NIS Directive 2: criteria for assessing companies’ compliance and legal obligations in the next period

Opinion piece by Silvia Axinescu, Senior Associate Manager, and Corina Damaschin, Senior Associate, Reff & Asociații | Deloitte Legal

On December 31, 2024, Emergency Ordinance no. 155/2024 (GEO 155/2024, also cited as OUG 155/2024) entered into force, establishing the legislative framework for the cybersecurity of networks and information systems in Romania.
The ordinance transposes Directive (EU) 2022/2555, known as the NIS 2 Directive (Network and Information Security Directive 2), and imposes compliance requirements on entities operating in sectors considered critical or important for the functioning of society and the economy.
The competent authority for applying and monitoring the provisions of the ordinance is the National Directorate for Cybersecurity (DNSC).

Three criteria for assessing a company's compliance with GEO 155/2024

The first step companies must take to ensure compliance with GEO 155/2024 is a preliminary analysis of the extent to which the cybersecurity legislative framework applies to them. To determine whether it falls within the scope of the ordinance, each entity must conduct an internal analysis based on three criteria.
The applicability of the ordinance is established, first of all, by identifying the sector of activity. This is done by checking the CAEN codes authorized in the Trade Register against those listed in Annexes 1 and 2 of GEO 155/2024. Only activities authorized in the Trade Register can generate registration obligations; in the absence of relevant authorized CAEN codes, the entity is not subject to the requirements of the ordinance.

The second criterion is the size of the company. This is established according to Law no. 346/2004 on stimulating the establishment and development of small and medium-sized enterprises, based on factors such as the average number of employees, turnover or total assets. This classification requires a thorough analysis, as it is essential for distinguishing between essential and important entities and for applying the obligations of GEO 155/2024 proportionately.

The third criterion is the profile of the entity. A company can be classified as important or essential even if it does not meet the first two criteria, provided it has a systemic or strategic impact on public health, the economy, the safety of citizens or national security. This criterion is regulated in articles 9 and 10 of GEO 155/2024.
Recently, on April 30, DNSC published for public consultation (decisional transparency) a new draft order approving the criteria and thresholds for determining the degree of disruption of a service and the methodology for assessing the risk level of entities. The draft on risk-level assessment details the criteria and thresholds for determining the degree of disruption of a service, as well as how entities calculate their score, starting from the base values for the sector to which they belong, set out in one of the annexes to the draft order, and adjusted according to their size.
Every Friday, public consultations dedicated to the implementation of GEO 155/2024 are held at the DNSC headquarters, in which representatives of the entities concerned, consultants and other actors relevant to the cybersecurity sector can participate. These working sessions are an important opportunity to ask direct questions and contribute to shaping the procedural details.

What are the obligations and deadlines that companies must take into account?

Companies that fall under GEO 155/2024 must address several obligations: registering in the Registry of Essential Entities managed by DNSC, designating a contact person to manage the relationship with the authority, implementing technical and organizational measures to protect their IT systems, and notifying security incidents within the deadline provided by law.
The deadline for registering in the registry is 30 days from the date of entry into force of GEO 155/2024 or from the moment the conditions become applicable to an entity. However, these requirements will only become applicable once the technical tools provided by DNSC are in place and the Registry of Entities and the notification procedure are operational. At the end of April, DNSC issued a draft order covering the notification procedure and the method of transmitting information to the Register of Entities; the obligation will become applicable to companies from its publication in the Official Gazette.
Support tools
According to the draft order on the notification procedure issued by DNSC, the authority provides support through the NIS2@RO platform for self-assessment and information, as well as for submitting registration and notification documents. The platform is still under technical development and is not yet operational. Another option for verifying, at organization level, whether a company falls within the categories of entities covered by GEO 155/2024 is the use of self-assessment tools.
Expectations for the next period
Once the two DNSC draft orders are published in the Official Gazette, the entities covered by GEO 155/2024 will have all the necessary clarifications regarding the documentation to be submitted to the competent authority, the notification submission platform and the procedural verification stages. In the current context, it is essential that the targeted entities pay close attention to whether or not they fall within the scope of GEO 155/2024 and, following the publication of the draft orders in the Official Gazette, focus on registering in the Register of Entities.