
Strengthen your organization’s cybersecurity and resilience

The NIS2 Directive strengthens cybersecurity and resilience of critical infrastructure across the European Union. Is your organisation prepared? Use our tool to assess!

The NIS2 Directive strengthens the cybersecurity and resilience of critical infrastructure across the European Union. Following its official adoption by the European Union in December 2022, all EU Member States, Romania included, were required to transpose it into national law by 17 October 2024. In response to this Directive, Romania has introduced Government Emergency Ordinance 155/2024. From finance and public administration to space and waste management, NIS2 demands enhanced cybersecurity measures and resilience across many sectors. Building on its predecessor, NIS, the directive focuses on raising the level of preparedness and coordination between EU Member States while enforcing cybersecurity measures for key sectors.

NIS2 stands on three foundational pillars:

  • National Cybersecurity Strategies: EU Member States must establish clear, coordinated national strategies to enhance cybersecurity across the region.
  • Strategic Cooperation and Information Sharing: NIS2 emphasizes collaboration between Member States and the exchange of cybersecurity information, fostering a collective defense against cyber threats.
  • Key Sectors: NIS2 applies to sectors critical to public life, including energy, healthcare, transport, and digital infrastructure, ensuring they maintain robust cybersecurity defenses.

What Requirements Does NIS2 Bring About?
NIS2 introduces several new requirements to enhance the overall security posture of organizations and sectors. These requirements focus on improving risk management, corporate governance, incident reporting, and business continuity:

  • Risk Management & Security Enhancement: Organizations must adopt measures to minimize cyber risks, including managing incidents, securing the supply chain, and enhancing network security. This ensures proactive defenses against evolving threats.
  • Corporate Accountability: Corporate management must take responsibility for cybersecurity, including overseeing, approving, and being trained on the organization's security measures. This ensures that cybersecurity is prioritized at the highest levels of decision-making.
  • Reporting of Security Incidents: Organizations must have a clear process to report any major security incidents, especially those that could significantly impact service provision or users. Timely reporting is key to mitigating the consequences of cyberattacks.
  • Business Continuity: NIS2 mandates the development and implementation of business continuity plans to ensure that organizations can maintain essential operations and recover quickly from major cyber incidents, minimizing downtime and disruptions.

Entities are categorized differently:

There are now two categories of entities that are grouped according to criticality of the associated sector:

  • Essential entities belong to sectors deemed “highly critical.” 
  • Important entities belong to other sectors deemed only “critical.”

Further distinction is made based on company size and turnover; small and micro enterprises are not in scope.

There is no longer a distinction between operators of essential services (OES) and digital service providers (DSPs).

Entities are treated differently depending on their categorization:

While both essential and important entities will have to adhere to the same security requirements and be subject to an ex-post supervisory regime, essential entities will have an ex-ante supervisory regime (e.g., inspections, random checks, audits, requests of information).

Administrative fines will be up to €10 million or 2% of the total global annual turnover of the company.

There are new requirements that:

  • Oblige entities in scope to adopt specific cyber risk management practices;
  • Introduce a two-stage approach to incident reporting; and
  • Strengthen supply chain security.

Key NIS2 Implications per Type of Entity

  • Executive management can be held personally responsible in essential entities, while no personal responsibility is envisaged for important ones.

What are the sectors in scope?

Eleven sectors have been identified as “highly critical” based on the broad and immediate impact on societal functions, public health and the economy that would follow if the essential entities within them were compromised. These highly critical sectors can also be seen as a foundation on which other sectors depend, which amplifies the impact of their disruption.

  • Public administration
  • Banking
  • Financial market infrastructures
  • Energy
  • Transport
  • Space
  • Digital infrastructure
  • ICT service management
  • Drinking water
  • Wastewater
  • Health

Seven other sectors have been identified as “critical” based on the significant consequences that would follow the disruption of their important entities.

  • Postal and courier services
  • Manufacturing
  • Production, processing and distribution of food
  • Manufacture, production and distribution of chemicals
  • Waste management
  • Digital providers
  • Research

How Deloitte can help

You must first confirm if the NIS2 requirements apply to you. We can help you:

  • Analyze your organization to check whether it falls under the entities in scope; and
  • Define and detail the NIS2 requirements applicable to your organization while considering the jurisdictional context.

If your organization is subject to requirements of NIS2, you will need to assess your readiness. We can help you:

  • Perform a gap assessment of the NIS2 security requirements, aligning it with other regulations applicable to your organization; and
  • Assess your third-party risk management practices.

If you need support in implementing the enhanced security measures required by NIS2, we can help you:

  • Define a detailed remediation roadmap to mitigate cyber risk and increase compliance; and
  • Assist with implementing the required cybersecurity measures. This notably includes:
    • Shaping and updating the required policies and procedures
    • Providing cybersecurity awareness training for management bodies and staff
    • Pentest services
    • Legal services

If you need help complying with the required two-stage approach to reporting incidents, we can help you:

  • Align your incident reporting process with the new requirements; and
  • Leverage purple teaming to review, test, and improve your mechanisms for detecting security incidents
