The Romanian Airline Companies Association “Carpathia” draws the attention of Romanian aviation operators to the new European regulations on cybersecurity and the obligations arising from the NIS2 Directive.

What is NIS2?

  • NIS (Network and Information Security) was the first European directive (2016) designed to increase the level of cybersecurity across Member States.

  • NIS2 (Directive (EU) 2022/2555), adopted in 2022, expands its scope, introduces stricter governance and reporting obligations, and provides for more severe sanctions in case of non-compliance.

Implementation in Romania

The NIS2 Directive has been transposed into national law through Emergency Ordinance no. 155/2024, subsequently approved and amended by Law no. 124/2025. In the air transport sector, the obligations apply to:

  • certified air carriers;

  • aerodrome and airport operators;

  • air navigation service providers (ATC/ANS);

  • maintenance and CAMO organizations;

  • air operators, ATOs, aeromedical centers;

  • auxiliary facility providers and simulator operators.

Deadline and sanctions

  • 22 September 2025 is the deadline for registering the entities concerned with the DNSC (National Cybersecurity Directorate).

  • Failure to register by this date may result in penalties of up to EUR 10 million or 2% of turnover.

Operators’ obligations

  1. Registration with DNSC in the official Registry (available online).
  2. Risk and maturity assessment - following registration, entities must carry out a self-assessment in line with the DNSC orders issued in August 2025.
  3. Incident reporting and operational continuity - implementation of procedures and continuity/disaster recovery plans (BCP/DRP).
  4. Governance - clear designation of responsibilities at management level.

Support for operators

RACA is already in contact with cybersecurity experts and will continue to facilitate the exchange of information and best practices among its members, in order to support compliance with NIS2 requirements.