NIS2 in Practice:
What the New Directive Means for Your Organization and How to Prepare Responsibly
1. General Context
In an increasingly complex digital landscape, where cyberattacks spare no organization, whether a tech company, an SME from another sector, a public institution, or a digital service provider, an important question arises: are we truly prepared to respond to a security incident?
The new NIS2 Directive, transposed into Romanian legislation through Emergency Ordinance no. 155/2024, does not merely introduce obligations. It provides a clear framework for better protection. For many organizations, these regulations may seem abstract or difficult to approach. This is why, within Transilvania IT Cluster, we aim to help the community understand, prepare for, and comply step by step—not out of fear of sanctions, but out of responsibility toward people, processes, and data.
2. Who Does NIS2 Apply To?
NIS2 (E.O. no. 155/2024) applies to a broad range of entities, both public and private. It targets:
- Large and medium-sized private companies across the 18 sectors listed in Annexes 1 and 2 (11 highly critical sectors and 7 other critical sectors)
- Public institutions, including central and local authorities
- NGOs and non-profit entities active in regulated sectors
- Digital service providers (cloud services, data centers, online marketplaces)
- Educational organizations and research institutes of strategic relevance
Organizations are divided into two tiers, which differ in the intensity of supervision and in the penalty ceilings:
- Essential entities – the larger entities in the highly critical sectors (plus certain entities regardless of size), subject to proactive supervision by the authority
- Important entities – subject to lighter, after-the-fact supervision (inspections triggered by evidence or indications of non-compliance), but to the same security and reporting obligations
An entity may be classified as essential or important regardless of size if:
- it is the sole provider of a service essential for critical societal or economic activities;
- disruption of its services could significantly impact public safety, security, or health;
- disruption could generate systemic risk, especially cross-border impact;
- it is critical at national or regional level for its sector or interconnected sectors.
Essential entities include:
- Large enterprises operating in sectors listed in Annex 1
- Medium-sized providers of public electronic communications networks or services
- Medium-sized managed security service providers
- Central public administration entities (Annex 1)
- Entities identified under Art. 9
- Entities designated as critical under critical resilience legislation
- DNS service providers
- Qualified trust service providers
- TLD name registries
Important entities include:
- Large enterprises listed in Annex 2
- Medium-sized enterprises operating in sectors from Annexes 1 and 2 but not classified as essential
- Entities not identified as essential under Art. 5
- Small public communications network providers
- Non-qualified trust service providers
Highly Critical Sectors (Annex 1):
Energy, Transport, Banking, Financial Market Infrastructures, Health, Drinking Water, Wastewater, Digital Infrastructure, ICT Service Management (B2B), Public Administration (with exceptions), Space.
Other Critical Sectors (Annex 2):
Postal and courier services, Waste management, Chemicals, Food production and distribution, Manufacturing (medical devices, electronics, vehicles), Digital providers (online marketplaces, search engines, social platforms), Research.
If your organization operates in sectors listed in Annexes 1 or 2 and meets size thresholds, it may be classified as essential or important—bringing concrete obligations related to protection, prevention, and response to cyberattacks.
3. Essential Obligations: Security Measures and Governance
Affected organizations must implement technical, operational, and organizational measures to proactively manage cyber risks.
Mandatory measures include:
- Risk assessment and vulnerability management
- Network and information systems security
- Access control, authentication, encryption
- Backup, recovery, and business continuity
- Incident response and rapid notification
- Secure internal and external communications
- Protection of sensitive and confidential data
4. Risk Management: A Strategic Requirement
NIS2 requires a formal cybersecurity risk management framework.
This includes:
- Identification of critical assets and associated risks
- Assessment based on likelihood and impact
- Treatment through controls and mitigation measures
- Monitoring of effectiveness
- Periodic review reflecting internal and external changes
The process must be documented, validated, and approved at executive level.
5. Third-Party Risk Management
Organizations must evaluate and control risks arising from suppliers and partners.
They must:
- Assess supplier security pre-contract
- Include cybersecurity clauses in contracts
- Continuously monitor external risks (cloud, hosting, data processing)
- Request compliance guarantees (certifications, audits)
- Implement due diligence and access control policies
Many major breaches have originated from insecure third parties.
