
Cybersecurity breaches and liability under Romanian law: what companies must prepare for

As cyberattacks become more sophisticated and damaging, Romanian businesses must adapt to a rapidly evolving legal landscape and prevent cybersecurity breaches. Since 2 January 2025, companies operating in Romania face stricter compliance obligations following the adoption of Emergency Ordinance No. 155/2024. This ordinance transposes the updated NIS2 Directive (EU 2022/2555) into national law, significantly expanding the scope of cybersecurity regulation.


What qualifies as a cybersecurity breach under Romanian law


A cybersecurity breach refers to any incident that compromises the confidentiality, integrity, or availability of information systems or data. This includes data breaches, ransomware attacks, unauthorised access to systems, or disruption of essential services. Under Romanian law, such incidents are not merely technical issues—they trigger specific legal consequences.

Depending on the sector, companies may have parallel obligations under GDPR and NIS2 regulations, both requiring incident notification and risk management procedures. Even internal IT failures or employee-related breaches can carry legal implications if they expose vulnerabilities in the company’s infrastructure.


Civil, regulatory, and criminal liability after a cyber incident


When a cyber incident occurs, companies may face civil liability if affected clients, partners, or consumers suffer losses. Romanian civil law allows for claims based on contractual breaches or tort, and courts increasingly recognise data loss or service disruption as valid grounds for compensation.


From a regulatory standpoint, the consequences can be even more severe. Under the General Data Protection Regulation (GDPR), data controllers must report qualifying personal data breaches to the Romanian Data Protection Authority (ANSPDCP) within 72 hours. Failure to do so may result in fines of up to €10 million or 2% of global turnover. Separately, companies falling under the scope of OUG 155/2024 must report cybersecurity incidents to CERT-RO and sector-specific regulators.

These include operators in energy, banking, healthcare, transport, digital infrastructure, and more. In more serious scenarios, criminal liability may also arise.

Under Romania’s Criminal Code, unauthorised system access, data tampering, and IT sabotage are considered criminal offences. If a company is found to have failed to implement basic protective measures or ignored known vulnerabilities, it may be held liable through the doctrine of corporate criminal liability. This is particularly relevant where negligence, poor internal controls, or lack of oversight allowed the breach to occur or escalate.


Cybersecurity compliance under OUG 155/2024


The adoption of OUG 155/2024 represents a shift toward a risk-based and preventive model of cybersecurity regulation. The law mandates that entities in regulated sectors conduct regular risk assessments, implement robust technical controls, and maintain detailed documentation on their security measures.

Organisations must be able to demonstrate compliance not only during incidents but through continuous monitoring and audits. Reporting requirements have become more specific and time-sensitive, and the competent authorities now have expanded powers to investigate, issue warnings, impose sanctions, or recommend enforcement actions.


Sector-specific compliance requirements


In practice, companies must align internal processes with these obligations by reviewing contracts with IT providers, training employees on breach response, and designating responsible officers to handle cybersecurity compliance. These measures are no longer optional, especially for mid-sized and large businesses classified as essential or important entities under the NIS2 framework.


Building legal and technical resilience against cyber threats


To prepare for cyber threats and legal scrutiny, companies need to integrate cybersecurity into their broader compliance framework. This includes assessing vulnerabilities in IT systems, implementing encryption and access controls, and setting up structured internal protocols for breach response. In parallel, they must ensure legal preparedness through documented incident procedures, GDPR-aligned reporting workflows, and coordination with external counsel or IT forensic experts when necessary. Strategic planning should also involve testing the incident response system, reviewing liability clauses in service agreements, and conducting tabletop exercises simulating real-world attacks.


An effective cybersecurity posture requires synergy between legal and technical teams. Romanian regulators are increasingly scrutinising not just the technical causes of incidents, but also whether the organisation took reasonable legal and operational steps to prevent and manage them. Businesses that fail to demonstrate accountability may face reputational damage, loss of business continuity, and exposure to significant financial and criminal sanctions.


Cybersecurity as a legal risk management priority


The legal environment for cybersecurity in Romania has changed fundamentally with the enforcement of OUG 155/2024. Companies can no longer rely on outdated risk management practices or ad-hoc IT solutions. Legal compliance now requires a systematic and proactive approach, combining robust IT infrastructure, clear reporting protocols, and alignment with both GDPR and NIS2 obligations.


For Romanian companies, this means putting cybersecurity at the heart of governance strategy, particularly in high-risk sectors. As enforcement intensifies, the cost of non-compliance—whether through fines, litigation, or operational disruption—will rise. Businesses that act now to strengthen their defences, conduct internal audits, and invest in compliance expertise will be better positioned to protect their operations and reputation in a digital-first economy.