In a digital era marked by a surge in sophisticated cyberattacks, Romania has officially transposed Directive (EU) 2022/2555 (the NIS 2 Directive) into national legislation through Government Emergency Ordinance No. 155/2024 (GEO 155/2024). This legal framework significantly strengthens cybersecurity requirements for a wide range of organizations, enforcing stricter security measures, reporting obligations, and penalties for non-compliance.

Key Provisions of GEO 155/2024

GEO 155/2024 sets out comprehensive cybersecurity obligations for various organizations operating in Romania. Some of the major provisions include:

  • A broader scope covering additional sectors and entities essential to national and economic security.
  • Mandatory risk management and security measures for organizations deemed essential and important.
  • Enhanced incident reporting obligations with stricter deadlines.
  • Increased regulatory oversight and compliance monitoring. The National Cybersecurity Directorate (in Romanian: Directoratul Național de Securitate Cibernetică, DNSC) is the main supervisory authority.
  • Significant penalties for failing to adhere to cybersecurity requirements.

As a side note, at the time of writing the technical rules and secondary legislation required to implement GEO 155/2024 had not yet been enacted. Consequently, many of the obligations are not yet practically applicable. The DNSC has publicly announced that the orders required to implement GEO 155/2024 will be issued in the first quarter of 2025.

Organizations Covered by GEO 155/2024

GEO 155/2024 categorizes organizations into essential and important entities, based on their criticality to society and the economy. These include:

(i) Essential entities – broadly, large organizations operating in the sectors of high criticality: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration, and space.

(ii) Important entities – broadly, medium-sized organizations in the sectors above, and medium or large organizations in other critical sectors such as postal and courier services, waste management, food production, chemical manufacturing, and other critical industries.

The specific criteria for classification are based on the size of the entity, the sector it operates in, and the level of criticality of the services it provides.

Key Obligations for Organizations

Organizations within the scope of GEO 155/2024 are subject to rigorous cybersecurity obligations:

  • Register with the DNSC, in the register of essential and important entities.
  • Implement robust cybersecurity risk management measures.
  • Designate a responsible person (point of contact) for compliance and for reporting security incidents.
  • Conduct regular cybersecurity assessments and audits.
  • Report significant cybersecurity incidents to the DNSC within the stipulated time frame (the NIS 2 Directive's staged model: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month).
  • Ensure supply chain security and third-party risk management.

GEO 155/2024 imposes specific duties on the management bodies of essential and important entities. They are required to:

  • Approve and supervise the implementation of cybersecurity measures.
  • Attend accredited training courses on risk management.
  • Allocate resources for the implementation of these measures.
  • Appoint cybersecurity officers with managerial authority, independent of IT structures.

Consequences of Non-Compliance

Failure to comply with GEO 155/2024 can result in severe penalties, including:

  • For essential entities: fines ranging from EUR 5,000 to EUR 10,000,000, or up to 2% of net turnover, whichever is higher.
  • For important entities: fines ranging from EUR 5,000 to EUR 7,000,000, or up to 1.4% of net turnover, whichever is higher.
  • Potential suspension of operations in case of repeated or severe violations.
  • Increased liability for corporate executives failing to enforce cybersecurity measures.

Conclusion

GEO 155/2024 marks a significant step in strengthening Romania’s cybersecurity landscape, ensuring better protection against cyber threats, and aligning with EU standards. Organizations should proactively assess their cybersecurity frameworks, implement required measures, and establish robust reporting mechanisms to comply with the new regulation. Failure to do so could lead to substantial financial and operational consequences. Ensuring compliance is not just a legal requirement but an important step toward safeguarding digital resilience in an increasingly interconnected world.

Cluj IT will not be liable for any false, inaccurate, inappropriate or incomplete information presented, as the authors are free to choose their approach and relevant topics, within the general guidelines of the newsletter. The opinions expressed by the authors and those providing comments are theirs alone, and do not reflect the opinions of Cluj IT.

Certain links in the articles or comments may lead to external websites. Cluj IT accepts no liability in respect of materials, products or services available on any external website which is not under the control of Cluj IT.