Skip to main content
NIS2 Manager LogoNIS2 Manager
Back to blog
ComplianceFeatured

NIS2 deadlines for Romania: complete calendar 2025-2027

All critical deadlines for NIS2 compliance in Romania: DNSC registration, incident reporting, annual reports. Includes recommended action plan.

Ana Tudor
Compliance Team at BetterQA
6 min read

Introduction

With the final registration deadline rapidly approaching, many Romanian organizations are asking: "How much time do we have left?" This guide details all critical deadlines you must meet for NIS2 compliance.

NIS2 Calendar for Romania

Past Deadlines

January 2025 - Entry into force of OUG 155/2024

  • Romanian legal framework for NIS2 is active
  • Organizations must begin preparation

September 2025 - Initial registration deadline (modified)

  • Initially planned for September 22, 2025
  • Deadline was extended to allow adequate preparation

Critical Upcoming Deadlines

September 2026 - DNSC Registration

  • Final deadline for submitting the registration form
  • Includes Annex 1 (Service Impact Analysis) and Annex 2 (Risk Level Assessment)
  • This deadline is non-negotiable

60 days from confirmation - Risk level assessment

  • After DNSC confirms your registration, you have 60 days
  • Must submit complete risk assessment

60 days after risk assessment - Maturity self-assessment

  • Assessment of security measures maturity level
  • Based on 140 controls from the adapted NIST CSF framework

October 2026 - Incident reporting becomes mandatory

  • Initial alert: 24 hours (modified from initially proposed 6 hours)
  • Complete notification: 72 hours
  • Final report: 30 days

April 2027 - First annual report

  • Compliance report to DNSC
  • Includes progress on implemented measures

What Documents Need Preparation?

For registration (September 2026):

  1. Registration Form

    • Organization identification data
    • Sectors of activity
    • Services provided
    • Security contact person

  2. Annex 1 - Service Impact Analysis

    • Assessment of potential incident impact
    • Identification of critical dependencies
    • Operational and financial impact estimates

  3. Annex 2 - Risk Level Assessment

    • Identification of relevant threats
    • Vulnerability assessment
    • Global risk level calculation

For ongoing compliance:

  • Updated security policies
  • Incident management procedures
  • Business continuity plan
  • Evidence of control implementation
  • Audit and test reports

Penalties for Missing Deadlines

Failure to meet deadlines can result in severe penalties:

For non-registration:

  • Essential entities: up to 500,000 RON
  • Important entities: up to 300,000 RON

For general non-compliance:

  • Essential entities: up to 10 million EUR or 2% of global turnover
  • Important entities: up to 7 million EUR or 1.4% of global turnover

Additional possible measures:

  • Temporary suspension of activities
  • Temporary ban for management personnel
  • Remediation obligations and notification of affected clients

Recommended Action Plan

Now - 3 months from now

  1. Verify eligibility using our calculator
  2. Form the team for NIS2 compliance
  3. Conduct gap analysis - where you are vs. where you need to be

3-6 months from now

  1. Implement priority controls
  2. Document policies and procedures
  3. Collect evidence of implementation

6-9 months from now (until September 2026)

  1. Complete self-assessment on all 140 controls
  2. Prepare DNSC documents - form, Annex 1, Annex 2
  3. Test incident reporting processes
  4. Submit registration well before the deadline

Comparison with Other EU Countries

Romania is not alone in this race. The situation in the EU:

  • 16 countries have already transposed NIS2 into national legislation
  • 11 countries (including Germany, until recently) were delayed
  • Belgium was among the first - registration deadline passed in March 2025
  • Germany adopted legislation in November 2025, with registration deadline April 2026

Romania is in the middle of the pack, with a deadline that still offers time for adequate preparation.

Conclusion

You still have time, but not much. Organizations starting preparation now will have a major advantage over those waiting until the last moment. Fines are substantial, and consequences for management can be personal.

Use NIS2 Manager to organize your compliance and meet all deadlines.

NIS2 Manager is a product by BetterQA, one of Europe's top software testing companies.

Tags:
deadlinesDNSCregistrationcalendartimeline
Share this article:
LinkedIn
Ana Tudor
Compliance Team at BetterQA

Expert in European cybersecurity regulations with focus on NIS2 and GDPR implementation for Romanian enterprises.

Want to know if your company falls under NIS2?

Use our free calculator to check eligibility in just 3 minutes.

Check eligibility for free

Related Articles

Who needs to comply with NIS2 in Romania? Complete eligibility guide
Compliance

Who needs to comply with NIS2 in Romania? Complete eligibility guide

Discover whether your organization falls under the NIS2 Directive. Classification criteria, affected sectors, size thresholds, and exceptions explained clearly.

Stefan Balan
7 min
What must be submitted to DNSC and how often? Complete NIS2 reporting guide
Compliance

What must be submitted to DNSC and how often? Complete NIS2 reporting guide

All mandatory documents for DNSC: entity registration, annual reports, incident reporting, change notifications. Frequency and deadlines explained.

Ana Tudor
8 min
What is CyFunRO and how to calculate ENIRE@RO risk level
Compliance

What is CyFunRO and how to calculate ENIRE@RO risk level

Complete guide to the official DNSC risk evaluation methodology. Learn how to calculate your CyFunRO score and how many controls you need to implement (38, 90, or 140).

Stefan Balan
10 min
160K+
organizations affected by NIS2 across the EU (ENISA, 2024)
EUR 10M
maximum penalty for NIS2 non-compliance or 2% of global turnover
24h
incident reporting deadline under NIS2 directive
18
critical sectors covered by NIS2 compliance requirements

The NIS2 Directive (EU 2022/2555) entered into force on January 16, 2023, with member states required to transpose it by October 17, 2024. According to ENISA's 2024 Threat Landscape report, ransomware attacks increased 73% year-over-year, while supply chain attacks grew by 85%. The European Commission estimates NIS2 compliance costs average EUR 120,000 per organization, but non-compliance penalties can reach EUR 10 million or 2% of global annual turnover. Only 34% of affected organizations reported full NIS2 readiness by the October 2024 deadline (EY Global Cybersecurity Survey, 2024). Romania's DNSC reported a 156% increase in cybersecurity incidents in 2024, making compliance tools essential for the 8,000+ Romanian organizations affected by the directive.

BetterQA
ISO 27001 & NATO certified security company
50+ Engineers
Cybersecurity & compliance specialists across 24 countries
Since 2018
Independent security testing & compliance expertise
NIS2 Ready
Full compliance lifecycle from assessment to certification