
Who needs to comply with NIS2 in Romania? Complete eligibility guide

Discover whether your organization falls under the NIS2 Directive. Classification criteria, affected sectors, size thresholds, and exceptions explained clearly.

Stefan Balan
Security Practice Lead at BetterQA

Introduction

One of the most common questions we receive from Romanian companies is: "Does my organization fall under NIS2?" The answer depends on three main factors: your sector of activity, organization size, and the nature of services provided.

NIS2 Classification Criteria

1. Sector of Activity

NIS2 regulates organizations across 18 critical sectors, divided into two categories:

Annex I - Highly Critical Sectors:

  • Energy (electricity, oil, gas, hydrogen, district heating/cooling)
  • Transport (air, rail, water, road)
  • Banking
  • Financial market infrastructure
  • Healthcare
  • Drinking water and wastewater
  • Digital infrastructure (DNS, IXP, cloud, data centers, CDN)
  • ICT service management (B2B)
  • Public administration
  • Space

Annex II - Other Critical Sectors:

  • Postal and courier services
  • Waste management
  • Manufacturing and distribution of chemicals
  • Food production and distribution
  • Manufacturing of medical devices, electronic equipment, vehicles, etc.
  • Digital service providers (online marketplaces, search engines, social networks)
  • Research

2. Organization Size

To fall under NIS2, your organization must exceed certain thresholds:

Medium Entity:

  • More than 50 employees, OR
  • Annual turnover exceeding 10 million EUR, OR
  • Annual balance sheet exceeding 10 million EUR

Large Entity:

  • More than 250 employees, OR
  • Annual turnover exceeding 50 million EUR AND balance sheet exceeding 43 million EUR

3. Exceptions and Special Conditions

Even if you don't meet the size criteria, you may still fall under NIS2 if:

  • You are the sole provider of an essential service in a member state
  • A disruption of your service could have cross-border impact
  • You provide critical services for public safety, health, or national security
  • You are explicitly designated by DNSC as an essential or important entity

Essential vs. Important Entities

Essential entities include:

  • Large organizations from Annex I sectors
  • DNS providers, top-level domain registries
  • Qualified trust service providers
  • Central public administration entities

Important entities include:

  • Medium organizations from Annex I sectors
  • All organizations (medium and large) from Annex II sectors

What About Belonging to a Corporate Group?

A common question: "Our company is small, but we belong to a large group. Does NIS2 affect us?"

According to OUG 155/2024:

  • Group membership does not automatically trigger NIS2 applicability
  • However, if the entity operates in a regulated sector, size can be calculated at group level
  • Assessment is made on a case-by-case basis

Internal IT Departments - Are They MSPs?

Another frequent question concerns internal IT departments, especially within corporate groups. OUG 155/2024 defines "managed service providers" (MSPs) in broad terms, including any entity offering active IT infrastructure management.

The legal situation is not entirely clear. In the absence of official clarifications from DNSC, we recommend a cautious approach: if your IT department provides services to other group entities operating in NIS2 sectors, you should assess compliance requirements.

Financial Sector: NIS2 vs DORA

For entities in the financial sector (banks, payment institutions, market operators), a special regime applies:

  • They are regulated primarily by DORA (Digital Operational Resilience Act)
  • Only certain provisions from NIS2/OUG 155/2024 apply regarding cooperation and risk identification
  • Registration with DNSC remains mandatory

Next Steps

  1. Verify eligibility - Use our free calculator for a quick assessment
  2. Analyze your sector - Identify exactly which category you fall into
  3. Assess size - At entity or group level, as applicable
  4. Consult specialists - For complex cases, legal opinion can clarify the situation

Conclusion

Approximately 12,000-15,000 organizations in Romania will need to comply with NIS2 - a massive increase from the approximately 1,000 regulated previously. The deadline for DNSC registration is September 2026, so preparation time is running short.

Don't leave compliance to the last minute. Start your assessment today.


NIS2 Manager is a product by BetterQA, one of Europe's top software testing companies.


Security consultant specializing in NIS2 compliance and cybersecurity frameworks. Helps organizations navigate complex regulatory requirements.


The NIS2 Directive (EU 2022/2555) entered into force on January 16, 2023, with member states required to transpose it by October 17, 2024. According to ENISA's 2024 Threat Landscape report, ransomware attacks increased 73% year-over-year, while supply chain attacks grew by 85%. The European Commission estimates NIS2 compliance costs average EUR 120,000 per organization, but non-compliance penalties can reach EUR 10 million or 2% of global annual turnover. Only 34% of affected organizations reported full NIS2 readiness by the October 2024 deadline (EY Global Cybersecurity Survey, 2024). Romania's DNSC reported a 156% increase in cybersecurity incidents in 2024, making compliance tools essential for the 8,000+ Romanian organizations affected by the directive.