6. Governance and Executive Accountability
NIS2 strengthens executive responsibility:
- Leadership must approve security policies and budgets
- Members of the management body can be held personally liable for failing to approve and oversee the cybersecurity risk-management measures
- Ongoing cyber risk training is required for management, and should be offered to employees
- A person responsible for NIS2 compliance and for the security of network and information systems must be designated
Cybersecurity becomes a governance issue—not solely an IT matter.
7. Incident Notification
Organizations must report significant incidents to the Romanian National Directorate for Cyber Security (DNSC) in stages:
- Early warning: within 24 hours of becoming aware of the incident (whether it is suspected to be malicious and whether it may have cross-border impact)
- Incident notification: within 72 hours, with an initial assessment of severity, impact, and available indicators of compromise
- Final report: within one month (roughly 30 days) of the incident notification, including the root cause, mitigation applied, and cross-border impact where relevant
Intermediate status updates may be requested in between. The clock starts when the organization becomes aware of the incident, not when it is resolved, so the procedure (who decides an incident is "significant", who files, what is filed) must be standardized, rehearsed, and tested in advance.
8. Sanctions
Penalties follow the GDPR model: a fixed maximum or a percentage of total worldwide annual turnover, whichever is higher.
| Entity Type | Maximum Sanction |
|---|---|
| Essential | €10 million or 2% of total worldwide annual turnover, whichever is higher |
| Important | €7 million or 1.4% of total worldwide annual turnover, whichever is higher |
Additional measures may include temporary suspension of certifications or authorizations, a temporary ban on managerial functions for the responsible executives, and public disclosure of the non-compliance.
9. Continuous Testing and Resilience Validation
Organizations must demonstrate real defensive and recovery capability.
Required tests include:
- External and internal penetration testing
- Red Team / Blue Team simulations
- Crisis simulations (ransomware, data exfiltration)
- Backup and recovery validation
Testing should be performed or reviewed by qualified, independent parties, documented with findings and remediation, and repeated regularly (at least annually, and after significant changes to systems).
10. Three Key Criteria for Assessing Compliance
- Sector of activity – Verify authorized CAEN codes against Annexes 1 and 2.
- Organizational size – According to Law 346/2004 (employees, turnover, balance sheet): medium-sized means 50 to 249 employees and annual turnover up to €50 million or balance sheet up to €43 million; above these thresholds the entity is large. Headcount and financial data of linked and partner enterprises count toward the thresholds.
- Strategic/systemic impact – Entities may be designated essential due to national or regional importance (Arts. 9–10).
Practical Scenarios
- Medium-sized cloud service provider → Important entity (Annex 1 sector, but medium-sized; it becomes essential only if it is large or is designated under Art. 9)
- Regional research university → Important entity
- Municipal city hall → Essential entity (public administration, Annex 1; confirm the tier the ordinance assigns to local authorities, since the stricter regime applies by law to central administration)
- Smart electrical equipment manufacturer → Important entity
- EdTech platform for schools → Important entity (potentially essential if designated as regionally critical)
Each classification carries proportional compliance obligations; the security and reporting duties are the same, while supervision and penalty ceilings differ.
11. Conclusion
For many organizations, NIS2 and E.O. 155/2024 may initially appear as complex regulatory burdens. In reality, they represent an opportunity to identify vulnerabilities and prevent real risks that could impact clients, partners, reputation, and daily operations.
At Transilvania IT, we aim to support members and partners in navigating this new framework with confidence. Whether you are an IT company, a critical infrastructure operator, or a digital service provider, understanding and applying NIS2 should not be a solitary effort.
This directive is not about ticking compliance boxes. It is about building organizations that are more prepared, aware, and resilient. Cybersecurity is no longer solely an IT issue—it is a matter of governance and organizational sustainability.
Transilvania IT Cluster stands ready to translate regulatory requirements into concrete, practical actions tailored to real organizational needs. Together, we can transform compliance into competitive advantage—and into a safer digital community.
How We Can Support You Through TEDIHT
Within The European Digital Innovation Hub in Transilvania (TEDIHT), we support organizations that aim not only to comply with NIS2 requirements, but to genuinely strengthen their capacity to prevent and respond to cyber risks.
We provide compliance assessment and audit services, tailored training sessions for both employees and executive management, as well as strategic mentorship for building sustainable cybersecurity policies and practices.
Regardless of your organization’s size or sector, we can adapt our support to your specific needs—from the initial stage of understanding the directive, to the concrete implementation of measures and preparation for inspections.
At TEDIHT, we turn compliance into competitive advantage—through practical tools, applied expertise, and long-term support.

