In 2024 and 2025, the NIS2 conversation in Romania revolved around a single question: "am I in scope of the directive or not?". In 2026, the question has changed entirely. The DNSC registration deadline has passed, the legal framework is complete, and the authority now has the tools to check. The question is no longer whether you are covered, but whether you can prove that you are compliant.
The difference is enormous. A company that "knows it should do something" and one that can put a file acceptable as evidence in front of DNSC are in diametrically opposite legal positions. A readiness check tells you, coldly, which of the two you are in — and what to do to move to the right camp before an inspection.
Where we stand, legally, in 2026
The NIS2 Directive was transposed in Romania through GEO 155/2024, consolidated and approved by Law 124/2025, in force since July 2025. On top of this law, DNSC issued the implementing rules that matter for day-to-day work: Order no. 1/2025 (notification and registration requirements) and Order no. 2/2025 (the risk-level assessment methodology), both in force since 20 August 2025.
In other words, the framework is no longer "a work in progress". It is complete, operational and accompanied by concrete tools — from the registration form to the methodology by which you calculate your risk level. The excuse "the rules are not clear yet" no longer exists.
The registration deadline has passed. Now what?
In-scope entities had 30 days from 20 August 2025 to notify DNSC — a deadline that expired around 19–22 September 2025. The key message, stressed by DNSC itself: the fact that the deadline has passed does NOT extinguish the obligation. A company that did not register on time is still required to do so now, only in a more vulnerable position.
The good news for latecomers: DNSC has communicated that its priority in the first part of 2026 is voluntary compliance and supporting companies, not the immediate application of maximum fines. An organisation that registers now and presents a realistic compliance plan may benefit from additional deadlines, procedural tolerance and, in the event of an inspection, a possible penalty reduction of up to 50%. This is a window that will not stay open indefinitely.
In 2026, DNSC is not yet looking to punish — it is looking to see who moved. A realistic plan put on the table in time is worth more than perfect compliance promised "later".
The chain of obligations after registration
This is where most companies go wrong: they think registration is the finish line. In fact, it is the starting line. Once you notify, a chain of legal deadlines unfolds automatically, whether you are ready or not:
- 1DNSC issues the identification and registration decision — in roughly 60 days for essential entities and 150 days for important ones.
- 2Within 60 days of the decision: you submit the risk-level assessment, performed according to the methodology in Order 2/2025 (via the ENIRE@RO tool / the NIS2@RO platform).
- 3Within 60 days of the risk assessment: you perform the maturity self-assessment of your security measures.
- 4Annually: you repeat the maturity self-assessment of your risk-management measures, explicitly assumed by the entity's management.
Each step requires documentation, evidence and real technical decisions — not ticking a form. And the deadlines run from the moment of the DNSC decision, not from when you "get around to them". A company that discovers only on day 55 that it has no compliant risk assessment is already late.
Incident reporting: 24h / 72h / one month
Beyond the compliance file, NIS2 imposes a strict regime for reporting significant incidents. If you are hit by an attack, the clock starts immediately:
- 1Within a maximum of 24 hours of becoming aware of a significant incident: an early warning to DNSC, indicating whether there are suspicions of malicious action or possible cross-border impact.
- 2Within a maximum of 72 hours: a full notification, with an initial assessment of severity and impact.
- 3Within a maximum of one month of the notification: a final report, with an analysis of the causes and the measures applied.
These deadlines are impossible to meet on the fly. Without a written incident response plan and clear roles, the first 24 hours pass in panic, and the delay in reporting becomes a violation in itself — on top of the attack.
Penalties: what non-compliance actually costs
- Essential entities: fines of up to 10 million euros or 2% of annual worldwide turnover, whichever is higher.
- Important entities: fines of up to 7 million euros or 1.4% of annual worldwide turnover.
- Failure to notify and register: separate fines, up to 500,000 lei for essential entities and 300,000 lei for important ones.
- Management liability: NIS2 introduces the direct responsibility of management for security measures — it is no longer "the IT department's problem".
The point is not to sell fear, but proportion. For a mid-sized company, exposure to a fine in the hundreds of thousands of lei — plus the personal liability of the administrator — makes a few days of orderly preparation one of the most profitable investments possible.
What a DNSC readiness check actually checks
A readiness check is not a certification audit and does not take months. It is a focused assessment that answers three questions: am I in scope, where are the gaps, and what do I do, in what order. Concretely, a NIS2 / DNSC Readiness Check delivers:
- Applicability determination — whether you are an essential entity, an important one, or out of scope, argued by sector and thresholds.
- A gap analysis against DNSC requirements — where you stand well, where you have gaps and how serious they are.
- An action plan with prioritised legal deadlines — what you fix first and by when, aligned to the timeline chain above.
- Structured documentation, acceptable as evidence before the authority.
The difference we bring is that the assessment is performed by an authorised DNSC auditor — someone who knows exactly what form of evidence passes and what does not. It is part of the broader cybersecurity service, where we then take the plan through to implementation: technical controls, awareness training and an incident response plan.
Where to start, in practice
- 1Clarify your status: check the sector and thresholds (≥50 employees or over 10 million euros in turnover/balance sheet) to know whether you are essential, important or out of scope.
- 2If you have not registered, do it now — while the 2026 tolerance window is still open.
- 3Order a readiness check to find out, in days, where you stand and what you are missing against the real DNSC requirements.
- 4Turn the gaps into a plan with deadlines and owners, aligned to the decisions and legal timelines.
- 5Put the minimum operational basics in place: MFA, patching, tested backup and an incident response plan that respects the 24h/72h/one-month chain.
You do not need to do everything in a month. You need to start in an orderly way and be able to show that you moved. If you want to know which camp you are in right now — compliant or just "well-intentioned" — let us talk for 30 minutes and I will tell you the concrete first step.
NIS2 compliance is not proven with intentions, but with documents. A readiness check shows you exactly what is missing from the file before the inspector does.
Conclusion
In 2026, NIS2 has moved from the "what is this about" phase to the "show me the evidence" phase. The legal framework is complete, the deadlines are running, and the penalties are real. But the DNSC tolerance window makes this year the ideal moment to get in order without the pressure of the maximum fine. A readiness check gives you the map: where you are, what you are missing and in what order to fix it. The rest is just discipline.