On 30 December 2024, the Romanian Government adopted the Government Emergency Ordinance (GEO) 155/2024 which transposes the NIS2 Directive.
The GEO 155/2024 was published in the Official Gazette and entered into force with its most provisions on 31 December 2024.
According to the transitory norms of such enactment, some of its provisions will enter into force at a later day (for example, the provisions on sanctions will enter into force in 30 days from 31 December 2024).
The GEO 155/2024 mainly follows the text of the updated draft transposition document about which we have written here.
Nevertheless, apart from formal adjustments of wording, the GEO 155/2024 brings certain additional updates as compared to the aforesaid draft. For example:
- additional clarifications on the scope of territorial application of its provisions;
- more clarity on the way in which the Romanian Cybersecurity Authority (DNSC) shares the competences with the sectorial competent authorities;
- additional information on the cooperation between authorities at the European and international level;
- certain adjustments with regard to the deadlines of incident reporting;
- certain completions to the Annexes I and II listing sectors of high criticality and other critical sectors;
- additional transitory provisions.
After the adoption of GEO 155/2024, DNSC must adopt certain secondary legislation covering, amongst others, norms on registration notification, incident reporting, risk assessment and risk management measures.
The press release of DNSC with regard to the adoption of GEO 155/2024 is available here.
The text of the NIS2 Directive is available here.
Our takes on the initial draft and the updated draft published by DNSC are available here and here.
