Romania: National Cyber Security Directorate adopted order on criteria and thresholds for determining degree of service disruption and methodology for assessing risk level of entities

On 11 August 2025, the National Cyber Security Directorate (DNSC) adopted Order No. 2/2025 for the approval of the Criteria and thresholds for determining the degree of service disruption and the methodology for assessing the risk level of entities. The order was issued pursuant to Government Emergency Ordinance No. 155/2024 on establishing a framework for the cybersecurity of networks and information systems in the national civil cyberspace, as amended by Law No. 124/2025, and Government Emergency Ordinance No. 104/2021 on the establishment of the DNSC, as amended by Law No. 11/2022. The Government Emergency Ordinance transposes into national legislation the European Union Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive). The Order defines service disruption as interruption or impairment of confidentiality or functionality and requires entities not classified as essential or important to evaluate disruption levels across all services listed in Annexes 1 and 2 of Government Emergency Ordinance No. 155/2024. It establishes three impact categories, high, medium, and low, based on consequences for fundamental rights, the national economy, health and life, financial stability, defence, public order, national security, and trans sectoral or cross-border impact within the European Union. Thresholds include compromise of personal data affecting more than one million individuals, economic damage exceeding 0.1% of GDP, or health effects on more than 115'000 persons. The Methodology requires the calculation of a baseline risk score using sectoral values, entity size, impact and probability parameters, and typologies of cyberattacks by common- and extended-capability actors, with recalculation every three years or when disruption thresholds are exceeded.