SOC services required in the context of NIS2 alignment

More and more CISOs are coming to the conclusion that using a Security Operations Center (SOC) is the optimal solution to address a wide set of requirements of the NIS2 Directive. Although the regulation does not explicitly make a “SOC” mandatory, it does require companies to implement specific security measures, such as monitoring, detection and incident response, all available 24/7, as well as logging, reporting, documentation and auditability measures. These are exactly the functions that a SOC performs.

NIS2 allows organizations to build an in-house SOC or outsource these functions to a specialized vendor, stating only that they must be implemented. Therefore, there is no obligation to hire dedicated staff if the monitoring, detection and response processes are outsourced to a third-party company.

Furthermore, the NIS2 Directive encourages more rigorous security audits, risk, vulnerability and incident analysis and remediation activities, and adequate user training on cyber threats. Essentially, NIS2 seeks to prevent incidents by requiring critical entities to continuously monitor security, document internal processes, and implement robust defense and response strategies.

Conclusion: NIS2 practically mandates the use of SOC services, but developing an internal SOC or outsourcing it is up to each organization.

The real challenges behind an internal SOC

While an internal SOC gives organizations direct control over their own operations and processes, implementing and maintaining one is challenging for several reasons. In Europe, in 2024, there is already a deficit of approximately 500,000 specialists (https://www.romania-actualitati.ro/stiri/romania/deficit-de-personal-in-domeniul-ciberneticii-id201425.html) in the field of cybersecurity, according to DNSC, and in the Western region of Romania 78% of companies (https://adrvest.ro/start-la-inscrieri-pentru-cybertm-2025-eveniment-privind-securitatea-cibernetica-dedicat-imm-urilor-din-regiunea-vest) do not have internal cybersecurity experts, according to ADR.

Beyond the shortage of specialists, developing procedures and norms specific to an efficient internal SOC (response, analysis, alert escalation, continuous staff training) requires a long time, and the costs to ensure adequate availability and scalability are high. An internal SOC can also be difficult to scale quickly to deal with sudden increases in cyber threats, and attracting and retaining top talent can be a constant challenge, leaving the organization vulnerable to advanced attacks.

At the same time, using multiple security tools without effective integration can create operational overhead and compatibility issues, making operations slower and more expensive. As the volume of alerts increases, including many false positives, skilled personnel risk losing valuable time analyzing them. An underestimated limitation is that internal teams can be influenced by biases or organizational culture, which can affect the objectivity of risk assessment.

On the other hand, external providers can bring added value in the form of specialized expertise, but also cost savings. An analysis conducted by Safetech Innovations on the personnel costs for an internal SOC (estimated for an internal network with 10,000 endpoints) showed that by outsourcing, these costs can be reduced by 45%. At the same time, outsourcing brings a transparent and predictable cost structure, but also access to technical capabilities that are difficult to obtain from an internal SOC.

Arguments for outsourcing SOC services

1. Rapid access to advanced SOC services, correlated with other complementary security services/solutions. The SOC as a Service (SOCaaS) services offered by Safetech STI-CERT (asset inventory, vulnerability management, monitoring, detection, investigation, response, logging, reporting, documentation, auditability) allow organizations to choose only the services they need, while also providing access to globally recognized solutions such as Endpoint Detection and Response (EDR), eXtended Detection and Response (XDR), NextGen SIEM, Vulnerability Management, Risk Management, Operational Technology Security and Threat Intelligence. The team’s experience allows it to identify the latest techniques and cyber threats and to apply customized solutions for each organization.

2. Certified skills and efficiency due to SOC activity structured on three levels of expertise. Organizations benefit from a high level of expertise through the STI CERT SOC, which includes over 30 cybersecurity specialists. The team, available 24/7/365, is made up of professionals with multiple international certifications, such as SANS, Microsoft, (ISC)², ISACA, CREST and EC-Council. The specialists work in three shifts to ensure continuous coverage and follow a permanent training program, guaranteeing high-quality cybersecurity services.

3. One of the most experienced teams on the local market. STI CERT has over 10 years of experience in managing a large volume of events, alerts and incidents, benefiting from advanced analysis capabilities. Monthly, the team handles, on average, 100 billion events captured by the monitored security solutions, analyzes 25,000 security alerts and manages an average of 180 incidents. STI CERT serves clients from various sectors, including banking and finance, utilities, healthcare, technology, retail, distribution and consulting. In addition, Safetech Innovations was included in the prestigious Top 250 MSSPs 2024 by CyberRisk Alliance, which highlights the 250 best performing managed security service providers globally, being the first MSSP company from Romania included in the top, ranking 153rd.

