#EUexplained. Cybersecurity: what we have, what needs to be changed, what’s next
Mihaela Ciobanu
The Republic of Moldova’s status as a candidate country for accession to the European Union requires it to align its national legislation with EU standards, including in the field of cybersecurity. In a context in which cyberattacks, security incidents and digital risks affect both public institutions and critical infrastructure, as well as citizens’ everyday lives, the European Union places emphasis on developing national systems capable of preventing, managing and responding effectively to cyber threats. For the Republic of Moldova, the challenge lies not only in adopting laws compatible with EU standards, but also in strengthening the responsible institutions and effectively implementing the new rules.
WHAT IS ALREADY IN PLACE?
The Republic of Moldova has already begun the process of adjusting its regulatory framework in the field of cybersecurity. According to information provided to Media Azi by the Cybersecurity Agency, a partial transposition of the NIS 2 Directive — the Directive on measures for a high common level of cybersecurity across the Union — has been carried out at national level through the adoption of Law No. 48/2023 on cybersecurity.
In parallel, the Government of the Republic of Moldova has approved several regulatory acts for the organisation and functioning of the national cybersecurity system. These include:
- Government Decision No. 1028/2023 on the establishment and functioning of the Cybersecurity Agency;
- Government Decision No. 860/2024 on the identification of service providers;
- Government Decision No. 562/2025 on cybersecurity obligations for providers in critical sectors;
- the National Cybersecurity Programme for 2026–2030;
- the Regulation on coordinated vulnerability disclosure;
- the Regulation on responding to cyber incidents and cyber crises.
WHAT DOES THE EU REQUIRE?
The European Union requires Member States and candidate countries to develop robust cybersecurity systems capable of protecting critical infrastructure, essential services and users’ data. The main legislative instrument in this field is the NIS 2 Directive, which sets common requirements for the security of network and information systems.
NIS 2 extends cybersecurity obligations to a larger number of sectors and entities considered essential or important, including energy, healthcare, transport, electronic communications, financial services and public administration. The Directive imposes strict measures for risk management, incident reporting and supply chain security, as well as clear cooperation mechanisms between authorities and the private sector.
Under the European framework, the entities concerned must:
- implement technical and organisational security measures;
- report significant cyber incidents;
- manage IT vulnerabilities;
- ensure the continuity of critical services;
- cooperate with the competent authorities in the field of cybersecurity.
The Directive also places emphasis on states’ capacity to respond in a coordinated manner to major cyber crises, including through national response plans and specialised institutions.
In brief, the EU’s objective is to create a high common level of cybersecurity across all European states through uniform rules, cooperation mechanisms and greater accountability for operators of essential services.
WHAT IS MOLDOVA DOING NOW?
According to the Cybersecurity Agency, the Republic of Moldova continues to adjust its regulatory framework to the acquis of the European Union in order to ensure the full transposition of the NIS 2 Directive and other relevant acts.
At operational level, the Agency undertakes to continue implementing the regulatory framework by identifying service providers, developing and providing methodological guidance for them, and actively engaging in the prevention of potential cyberattacks. The establishment of the State Register of Cyber Incidents is also planned, along with further amendments to the existing regulatory framework to ensure the effective and coherent application of European requirements.
“At the same time, we emphasise that the Ministry of Economic Development and Digitalisation is the central public administration authority responsible for developing and promoting state policy in the field of cybersecurity, while the Cybersecurity Agency is responsible for implementing these policies, as well as for managing incidents and crises in the field of cybersecurity,” Mihai Lupașcu, Director of the Cybersecurity Agency, told Media Azi.
WHAT WILL CHANGE IN PRACTICE?
With the implementation of the new rules, service providers in critical sectors will have clear obligations regarding the security of information systems and the reporting of cyber incidents. The public institutions and economic operators concerned will have to adopt stricter protection measures, develop internal risk management procedures and cooperate more actively with the competent authorities.
At the same time, the authorities will be able to monitor cyber incidents and vulnerabilities more effectively through the future State Register of Cyber Incidents and national coordination mechanisms.
The new rules are also intended to increase the state’s capacity to prevent cyberattacks against critical infrastructure and to respond quickly in the event of cyber crises.
WHEN WILL IT ENTER INTO FORCE?
The Cybersecurity Agency explains that the Republic of Moldova is in an ongoing process of aligning its legislation with European standards, while the authorities say they will continue the full transposition of the NIS 2 Directive and the implementation of related regulatory acts.
Some of the necessary acts were already adopted between 2023 and 2025, while the National Cybersecurity Programme for 2026–2030 is expected to guide the development of the national system in the coming years.
The Republic of Moldova submitted its application for EU membership in March 2022, obtained candidate country status in June of the same year, and accession negotiations were officially opened in June 2024. The accession process consists mainly of demonstrating that our state can adopt and implement EU legislation — the EU acquis — a process structured around 33 thematic chapters across six areas, such as justice, the internal market, the environment and economic policy. For each negotiating chapter, there are clear stages, recommendations and indicative deadlines, while Moldova’s progress is constantly monitored by the European institutions.
