Cybersecurity: strengthened national framework

 

 

 

 

Legal Alert 

 

Cybersecurity: strengthened national framework, new entities covered by NIS2 requirements and new obligations of management bodies

 

 

Law No. 124/2025

 

The adoption of Law No. 124/2025, which came into force on July 10, 2025, marks the completion of the process of transposing the NIS (Network and Information Security) Directive 2 at national level, reinforcing the measures established by GEO No. 155/2024 on the establishment of a framework for the cybersecurity of networks and information systems in the national civil cyberspace.
In addition to the measures already provided for in GEO No. 155/2024, Law 124/2025 (“the Law”) introduces a number of relevant updates that essential and important entities must take into account. The major cyber incidents that occurred in 2024 had a direct impact on vital services provided to the population and highlighted both the limitations of current cybersecurity legislation and the need to implement updated European regulations on supply chain security. Against that background, two new categories of entities will be subject to legal requirements regarding cybersecurity: authorized distributors of medicines and economic operators engaged in the trade of pharmaceutical products. As a result of the extension of the legal framework’s applicability through Law No. 124/2025, some of these entities become responsible for adopting technical, organizational, and operational measures tailored to their own level of risk in order to prevent and manage cyber incidents. In this context, they also have an obligation to promptly report significant cybersecurity incidents, in accordance with legal provisions.

 

 

Clarifications and new rules brought by Law no. 124/2025

 

In addition, the law clarifies and broadens the scope of the food sector, expressly mentioning the production, processing, and/or distribution of food. The amendment allows the regulations to be applied to economic actors who only partially carry out activities in the food sector, without cumulative conditions.
Another novelty introduced by the Law is the redefinition of a significant cybersecurity incident. Unlike the previous form, the new regulation stipulates that an incident is considered significant if at least one of the conditions set forth is met, without the need for them to be met cumulatively. The first condition refers to the impact on the affected entity, when major disruptions in activity or significant financial losses are caused. The second considers the consequences for other natural or legal persons, especially when the incident may cause considerable material or non-material damage.
Another aspect to note is the addition made by the Law regarding the obligations of the management bodies of essential and important entities, expressly stating that:

  • their members must attend accredited professional training courses to ensure a sufficient level of knowledge and skills to identify risks and assess cybersecurity risk management practices;
  • these entities have a regular obligation to provide professional training to all staff in order to ensure a sufficient level of knowledge and skills;
  • within 30 days of the date of notification of the NCSD director’s decision identifying and registering the entity as such, the management bodies shall designate the persons responsible for the security of computer networks and systems, whose role is to implement and supervise cybersecurity risk management measures at the entity level.

 

 

For your reference:

 

 

The NIS 2 Directive establishes a unified legal framework at the European level to ensure a high common level of cybersecurity. It imposes strict obligations on public or private entities in sectors considered critical in the event of cyber threats or incidents (such as energy, transport, banking, healthcare, public administration, digital infrastructure), with the aim of strengthening operational and institutional resilience.
In this context, entities covered by the new regulations must pay close attention to the obligations arising from Law No. 124/2025, assess their exposure to cyber risks, and implement appropriate measures in accordance with the applicable legal requirements.

 

 

Is there anything you can do now? How to act

 

 

By the end of August 2025, orders from the director of the National Cyber Security Directorate (NCSD) are expected for the start of procedures for registering entities covered by the Law in the Register of Entities, specially set up for this purpose, as well as for incident reporting procedures.
We recommend that you start early to check the impact of NIS2 legislation on your organization, as the deadlines for compliance are very short, the procedure is completely new, and the fines are based on global annual turnover.
Our lawyers specialized in the IT field will assist you in verifying your compliance with Law 124/2025 and, where applicable, in fulfilling the subsequent obligations of registration in the Register of Entities and incident reporting.

 

 
