	NIS2 Implementation in the EU
	Romania
	(Europe) Firm Nestor Nestor Diculescu Kingston Petersen Contributors Iurie Cojocaru Oana Stefan Updated 30 Jan 2026
Status of the legislative process	*Ongoing - GEO 155/2024* is enacted, but secondary legislation is still expected.**
Status of the NIS2 Implementation Act	Romania implemented NIS2 primarily through Government Emergency Ordinance (GEO / OUG) no. 155/2024 on the cybersecurity of networks and information systems in the national civil cyberspace, adopted on 30 December 2024 and published in the Official Gazette on 31 December 2024. The ordinance was subsequently approved and amended by Law no. 124/2025 (published in Official Gazette no. 638/7 July 2025), consolidating and refining the national framework. Implementation is supported by secondary legislation issued by the National Cyber Security Directorate ("DNSC") (e.g., Orders on registration/notification processes and risk methodologies).
Significant deviations of the National Implementation Act from the NIS2 Directive, if any	The Romanian implementation relies much more heavily on secondary legislation issued by DNSC, which introduces additional procedural and methodological requirements (registration workflows, forms, platforms, assessment methodologies, thresholds and periodicity) that go beyond the level of detail set out in the NIS2 Directive. Following DNSC confirmation, entities must submit a risk-level self-assessment within the national deadline, introducing a specific sequencing of compliance steps that is not detailed in the Directive. GEO 155/2024 introduces an annual cybersecurity maturity self-assessment to be submitted to DNSC, with the detailed methodology established through secondary legislation. The Romanian framework extends periodic cybersecurity audit obligations to important entities, whereas the NIS2 Directive requires regular audits only for essential entities. Auditors need to be certified under a DNSC framework and audit costs are borne by the audited entity. The amount of information that the essential and important entities must notify DNSC is more significant than that provided under the NIS2 Directive. A particularly important provision is the possibility granted in certain cases to the competent authority to impose double the amount of fines set forth under the transposition (including double the top fines of EUR 10 million and 2% of the turnover).
Date of entry into force of the Implementation Act	OUG/GEO 155/2024 entered into force on 31 December 2024 (with certain provisions deferred under the ordinance’s transitional rules). Law no. 124/2025 (approval/amendment law) was published on 7 July 2025 and applies as the law approving the ordinance with amendments.

NIS2 Implementation in the EU

Back XLS

Status of the legislative process

Ongoing - GEO 155/2024 is enacted, but secondary legislation is still expected.

Status of the NIS2 Implementation Act

Romania implemented NIS2 primarily through Government Emergency Ordinance (GEO / OUG) no. 155/2024 on the cybersecurity of networks and information systems in the national civil cyberspace, adopted on 30 December 2024 and published in the Official Gazette on 31 December 2024.

The ordinance was subsequently approved and amended by Law no. 124/2025 (published in Official Gazette no. 638/7 July 2025), consolidating and refining the national framework.

Implementation is supported by secondary legislation issued by the National Cyber Security Directorate ("DNSC") (e.g., Orders on registration/notification processes and risk methodologies).

Significant deviations of the National Implementation Act from the NIS2 Directive, if any

The Romanian implementation relies much more heavily on secondary legislation issued by DNSC, which introduces additional procedural and methodological requirements (registration workflows, forms, platforms, assessment methodologies, thresholds and periodicity) that go beyond the level of detail set out in the NIS2 Directive.
Following DNSC confirmation, entities must submit a risk-level self-assessment within the national deadline, introducing a specific sequencing of compliance steps that is not detailed in the Directive.
GEO 155/2024 introduces an annual cybersecurity maturity self-assessment to be submitted to DNSC, with the detailed methodology established through secondary legislation.
The Romanian framework extends periodic cybersecurity audit obligations to important entities, whereas the NIS2 Directive requires regular audits only for essential entities.
Auditors need to be certified under a DNSC framework and audit costs are borne by the audited entity.
The amount of information that the essential and important entities must notify DNSC is more significant than that provided under the NIS2 Directive.
A particularly important provision is the possibility granted in certain cases to the competent authority to impose double the amount of fines set forth under the transposition (including double the top fines of EUR 10 million and 2% of the turnover).

Date of entry into force of the Implementation Act

OUG/GEO 155/2024 entered into force on 31 December 2024 (with certain provisions deferred under the ordinance’s transitional rules).
Law no. 124/2025 (approval/amendment law) was published on 7 July 2025 and applies as the law approving the ordinance with amendments.