
The GRC framework transforms NIS2 requirements into resilience and sustainable cybersecurity

The NIS2 Directive fundamentally changes the way organisations approach cybersecurity, with a focus on governance, continuous risk management, reporting, management accountability and supplier relationship control.

For large organizations with thousands of employees and extensive, geographically distributed IT infrastructures, these requirements significantly increase complexity: the accelerated pace of development, operational dispersion, and staff turnover make it difficult to scale security measures and build a robust cyber hygiene culture. On another scale, the same challenges arise in small and medium-sized companies, where limited resources and a lack of in-house expertise often lead to reactive approaches.

Regardless of the size of the organization, the bottom line is the same: technology, no matter how advanced, is not enough for NIS2 compliance and robust cyber protection.
Effective alignment with NIS2 requires the adoption of a GRC (Governance, Risk Management and Compliance) framework, which allows for rigorous cyber risk management, the development of a security culture, the application of international best practices and the implementation of clear, measurable and scalable protection measures.

Safetech Innovations specialists Gheorghe Mărăcine, Audit and Risk Assessment Manager, and Veronica Răuță, Security Management Services Manager, recommend integrating cybersecurity into a dedicated GRC framework, aligned with the corporate GRC. In this way, organizations obtain a unified and coherent basis for strategic decisions and for the efficient functioning of the entire organization.

GRC, the unifying framework for a robust security strategy

GRC is, in short, an organization’s way of putting order in the way it makes decisions, manages risks, and follows rules. We are talking about an integrated framework that helps teams work according to the same policies and procedures, identify and address risks and vulnerabilities early, and ensure that the organization complies with both legal requirements and internal rules.

GRC means, in short, the following:

  • Governance refers to the set of activities through which the organization is led, supervised and made responsible for achieving strategic objectives (roles, responsibilities, well-defined framework policies).
  • Risk management consists of identifying, assessing, and controlling risks that may affect the decisions and functioning of the organization.
  • Compliance: the activities through which the organization complies with legal requirements, regulations, contractual obligations, and internal policies.

“By bringing these three components together in a unified model, GRC provides visibility into relevant risks, reduces process fragmentation and supports informed decision-making. In the field of cybersecurity and in the context of the NIS2 Directive, GRC facilitates the clear definition of responsibilities, the alignment of security controls with real risks and the demonstration of compliance, while helping to increase operational transparency and resilience in organisations,” explains Gheorghe Mărăcine, Manager of the Audit and Risk Assessment Department at Safetech Innovations.

GRC – the right foundation for alignment with NIS2

The adoption in Romania of the NIS and NIS2 Directives, through Law no. 362/2018 and, subsequently, Law no. 124/2025, marked a crucial moment for strengthening cybersecurity in Romanian organizations. Structuring the NIS2 requirements on the three pillars of the GRC framework helps us to understand more clearly the obligations imposed on organisations in key and important sectors, and how they apply.

At the Governance level, NIS2 includes requirements such as:

  • Accountability of the management of the targeted entities: NIS2 requires the direct involvement of management in cybersecurity and related strategic decision-making, and provides for sanctions against management in the event of non-compliance with legal requirements.
  • Documented policies and processes: creating and implementing clear procedures for IT&C security.
  • Organizational culture: improving cybersecurity awareness among employees.
  • Periodic reporting: monitoring and communicating cybersecurity performance to management.

Risk management:

  • Risk identification and assessment: analysis of real risks and prioritising them according to the impact on critical operations.
  • Technical and organizational measures: implementation of solutions for the prevention, detection and management of incidents.
  • Vulnerability monitoring: handling configuration errors and continuously updating systems.
  • Access to specialists: internal or external teams for 24/7 monitoring and rapid response to incidents.

Compliance:

  • Phased reporting to DNSC: early warning, incident notification, interim report and final report.
  • Compliance with deadlines: each report and incident must be submitted within the deadlines set by the regulation.
  • External audits: periodic evaluations (1 year after registration and then every 2 years) and submission of the report to the DNSC.

ISMS, the first step in the implementation of GRC

The effective implementation of the GRC security framework in an organization starts with clearly defining key roles and responsibilities, such as CISO (Chief Information Security Officer), CRO (Chief Risk Officer), DPO (Data Protection Officer), audit committee or NIS2 compliance officer.