4. High scalability – clients can quickly access additional resources in case of incidents or expansion of activity. SOCaaS through Safetech Innovations is sized to serve a large number of clients simultaneously and has a reserve for managing peaks of activity. Unlike an internal SOC, it adapts quickly to changing requirements, and beneficiaries can scale security services without the need for additional investments.

5. Short service activation time, significantly shorter than when developing an internal SOC. Safetech Innovations’ SOC team has an organized process for rapid service activation. Services provided by STI CERT can use the client’s own platforms, platforms provided by Safetech as an MSSP (Managed Security Services Provider), or a mixed model, to optimize costs and reduce operational impact.

6. Existing procedures and policies, with automated workflows that ensure a high level of efficiency. The Safetech team recommends a minimal technological architecture, which respects the principles of simplicity and defense in depth through automation, including Endpoint Detection and Response (EDR) to protect critical entry points and a multi-technology eXtended Detection and Response (XDR) platform, which centralizes alerts and logs in a single SOC monitoring panel. Safetech Innovations also provides vulnerability management, risk analysis, security indicator management and asset monitoring in OT/ICS environments, using additional specialized tools.

7. Financial accessibility – no initial investment in equipment and licenses, with flexible monthly payment depending on the evolution of the activity. STI CERT services offer a competitive price, predictable costs and financial stability, allowing companies to eliminate the investments and expenses associated with developing and operating an internal SOC. Organizations can choose from three outsourced SOC service packages, customizable according to the needs and resources of each client, and all STI CERT services are covered by a EUR 500,000 insurance policy, with specific clauses for cyber risks.

Safetech SOC as a Service

What do Safetech outsourced SOC service packages contain?

The Security Operations Center (SOC) within Safetech Innovations contains experienced security specialists, capable of identifying and quickly responding to a wide range of cyber threats. Through continuous monitoring, early detection and incident investigation, the SOC protects the entire digital ecosystem – from endpoints and networks, to servers, critical applications and cloud infrastructures. To this end, it uses advanced technologies such as SIEM, SOAR and EDR/XDR, complemented by standardized procedures and automated playbooks. The result is a 24/7 active cyber defense that increases organizational resilience and security, in line with NIS2 regulations:

  • Onboarding and integration services – quickly connecting new systems and users to the SOC infrastructure, configuring access and integrating data flows with other existing applications or IT solutions.
  • Monitoring, detection and rapid response, 24/7, 365 days a year – proactively identifying threats and taking immediate actions to isolate and remediate.
  • Advanced tools – SIEM, EDR/XDR, SOAR, IDS/IPS and ML analytics to reduce false positives and prioritize alerts.
  • Asset Inventory and Risk Management – complete visibility into IT architecture, asset classification and vulnerability identification, security testing.
  • Specialized team – analysts, engineers and SOC managers with expertise in investigation and incident response.
  • Cyber Threat Intelligence (CTI) – access to threat data streams, both global and specific to the industry in which the organization operates, complemented by threat analytics for proactive protection.
  • Documented processes, well-defined procedures – playbooks for detection, investigation, isolation, remediation and recovery, tested periodically.
  • Continuous improvement – configuration optimization, tool tune-up and procedure refinement for increased efficiency.
  • Governance, Risk and Compliance (GRC) – implementing standardized policies and procedures, continuously monitoring compliance with internal rules and assessing cyber risks for informed decision-making, in line with the organization’s business objectives.
  • Reporting and compliance support – collecting and centralizing logs, generating reports and event traceability, ensuring compliance with regulations such as NIS2, GDPR or ISO standards.

Outsourcing a Security Operations Center to Safetech Innovations offers all the services listed above, which it complements with an extensive portfolio of over 40 solutions from renowned manufacturers, implemented by a team of approx. 80 specialists, including DNSC accredited auditors. With over 1000 consulting and testing projects, including the protection of critical IT&OT infrastructures and STI CERT clients, we guarantee continuous monitoring, rapid incident response and complete support for governance, risk and compliance, thus being a reliable partner for organizations that must comply with NIS2 requirements.

For information about the services and solutions presented, you can contact us by email at sales @ safetech.ro or by phone at +40 21 316 0565.
