Romania: Practical aspects regarding the applicability of the NIS2 Directive in Romania

The NIS2 Directive was transposed into Romanian national law through Emergency Ordinance No. 155 of December 30, 2024, establishing a framework for the cybersecurity of networks and information systems in the civil national cyberspace (referred to as GEO 155/2024). The ordinance came into force on December 31, 2024, and companies were given 30 days to register with the competent authority, namely the National Cybersecurity Directorate (DNSC).

1. Which entities must comply with GEO 155/2024
GEO 155/2024 applies to entities operating in sectors considered essential or important for the functioning of society and which could have a significant impact in the event of a cyber incident. These include energy, transport, healthcare, water supply, digital infrastructure, cloud computing, data centers, postal and courier services, public administration, IT service providers, online platforms, and search engines.
To determine whether a company must comply with GEO 155/2024, three main aspects must be analyzed:
  • Field of activity: The company must operate in one of the regulated sectors. If not, the ordinance does not apply.
  • Size of the entity: The regulation primarily targets medium and large companies.
  • Critical nature of services provided: Even a small company may fall under the regulation if it offers critical services, for example where: (i) it is the sole provider of an essential service; (ii) an incident affecting it could impact public safety, health, or the economy; (iii) it holds a strategic position or is interdependent with other vital services.
Applicability is assessed on a case-by-case basis, depending on the entity’s sector, size, and potential risk in the event of a cyber incident.
Entities in the financial sector (banks, payment institutions, market operators) are primarily governed by DORA. For these entities, only certain provisions of GEO 155/2024 apply, particularly those related to cooperation, risk identification, and registration.
2. Group of undertakings: How group affiliation affects applicability
To be required to comply with GEO 155/2024, an entity must operate in a regulated sector. This is the primary condition—group membership alone does not trigger applicability unless the entity itself performs regulated activities.
However, if the entity does operate in a regulated sector, group affiliation may influence its classification in terms of size. An entity that, on its own, does not meet the threshold for being classified as medium or large may be considered eligible if, when combined with other group entities, those thresholds are exceeded.
Thus, group affiliation only affects the size analysis, not the sector applicability, which is determined strictly by the activities carried out by the entity.
Moreover, when evaluating applicability, systemic risk associated with the entity in the group context may also be considered. In some cases, DNSC may request registration if the entity plays a significant role within a critical ecosystem.
3. Internal IT departments: are they covered by the legislation?
A frequently raised question is whether internal IT departments—especially within corporate groups—fall under GEO 155/2024.
The ordinance broadly defines managed service providers, referring to any entity offering active management of IT infrastructure or applications, without clearly distinguishing between internal and external service provision.
This raises important questions:
  • Can an internal IT department serving only the parent company or group entities be classified as a managed service provider?
  • Is a simple support role enough, or does operational independence and scale matter?
  • How is “active management” interpreted in practice?
Due to the legal ambiguity, much depends on how DNSC will apply these provisions in practice. In the absence of official guidelines, the line between compliance and risk exposure may come down to organizational nuance.
In this context, the applicability of GEO 155/2024 to internal IT structures should be assessed individually, taking into account the activity’s context, the regulation’s intent, and potential interpretations by the competent authority.
4. Challenging registration at DNSC’s request
GEO 155/2024 allows the competent authority (DNSC) to require an entity to register in the official registry of essential or important entities, even if that entity did not self-identify as being within the regulation’s scope.
Such notifications from DNSC can be challenged in court. The process is direct: a claim may be filed with the Bucharest Court of Appeal without the need for a prior administrative procedure.
However, it’s important to note that contesting DNSC’s decision does not automatically suspend its effects. The legal challenge must be well-prepared, considering both the technical applicability criteria and the authority’s interpretation.
Whether or not an entity falls within the scope of GEO 155/2024 may hinge on subtle factors—such as the precise nature of services provided, internal structure, or systemic risk. Therefore, any response to a DNSC registration request should be based on a thorough legal and operational analysis.
5. Conclusions and recommendations
The application of GEO 155/2024 is not always intuitive — especially for entities in corporate groups, those performing support functions, or those operating on the edge of regulated and unregulated sectors.
Determining whether a company qualifies as an essential or important entity involves more than meeting formal criteria like turnover or headcount. It requires a broader risk-based assessment of the entity’s operations and its interdependencies within the digital ecosystem.
Given this, organizations operating in the targeted sectors or providing services relevant to digital infrastructure should conduct a customized compliance assessment, aligned with their business profile and risk exposure.
