At the end of 2022, the European Union adopted Directive (EU) 2022/2555 (NIS 2), aimed at establishing a high common level of cybersecurity across the Union. It represents a significant update and extension of the NIS 1 Directive, adapted to the current context of digital threats and interdependencies.
In Romania, this Directive was transposed by Government Emergency Ordinance (GEO) No 155/2024, which establishes the legislative framework for cybersecurity in the civilian national cyberspace. It is implemented and supervised by the National Cyber Security Directorate (DNSC).
I. Who has to comply with GEO 155/2024?
The Ordinance applies to essential and important entities active in strategic areas for the functioning of society. These include:
- Essential Entities (EE): in the sectors of energy, transportation, health, drinking water, digital infrastructure, public administration, space, financial markets.
- Important Entities (EI): from the sectors of postal and courier services, waste management, chemical industry, food production, digital services, cloud computing, etc.
A company is in scope if:
- it operates in a field covered by the Directive;
- it is medium-sized or large (according to EU criteria);
- it provides critical services or holds a strategic position in the economy.
Even small entities can be included if:
- they are the sole provider of a particular vital service;
- an incident at their level could affect public safety, the economy or health;
- they have significant interdependencies with other critical infrastructures.
Financial sector entities, mainly covered by the DORA Regulation, are only partially covered by GEO 155/2024, in particular as regards cooperation, risk analysis and registration.
II. Obligations imposed by the NIS 2 Directive / GEO 155/2024
- Cybersecurity measures (Art. 17-21 NIS2)
  - Implementation of effective technical and organizational measures;
  - Protection of critical infrastructures and sensitive data;
  - Ensuring confidentiality, integrity and availability of IT systems.
- Incident reporting (Art. 23-24 NIS2)
  - Significant incidents must be reported within 24 hours of discovery to the DNSC or CSIRT.
  - Clear internal incident alert and response procedures shall be implemented.
- Risk management
  - Regular assessment of cyber risks;
  - Preparing staff through training and awareness;
  - Proactive incident prevention and response measures.
- Audit and supervision (Art. 20 NIS2)
  - The DNSC will conduct audits and monitoring to verify compliance.
  - Entities must cooperate with the authorities and participate in regular inspections.
- Supply chain management (Art. 28 NIS2)
  - Organizations must ensure that their suppliers also comply with cybersecurity standards;
  - In particular, close monitoring of critical service providers (e.g. cloud, software, infrastructure) is required.
III. Challenging registration as a covered entity
The DNSC has the power to include a company in the register of covered entities, even if it has not voluntarily identified itself. The notification sent by the authority may be contested before the Bucharest Court of Appeal, without prior administrative procedure.
Important: the challenge does not suspend the effects of the notification. It is therefore essential that any response is based on sound legal and operational analysis.
IV. NIS 2 vs. DORA – two complementary regulations

| Feature | NIS 2 Directive | DORA Regulation |
|---|---|---|
| Scope | Critical infrastructure (multiple sectors) | Financial sector only |
| Third-party risk approach | General, adaptable | Very detailed (including ICT testing) |
| Regulations | Flexible, directly applicable rules | Uniform, directly applicable rules |
Although both acts regulate cybersecurity, they have different scopes of application.
Conclusion
The NIS 2 Directive and GEO 155/2024 mark a new standard in protecting critical infrastructures and digital services in the European Union. For the targeted public and private entities, compliance with these regulations is not merely a legal obligation, but an investment in cyber resilience and protection of their own operations.
It is essential that organizations rapidly assess whether they are subject to the new obligations and initiate the compliance process. In an increasingly complex and exposed digital environment, prevention, preparedness, and rapid response are key elements of business sustainability and security.