NIS 2 Explained: What Companies Must Know and Do
Publication: ZRVP
Cyber incidents have become part of everyday life, and for many organizations they can be just as disruptive as shutting the doors of a physical building. To respond to increasingly sophisticated attacks, the European Union has tightened the rules. The main tool is the NIS 2 Directive.
What is NIS 2 and who falls under it?
NIS 2 (Directive (EU) 2022/2555) replaces the original NIS Directive of 2016 (Directive (EU) 2016/1148) and expands it significantly. It forces Member States to align on the same baseline: uniform rules, clearer obligations, and fewer loopholes.
Unlike the old Directive, NIS 2 dramatically widens the net, bringing in sectors and companies that previously had no cybersecurity obligations at all.
In Romania, the Directive was transposed through GEO 155/2024, which groups organizations into two categories:
- Essential entities: organizations in the sectors of high criticality (Annex I of the Directive), typically large enterprises, where a cyber incident would stop the country in its tracks. An incident affecting them would have a major impact on the economy, public safety or public health.
Examples of sectors: Energy (electricity, gas), Transportation (road, rail, air), Banking and Financial Market Infrastructure, Healthcare (hospitals, laboratories), Drinking Water, Digital Infrastructure (DNS, large cloud service providers), and Central Public Administration.
- Important entities: organizations in the other critical sectors (Annex II), together with medium-sized enterprises in the Annex I sectors. Disruption is still serious, but incidents typically stay below the national-impact threshold. Examples of sectors: Postal and Courier Services, Waste Management, Chemical Production and Distribution, Food Industry, Electronic and Optical Equipment Manufacturing, Motor Vehicle Manufacturing, Small and Medium-sized Digital Service Providers.
Size is not a safe harbor: even a small or medium-sized company may be included if it is the sole provider in Romania of a service essential for critical societal or economic activities, or if an incident affecting it would have a major impact on public safety, security or health.
Risk management: what companies must do
Companies must implement technical, operational and organizational measures, proportionate to the risk, to secure their networks and IT systems. Key requirements include:
- Regularly assessing cyber risks and adopting clear policies on risk analysis and information system security.
- Assessing risks in the supply chain, i.e. the IT/digital service and product providers the company depends on, which is an increasingly common attack path.
- Developing business continuity, backup and disaster recovery plans (DRP) to ensure rapid service resumption after an incident.
- Adopting policies on the use of cryptography and encryption, and using multi-factor or continuous authentication.
- Ensuring that employees, including management, are regularly trained on cyber risks and basic cyber hygiene.
Incident reporting: strict and fast
The companies concerned are required to report significant incidents promptly to the competent national authority (in Romania, this is the National Directorate for Cybersecurity – DNSC).
The Directive sets a staged timeline, counted from the moment the entity becomes aware of the significant incident:
- An early warning, within 24 hours, indicating whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact.
- An incident report, within 72 hours, which updates the information in the early warning and gives an initial assessment of the incident's severity and impact and, where available, the indicators of compromise.
- An interim report containing relevant updates on the situation, if requested by the authority.
- A final report within one month of submitting the incident report, with a detailed description of the incident, its likely root cause, the mitigation measures applied and any cross-border impact.
Sanctions
- Failure to comply can cost essential entities up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher (up to EUR 7 million or 1.4% for important entities). NIS 2 is not optional.
What companies should do now
- Identify the organization's status (essential vs. important), based on its sector, size and activity.
- Review and update all cybersecurity plans to make sure they align with NIS 2.
- Ensure management is involved, since leadership is responsible for approving and supervising risk management measures.
- Create an internal procedure for rapid reporting, including a clear contact point or team and a way to decide quickly whether an incident is "significant", because the 24-hour window does not leave time for improvisation.
- For financial institutions: check alignment between NIS 2 and the DORA Regulation, which has applied since 17 January 2025 and, as sector-specific legislation, takes precedence over NIS 2 for ICT risk management and incident reporting.
Why NIS 2 matters
NIS 2 is the EU’s direct response to the spike in cyber threats. It turns cybersecurity from a “nice to have” into a legal obligation with teeth. But beyond the penalties, the Directive is meant to help organizations stay functional, limit damage during incidents, and protect the trust of the people who depend on their services.

