Romania’s transposition of the NIS2 Directive is entering a new implementation phase. On 5 January 2026, the National Directorate for Cyber Security (DNSC) launched a public consultation on two draft pieces of secondary legislation addressing cyber risk management and board‑level responsibilities applicable to essential and important entities, with the objective of strengthening cyber resilience.

DNSC’s proposed draft rules operationalize Romania’s obligations under Articles 21 and 22 of Directive (EU) 2022/2555 (NIS2), as transposed by GEO 155/2024, and represent the first detailed secondary framework governing risk management and executive accountability.

DNSC’S DRAFT RULES ON RISK MANAGEMENT

One of the key draft rules focuses on cyber risk management measures applicable to essential and important entities, setting out a framework that enables organizations to anticipate the level of security required on the basis of their individual risk assessments and maturity evaluations.

  • Risk management measures: The draft rules specify technical and organizational requirements tailored to the entity’s classification.
  • Maturity self-assessment: Under Article 18(7) of Government Emergency Ordinance No. 155/2024 regarding the establishment of a framework for the cybersecurity of networks and information systems in the national civil cyberspace (GEO 155/2024), entities are required to complete a maturity self-assessment within 60 days of submitting their initial risk level assessment. The draft rules include maturity self-assessment tools for the three cybersecurity levels: basic, important, and essential. In practice, the maturity classification will likely determine the intensity of DNSC supervision, the scope of remedial measures imposed, and the frequency of compliance audits.
  • Amendments to the risk assessment methodology: The draft rules also provide amendments to the Methodology of 11 August 2025 on the assessment of entities’ risk levels, approved by Order of the Director of DNSC No. 2/2025.

DNSC’S DRAFT RULES ON BOARD-LEVEL QUALIFICATIONS

The second draft regulation issued by DNSC focuses on governance‑ and leadership‑related qualifications. It introduces:

  • A standard for professional training applicable to members of the governance bodies (e.g., boards and executive leadership) of essential and important entities.
  • A list of cybersecurity certifications recognized by DNSC, intended for the person responsible for the security of networks and information systems (Chief Information Security Officer – CISO), for the purpose of fulfilling the obligation set out in Article 14(4)(e) of GEO 155/2024 (i.e., to complete, within 12 months of appointment, a specialized accredited training course in the field of cybersecurity, recognized by DNSC).

A standout feature of the draft rules is the formalization of cybersecurity as a board‑level responsibility. DNSC moves away from treating cybersecurity as a purely IT‑related issue by introducing the role of Cyber Security Governance Manager within the organizational structure of essential and important entities. The holder of this position is responsible for exercising governance, oversight, and control responsibilities over the organization’s cybersecurity posture.

PRACTICAL IMPLICATIONS FOR ESSENTIAL AND IMPORTANT ENTITIES

In light of the DNSC’s draft rules, essential and important entities should consider:

  • Mapping existing risk management measures against DNSC maturity tools;
  • Reviewing board-level training and certification status;
  • Assessing whether internal governance structures meet the new requirements;
  • Updating internal policies and incident response frameworks.

CONCLUSION: Building a Resilient Cyber Future

Romania’s implementation of NIS2, supported by these DNSC draft regulations, represents a transformative shift in national cybersecurity governance. By articulating clear expectations for risk management practices and leadership competence, the framework aims to elevate organizational resilience against cyber threats and align Romanian entities with EU-wide standards of cybersecurity.

These draft regulations also signal that the DNSC will be rigorous in its supervisory role. Organizations should act now by reviewing the DNSC maturity tools and evaluating whether their current leadership structures align with the new governance requirements.


Cluj IT will not be liable for any false, inaccurate, inappropriate or incomplete information presented, as the authors are free to choose their approach and relevant topics, within the general guidelines of the newsletter. The opinions expressed by the authors and those providing comments are theirs alone, and do not reflect the opinions of Cluj IT.
Certain links in the articles or comments may lead to external websites. Cluj IT accepts no liability in respect of materials, products or services available on any external website which is not under the control of Cluj IT.