The Five Gaps Undermining Romanian Boards: Understanding Directors and Officers Liability in the Age of NIS2
Somewhere in Romania right now, a board member is personally liable for a cybersecurity failure they don't fully understand.
That's not hyperbole. Under GEO 1552024 and Law 1242025, which transpose the EU's NIS2 Directive into Romanian law, board members and management at essential entities- tens of thousands of organisations across energy, finance, transport, healthcare, food and tech- now carry direct personal accountability for cybersecurity oversight. Registration deadlines passed in September 2025. Fines run as high as €10 million or 2% of global turnover. And the regulator, DNSC, can now inspect, demand remediation plans, and sanction.
Most Romanian boards were not built for this. They were built to comply with company law, satisfy a controlling shareholder, and sign off on the annual accounts. NIS2 is simply the sharpest current example of a wider problem: Romanian boards are increasingly being asked to do a job their structure, evaluation systems and skills base were never designed for.
Beyond the Policy: Why D&O Insurance is Not a Substitute for Board Effectiveness
If you sit on a Romanian board, or you're responsible for one through ownership, investment or regulation, this isn't an IT issue you can delegate downward. It's a board capability issue, and five recurring gaps explain why so many boards are exposed.
Gap 1 & 2: Ownership Concentration and the Compliance Trap
1. Dominant shareholder influence still sets the agenda
Romanian boards remain heavily shaped by controlling owners, whether a private family group, a founder, or, in roughly 400-plus companies, the state itself. When one shareholder can appoint, remove or outvote the board, independent oversight becomes secondary to alignment with that shareholder's priorities. This isn't unique to Romania, but the concentration is unusually high for Europe, and it conditions everything that follows: a board answerable primarily to one owner has less incentive to build the broader capabilities, evaluation, disclosure, skills diversity, that serve all shareholders.
2. Many boards are still managing compliance, not building strategy
Ask a Romanian board what it spent most of its last four meetings on, and compliance items, financial statements, regulatory filings, and legal formalities often crowd out the agenda. That's understandable given the pace of recent legislative change: NIS2 registration, the first reporting cycle of the revised BVB Corporate Governance Code, and new company law thresholds for share capital and control-transfer notification, all landing within the same eighteen-month window.
The risk is that compliance becomes the board's entire job description rather than its baseline. A board that spends its energy keeping up with regulatory deadlines has little capacity left to challenge strategy, test assumptions about competitive position, or ask whether the company's five-year plan still makes sense. Compliance protects the company from penalties. It does not, on its own, create value.
Gap 3 & 4: The Need for a Robust Board Evaluation Framework and Consistent Disclosure
3. Board evaluation remains underdeveloped
Western European boards increasingly treat formal performance evaluations, individual director assessments, full-board reviews, and sometimes external facilitation as a standard governance discipline, often repeated annually or every two to three years. In Romania, this practice remains considerably less embedded. Many boards still operate without a structured, regular self-assessment process, relying instead on informal impressions of what's working.
This matters because evaluation is the mechanism that should be catching the other four problems on this list. A board that never formally assesses its own skills, dynamics, or independence in practice has no systematic way of knowing whether it has a dominant-shareholder problem, a strategic-focus problem, or a skills gap, until something goes wrong and reveals it.
4. Disclosure quality is inconsistent across the market
Transparency in Romania varies sharply by company, ownership type and listing status. Some BVB-listed firms now produce disclosure that meets the standards expected by EU-aligned institutional investors. Others, particularly smaller listings, family-controlled groups, and parts of the state-owned sector, continue to disclose at a level that meets the legal minimum without providing outside shareholders with meaningful insight into board reasoning, related-party exposure, or risk oversight.
This inconsistency has real consequences. Investors price uncertainty, and a market where disclosure quality is unpredictable trades at a discount to one where it's reliable. As global expectations on related-party transaction disclosure tighten, the share of jurisdictions requiring board approval for significant related-party deals has risen from 54% to 87% over the past decade, making the gap between Romania's best and weakest disclosers more visible to the international capital the country is trying to attract.
