Safetech provides a complete set of services and solutions for aligning with the requirements of the NIS Directive
Although it was intensively popularized at the level of the European Union, the adoption of the NIS Directive was carried out in stages in Romania. Thus, the transposition into national legislation of EU Directive 2016/1148 – approved by the EC in 2016 – took place in 2018, through the adoption of Law no. 362. However, the application rules of the normative act appeared in 2020 (EOG 119), and the Regulation for the attestation and verification of cyber security auditors in 2021 (Order no. 559).
However, the last two years have been marked by numerous challenges in the area of cybersecurity for organizations in Romania. Numerous organizations that fall into the categories of Essential Service Operators (OES) and Digital Service and Solution Providers (DSP) – as defined by Law no. 362/2018 – are encountering difficulties in implementing measures to protect critical and digital infrastructures and ensuring the delivery of essential services for society.
Technical and organizational difficulties
The challenges generated by the application of Law 362/2018 are both technical and organizational in nature and are mainly generated by the requirements of:
– Identification of business processes, assets and critical digital networks that fall under the scope of the NIS Directive,
– Identification and analysis of the categories of risks to which they are exposed and the definition of a strategy to address and remedy them,
– Detection, declaration, and reporting of security incidents to authorized entities,
– Adopting the necessary technical and organizational security measures for detection and remediation,
– Periodic assessment of risks and threats to the stability and continued operation of the essential services provided.
Many organizations in Romania focus their efforts only on this last aspect and treat the audit process as their objective, losing sight of the fact that Law 362/2018 emphasizes not the examination itself but the fulfillment of security requirements. The audit indicates the level of compliance with the requirements of the NIS Directive and must come after the necessary technical and organizational measures have been adopted and a functional system has been validated.
Calling in specialists, a universally valid solution
The report of the EU Cyber Security Agency (ENISA “NIS Investments”, www.enisa.europa.eu/publications/nis-investments-2022) shows that last year 83% of the Union's OES/DSP organizations called in outsourced services for the management of security risks. This approach is justified mainly by the limited availability of skills in cybersecurity, but also in the field of security legislation. The shortage of specialists in this sector is constantly growing, and Romania is no exception to the rule.
In this context, Safetech Innovations is the partner you need. The company is specialized in the field of IT security, has a high level of certification of skills and experience in highly regulated industries, such as the financial-banking area, but also that of critical infrastructures.
Safetech specialists have also accumulated experience in the field of transposing technical and legal requirements into business processes and assessing the level of security in accordance with the technical norms of the NIS Directive, a field in which the company already has over 25 completed projects.
The first step – defining the governance framework
In the Safetech approach, the basis of the process of assessing the level of compliance with the requirements of Law 362/2018 is the establishment of the security governance framework within an organization. This requires, in a first phase, the identification of the protection capacity of the respective organization in order to be able to establish and, subsequently, apply the necessary measures to ensure the compliance of the security level with the requirements of Law 362.
The stage involves assessing the existing level of security, inventorying network devices and their vulnerabilities, detecting threats, as well as assessing the risks to which the organization is exposed. Defining the governance framework also requires the establishment of plans and policies at the level of the entire organization, which ensure the coverage of dependencies between IT systems and business processes, as well as the controlled approach to risks.
Based on the recommendations made, Safetech defines a roadmap customized to the needs of the organization, with the help of which it can plan and implement an optimized investment, hiring, training and outsourcing plan. Once the governance framework has been implemented, Safetech can also take on the role of Chief Information Security Officer for the organization as an outsourced service.
Step two – effectively ensuring the protection of essential services
Safetech can provide you with the design, supply, implementation, configuration and maintenance of the specific security solutions needed to meet the requirements of Law 362/2018, such as:
– systems for filtering traffic between networks,
– systems for controlling logical and physical access to the data and applications necessary for critical services,
– systems for managing privileged access to the IT systems necessary for these critical services,
– systems for detecting and responding to security threats on computers and in the data networks necessary for critical services,
– systems for the management of information and security events.
Safetech also provides 24/7/365 cyber security threat monitoring, detection and response services. Safetech provides the interconnection with the alert, monitoring and cooperation service of the DNSC, ensuring a prompt response to the alerts and requests sent by the national CSIRT (Computer Security Incident Response Team).
Also, the technical division of Safetech includes a team of accredited auditors who, at the client’s request, can evaluate whether the organization complies with the security requirements provided by Law 362/2018.
Through its complete offering, Safetech helps operators of essential services to achieve their compliance objectives, monitor and reduce risks and improve their level of business resilience, while ensuring compliance with Law 362/2018.
For more information about our services and commercial offers, we invite you to contact us by email at [email protected] or by phone at 021 316 05 65.