Navigating NIS2: Cybersecurity compliance obligations for Romanian companies

11 December 2025

The Government Emergency Ordinance no. 155/2024 (“GEO 155/2024”) on the cybersecurity of networks and information systems, as approved and amended by Law no. 124/2025, fully transposes the NIS2 Directive into Romanian law and significantly expands the cybersecurity related obligations applicable to entities operating in critical sectors (e.g. energy, tech, finance, transportation, healthcare, food, etc).

The National Cybersecurity Directorate’s (“DNSC”) Orders no. 1/2025 and 2/2025, entered into force at the end of August 2025, approved the instruments for concerned entities to register with DNSC, as well as the rules on self-assessment and documenting the cyber risk profile.

At the end of October 2025, DNSC published for consultation a draft order on regulatory control and sanctioning, which has not yet entered into force.

Our team has prepared a briefing that explores the key issues related to this law and outlines additional clarifications for businesses that are subject to its effects.

The briefing is available below.

Download PDF

Briefings

Navigating NIS2: Cybersecurity compliance obligations for Romanian companies

11 December 2025

The National Cybersecurity Directorate’s (“DNSC”) Orders no. 1/2025 and 2/2025, entered into force at the end of August 2025, approved the instruments for concerned entities to register with DNSC, as well as the rules on self-assessment and documenting the cyber risk profile.

Maria-Ecaterina Burlacu

Counsel

Clifford Chance Badea, Bucharest

Persida Ciobanu

Associate

Clifford Chance Badea, Bucharest

Filip Marinau

Associate

Clifford Chance Badea, Bucharest

Associate

Clifford Chance Badea, Bucharest

Associate

Clifford Chance Badea, Bucharest

Log in