Romania’s NIS2 transposition is law. OUG 155/2024, approved by Legea 124/2025, places real operational obligations on thousands of organizations — not someday, but now. If your organization operates in energy, finance, health, transport, water, digital infrastructure, public administration, or a range of important entity categories, the reporting clock is already running.
This article walks through the concrete obligations: what you owe, by when, and the consequences of missing deadlines.
Who is in scope
OUG 155/2024 divides organizations into essential entities and important entities, following the NIS2 directive logic.
Essential entities include operators in energy (electricity, gas, oil, heat), transport (air, rail, road, maritime), banking and financial market infrastructure, health (hospitals, labs, pharmaceutical manufacturers), drinking water, wastewater, digital infrastructure (cloud providers, IXPs, DNS, TLD registries, data centers), ICT service management, and public administration at central and regional level.
Important entities include postal and courier services, waste management, chemical production and distribution, food production, manufacturing of medical devices, computers, motor vehicles and other critical goods, digital providers (online marketplaces, search engines, social networks), and research organizations.
Size thresholds generally apply (medium and large enterprises), though certain sectors face obligations regardless of size. If you are unsure whether your organization qualifies, the DNSC registration platform — NIS2@RO — is the reference point. DNSC is the Directoratul Național de Securitate Cibernetică, the Romanian national cybersecurity authority designated as the competent authority under OUG 155/2024.
The incident notification cascade
Article 23 of the NIS2 directive establishes a three-stage notification obligation that OUG 155/2024 transposes directly:
Within 24 hours of becoming aware of a significant incident: submit an early warning to DNSC. This is a brief notification — it establishes that a significant incident has occurred and gives DNSC situational awareness. “Significant” means incidents that cause or could cause severe operational disruption, financial loss to the entity, or substantial material or non-material damage to other persons.
Within 72 hours: submit an incident notification with more detail — the nature of the incident, initial assessment of severity and impact, indicators of compromise where available, and the measures taken or planned.
Within one month: submit a final report containing a full description of the incident, the root cause, the impact, the remediation measures taken, and any cross-border dimension. For incidents still ongoing at that point, the 72-hour submission serves as an interim report, followed by a final report within one month of resolution.
This cascade is not optional. Missing the 24-hour early warning — even if you eventually submit a full report — is a compliance failure. Build the escalation path into your incident response procedure now, not during an active incident.
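The cascade above is easier to operationalize when the clock is computed rather than remembered. The following added example (not part of the original article, and not a DNSC tool) derives the three deadlines from the awareness timestamp and flags overdue stages; it assumes "one month" means the same calendar day of the following month, clamped to the month's last day, and treats an incident unresolved at the 72-hour mark as "ongoing" so that the final-report clock starts at resolution.

```python
import calendar
from datetime import datetime, timedelta
from typing import Optional


def add_one_month(ts: datetime) -> datetime:
    """Same day next month; clamp when the next month is shorter
    (assumption: 31 Jan -> 28/29 Feb). The law does not fix this to the hour."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


def nis2_deadlines(aware_at: datetime, resolved_at: Optional[datetime] = None) -> dict:
    """Deadlines for a significant incident under the OUG 155/2024 cascade.

    aware_at    - moment the entity became aware of the incident
    resolved_at - None while the incident is still ongoing
    """
    h72 = aware_at + timedelta(hours=72)
    deadlines = {
        "early_warning": aware_at + timedelta(hours=24),   # brief DNSC early warning
        "incident_notification": h72,                        # detail, IoCs, measures
    }
    if resolved_at is None:
        # Still ongoing: the 72-hour submission is an interim report and the
        # final-report clock has not started yet.
        deadlines["final_report"] = None
    elif resolved_at <= h72:
        # Resolved within the normal cascade: final report one month from awareness.
        deadlines["final_report"] = add_one_month(aware_at)
    else:
        # Was ongoing at the 72-hour mark: final report one month after resolution.
        deadlines["final_report"] = add_one_month(resolved_at)
    return deadlines


def overdue(deadlines: dict, submitted: set, now: datetime) -> list:
    """Stages whose deadline has passed without a recorded submission."""
    return sorted(
        stage for stage, due in deadlines.items()
        if due is not None and stage not in submitted and now > due
    )


if __name__ == "__main__":
    # Constructed sample incident: awareness on 10 March 2026 at 09:00.
    aware = datetime(2026, 3, 10, 9, 0)
    for stage, due in nis2_deadlines(aware, resolved_at=datetime(2026, 3, 12)).items():
        print(f"{stage:22s} due {due}")
```

Feed `overdue()` with the stages already filed and the current time from the IR ticket to get the list of notifications that must go to DNSC immediately.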
Registration deadlines: 15 days and 5 days
Beyond incident notifications, OUG 155/2024 requires organizations to register on the DNSC NIS2@RO platform and to notify DNSC of substantial changes to registration data within 15 days of the change occurring. This includes changes to the scope of services, contact details, and other material information.
There is a separate 5-day deadline for notifying changes to the designated NIS Security Officer (Responsabilul NIS). The NIS Officer is the named individual responsible for coordinating compliance within the organization — think of them as the internal owner of the NIS2 obligation. If that person changes (reassignment, departure, organizational restructuring), DNSC must be informed within 5 working days.
These deadlines are operational. They require HR processes, a change management procedure, and a named owner who tracks when registrations need to be updated.
Audit obligations
OUG 155/2024 requires essential entities to undergo regular security audits. Those audits must be conducted by DNSC-attested auditors — individuals who have obtained the attestation issued by DNSC under the procedures defined in the law. The attestation is valid for three years, after which renewal is required.
This creates a supply-side constraint: the pool of DNSC-attested auditors is limited in 2026. Organizations that delay identifying and engaging an attested auditor risk not being able to schedule an audit within their compliance window. The audit platform for scheduling and reporting is ATHENA.
Audits are not a one-time checkbox. The cycle is ongoing. Organizations should factor audit planning into their annual compliance calendar from the start.
Penalties
The penalty regime follows the NIS2 directive’s graduated approach:
- Essential entities: administrative fines of up to 2% of total annual global turnover for the preceding financial year, or the equivalent in lei if higher.
- Important entities: up to 1.4% of total annual global turnover.
Beyond financial penalties, DNSC can issue binding instructions, require public disclosure of non-compliance, and — for essential entity management — issue temporary prohibitions. The reputational and operational risk compounds the financial exposure.
Practical recommendations
1. Verify your scope status. Do not assume you are out of scope. Check against the sector and size criteria in OUG 155/2024. If there is doubt, consult.
2. Register on NIS2@RO. If your organization has not registered, this is the first obligation. The registration creates the baseline record DNSC uses for oversight.
3. Designate a NIS Security Officer. Name a specific individual, document it, and register that person with DNSC. Ensure there is a clear succession plan — the 5-day change notification obligation bites.
4. Build the 24-hour early warning into your incident response procedure. The 72-hour and monthly deadlines are achievable with normal IR processes. The 24-hour window requires a pre-defined trigger and an owner who can submit without bureaucratic delay.
5. Identify a DNSC-attested auditor. Start conversations early. Auditor availability is not unlimited.
6. Set a calendar for 15-day notifications. Treat material changes to your NIS2 registration the same way you treat a regulatory filing — with a defined process and an owner.
This article is informational. It summarizes obligations under OUG 155/2024 and Legea 124/2025 as publicly available law but does not constitute legal advice. Your specific obligations depend on your sector, size, and activities. Consult qualified legal and cybersecurity counsel for your compliance program.
If your organization is working through NIS2 readiness and wants a structured assessment of where you stand against OUG 155/2024 requirements, start a conversation with us.