Digital #7 Legislative focus

Executive overview

HIGH IMPACT

Framework for Identifying Critical Entities

The Government established the methodology for identifying critical entities under Law No. 294/2024, with detailed assessment thresholds remaining classified.

HIGH IMPACT

NIS2 Implementation Advances

DNSC proposed mandatory cybersecurity training authorisation and risk management requirements for essential and important entities.

MEDIUM IMPACT

MPs Regulate Vulnerability Disclosure

Parliament protects good-faith cybersecurity research and introduces a coordinated 48-hour vulnerability reporting framework.

MEDIUM IMPACT

EU Delays AI Act Deadlines

The AI Omnibus adopted by the EU Council postpones key AI Act obligations, eases compliance for SMEs, strengthens AI oversight, and expands AI safeguards.

MEDIUM IMPACT

EU Proposes Sovereign Cloud Framework

The Commission introduces EU cloud assurance levels, stricter security requirements, and faster permitting for AI data centres.

Legislative Updates

Framework for Identifying Critical Entities

What is changing

According to a recent decision of interim PM Ilie Bolojan, Romania now has the framework for applying critical thresholds used to identify critical entities under Law No. 294/2024. The decision establishes the methodology for assessing whether a significant disruption could affect operators in essential sectors, including digital infrastructure and telecommunications. The actual thresholds and assessment criteria remain classified and are contained in a non-public annex, which may be updated by the National Centre for Critical Infrastructure Protection Coordination when necessary.

Why this matters

Telecom and digital infrastructure operators that may qualify as critical entities should expect future assessments based on predefined administrative thresholds, even though the underlying criteria are not publicly available. The new framework supports the implementation of Romania’s critical infrastructure protection regime without introducing immediate new compliance obligations.

NIS2 Implementation Advances

What is changing

The National Directorate for Cybersecurity (DNSC) has launched two draft orders to support the implementation of Romania’s NIS2 framework. The first order introduces a mandatory authorisation regime for providers delivering NIS2-related cybersecurity training. It establishes requirements on authorisation, supervision, standardised curricula, record-keeping, and certification for programmes within essential and important entities. The second order sets out the cybersecurity risk management measures that these entities must implement. These measures include technical, organisational, and procedural controls, mandatory maturity self-assessments through the NIS2@RO platform, minimum compliance thresholds, and remediation plans where required, while exempting entities already subject to the EU’s DORA framework from the DNSC risk assessment methodology.

Why this matters

The proposed measures would significantly expand NIS2 compliance obligations by introducing mandatory requirements for both cybersecurity training and risk management. Cybersecurity training providers would need to obtain DNSC authorisation and comply with new operational standards, while essential and important entities would be required to strengthen governance, implement comprehensive security controls, ensure personnel receive training through authorised providers, and demonstrate ongoing compliance through assessments, documentation, and remediation activities.

MPs Regulate Vulnerability Disclosure

What is changing

Another law adopted by Parliament ensures that cybersecurity research carried out in good faith, without causing harm or gaining unauthorised access, does not constitute a criminal offence. Reported vulnerabilities must be notified within 48 hours and handled in accordance with strict confidentiality and system protection requirements. In this case as well, the law is yet to be signed by the President and published in the Official Gazette.

Why this matters

The law provides greater legal certainty for cybersecurity researchers and organisations involved in vulnerability disclosure, while strengthening cooperation between public authorities on cyber risk management. It is expected to encourage responsible security testing and improve cyber resilience across Romania’s telecom and digital sectors.

EU Delays AI Act Deadlines

What is changing

The EU will soon have a simplified AI environment after the EU Council adopted the Digital Omnibus for AI. For example, it postpones key compliance deadlines for high-risk AI systems until December 2027 for standalone systems and August 2028 for AI embedded in regulated products, while delaying watermarking obligations for AI-generated content until December 2026. It also introduces simplified compliance rules for SMEs, expands access to AI regulatory sandboxes, strengthens the supervisory role of the EU AI Office, clarifies the use of sensitive personal data for AI bias mitigation, and bans AI systems designed to generate non-consensual intimate or sexually explicit content. The regulation will soon be signed and published in the Official Journal of the European Union.

Why this matters

The regulation gives AI developers and deployers, including telecom and digital companies, additional time to comply with the AI Act’s most demanding requirements. It also reduces the compliance burden for SMEs, expands opportunities to test AI systems in regulatory sandboxes, and provides greater legal certainty for providers of high-risk AI solutions.

EU Proposes Sovereign Cloud Framework

What is changing

The European Commission has proposed a new regulation establishing a common EU framework for sovereign cloud services and AI infrastructure. The proposal introduces four EU assurance levels for cloud services used by EU institutions and the public sector, requiring cloud providers to obtain the appropriate certification before supplying these customers. It also sets new rules on data localisation, operational control, software supply chain security, and independent audits for higher assurance levels. In parallel, the proposal aims to accelerate the development of AI infrastructure by introducing fast-track permitting procedures for data centres, subject to energy efficiency and sustainability requirements.

Next procedural steps