On August 20, the authorities published the requirements concerning the notification process for the registration of essential and important entities (“the Requirements”) in the register (“the Register”) administered by the National Cyber Security Directorate (NCSD). The NCSD acts as the competent authority and supervises the implementation of measures aimed at ensuring a high common level of cybersecurity.
The Ordinance establishes the legal and institutional framework, the measures, and the mechanisms necessary to guarantee cybersecurity at the national level. The NCSD reviews the notifications submitted and the classification of companies in accordance with the conditions laid down by the Ordinance, and records them in the Register. The provisions transpose the requirements of Directive (EU) 2022/2555 (NIS 2) on measures to ensure a high common level of cybersecurity within the Union.
The Requirements implement Article 18 of the Ordinance and bind the entities covered by law to notify the NCSD in order to be registered in the Register of Essential and Important Entities. The entities must submit their notifications, drawn up in accordance with Order of the NCSD Director No. 1/2025, no later than September 22, 2025. Romanian legislation distinguishes between essential and important entities depending on their strategic role and the impact that any potential disruption of their services may have on society and the economy.
Essential entities include, first and foremost, the central public administration and organizations operating in critical sectors such as energy, transport, banking, financial market infrastructures, health, drinking water and wastewater, digital infrastructure, ICT services, public administration and space. This category also covers entities identified as critical under resilience legislation, providers of DNS services, TLD registries and qualified trust service providers.
Furthermore, the law classifies as essential large enterprises operating in the critical sectors listed above, as well as in other sectors of critical importance such as postal and courier services, waste management, the chemical industry, the food industry, the manufacture of various types of equipment, digital providers and research organizations. Medium-sized enterprises supplying public networks, electronic communications services or managed security services also fall within this category. These entities are characterized by a major strategic role, as they provide services whose disruption could seriously affect public safety, security, or health and could generate systemic risks with potentially cross-border impact.
By contrast, important entities are organizations which, although they do not qualify as essential, provide services relevant to the functioning of society and the economy. This category includes large and medium-sized enterprises operating in the essential and critically important sectors, but which do not meet the criteria for classification as essential. It also encompasses providers of public electronic communications networks and trust service providers. The impact of a disruption to their activities is significant, but generally more limited or localized than in the case of essential entities.
Thus, the distinction between the two categories is based on the level of risk and impact: essential entities have a fundamental strategic role and a disruption of their activities may affect security and stability on a large scale, including cross-border, whereas important entities have significant relevance, but with a more limited impact, generally at national or sectoral level.
Nevertheless, from the wording chosen by the legislator, there is an overlap between the identification elements of the two types of entities, namely essential entities – Article 5(1)(b) – and important entities – Article 6(2)(a). The legislator has chosen to analyze the essential or important character from the perspective of the same criteria, set out in detail in Article 9, namely whether:
a) the entity is the sole provider of a service that is essential for supporting critical societal and economic activities;
b) a disruption of the service provided by the entity could have a significant impact on public safety, public security, or public health;
c) a disruption of the service provided by the entity could generate a significant systemic risk, particularly for sectors in which such a disruption could have cross-border impact;
d) the entity is critical due to its specific importance at the national or regional level for the sector or type of services concerned, or for other interdependent sectors.
If the same entity is analyzed against the same conditions, how can we reasonably expect to obtain different results? Moreover, the distinction between the two identification elements does not lie in their size, since for both essential and important entities reference is made to the phrase “the entities listed in Annexes 1 and 2, regardless of their size.” The provision therefore creates uncertainty in distinguishing important entities from essential ones. It remains to be seen how the NCSD will choose to delineate these features in practice.
The NCSD has provided two notification mechanisms to facilitate the process of identifying and qualifying an entity as essential or important, in accordance with the provisions of the Ordinance, which are to be implemented in the near future:
- The NIS2@RO Tool, a digital instrument for assessment and generation of notification data;
- The NIS2@RO Platform, a platform designed for the enrollment, information, and cooperation between entities and the authority.
Since these mechanisms for facilitating communication between entities and the NCSD are not yet available, entities may, for the time being, submit notifications prepared in accordance with the Order exclusively by email and, only in exceptional cases, by physical submission at the NCSD headquarters.
The notification form is set out in the Annex to the Order and contains six sections — General Data, Specific Data, Specific Situations, Attached Documents, Preliminary Assessment and Entity Representation.
Upon confirming receipt of the application, the NCSD examines the notification and the attached documents in order to verify compliance with legal requirements. Within 60 days for essential entities and 150 days for important entities, the NCSD issues the decision confirming the notifier’s status as an essential or important entity and orders its entry in the Register, in accordance with Article 18(4) and (5) of the Ordinance.
If the entities in the targeted sectors fail to comply with the notification obligation, they commit a contravention. The NCSD applies fines ranging from RON 1,500 to RON 500,000 for essential entities and from RON 1,000 to RON 300,000 for important entities.
Co-authors:
Ioana Chiper Zah
Tatiana Țapu