27. February 2025
Reading Time: 4 min.
news
Cyber Security in Romania: the NIS 2 Directive, the DORA Regulation and the GDPR
Today's business environment is highly digitalised, and cyber security has long since ceased to be a purely technical matter. It is now an essential component of any business strategy, with significant legal implications when it comes to complying with the applicable regulations.
For some years now, the security of networks, information systems and data has been a major concern of the European Union, which has created a number of legislative mechanisms to help boost security at EU and Member State levels.
The central role in EU regulations in the field of cyber security is played by the NIS 2 Directive (Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union), as transposed into Romanian legislation through GEO 155/2024, which entered into force on 31 December 2024.
DORA (Regulation (EU) 2022/2554 on digital operational resilience for the financial sector) and the well-known GDPR (General Data Protection Regulation, Regulation (EU) 2016/679) complement this framework, creating a complex legal structure that must be understood in depth in order to ensure compliance and minimise risk.
The NIS 2 Directive and GEO 155/2024: the regulatory foundation stone in the field of cyber security
Cyber security involves protecting network and information systems (NIS), their users and other affected persons from cyber incidents and threats. In response to the growing exposure to such threats, the EU adopted the NIS 2 Directive, which considerably broadens the scope of its predecessor, the original NIS Directive (Directive (EU) 2016/1148), and establishes clearer rules and stronger supervisory and enforcement tools.
In addition to the sectors already covered by NIS 1, such as energy, transport, healthcare, banking, water management and digital infrastructure, NIS 2 extends its scope to a wider range of public and private entities. These include more providers of digital services (e.g. social media platforms, data centre services, cloud computing services, public electronic communications networks, publicly available electronic communications services, online marketplaces and online search engines), as well as providers of waste management services, postal and courier services, ICT service management (business-to-business), research organisations, etc. Moreover, because entities in scope must manage the security of their supply chains, NIS 2 obligations may reach, as a knock-on effect, the suppliers and service providers of entities that the Directive targets directly, typically through contractual security requirements imposed by those entities.
Entities are classified as either essential or important, depending on their impact on the economy and society, as determined by factors such as size, sector of activity and critical role in national infrastructure.
Depending on which category they fall under, entities have a series of specific obligations and responsibilities: managing cyber security risk and implementing the related policies and procedures; reporting significant incidents with the required level of detail and within the legal deadlines (under NIS 2, an early warning within 24 hours and an incident notification within 72 hours of becoming aware of the incident, followed by a final report within one month); and cooperating and exchanging information with the relevant authorities and other entities in order to prevent and manage incidents.
DORA: specific obligations for the financial sector
The DORA Regulation, which applies from 17 January 2025, focuses on the operational resilience of the financial sector and addresses the cyber threats specific to this field. Its impact on companies operating in the financial sector is comparable to what the GDPR meant for the field of personal data protection.
DORA operates as sector-specific legislation for financial entities (under Article 4 of NIS 2, its provisions on risk management and incident reporting take the place of the equivalent NIS 2 provisions) and imposes detailed obligations on financial institutions. The emphasis is on ICT risk management and incident management, including strong procedures for detecting, reporting and handling incidents; the regular performance of digital operational resilience testing to evaluate an institution's capacity to withstand cyber attacks; the management of risk arising from ICT third-party service providers, including contractual requirements for those providers; and collaboration with the supervisory authorities and other institutions to ensure the resilience of the financial system as a whole.
The GDPR: protecting personal data – an essential component
The GDPR, which has applied since 25 May 2018, is the fundamental regulation for the protection of personal data. It applies to any organisation that processes personal data and has a direct impact on cyber security: a security breach that results in the loss or compromise of personal data triggers an obligation to notify the supervisory authority (where feasible, within 72 hours of becoming aware of the breach) and, where the breach is likely to result in a high risk to the individuals concerned, to inform those individuals as well. Non-compliance can attract significant financial penalties.
Interdependence and challenges
The three legal acts, namely the NIS 2 Directive/GEO 155/2024, the DORA Regulation and the GDPR, are interdependent, and a single security breach may generate obligations under several of them at once. For example, a financial institution affected by a cyber attack will need to apply the DORA requirements in order to manage and report the incident (DORA's incident-reporting rules take precedence over the corresponding NIS 2/GEO 155/2024 rules for financial entities, while any NIS 2 obligations not covered by DORA continue to apply) and, if personal data has been compromised, the GDPR rules on notifying the supervisory authority and the affected individuals.
Complying with these regulations requires an approach that combines technical, legal and organisational measures. Among other things, companies must:
- evaluate their risk profile with respect to the NIS 2 Directive/GEO 155/2024, the DORA Regulation (where applicable) and the GDPR, and determine whether and how the provisions of each apply to them
- implement appropriate cyber security measures that are proportionate to the identified risks, and document the measures taken so that compliance can be demonstrated
- create and implement security policies and procedures and review and update them periodically
- train employees in cyber security and data protection, and ensure they have clear incident management procedures, including reporting procedures, that meet the legal requirements
Failure to meet these obligations may result in significant financial penalties, reputational damage and a loss of trust among a company's clients and partners.
Disclaimer: this text provides an overview and does not constitute legal advice. It neither eliminates the need to analyse the legal provisions as published in legal instruments nor the need to seek legal advice from a lawyer, for which it is not a substitute.