Practical guide: the steps to NIS2 compliance in Romania
From checking applicability to continuous monitoring — a clear path under Law 124/2025 and GEO 155/2024.
Updated: 24.06.2026 · ~8 min read
The NIS2 Directive was transposed into Romanian law through GEO 155/2024 and Law 124/2025, extending cybersecurity obligations to an estimated 12,000+ organizations, classified as essential or important entities. The legal registration deadline has already passed, the remaining deadlines run from DNSC's decision for each entity, and fines can reach EUR 10 million or 2% of global turnover, plus personal liability of management. This guide summarizes the concrete steps to reach compliance.
Step 1 — Check whether you are in scope
NIS2 applicability is determined by two cumulative criteria: your sector (energy, transport, health, water, digital infrastructure, public administration, digital services, critical manufacturing, etc.) and your organization size (generally 50+ employees or over EUR 10 million turnover/balance sheet). Some exceptions include entities regardless of size. See the detailed list on the Who needs NIS2 page.
Step 2 — Run a risk assessment and maturity self-assessment
Under GEO 155/2024, the organization must perform a cybersecurity risk assessment and a maturity self-assessment. This identifies critical assets, threats, vulnerabilities and gaps against legal requirements, and forms the basis of the remediation plan. In practice this is the "NIS2 diagnostic" — the starting point of any compliance project.
Step 3 — Appoint a NIS2 Officer
The law requires designating a person responsible for cybersecurity, registered with DNSC (the National Cyber Security Directorate). You have two options:
- In-house — hiring a specialist (typically EUR 3,000–5,000/month gross salary, plus recruitment and ongoing training).
- Outsourced — a certified NIS2 Officer contracted as a service, immediately available, from EUR 290/month.
For most SMEs, outsourcing the NIS2 Officer function delivers certified competence at a fraction of the cost.
Step 4 — Implement technical and organizational measures
NIS2 requires a minimum set of risk-management measures: security policies, incident handling, business continuity and backup, supply-chain security, access control, encryption, cyber hygiene and staff training. Measures must be documented and kept up to date — NIS2 compliance is maintained over time: periodic reviews, reporting and updates.
Step 5 — Register with DNSC and report incidents
In-scope entities must register in the DNSC platform and comply with obligations to notify significant incidents within the legal deadlines (early warning within 24 hours, notification within 72 hours, final report within one month). The lack of a clear reporting process is one of the most common causes of non-compliance.
Step 6 — Monitor and maintain compliance
After implementation, compliance is maintained through periodic monitoring, risk re-assessments, policy updates, tabletop exercises and reporting to management. An outsourced NIS2 Officer ensures this continuity without depending on a single internal employee.
How long and how much?
A typical compliance project starts with the NIS2 diagnostic (from EUR 990, one-off), followed by implementation and the monthly outsourced NIS2 Officer subscription (from EUR 290/month). The duration depends on the size and complexity of the organization, but the first step — the assessment — can start immediately.
Not sure where to start? Request a free NIS2 assessment and find out in a few minutes whether your organization is in scope and what the concrete next steps are.
Request a free NIS2 assessment
Find out if your organization falls under NIS2 and what steps you need to take. The first consultation is free.
Request free assessment