In addition to establishing these roles, it is essential to create clear processes and procedures for governance, risk management and compliance, in line with international standards and best practices such as ISO 27001, COBIT, ISO 27005, NIST RMF, GDPR, PCI-DSS, DORA or NIS2. Another essential element is the use of indicators (KPIs, KRIs and KCIs – key performance, key risk and key control indicators) to assess and monitor the effectiveness of the implementation of the GRC framework.

“In order to put these principles into practice, we recommend the operationalization of GRC through an Information Security Management System (ISMS), gradually implemented and adapted to international standards. This system allows for a structured and measurable approach to cybersecurity, covering all essential stages: identifying, protecting, detecting and responding to cyber threats, as detailed in the international NIST CSF (National Institute of Standards and Technology Cybersecurity Framework),” added Gheorghe Mărăcine.

GRC operationalized through the Safetech Innovations methodology

The Safetech Innovations methodology transforms GRC principles into operational and measurable processes, by outsourcing key roles and directly involving cybersecurity experts. The main elements of the methodology include:

Support in outsourcing essential GRC/NIS2 compliance roles

  • Safetech Innovations provides organizations with experts from its team for the role of GRC Officer, as well as for the roles dedicated to defining controls, developing policies and analysing risks – specialists with extensive expertise in various areas of cybersecurity and practical experience in the role of CISO.
  • CISO Outsourcing: Safetech can take over CISO-specific activities for organizations that need additional expertise.

“The role of GRC Officer involves close collaboration with the organization’s team, from IT and CISO to senior management, to effectively manage risks, ensure compliance and align internal policies with business objectives. This approach requires a deep understanding of the organization and its way of working, so that the results are concrete and measurable,” said Veronica Răuță, Security Management Services Manager at Safetech Innovations.

Analysis and definition of the GRC framework

  • Evaluation of existing policies and processes
  • Setting targets, for example: reducing operational losses, meeting standards and strengthening cybersecurity
  • Risk analysis for solutions, technologies and suppliers (and implementation of remediation measures for threats and non-compliances)
  • Assessment of compliance with NIS2 measures and preparation of the plan of measures
  • GRC services for Business Impact Analysis (BIA) and Development of Business Continuity Plan/ Disaster Recovery Plan
  • Developing policies and procedures

Implementation of GRC processes

  • Modules for risk, incident and compliance management
  • Direct involvement in the implementation of risk reduction measures
  • Depending on the situation, the outsourcing of some elements of the Business Continuity plan
  • Management and operationalization of security policies, standards and procedures, including their periodic review
  • Safetech Innovations operationalizes GRC through an Information Security Management System (ISMS), whose evolution is tracked in real time through its proprietary security management software – iSAM, optionally included in the GRC consulting services.

Strengthening the cybersecurity culture

  • Awareness and training activities, as well as periodic employee evaluations, carried out by Safetech Innovations specialists

“The GRC services offered by Safetech Innovations support organizations in protecting data, reducing risks and complying with regulations, through the development and effective management of security strategies and systems. Companies can turn to us either for consulting, implementation or outsourcing of roles such as CISO or GRC Officer. These services can also be delivered in the form of packages adapted to specific objectives – for example: assessing compliance with NIS2, defining and implementing operational procedures or developing business continuity plans,” added Veronica Răuță.

Impact and benefits of GRC beyond NIS2

GRC is more than a NIS2 compliance tool: it is an essential pillar for strengthening the long-term cybersecurity and operational resilience of organizations.

A dedicated cybersecurity GRC framework, properly implemented, helps organizations avoid both undersizing and oversizing cybersecurity (including tool sprawl), by adapting controls to the real risk context and business impact. This eliminates irrelevant measures, excessive documentation or unjustified investments, in favour of a balanced and efficient approach.

By involving external experts, organizations benefit from rapid mobilization, without long and costly onboarding periods, and independence and competence in evaluation, according to the requirements imposed by regulations such as NIS2, GDPR or DORA. For example, Safetech auditors are accredited by authorities such as DNSC, ensuring the credibility of assessments.

GRC contributes to the development of a strong cybersecurity culture, supporting the adoption of international best practices and the implementation of measurable and scalable protection measures. The ultimate goal is to develop behavioral cyber hygiene automatisms among administrators and users in organizations.

GRC ensures not only compliance with NIS2, but also alignment with multiple other compliance frameworks (NIST CSF, ISO, PCI DSS), a redundancy that increases security. Continuous monitoring, including through regular internal assessments and quarterly risk scores, provides visibility into progress and supports the right management decisions, both operationally and strategically.

For further information and personalized offers, please contact us at sales @ safetech.ro or 021 316 05 65.
