ANISP
+4021 316 1033
contact[at]anisp[dot]ro
HomeUncategorized DNSC Orders 1 and 2 of 2025 (approval of notification requirements and risk level assessment methodology, respectively) have entered into force

DNSC Orders 1 and 2 of 2025 (approval of notification requirements and risk level assessment methodology, respectively) have entered into force

August 21, 2025 By anispro Comments are Off Uncategorized

After being launched for public consultation on April 30, 2025, the following DNSC orders were published in the Official Gazette and entered into force yesterday, August 20, 2025:

  1. DNSC order for approval of the requirements regarding the notification process for registration and the method of transmitting information ( https://legislatie.just.ro/Public/DetaliiDocument/301473 )
  2. DNSC order for approval of the criteria and thresholds for determining the degree of disruption of a service and the methodology for assessing the risk level of entities ( https://legislatie.just.ro/Public/DetaliiDocument/301475 )

More details about the NIS-2 legislation here: https://www.dnsc.ro/pagini/legislatie-nis2

Following the entry into force of the above mentioned orders, entities to which NIS2 applies are obliged to notify DNSC within 30 days. DNSC will confirm receipt of such notification within 5 days.

DNSC will subsequently analyze the notifications received (this process will likely take several months, as there will be many notifications sent quasi-simultaneously during this initial 30-day period). Where necessary, DNSC will also request additional details from the respective entities.

Other steps:

  • For each entity that has notified the Directorate, DNSC issues the corresponding decision of qualification (or not) as an essential / important entity;
  • Subsequently, for important / essential entities, the respective legal obligations arise;
  • The entities thus designated assess their risk level, according to Order no. 2/2025. Each entity will self-assess its maturity level (applicable requirements vs. reality – “gap analysis” – and will draw up a plan of measures for alignment with proper security requirements;
  • Following implementation of the aforementioned plan, the obligation to conduct an external audit arises. The list of certified auditors can be found on the DNSC website (https://www.dnsc.ro/pagini/auditori-de-securitate-cibernetica ).

Comments are closed.