The National Cybersecurity Directorate has opened registration for a PNRR-funded program that will deliver cybersecurity maturity evaluations to up to one thousand Romanian organizations at no cost. Registration runs through June 15 via the platform proiecte. pnrr.

gov. ro, with spots allocated on a first-come, first-served basis. Eligible participants include public institutions, private companies, small and medium enterprises, and non-governmental organizations.

The evaluation tool analyzes an organization's capacity to prevent, detect, and manage cyber incidents. Each participant receives a personalized action plan based on the assessment results, along with detailed reports measuring compliance against NIS2 Directive requirements. The directive, which establishes cybersecurity standards across EU member states, mandates specific incident management protocols and defense measures that many Romanian organizations have yet to implement.

Funding for the program comes from the National Recovery and Resilience Plan, according to Agerpres. The PNRR allocation represents one of the few instances where European recovery funds have been directed specifically toward cybersecurity capacity building rather than infrastructure procurement. Most PNRR cybersecurity spending in Romania has gone to hardware and software purchases, making this assessment-focused initiative an outlier in the broader funding field.

The two-step registration process requires organizations to submit basic institutional data and then complete a preliminary self-assessment questionnaire. The directorate has not disclosed the technical methodology behind the evaluation tool, nor has it specified which vendors or frameworks underpin the maturity model. This lack of transparency mirrors a pattern in Romanian public sector technology projects, where procurement details and technical specifications often remain opaque until after implementation.

The program's scope is ambitious given the directorate's historical capacity constraints. DNSC has operated with a staff of fewer than one hundred people for most of its existence, and conducting one thousand detailed cybersecurity evaluations within a single funding cycle will require either significant contractor involvement or a highly automated assessment process. The directorate has not announced which approach it will take, nor has it published a timeline for when participating organizations can expect to receive their evaluations and action plans.

Small and medium enterprises stand to gain the most from the program, as these organizations typically lack dedicated cybersecurity staff and cannot afford commercial audit services. A basic cybersecurity maturity assessment from a private consulting firm costs between five thousand and fifteen thousand euros in the Romanian market, placing such evaluations out of reach for most SMEs. The free PNRR-funded alternative removes this cost barrier, though it remains unclear whether the depth and rigor of the government-provided evaluation will match commercial standards.

Romanian cybersecurity specialists advocate structured backup protocols amid digital infrastructure expansion

Fritz faces tough decision on Tomac's government

The NIS2 Directive compliance component of the program addresses a pressing regulatory timeline. Member states must transpose the directive into national law by October 2024, and organizations falling under its scope will face mandatory security requirements and incident reporting obligations. Many Romanian companies remain unaware of whether they qualify as necessary or important entities under the directive's definitions, and the DNSC evaluation could serve as an early warning system for organizations that will soon face compliance deadlines.

The first-come, first-served allocation mechanism creates an uneven playing field. Organizations with dedicated legal or compliance teams will likely secure spots more quickly than smaller entities that lack administrative capacity. This dynamic risks concentrating the program's benefits among larger, better-resourced participants, precisely the opposite of the stated goal of supporting SMEs and NGOs.

A lottery system or a weighted selection process favoring underserved sectors would have distributed the limited spots more equitably. The June 15 registration deadline leaves less than two weeks for organizations to learn about the program, assess their eligibility, and complete the enrollment process. This compressed timeline suggests either that the directorate expects low demand or that it prioritizes rapid deployment over broad participation.

Given that cybersecurity awareness remains low across much of the Romanian economy, the former explanation seems unlikely. The latter prompts questions about whether the program's design prioritizes spending PNRR funds within required timeframes over maximizing the initiative's strategic impact. No information has been released about what happens after the one thousand evaluation slots are filled.

Whether the directorate plans to open additional cohorts, extend the program using different funding sources, or treat this as a one-time pilot remains unknown. The absence of a long-term roadmap limits the program's potential to build sustained cybersecurity capacity across the Romanian economy. The personalized action plans that participants will receive represent the program's most valuable output, assuming they contain specific, actionable recommendations rather than generic best practices.

An effective action plan should identify concrete vulnerabilities, prioritize remediation steps based on risk, and provide cost estimates for recommended improvements. Whether the DNSC evaluation tool can generate this level of detail at scale, across diverse organization types and sectors, will determine the program's practical utility. Registration closes June 15, with one thousand spots available through proiecte.

pnrr. gov. ro.