The NIS2 Directive came into force in Romania through Government Emergency Ordinance 155/2024 and was extended by Law 124/2025. Thousands of Romanian companies now have new cybersecurity obligations — but most don't know whether they are included.
This guide walks you through exactly what to check, in what order, to find out in 10 minutes whether your company falls under NIS2 — and what to do if it does.
💡 In brief: NIS2 applies to companies in critical sectors that exceed the threshold of 50 employees or €10 million in annual turnover. Covered sectors include healthcare, IT, energy, transport, finance, pharmacies, pharmaceutical distributors, and others. Check using your CAEN code with our free tool.
Why NIS2 matters for your business
Three practical reasons:
- Fines are large. Up to €10 million or 2% of global turnover for essential entities; up to €7 million or 1.4% for important entities.
- Personal liability for management. Unlike previous versions, NIS2 allows company directors to be temporarily barred from management positions if adequate measures are not demonstrated.
- Reporting deadlines are aggressive. 24 hours for the initial alert to DNSC, 72 hours for full notification, 1 month for the final report.
Ignoring NIS2 is no longer a viable option. But the first question is: does it apply to you?
Step 1: Identify your main CAEN code
Your CAEN code is the starting point for any NIS2 analysis. You can find it on your company's ONRC certificate (Trade Registry) or in the articles of incorporation.
If your company has multiple CAEN codes, what matters is the primary activity code — the one under which you declare your majority turnover. Secondary codes may add obligations, but the primary code determines the base category.
📌 Important: NIS2 applies based on the company's actual activity, not just on the declared CAEN code. If your de facto activity includes services from a critical sector — even if your primary code seems to exclude you — you may fall under NIS2.
Step 2: Check if your sector is listed in Annex I or Annex II
NIS2 has two categories of critical sectors:
Annex I — Highly critical sectors (essential entities)
- Energy (electricity, gas, oil, hydrogen)
- Transport (air, rail, maritime, road)
- Banking sector and financial market infrastructures
- Health (hospitals, laboratories, medical device manufacturers)
- Pharmacies and pharmaceutical distributors (added by Law 124/2025)
- Drinking water and wastewater
- Digital infrastructure (DNS, IXP, cloud computing, data centers, CDN)
- ICT service management (MSP, MSSP)
- Public administration
- Space
Annex II — Other critical sectors (important entities)
- Postal and courier services
- Waste management
- Chemical manufacturing
- Food production and distribution
- Manufacturing (medical devices, computers, vehicles, electrical equipment)
- Digital providers (online platforms, search engines, social networks)
- Research
Step 3: Check your company's size threshold
The sector alone is not enough. You must also exceed a minimum size threshold. NIS2 uses criteria for medium and large companies as defined by Commission Recommendation 2003/361/EC:
| Category | Employees | Annual turnover | NIS2 category |
|---|---|---|---|
| Micro | < 10 | < €2M | Out of scope |
| Small | 10–49 | < €10M | Out of scope (with exceptions) |
| Medium | 50–249 | €10–50M | Important entity (if in Annex I or II) |
| Large (Annex I) | ≥ 250 | ≥ €50M | Essential entity |
| Large (Annex II) | ≥ 250 | ≥ €50M | Important entity |
The criteria are combined with OR: exceeding either the employee threshold or the turnover threshold brings you into scope.
Step 4: Use an automated verification tool
Steps 1–3 give you an estimate. For a concrete, complete answer — including related GDPR obligations and sector-specific penalties — use a specialized tool.
Our free checker asks for your CAEN code, employee count, and turnover, then instantly generates your exact NIS2 status, GDPR obligations, DPO and DPIA requirements, the full list of Art. 21 technical measures, and real penalties applied in your sector.
Check now for your CAEN code →
Step 5: If you fall under NIS2 — what comes next
Three immediate priorities:
1. Register with DNSC
The National Cybersecurity Directorate (DNSC) maintains the national registry of NIS2 entities. You must register and designate a contact point responsible for communication with the authority.
2. Implement the mandatory technical measures
Art. 21 of OUG 155/2024 requires 10 categories of measures: documented security policies, incident management procedures, business continuity and disaster recovery, supply chain security, procurement security, efficacy assessments, personnel training, encryption and MFA, asset management, and vulnerability disclosure procedures. All must be in place before the first DNSC inspection.
3. Prepare your incident reporting procedure
NIS2 deadlines are strict: 24 hours for the early alert to DNSC, 72 hours for full notification with incident classification, 1 month for the final report with root-cause analysis. These must be documented in a written internal procedure and periodically tested.
If your company does NOT fall under NIS2
Good news: You don't have NIS2's additional obligations — extended technical measures, DNSC reporting, or personal management liability.
Less good news: Regardless of NIS2, you still have GDPR obligations. These apply to any company that processes personal data, with no size exception. Read our complete GDPR guide or check directly for your CAEN code.
Conclusion
NIS2 is not optional for companies within its scope. Fines are large, deadlines are aggressive, and management is personally liable.
The good news: checking whether it applies takes no more than 10 minutes. Use our free checker for a personalized report. If the result confirms significant NIS2 or GDPR obligations, BrainTrust helps Romanian companies comply — audit, documentation, technical measures, training. First consultation is free.
This article is for informational purposes only and does not constitute legal advice. Last updated: May 20, 2026. Sources: OUG 155/2024, Law 124/2025, NIS2 Directive (EU 2022/2555).
