What must be submitted to DNSC and how often? Complete NIS2 reporting guide
All mandatory documents for DNSC: entity registration, annual reports, incident reporting, change notifications. Frequency and deadlines explained.
Introduction
One of the most frequently asked questions we receive is: "What documents must I send to DNSC and how often?" In this comprehensive guide, we'll clarify all types of reporting required by OUG 155/2024 and Order 2/2025.
Types of Documents and Submission Frequency
1. Entity Registration - ONE TIME
What it is: Entity registration form with DNSC (National Cybersecurity Directorate), accompanied by Annex 1 and Annex 2.
Contents:
- Entity identification data (name, Tax ID, address)
- NIS2 classification (essential or important)
- Sector of activity
- Contact data and NIS responsible person
- Annex 1: Service disruption impact analysis
- Annex 2: Risk level assessment
Deadline: By September 18, 2026
Frequency: One-time only, with updates only when material data changes.
2. Annual Compliance Report - ANNUALLY
What it is: Periodic report on NIS2 compliance status.
Contents:
- Maturity level achieved
- Incidents reported in the previous year
- Measures implemented
- Plans for the upcoming year
- Internal audit results
Deadline: At DNSC's request or according to the calendar set by the authority.
Frequency: Annual
3. Incident Reporting - AD-HOC (for each incident)
What it is: Mandatory notification of significant cybersecurity incidents.
Strict deadlines:
- 24 hours: Initial alert (early warning)
- 72 hours: Complete notification (initial notification)
- 30 days: Final report
Criteria for significant incident:
- Severe operational impact
- Substantial financial impact
- Affecting third parties or cross-border impact
- Unauthorized access to critical systems
- Ransomware or malware with operational impact
Frequency: Whenever a significant incident occurs - can range from 0 to multiple per year.
4. Change Notifications - AD-HOC (when data changes)
What it is: Informing DNSC about material changes in registration data.
Types of changes that must be notified:
- Change of contact data
- Change of NIS responsible person
- Modification of sector of activity
- Modification of services provided
- Change of classification (essential/important)
- Legal changes (merger, acquisition)
Deadline: Within 30 days of the change occurring.
Frequency: Whenever changes occur - can be never or multiple times per year.
Summary Table
| Document | Frequency | Deadline | Mandatory |
|---|---|---|---|
| Registration + Annexes | One-time | Sept 18, 2026 | Yes |
| Annual report | Annual | At DNSC request | Yes |
| Incident report | Per incident | 24h/72h/30 days | Yes, if applicable |
| Change notifications | Per change | 30 days | Yes, if applicable |
Why You Need Continuous Monitoring
Even though registration is one-time, NIS2 compliance requires continuous attention:
1. Incident Reporting (24h!)
You must be prepared to report within 24 hours. Without a prepared system, you'll miss the deadline.
2. Expiring Documents
Certificates, insurance policies, supplier contracts - all have expiration dates. If you don't monitor them, you risk non-compliance.
3. Periodic Gap Analysis
Risks evolve. Today's gap analysis may be outdated in 6 months.
4. Team Training
New employees must be trained. Existing ones need reminders.
5. Legislative Updates
DNSC may issue new orders or clarifications. The platform must reflect the latest requirements.
How NIS2 Manager Helps
Automatic Document Generation
- Pre-filled forms with organization data
- Professional PDF generation for DNSC
- All 6 form types supported
Automatic Alerts
- Notifications for expiring documents
- Reminders for annual report
- Alerts for important deadlines
Rapid Incident Reporting
- Forms ready for immediate reporting
- Step-by-step guidance
- Complete documentation for audit
Continuous Monitoring
- Dashboard with compliance status
- Long-term trend analysis
- Reports for management
Penalties for Non-Compliance
Failure to meet reporting deadlines can result in:
For essential entities:
- Up to EUR 10 million or 2% of global turnover
- Temporary ban from exercising management functions
For important entities:
- Up to EUR 7 million or 1.4% of global turnover
Conclusion
DNSC registration is just the first step in a continuous compliance process. Long-term success depends on the ability to:
- Monitor deadlines and obligations
- Report incidents in a timely manner
- Keep documentation updated
- Train teams periodically
NIS2 Manager automates all these processes, ensuring you never miss a deadline and are always prepared for audits.
NIS2 Manager is a product by BetterQA, one of Europe's top software testing companies.
