
NIS2 in Romania: a compliance guide for SMBs

What the NIS2 Directive is, which Romanian companies are in scope, what obligations apply and how to prepare for compliance without blocking your business. Practical 2026 guide.


The NIS2 Directive (Network and Information Security 2) is the most important piece of cybersecurity legislation of the last decade at European Union level. It has been transposed into Romanian national law, and the practical effect is simple: far more companies now have legal security obligations, under penalties that can reach millions of euros.

If you are a director or IT manager at a mid-sized company, the question is no longer "does this affect me?", but "how fast do I need to be ready?". This guide gives you the essential answers, without the jargon.

What NIS2 is, in short

NIS2 replaces the old 2016 NIS directive and dramatically expands its scope. The goal is to raise the minimum level of cyber resilience in sectors deemed critical and important to the economy and society. Unlike the previous version, NIS2 sets a common set of risk-management measures and introduces direct accountability for company management.

Which Romanian companies are in scope

The general rule: you fall under NIS2 if you operate in a regulated sector AND qualify as at least a "medium-sized" entity — meaning at least 50 employees or annual turnover / balance sheet above 10 million euros. There are also exceptions where smaller companies are included because of their critical role.

Sectors of high criticality (essential)

  • Energy (electricity, gas, oil, hydrogen)
  • Transport (air, rail, maritime, road)
  • Health (hospitals, laboratories, medical device manufacturers)
  • Drinking water and wastewater
  • Digital infrastructure (cloud, data centres, DNS, networks)
  • Banking and financial market infrastructures
  • Public administration

Important sectors (high impact)

  • Postal and courier services
  • Waste management
  • Manufacturing (medical devices, electronics, equipment, vehicles)
  • Production and distribution of food
  • Digital service providers (marketplaces, search engines, social networks)
  • Research

Watch the supply-chain effect: even if your company is not directly regulated, if you are a supplier to a NIS2 entity you will be contractually required to demonstrate a similar level of security. In practice, NIS2 "flows" down through the entire chain.

What concrete obligations apply

  1. Technical and organisational risk-management measures: security policies, access control, encryption, network segmentation, patch management.
  2. Business continuity and disaster recovery plan — including tested backups (see below on the link with the 3-2-1 strategy).
  3. Reporting of significant incidents to the competent authority (DNSC) within strict deadlines: initial alert within 24 hours, notification within 72 hours.
  4. Supply-chain security — assessing suppliers and direct relationships.
  5. Management accountability: directors must approve the measures and can be held personally liable for non-compliance.
  6. Regular staff training in cyber hygiene.

Penalties: why you cannot postpone

For essential entities, fines can reach up to 10 million euros or 2% of global annual turnover, whichever is higher. For important entities, up to 7 million euros or 1.4%. Beyond the money, the authority can temporarily suspend certifications and hold management personally accountable.

How to prepare — step by step

NIS2 compliance is not solved with a single "turnkey" product. It is a risk-management process. Here is the pragmatic path we recommend to our clients:

  1. Determine applicability: clearly establish whether, and in which category, you fall in scope.
  2. Gap analysis: compare the current state with NIS2 requirements and produce a prioritised list.
  3. Remediation plan with deadlines and budget: you do not fix everything at once, but in order of risk.
  4. Implementation: policies, technical controls, segmentation, monitoring, tested backup.
  5. Incident reporting procedure and a designated team/owner.
  6. Audit and continuous improvement — NIS2 is not a project with an end, but a permanent regime.

For steps 2-6, a partner experienced in cybersecurity audit drastically shortens the timeline and avoids unnecessary investments. We are an authorised DNSC auditor and ISO 27001 certified — exactly the reference framework NIS2 relies on.

The link with ISO 27001 and data protection

The good news: if you already have an information security management system aligned with ISO 27001, you are 70-80% of the way to NIS2. The two frameworks overlap significantly. Likewise, data protection (GDPR) and cybersecurity measures are complementary — a security incident is almost always also a potential personal-data incident.

Conclusion

NIS2 is not bureaucracy for its own sake — it is the minimum level of cyber hygiene any serious company should already have. The difference is that it now becomes a legal obligation, with real penalties. Companies that start early turn compliance into a commercial advantage: they become preferred suppliers precisely because they can demonstrate security.

Frequently asked questions

When does NIS2 apply in Romania?

The NIS2 Directive has been transposed into national law and the obligations are already in force. The incident-reporting deadlines (24h / 72h) and risk-management measures apply to in-scope entities from the moment of transposition, which is why preparation can no longer be postponed.

My company has 40 employees — am I in scope for NIS2?

In principle the threshold is 50 employees or over 10 million euros turnover/balance sheet, within a regulated sector. However, smaller companies may be included if they have a critical role, and through the supply chain you may be contractually required to meet similar requirements. We recommend an individual applicability assessment.

How long does it take to become NIS2 compliant?

It depends on your starting point. A gap analysis in 1-2 weeks gives you the priority list; implementing the measures typically takes 3-6 months for a mid-sized company. If you already have ISO 27001, the path is much shorter.

Who is liable if the company is not compliant?

NIS2 introduces direct accountability for management bodies. Directors must approve the security measures and can be held personally liable, not just the company as an entity.
