023 · Iran

Type: Cyberattack on the central IT payment and subsidy system for fuel stations

Impact: About 70% of Iran's fuel stations inactive for days; Iran's oil minister (Javad Owji) confirmed the attack; long queues and blocked traffic in Tehran and other cities; Predatory Sparrow claimed the attack with a political message. Check Point researchers assessed that the sophistication suggested state sponsorship.

Lesson: Retail fuel distribution can be paralysed nationwide via an attack on the central payment system, without physically touching the pipeline. For DSOs and gas suppliers operating centralised billing/telemetry systems, the lesson is the same: NIS2 Art. 21(2)(d) requires ICT supply-chain security and Art. 21(2)(f) requires policies on the effectiveness of risk measures.


Iran — steel plant (attributed to Predatory Sparrow / Gonjeshke Darande)

2022 · Iran

Type: Cyberattack on SCADA that forced the industrial process into an unsafe state (July 2022)

Impact: Serious fire in the steelworks' furnace; the group later claimed the attack and published it. A publicly documented case of cyber-physical impact caused by an attacker with access to industrial control systems in a large facility.

Lesson: An attacker with access to PLCs and SCADA can force the industrial process into an unsafe state with real physical impact. For gas operators with compressor stations, the same vector could force dangerous pressures. NIS2 Art. 21(2)(e) and IEC 62443-3-3 (system security requirements) require behavioural monitoring on industrial protocols and safety procedures independent of the network (physical interlocks, mechanical safety valves).


Norsk Hydro

2019 · Norway (operations in 40 countries)

Type: LockerGoga ransomware; encryption of corporate endpoints that spread to energy-intensive systems and SCADA on terminals

Impact: Tens of thousands of PCs locked at 170 sites in 40 countries; damage reported between USD 81 million and over USD 100 million (downtime and recovery); switch to manual operations on most flows; primary aluminium production resumed after a week, but smelters remained operational. Volodymyr Tymoshchuk was later identified as the mastermind behind LockerGoga (alongside MegaCortex and Nefilim).

Lesson: Transparent communication during the incident (Hydro refused to pay, went public, held daily press conferences) saved the reputation, but the operational cost remained high. For gas operators: continuity plans must include offline operating procedures and public communication prepared in advance, not improvised under pressure. NIS2 Art. 21(2)(c) requires tested business continuity and crisis management.


⚠️ Typical threats

  • Attacks on compression/metering systems
  • Consumption manipulation (smart-meter fraud)
  • Disruption on international pipelines

💰 Maximum fines

Max EUR 10 million or 2% of turnover

📊 Romania compliance status

Transgaz and the large distributors (Distrigaz, ENGIE RO) at 60-70% compliance in Q2 2026.

πŸ›‘οΈ How CAI Technology helps

📚 Adjacent regulations with overlap

Regulation (EU) 2017/1938 - security of gas supply · Directly applicable from 1 November 2017; does not require national transposition [C7]

The backbone of security of supply. Requires TSOs to have bidirectional capacity on interconnectors, cooperation through the ReCo System for Gas during emergencies, and preventive-action and emergency plans developed regionally. The solidarity mechanism (Art. 12) is the last-resort tool for protected customers [C7]. In a cyber context: a cyber incident that reduces transmission capacity can trigger the emergency plans — so the NIS2 runbook must be coupled with the Reg. 2017/1938 runbook.

Directive 2009/73/EC - internal market in natural gas · Transposed in Romania by the Romanian Electricity and Natural Gas Law 123/2012 [C15]

Sets the sector's architecture: transmission, distribution, supply, storage, LNG, unbundling of transmission operators. Identifies the entities falling into Annex I of NIS2 in the gas sub-sector. Also applies to biogas and gas from biomass injected into the system [C15].

Regulation (EU) 2024/1789 - gas and hydrogen package · Adopted 13 June 2024, published 15 July 2024 in the OJEU, in force 5 August 2024; directly applicable [C8]

Extends the security-of-supply regime to renewable gases and hydrogen. Most importantly: empowers the Commission to adopt a sectoral cybersecurity delegated act for cross-border gas flows, with rules on common minimum requirements, planning, monitoring, reporting and crisis management [C8]. The model is the electricity network code (Reg. 2024/1366), already in force since 13 June 2024.

Cyber Resilience Act - Regulation (EU) 2024/2847 · In force since 10 December 2024; main obligations applicable from 11 December 2027, active-vulnerability reporting from 11 September 2026 [C9]

For gas operators, the CRA means that products with digital elements purchased (PLCs, RTUs, OT gateways, telemetry systems, smart-meter gateways, HMI systems) must be CRA-compliant before being placed on the EU market. Manufacturers bear the responsibility, but the buying operator demands proof [C9]. In practice: contractual clauses with the vendor on SBOM, vulnerability disclosure and lifecycle patch management.

IEC 62443 - cybersecurity for IACS (industrial automation and control systems) · International IEC standard; adopted as a reference by ENISA, CISA and national energy regulators [C10]

The technical reference framework for OT security in pipelines and compressor stations. The seven fundamental requirements (FR1-FR7) cover authentication, use control, system integrity, data confidentiality, restricted data flow, response to events, and availability [C10]. The Purdue model of zones and conduits separates levels 0-5, which makes practical implementation of the NIS2 network-segregation requirement possible.

❓ Frequently asked

I am an ANRE-licensed gas transmission operator — am I in scope of NIS2?

Yes. NIS2 Art. 2 + Annex I explicitly list gas transmission and distribution system operators as a sector of high criticality [C2]. If you are a medium or large entity (>= 50 staff or >= EUR 10 million turnover / balance-sheet total), you are an essential entity. For the sole NTS operator (Transgaz), designation is implicit — it covers the entire national territory at 6-63 bar [C13]. In Romania, OUG 155/2024 + DNSC manage registration, supervision and enforcement, and ANRE cooperates on the sector-energy side [C6].

I am a regional gas DSO — what is the difference compared to a TSO?

Both are in Annex I of NIS2. The regime differences are in Reg. 2017/1938: TSOs have direct obligations on bidirectional capacity, the preventive plan, the emergency plan and the solidarity mechanism (Art. 5, 8, 12) [C7]. DSOs have indirect obligations on the "protected customers" component and on the telemetry/billing side. On NIS2 the regime is identical: the ten minimum measures of Art. 21(2) [C3], 24h/72h/1 month notification [C4], management liability Art. 20 [C14]. ENGIE Romania, via Distrigaz Sud Retele, operates about 24,000 km of distribution network [C16] — clearly an essential entity.

How do I apply NIS2 Art. 21(2) on SCADA and compressor stations?

The ten minimum measures translate concretely onto OT through IEC 62443 [C10]. Concretely: (a) the risk policy includes OT in scope, not just IT; (c) business continuity with documented RTO/RPO per compressor station, plus manual operating procedures; (d) ICT supply chain includes vendor audit on PLC/RTU/HMI; (e) vulnerability handling on ICS — with planned maintenance windows, not ad-hoc patches; (h) cryptography on radio and fibre links between stations; (i) access control — mandatory MFA on any remote access to SCADA; (j) cryptographic controls for vendor-maintenance sessions [C3]. Segmentation on Purdue levels (0-5) is the standard implementation.
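The behavioural monitoring on industrial protocols called for in the SCADA/OT obligation above and in this answer is, at its simplest, a conduit policy: each IEC 62443 zone may send a controller only the Modbus function codes its role needs. The following is an added example, not code from the page or from any vendor; the zone map, policy, IP prefixes and Modbus/TCP frames are constructed for the demo.

```python
"""Conduit-policy check on Modbus/TCP between IEC 62443 zones (added example)."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

READ_FCS = {1, 2, 3, 4}             # read coils / discrete inputs / registers
WRITE_FCS = {5, 6, 15, 16, 22, 23}  # write coils / registers (change process state)

# Constructed zone map: source IP prefix -> zone (Purdue level in the name).
ZONES = {"10.2.": "L2-scada-master", "10.3.": "L3-dmz-historian",
         "192.168.": "corporate-it"}

# Conduit policy towards level-1 controllers: each role gets only what it needs.
# Zones absent from the policy (corporate IT, unknown hosts) may send nothing.
POLICY = {"L2-scada-master": READ_FCS | {5, 6, 15, 16},  # supervisory control
          "L3-dmz-historian": {3, 4}}                      # read-only telemetry


@dataclass
class ModbusFrame:
    src: str
    transaction_id: int
    unit_id: int
    function_code: int


def parse_modbus_tcp(src: str, payload: bytes) -> ModbusFrame:
    """Decode the 7-byte MBAP header (tid, protocol id, length, unit id) + function code."""
    if len(payload) < 8:
        raise ValueError("truncated Modbus/TCP frame")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"not Modbus/TCP (protocol id {proto})")
    if length != len(payload) - 6:  # length field counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return ModbusFrame(src, tid, unit, payload[7])


def zone_of(ip: str) -> str:
    for prefix, zone in ZONES.items():
        if ip.startswith(prefix):
            return zone
    return "unknown"


def check_conduit(frame: ModbusFrame) -> Optional[str]:
    """Return an alert if the source zone may not send this function code."""
    zone = zone_of(frame.src)
    if frame.function_code in POLICY.get(zone, set()):
        return None
    kind = "WRITE" if frame.function_code in WRITE_FCS else "READ/OTHER"
    return (f"{zone} {frame.src} -> unit {frame.unit_id}: {kind} "
            f"fc={frame.function_code} not permitted by conduit policy")


def scan(frames: List[Tuple[str, bytes]]) -> List[str]:
    """Run the conduit check over (source IP, raw frame) pairs; return alerts."""
    alerts = []
    for src, payload in frames:
        alert = check_conduit(parse_modbus_tcp(src, payload))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample traffic: one legitimate read, two conduit violations.
SAMPLE_FRAMES = [
    ("10.2.0.5", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),  # SCADA reads 10 regs
    ("10.3.0.9", bytes.fromhex("0002 0000 0006 01 06 0010 00ff")),  # historian writes
    ("192.168.1.20", bytes.fromhex("0003 0000 0009 01 10 0010 0001 02 1234")),  # IT host writes
]
```

`scan(SAMPLE_FRAMES)` returns two alerts: the historian in the level-3 DMZ attempting a register write, and a corporate-IT host attempting a multi-register write, which is exactly the IT-to-OT crossing the Colonial Pipeline lesson warns about.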

Incident reporting deadlines to DNSC — exact, for a gas operator?

NIS2 (to CSIRT/DNSC, under OUG 155/2024): early warning within 24 hours of awareness, incident notification within 72 hours, final report within one month (Art. 23) [C4]. In parallel, if the incident affects transmission capacity or interconnectors, communication to the competent national energy authority under Reg. 2017/1938 is triggered (emergency plans + ReCo System for Gas for regional cooperation) [C7]. Practical recommendation: prepare a single process that feeds both channels automatically, with separate escalation flows to the CISO, the NTS dispatcher and the regional coordinator.

We have many SCADA components with Russian or non-EU heritage — what do we do?

A complete technical inventory, per-component risk assessment, and a staggered replacement plan. NIS2 Art. 21(2)(d) requires supply-chain risk management and Reg. 2024/1789 references the new cyber risks in the context of REPowerEU and decoupling from sources in states with elevated geopolitical risk [C3][C8]. Concretely: identify non-patchable components (proprietary firmware with no updates), segregate them into IEC 62443 zones with intensive behavioural monitoring, maintain an SBOM at each critical vendor, contracts with audit rights and an exit strategy. The CRA (Reg. 2024/2847) will impose, from 11 December 2027, sectoral conformity on new components [C9] — so on the natural replacement cycle the problem resolves itself.

The Colonial Pipeline 2021 lesson — does it apply to Romanian gas pipelines too?

Yes, fully. Colonial Pipeline 2021 was an attack on corporate IT that propagated to OT because segmentation was inadequate; the company shut the pipeline preventively for 6 days to avoid risk to SCADA; 5,550 miles (~45% of fuels on the US East Coast) affected [I1]. The vector (leaked VPN password, no MFA) is identical to what is found in audits of EU gas operators. NIS2 Art. 21(2)(h) requires MFA, and IEC 62443-3-3 requires strict segmentation. For a Romanian TSO, the equivalent scenario would stop transit to Ukraine and Moldova — with direct impact on Reg. 2017/1938 and the solidarity mechanism.

What is the maximum fine ceiling for an essential gas operator?

Under NIS2 Art. 34: at least EUR 10,000,000 or 2% of annual worldwide turnover, whichever is higher, for essential entities [C5]. For important entities: EUR 7,000,000 or 1.4% [C5]. Note: NIS2 sanctions are cumulative with those under sectoral energy law (ANRE), those under GDPR on the personal-data component (smart-meter telemetry, billing), and with personal liability of management (NIS2 Art. 20) [C14]. In practice, for a Romanian gas operator, the effective ceiling is set by OUG 155/2024 and the DNSC implementing regulation.

Who is personally liable in the management of a gas operator?

NIS2 Art. 20 requires the management bodies (management board, supervisory board, managing director) to approve cyber risk-management measures, oversee implementation, and may be held personally liable [C14]. The directive allows Member States to impose temporary prohibitions on exercising managerial functions for essential entities. In Romania, OUG 155/2024 transposed these provisions [C6]. Practical implementation: a board decision / management-board decision approving the cyber risk-management framework — signed, dated, archived — and an annual report presented to the board by the CISO and the CIO.

🔗 Official sources

Are you in the natural gas sector?

Free NIS2 audit for companies with 50+ employees. We reply within 24 business hours.

Request audit →