CRA Compliance in Romania
National competent authority, Article 14 CSIRT contacts, and enforcement guidance for Romania manufacturers.
Romania's Directoratul Național de Securitate Cibernetică (DNSC) was established in 2021 as a dedicated national cybersecurity directorate, taking over functions previously handled by CERT-RO. DNSC serves as both the CRA national competent authority and national CSIRT. Romania has a growing IT manufacturing and services sector, and its manufacturers face CRA obligations as digital components proliferate across industrial and consumer product lines. Romania's active participation in NATO and EU cybersecurity frameworks provides a strong foundation for CRA implementation.
National Competent Authority (CRA)
DNSC
Directoratul Național de Securitate Cibernetică
DNSC was established in 2021 to consolidate Romania's national cybersecurity functions, replacing the former CERT-RO. It serves as Romania's CRA national competent authority and national CSIRT, and coordinates with ENISA and NATO cybersecurity bodies.
https://dnsc.ro →CRA Enforcement in Romania
DNSC serves as Romania's national competent authority for the CRA, with market surveillance for consumer and industrial products coordinated with the National Authority for Consumer Protection (ANPC) and the National Authority for Management and Regulation in Communications (ANCOM) for telecoms products. DNSC was established specifically to strengthen Romania's national cybersecurity governance and has been growing rapidly in both technical capacity and regulatory mandate. Romania's NIS2 transposition through Legea nr. 58/2023 provides the legislative basis for DNSC's supervisory powers over cybersecurity, which will be extended to CRA market surveillance through national implementing legislation.
Article 14 Incident Reporting for Romanian Manufacturers
Romanian manufacturers submit Article 14 notifications to DNSC through its incident reporting portal. DNSC operates incident response capability and coordinates with the EU CSIRTs network. The Article 14 obligation requires an early warning within 24 hours of detecting active exploitation and a full notification within 72 hours. DNSC's operational CSIRT function, inherited from CERT-RO, has experience coordinating cross-sector incident responses, and CRA Article 14 notifications will integrate with DNSC's existing reporting infrastructure. Manufacturers should establish a direct contact with DNSC's incident coordination team before any incident occurs.
Market Surveillance & Penalties
Market surveillance for CRA products in Romania is coordinated between DNSC and ANPC, with ANCOM involved for communications products. The full CRA penalty regime applies: up to €15 million or 2.5% of global annual turnover for violations of essential cybersecurity requirements. Romania has been strengthening its market surveillance capacity under EU product safety frameworks, and ANPC conducts regular market surveillance operations. Romanian manufacturers should maintain comprehensive technical documentation as DNSC may request this as part of market surveillance procedures.
Support for Romanian Manufacturers
DNSC publishes cybersecurity guidance in Romanian and engages manufacturers through industry events and awareness campaigns. The Romanian National Authority for Scientific Research and Innovation (ANCSI) supports R&D including cybersecurity through national research programmes. CERT-RO's operational legacy, now absorbed into DNSC, includes a strong tradition of public-private partnership in cybersecurity. The Romanian Association of Electronic and Software Industry (ANIS) provides CRA implementation guidance for technology manufacturers. EU structural funds administered through the Ministry of Research, Innovation and Digitalization support SME cybersecurity investments including CRA compliance.
CVD Portal automates your Article 14 notification obligations.
Pre-built notification workflows for DNSC, deadline tracking, CSAF advisory generation, and a public CVD submission portal. Free forever.
Start your free portalFrequently asked
How do I contact DNSC as a manufacturer with a CRA compliance question?+
DNSC can be contacted through dnsc.ro, where both incident reporting and general enquiry channels are available. For CRA-specific compliance questions, DNSC's regulatory affairs team handles industry enquiries. DNSC engages manufacturers through annual cybersecurity conferences and through industry associations including ANIS. For Article 14 notifications, use DNSC's secure incident reporting portal.
Does Romania have national-level CRA implementing legislation?+
Romania transposed NIS2 through Legea nr. 58/2023 privind securitatea și apărarea cibernetică a României. CRA implementing measures are expected through amendments to this law and through Government Decisions (Hotărâri de Guvern) on product safety market surveillance. The Ministry of Research, Innovation and Digitalization is coordinating Romania's CRA implementation, with national measures expected ahead of December 2027.
How does the CRA interact with Romania's Legea nr. 58/2023 cybersecurity obligations?+
Romania's Legea nr. 58/2023 creates incident reporting and security obligations for essential and important entities, administered by DNSC. Manufacturers that are also NIS2-designated entities face overlapping obligations. DNSC is expected to develop consolidated guidance on satisfying both frameworks with unified reporting. Romanian manufacturers in energy, transport, and digital infrastructure — where NIS2 obligations are substantial — should conduct a joint NIS2 and CRA compliance gap analysis.
CRA guides for neighbouring countries
Need a CRA compliance checklist for your product?
Browse free niche-specific checklists covering classification, Annex I obligations, and CVD requirements.