€ USD
BizLawyer
CMS | Romania expands scope of NIS2 implementation
18 Iulie 2025
CMS RomaniaFor more information on cyber security rules in Romania, contact your CMS client partner or CMS experts: Cristina Popescu and Carmen Turcu.
The Romanian parliament has formally approved Government Emergency Ordinance No. 155/2024 (GEO 155) implementing EU Directive 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS2 Directive) in Romania. The law for approval amends provisions of the original ordinance and broadens its scope by including new entities in the highly critical sectors listed in Annex 1.
Romanian Government issued GEO 155 to transpose the NIS2 Directive into Romanian law. GEO 155 entered into force on 31 December 2024. Although government emergency ordinances apply immediately, they require subsequent parliamentary review and confirmation by law, which must be promulgated by the Romanian President and published in the Official Gazette.
The law approving GEO 155 was adopted by Romania’s parliament, published in the Official Gazette, and entered into force as Law No. 124/2025 on 10 July 2025.
The law of approval introduces several amendments to GEO 155. Some changes serve clarification or implementation purposes, while others materially expand the initial provisions. The following is a list of the most relevant amendments:
→ Essential and important entities are now expressly required to ensure regular professional training for all staff to maintain an adequate level of cyber security knowledge and competence. The original wording did not mandate training at regular intervals.
→ Management bodies of essential and important entities must appoint persons responsible for network and information systems security within 30 days from the decision’s notification date by the National Directorate for Cyber Security (DNSC) regarding each entity’s identification and registration in the national register.
→ Fines expressed as a percentage of turnover are now explicitly referenced to the annual global turnover of the entity. The previous text did not clarify whether the turnover referred to local or global revenues.
→ In the case of repeated violations, the amount of the fine will be determined based on the legal limits applicable to the offence and increased by 50%. Previously, the increase was discretionary, but it is now mandatory.
→ The following entities have been added to Annex 1:
→ holders of distribution authorisations for medicinal products;
→ entities carrying out activities mentioned in NACE code 4646 – wholesale of pharmaceutical and medical products;
→ entities carrying out activities mentioned in NACE code 4773 – retail of pharmaceutical products in specialised stores.
This expansion increases the number of entities subject to the GEO 155 provisions. Affected organisations should reassess their qualification under the updated scope and prepare for compliance with the applicable cybersecurity requirements.
What’s next?
The DNSC is expected to issue implementing orders for GEO 155 in the near future, including procedures for the registration of entities falling within its scope.
For more information on cyber security rules in Romania, contact your CMS client partner or CMS experts: Cristina Popescu and Carmen Turcu.
Romanian Government issued GEO 155 to transpose the NIS2 Directive into Romanian law. GEO 155 entered into force on 31 December 2024. Although government emergency ordinances apply immediately, they require subsequent parliamentary review and confirmation by law, which must be promulgated by the Romanian President and published in the Official Gazette.
The law approving GEO 155 was adopted by Romania’s parliament, published in the Official Gazette, and entered into force as Law No. 124/2025 on 10 July 2025.
The law of approval introduces several amendments to GEO 155. Some changes serve clarification or implementation purposes, while others materially expand the initial provisions. The following is a list of the most relevant amendments:
→ Essential and important entities are now expressly required to ensure regular professional training for all staff to maintain an adequate level of cyber security knowledge and competence. The original wording did not mandate training at regular intervals.
→ Management bodies of essential and important entities must appoint persons responsible for network and information systems security within 30 days from the decision’s notification date by the National Directorate for Cyber Security (DNSC) regarding each entity’s identification and registration in the national register.
→ Fines expressed as a percentage of turnover are now explicitly referenced to the annual global turnover of the entity. The previous text did not clarify whether the turnover referred to local or global revenues.
→ In the case of repeated violations, the amount of the fine will be determined based on the legal limits applicable to the offence and increased by 50%. Previously, the increase was discretionary, but it is now mandatory.
→ The following entities have been added to Annex 1:
→ holders of distribution authorisations for medicinal products;
→ entities carrying out activities mentioned in NACE code 4646 – wholesale of pharmaceutical and medical products;
→ entities carrying out activities mentioned in NACE code 4773 – retail of pharmaceutical products in specialised stores.
This expansion increases the number of entities subject to the GEO 155 provisions. Affected organisations should reassess their qualification under the updated scope and prepare for compliance with the applicable cybersecurity requirements.
What’s next?
The DNSC is expected to issue implementing orders for GEO 155 in the near future, including procedures for the registration of entities falling within its scope.
For more information on cyber security rules in Romania, contact your CMS client partner or CMS experts: Cristina Popescu and Carmen Turcu.