The Romanian cybersecurity authority publishes the draft law on the transposition of NIS2 Directive

19.08.2024

The Romanian National Cyber Security Directorate (DNSC) has published the draft law on the transposition of the Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the EU (NIS2 Directive).

According to the NIS2 Directive, all EU Member States, including Romania, must adopt the measures to comply with this Directive by 17 October 2024. This means that the Romanian State has less than 2 months now to adopt the law.

It is to be seen if any amendments will be introduced to the DNSC draft during the legislative process.

The NIS2 Directive repeals the NIS Directive (transposed in Romania by Law 362/2018) and (together with the DNSC draft law) comes with certain new obligations for the organizations to which it applies.

Amongst others, the NIS2 Directive:

  • broadens the scope of application as compared to NIS Directive, covering more industries and types of organizations (the text operates with the notions of “essential entities” and “important entities” to which the legal provisions apply);
  • imposes the obligation to register with the competent authority (which is DNSC in Romania) both to the essential entities and the important entities;
  • adjusts the minimal measures of security;
  • institutes additional obligations in case of significant cyber incidents;
  • imposes new obligations in case of significant cyber threats.

Moreover, the NIS2 Directive (unlike NIS Directive) expressly regulates the amounts of fines which apply in case of violations of its provision. Such fines may go up to EUR 10 million or 2% of the total worldwide annual turnover in the preceding financial year of the undertaking to which the essential entity belongs, whichever is higher.

Currently, under Law 362/2018 transposing NIS Directive, the maximal fine is RON 100,000 (approx. EUR 20,000), while in certain cases the fine may be increased to 5% of the organization’s turnover.

A particular matter of interest concerns the enforcement actions under NIS2 Directive and DNSC draft law. They include, amongst others, the suspension of the certification or authorization of the provided services or carried out activities, as well as the prohibition of responsible natural persons to exercise their managerial functions.

The text of the NIS2 Directive is available here.

The text of the DNSC draft law transposing NIS2 Directive is available here (in Romanian).

Statistics