Law 124/2025 approves with amendments the NIS2-transposing ordinance in Romania

11.07.2025

On 7 July 2025, Law No. 124/2025 was published in the Official Gazette of Romania, approving Government Emergency Ordinance No. 155/2024 on establishing a framework for the cybersecurity of networks and information systems in the national civil cyberspace (Ordinance), which transposes the EU NIS2 Directive. This law introduced several amendments to the Ordinance, among which the most relevant are the following:

  • The management bodies of essential and important entities must appoint the persons responsible for network and information systems security, whose role is to implement/supervise the cybersecurity risk management measures, within 30 days from the communication of the National Cyber Security Directorate (DNSC) Director’s decision on registration as an essential/important entity.
  • An incident is considered significant if at least one of the listed conditions required by the Ordinance in this regard is met (before this, it was not clear if such conditions were alternative or cumulative).
  • Entities are required to implement the action plan on the remediation of deficiencies within the committed deadline, notify the DNSC of the implementation of all measures included in the plan, and provide supporting documents within five days from the committed deadline.
  • The list of the serious violations of the Ordinance is revised, with minor clarifications and textual refinements introduced, but without substantive changes.
  • The offense related to failing to report information on time is replaced by the failure to notify or remediate significant incidents and address deficiencies within the deadlines set by the competent authorities.
  • Two new offenses are introduced: failure of essential and important entities to implement measures within the committed deadline and failure to notify and provide supporting documents within the specified deadline. Consequently, the sanction provisions have been extended to explicitly cover these new offenses.
  • Serious violations are now classified as offenses punishable by fines ranging from RON 3,000 to RON 600,000 (approx. EUR 600 to EUR 120,000), with penalties increasing by 50% for repeated violations.
  • The healthcare sector from Annex 1 is updated with the addition of two new types of entities: entities involved in pharmaceutical distribution and entities involved in specialized retail of pharmaceutical products.
  • The digital infrastructure sector from Annex 1 is updated by replacing the “content broadcasting network providers” category of entities with “content delivery network providers”, as referred to in the NIS2 Directive.
  • In Annex 2, the scope is broadened: carrying out any one of the activities of production, processing, or distribution of food is sufficient to trigger the application of the Ordinance, whereas the initial wording implied that these activities had to be carried out cumulatively.

The adoption law, and thus the Ordinance incorporating these amendments, enters into force on 10 July 2025.
