NIS2: new guidance for companies

On April 14, 2025, the National Cybersecurity Agency (“NCA”) published measure no. 164179 (“Measure”) to further implement Decree 138 of 2024 (“NIS2 Decree”).

  • What’s new?

With this Measure, the NCA has identified:

  • Security measures that companies must guarantee if they are identified as an important subject (annex 1) or an essential subject (annex 2);
  • Types of significant incidents that companies must report, depending on whether they are classified as an important (annex 3) or essential subject (annex 4).

  • Since when?

The Measure will enter into force on 30 April 2025. However, companies will have:

  • 18 months from the communication of their inclusion on the NIS subject list to comply with these new security measures;
  • 9 months from the communication of inclusion on the NIS subject list to activate mechanisms to ensure the notification of incidents identified as significant.

  • As a company, what do you have to do now?

  • Wait for the NCA’s communication to verify whether your company has been included in the NIS list;
  • If it has, your company will be required to provide further information (such as the member states where the service is carried out, and the name and contact details of a substitute for the point of contact) by May 31, 2025;
  • Implement, within 9 months from the communication of the inclusion on the NIS subject list, mechanisms for the notification of incidents expressly identified by NCA as “significant incidents”;
  • Implement, within 18 months from the communication of the inclusion on the NIS subject list, the security measures expressly identified by the NCA.