Gruia Dufaut

NIS2 DIRECTIVE : NOTIFICATION DEADLINE SET FOR COVERED ENTITIES

  • Home
  • News
  • NIS2 DIRECTIVE : NOTIFICATION DEADLINE SET FOR COVERED ENTITIES
NIS2 DIRECTIVE : NOTIFICATION DEADLINE SET FOR COVERED ENTITIES

Last updated: 25 August 2025

NIS2 DIRECTIVE : NOTIFICATION DEADLINE SET FOR COVERED ENTITIES

With a delay of almost six months from the initial deadline announced (31 March 2025), the implementing rules of the NIS2 Directive have been published, by means of Order no. 1/2025 approving the Requirements regarding the notification process for registration and the method of transmitting information, and Order no. 2/2025 approving the Criteria and thresholds for determining the degree of disruption of a service and the Methodology for assessing the risk level of entities, issued by the National Cyber Security Directorate (DNSC) and published in the Official Gazette no. 776 of 20 August 2025.

For more information regarding the NIS2 Directive, see our previous article published:

https://www.gruiadufaut.com/en/posts/transposition-of-the-nis2-directive-obligations-for-romanian-companies

Deadline for notification

According to the new regulations, the entities concerned by Emergency Ordinance no. 155/2024 are obliged to notify the DNSC regarding their qualification as an essential or important entity, by 19 September 2025.

Until the announced NIS2 platform becomes operational, notifications may be transmitted through the NIS2 Tool available on the DNSC website, which generates a form in PDF format, to be signed by the legal representative and sent by e-mail 2. Once the platform becomes operational, each concerned entity will be required to create its own account.

The notification form is structured into six sections:

  • General data: name and identification of the entity, where applicable, registration number in other national registers for entities not registered in Romania, contact details, main activity and, where applicable, authorized secondary activity (CAEN). The authorized secondary CAEN codes corresponding to the sectors and subsectors included in Annexes no. 1 and 2 to Emergency Ordinance no. 155/2024 must be indicated.
  • Specific data: size of the entity (number of employees, turnover, assets), sector and subsector of activity, data concerning the person responsible for cybersecurity3  (where already appointed) and contact persons, ranges of public IP addresses, presence in other EU Member States.
  • Specific situations: results of the self-assessment of the impact of service disruption, the status of critical entity (whether or not identified as such), analysis of dependence on IT&C infrastructures of national interest or of the role of sole provider of an essential service.
  • Attached documents: it is mandatory to attach the documents required by legal provisions, such as documents attesting to the size of the entity (ONRC extracts, financial statements, declarations on own responsibility), results of the self-assessment and, where applicable, additional documents requested by the DNSC.
  • Preliminary assessment: refers to the proposal for qualification as an essential or important entity, following the entity’s self-assessment in accordance with Emergency Ordinance no. 155/2024 and the requirements provided by Order no. 1/2025.
  • Entity representation: identification details, position held and signature of the legal representative.

The notification must be signed with a qualified electronic signature. In the case of transmission via the NIS2 Tool, the use of a handwritten signature is also permitted.

Notes

  1. The Directive (EU) 2022/2555, known as the NIS2 Directive, represents the new European framework on cybersecurity, adopted in 2022 and replacing the NIS Directive of 2016. It extends the categories of entities concerned (energy, transport, health, digital infrastructures, public administration, postal services, food sector, IT and others), introduces clear obligations for the implementation of security measures and for the reporting of incidents, as well as severe sanctions (fines of up to EUR 10 million or 2% of the global annual turnover). Member States must apply it through national legislation starting from 17 October 2024; in Romania it has been transposed by Emergency Ordinance no. 155/2024.
  2. The e-mail address is: evidenta @ dnsc.ro
  3. According to the recent amendments to Emergency Ordinance no. 155/2024, entities have 30 days from the receipt of the notification regarding their registration in the DNSC register to appoint this person.

On the same subject

HEALTH CARDS

The CNS certifies the fact that its holder (who has to be at least 18 years old) is insured within the Romanian healthcare insurance system and thus can benefit from medical services on Romanian territory. Read more

22 May 2014

PURCHASING AGRICULTURAL LANDS IN ROMANIA : NEW RULES

As of January 1, 2014, Romania gave the green light to the purchase of agricultural lands by citizens of the European Union/European Economic Area or of the Swiss Confederation. Read more

13 June 2014

HEALTH INSURANCE CONTRIBUTIONS: EXEMPTIONS

In accordance with article 296 21 paragraph 1 letter i) of the Fiscal Code, persons obtaining revenues from asset rental are subject to the payment of the compulsory health insurance contribution of 5% for such revenues. The Central Tax Commission has rec Read more

30 July 2015

SALE-PURCHASE OF AGRICULTURAL LAND LOCATED OUTSIDE BUILT-UP AREAS

The Law no. 175/2020, amending and supplementing the Law no.17/2014 on the sale of agricultural land located outside built-up areas comes, indeed, with certain restrictions related to the preemption rights in case of transfer of ownership, to agricultura Read more

11 March 2021

INCREASE IN THE MINIMUM BASIC GROSS SALARY IN ROMANIA

The minimum basic gross salary at the national level will increase from 1 July 2024, rising from 3,300 lei (approx. €663) to 3,700 lei per month (approx. €744) for a monthly working time of 168 hours, which equates to 22.024 lei (€4.43) per hour. Read more

12 June 2024

Subscribe to our newsletter

Please tick the following box to subscribe to our newsletter

Share this on:

Gruia Dufaut & Partners never communicate through gmail or public email services.

Stay vigilant against phishing:

- Verify the sender's email address carefully before responding or sharing any sensitive information.

- If you receive an email claiming to be from Gruia Dufaut & Partners but originating from a different domain, do not engage and contact us directly.

Close