Skip to main content
NIS2 Manager LogoNIS2 Manager
Back to blog
ComplianceFeatured

What must be submitted to DNSC and how often? Complete NIS2 reporting guide

All mandatory documents for DNSC: entity registration, annual reports, incident reporting, change notifications. Frequency and deadlines explained.

Ana Tudor
Compliance Team at BetterQA
8 min read

Introduction

One of the most frequently asked questions we receive is: "What documents must I send to DNSC and how often?" In this comprehensive guide, we'll clarify all types of reporting required by OUG 155/2024 and Order 2/2025.

Types of Documents and Submission Frequency

1. Entity Registration - ONE TIME

What it is: Entity registration form with DNSC (National Cybersecurity Directorate), accompanied by Annex 1 and Annex 2.

Contents:

  • Entity identification data (name, Tax ID, address)
  • NIS2 classification (essential or important)
  • Sector of activity
  • Contact data and NIS responsible person
  • Annex 1: Service disruption impact analysis
  • Annex 2: Risk level assessment

Deadline: By September 18, 2026

Frequency: One-time only, with updates only when material data changes.

2. Annual Compliance Report - ANNUALLY

What it is: Periodic report on NIS2 compliance status.

Contents:

  • Maturity level achieved
  • Incidents reported in the previous year
  • Measures implemented
  • Plans for the upcoming year
  • Internal audit results

Deadline: At DNSC's request or according to the calendar set by the authority.

Frequency: Annual

3. Incident Reporting - AD-HOC (for each incident)

What it is: Mandatory notification of significant cybersecurity incidents.

Strict deadlines:

  • 24 hours: Initial alert (early warning)
  • 72 hours: Complete notification (initial notification)
  • 30 days: Final report

Criteria for significant incident:

  • Severe operational impact
  • Substantial financial impact
  • Affecting third parties or cross-border impact
  • Unauthorized access to critical systems
  • Ransomware or malware with operational impact

Frequency: Whenever a significant incident occurs - can range from 0 to multiple per year.

4. Change Notifications - AD-HOC (when data changes)

What it is: Informing DNSC about material changes in registration data.

Types of changes that must be notified:

  • Change of contact data
  • Change of NIS responsible person
  • Modification of sector of activity
  • Modification of services provided
  • Change of classification (essential/important)
  • Legal changes (merger, acquisition)

Deadline: Within 30 days of the change occurring.

Frequency: Whenever changes occur - can be never or multiple times per year.

Summary Table

DocumentFrequencyDeadlineMandatory
Registration + AnnexesOne-timeSept 18, 2026Yes
Annual reportAnnualAt DNSC requestYes
Incident reportPer incident24h/72h/30 daysYes, if applicable
Change notificationsPer change30 daysYes, if applicable

Why You Need Continuous Monitoring

Even though registration is one-time, NIS2 compliance requires continuous attention:

1. Incident Reporting (24h!)

You must be prepared to report within 24 hours. Without a prepared system, you'll miss the deadline.

2. Expiring Documents

Certificates, insurance policies, supplier contracts - all have expiration dates. If you don't monitor them, you risk non-compliance.

3. Periodic Gap Analysis

Risks evolve. Today's gap analysis may be outdated in 6 months.

4. Team Training

New employees must be trained. Existing ones need reminders.

5. Legislative Updates

DNSC may issue new orders or clarifications. The platform must reflect the latest requirements.

How NIS2 Manager Helps

Automatic Document Generation

  • Pre-filled forms with organization data
  • Professional PDF generation for DNSC
  • All 6 form types supported

Automatic Alerts

  • Notifications for expiring documents
  • Reminders for annual report
  • Alerts for important deadlines

Rapid Incident Reporting

  • Forms ready for immediate reporting
  • Step-by-step guidance
  • Complete documentation for audit

Continuous Monitoring

  • Dashboard with compliance status
  • Long-term trend analysis
  • Reports for management

Penalties for Non-Compliance

Failure to meet reporting deadlines can result in:

For essential entities:

  • Up to EUR 10 million or 2% of global turnover
  • Temporary ban from exercising management functions

For important entities:

  • Up to EUR 7 million or 1.4% of global turnover

Conclusion

DNSC registration is just the first step in a continuous compliance process. Long-term success depends on the ability to:

  1. Monitor deadlines and obligations
  2. Report incidents in a timely manner
  3. Keep documentation updated
  4. Train teams periodically

NIS2 Manager automates all these processes, ensuring you never miss a deadline and are always prepared for audits.

Start free with NIS2 Manager

NIS2 Manager is a product by BetterQA, one of Europe's top software testing companies.

Tags:
DNSCreportingdocumentsdeadlinesobligations
Share this article:
LinkedIn
Ana Tudor
Compliance Team at BetterQA

Expert in European cybersecurity regulations with focus on NIS2 and GDPR implementation for Romanian enterprises.

Want to know if your company falls under NIS2?

Use our free calculator to check eligibility in just 3 minutes.

Check eligibility for free

Related Articles

Who needs to comply with NIS2 in Romania? Complete eligibility guide
Compliance

Who needs to comply with NIS2 in Romania? Complete eligibility guide

Discover whether your organization falls under the NIS2 Directive. Classification criteria, affected sectors, size thresholds, and exceptions explained clearly.

Stefan Balan
7 min
What is CyFunRO and how to calculate ENIRE@RO risk level
Compliance

What is CyFunRO and how to calculate ENIRE@RO risk level

Complete guide to the official DNSC risk evaluation methodology. Learn how to calculate your CyFunRO score and how many controls you need to implement (38, 90, or 140).

Stefan Balan
10 min
NIS2 deadlines for Romania: complete calendar 2025-2027
Compliance

NIS2 deadlines for Romania: complete calendar 2025-2027

All critical deadlines for NIS2 compliance in Romania: DNSC registration, incident reporting, annual reports. Includes recommended action plan.

Ana Tudor
6 min
160K+
organizations affected by NIS2 across the EU (ENISA, 2024)
EUR 10M
maximum penalty for NIS2 non-compliance or 2% of global turnover
24h
incident reporting deadline under NIS2 directive
18
critical sectors covered by NIS2 compliance requirements

The NIS2 Directive (EU 2022/2555) entered into force on January 16, 2023, with member states required to transpose it by October 17, 2024. According to ENISA's 2024 Threat Landscape report, ransomware attacks increased 73% year-over-year, while supply chain attacks grew by 85%. The European Commission estimates NIS2 compliance costs average EUR 120,000 per organization, but non-compliance penalties can reach EUR 10 million or 2% of global annual turnover. Only 34% of affected organizations reported full NIS2 readiness by the October 2024 deadline (EY Global Cybersecurity Survey, 2024). Romania's DNSC reported a 156% increase in cybersecurity incidents in 2024, making compliance tools essential for the 8,000+ Romanian organizations affected by the directive.

BetterQA
ISO 27001 & NATO certified security company
50+ Engineers
Cybersecurity & compliance specialists across 24 countries
Since 2018
Independent security testing & compliance expertise
NIS2 Ready
Full compliance lifecycle from assessment to certification