Romania

(a) What is the NIS2 implementation status?

The EU NIS2 Directive has not been transposed so far in the Romanian legislation. We have identified a press release dated 18 June 2023 of the deputy director of National Directorate of Cybersecurity in which he refers to the major impact of the transposition of the EU NIS2 Directive that is expected during the following period.

Recently, the National Cyber Security Directorate (DNSC) published a draft law for public consultation that aims to transpose the NIS2 Directive into national legislation. While this is an important step, the draft is still in its preliminary phase and must pass through several stages of the legislative process before it becomes effective.

However, at national level, interest in cybersecurity has increased, and a number of measures have recently been adopted to strengthen cyber security. Among them is the entry into force in December last year of Law no. 354/2022 regarding the protection of IT systems of public authorities and institutions, in the context of the invasion initiated by the Russian Federation against Ukraine.

Another notable aspect is the entry into force of Law no. 58/2023 on the cybersecurity and defense of Romania, which establishes the legal and institutional framework for the organization and conduct of activities in the fields of cybersecurity and cyber defense, as well as the mechanisms of cooperation and responsibilities of the institutions involved in these areas.

The law sets up the National Cybersecurity System, responsible for the unified organization and conduct of specific cybersecurity and cyber defense activities at the national level. The law applies in the field of cybersecurity to the computer networks and information systems of public authorities and institutions, as well as to individuals and legal entities that provide public or public interest services.

(b) What is the envisaged NIS2 implementation timeline?

At this stage, there is no clear timeline for when the consultation period will conclude or when the final version of the law will be available.

(c) What does the NIS2 mean for other national cybersecurity legislation?

We anticipate amendments to the Law no. 362/2018 on the security of network and information systems which transposed the EU NIS Directive. In Romania, a considerable impact of the EU NIS2 Directive is expected, requiring compliance with the requirements of the directive and the development of an adequate legal and institutional framework and the improvement of cybersecurity.

(d) Who will be the supervisory authority and how are they preparing the market?

Although there are no information in relation to a draft law, we anticipate that the supervisory authority will be the National Directorate of Cybersecurity – this is the competent authority as well with attributions in the application of Law no. 362/2018 implementing the EU NIS Directive.

(e) What should you be doing/on the lookout for?

It is strongly advisable to closely monitor any development in this field.