5. Gap 5: The Digital Skills Gap – A New Frontier for Directors and Officers Insurance
This is where the NIS2 example becomes the clearest illustration of a broader pattern. Romanian boards are increasingly being asked to oversee risks that didn't exist in their current form when most directors were appointed.
Cybersecurity. NIS2 and, for financial entities, DORA now require boards, not just IT departments, to understand the organisation's specific cyber risk profile, approve risk management measures, and document oversight activity that regulators can inspect. A director who cannot meaningfully engage with that material is now a compliance liability, not just a strategic one.
Digital transformation. Decisions about AI adoption, automation and platform investment increasingly require board-level judgment about technology choices that have direct commercial and reputational consequences, judgment many boards currently lack the internal expertise to exercise independently of management's own recommendations.
ESG governance. Even as ESG faces political headwinds elsewhere, EU sustainability reporting obligations continue to apply to Romanian companies within scope, requiring boards to oversee disclosure processes most were never trained to scrutinise.
Risk management. Beyond cyber and ESG specifically, boards need the capability to question management's own risk assessments rather than simply approving the risk register presented to them. This distinction separates real oversight from procedural sign-off.
International strategy. As Romanian companies expand regionally or face competition from international entrants, boards increasingly need directors who understand cross-border markets, not just domestic regulatory and ownership dynamics.
Recruiting for these competencies is happening, but unevenly, and mostly at the largest, most internationally exposed companies. Smaller listed firms, family businesses and many state-owned enterprises are further behind, precisely the companies where ownership concentration and weak evaluation systems already reduce the pressure to change.
Conclusion: Professionalizing the Board to Mitigate Liability Risks
These aren't five independent problems; they compound. Dominant shareholder influence reduces the incentive to build robust evaluation systems. Weak evaluation systems mean skills gaps go undetected. Skills gaps push boards toward compliance-only engagement, because directors without specialist knowledge default to procedural sign-off rather than substantive challenge. And inconsistent disclosure means the market has limited visibility into which boards have solved this and which haven't, until a cyber incident, a related-party scandal, or a strategic misstep forces the issue into the open.
NIS2 didn't create a new problem for Romanian boards. It exposed an existing one: a governance model built for compliance and shareholder alignment is now being asked to provide expert oversight of risks that didn't exist when most boards were formed. The fines are the least of it. The real cost is a board that signs off on things it doesn't understand and only finds out how much that matters after the fact.
Recommended articles
Digital Transformation & AI Governance
Governance & Board Effectiveness
Governance & Board Effectiveness
Governance & Board Effectiveness
Governance & Board Effectiveness
Digital Transformation & AI Governance
Digital Transformation & AI Governance
Governance & Board Effectiveness
Leadership, Boardroom Dynamics & Crisis Response
Future of Boards & NED Careers
Leadership, Boardroom Dynamics & Crisis Response
Governance & Board Effectiveness
Leadership, Boardroom Dynamics & Crisis Response
Digital Transformation & AI Governance
ESG & Risk Oversight
Governance & Board Effectiveness
Leadership, Boardroom Dynamics & Crisis Response
Digital Transformation & AI Governance
Leadership, Boardroom Dynamics & Crisis Response
Leadership, Boardroom Dynamics & Crisis Response
Governance & Board Effectiveness
Future of Boards & NED Careers
Future of Boards & NED Careers
ESG & Risk Oversight
Leadership, Boardroom Dynamics & Crisis Response
Governance & Board Effectiveness
Governance & Board Effectiveness
Leadership, Boardroom Dynamics & Crisis Response
Future of Boards & NED Careers
Governance & Board Effectiveness
Governance & Board Effectiveness
Governance & Board Effectiveness
Governance & Board Effectiveness
Future of Boards & NED Careers
Leadership, Boardroom Dynamics & Crisis Response
Future of Boards & NED Careers
Facebook
Linkedin