Safetech Innovations Webinar: NIS2 – Requirements and Effective Solutions to Achieve Compliance

The NIS1 Directive was adopted at EU level in 2016 and was transposed into Romanian law in 2018. Subsequently, the European Union initiated the updating of this regulation. GEO 155/30.12.2024, the normative act that transposes the NIS2 Directive into national legislation, expands the coverage area, so many organizations now face specific regulations for the security of networks and information systems for the first time.

The webinar “NIS2, requirements and effective solutions to achieve compliance”, held by Safetech Innovations on February 6, 2025, was specifically addressed to entities that were not subject to NIS1 and were included in the scope of the NIS2 Directive. These organizations are generally less familiar with NIS requirements and therefore more exposed to cybersecurity risks. To avoid vulnerabilities and potential sanctions, they need to start the process of aligning with the new requirements quickly.

During the webinar, Safetech experts Gheorghe Mărăcine, Manager of the Audit Department, and Cătălin Gherghiceanu, Presales Manager, provided this category of organizations with essential clarifications about the obligations imposed by NIS2.

NIS 2: coverage, technical and organisational measures, reporting and managers’ responsibilities

Gheorghe Mărăcine opened the webinar with a summary of the NIS2 Directive, with a focus on the impacted areas. Thus, Annex 1 of GEO 155/2024 includes 11 areas of activity of high critical importance, such as Transport, Banking, Financial Market Infrastructures, Health Sector and others, complemented by 9 essential subsectors of the Energy and Transport industries, including Oil Industry, Natural Gas and Water, Air, Rail and Road Transport. Annex 2 details 7 other critical sectors, including Waste Management, Chemical Production and Distribution, and Manufacturing. This includes 6 additional subsectors, such as medical equipment, computers, electrical appliances and the manufacture of motor vehicles and transport equipment.

According to the manager of the audit department at Safetech Innovations, NIS2 adds new responsibilities for the management of the targeted organizations. These include approving security measures, overseeing their implementation, and taking responsibility for regulatory violations. Management teams must also undergo accredited cybersecurity training.

Gheorghe Mărăcine also presented the audit obligations of the organizations targeted by NIS2: “Annually, a self-assessment of the level of maturity of the implemented measures will be carried out. In addition, a periodic audit will also be carried out. Within a maximum of 5 days from the completion of any type of cybersecurity audit, the audited entity must submit the results to the DNSC. Then, within 15 working days from the receipt of the audit report, the entities have the obligation to prepare and submit to the DNSC, based on the auditor’s recommendations, a plan of measures to remedy the identified deficiencies, including the deadlines assumed for their implementation,” added Gheorghe Mărăcine.

NIS2 Compliance Technology and Implementation Steps

In the second part, Cătălin Gherghiceanu addressed more practical aspects, focusing on the actual implementation of the NIS2 Directive, from the perspective of the technology and methodology required. According to him, as a first step, organizations that believe they are under the NIS2 Directive must notify the DNSC, providing identification and contact information. If the DNSC confirms that the organisation in question meets the requirements of the Directive, it will be registered in a register of entities.

The next steps are: adopting an internal cybersecurity policy, conducting an assessment of the entity’s risk level and submitting it to the DNSC, and drawing up and submitting the plan of measures for managing the risks associated with networks and information systems. By completing these steps, entities will become auditable. DNSC will not perform this audit itself; it will be carried out by one of the companies accredited by DNSC, and the costs of the audit services will be borne by the entity concerned.

According to Safetech’s Presales Manager, the implementation of a cybersecurity management system compliant with NIS2 requirements can be achieved in a structured manner by applying the recommendations of the ISO 27001:2022 standard or of NIST CSF 2.0, which is more useful for cybersecurity incident management measures. Cătălin Gherghiceanu presented the cybersecurity architecture models recommended by Safetech to the targeted entities: Defense in Depth (DiD) and Zero Trust Architecture (ZTA).

What are the steps recommended by Safetech Innovations for implementing NIS2 compliance measures? “The ideal is to start from an Information Security Management System (ISMS): either it already exists and we adapt it to what NIS 2 compliance means, or we initialize it. At this stage, Safetech defines the context of the organization, an information security policy, responsibilities in terms of information security in the company, etc.,” said Cătălin Gherghiceanu. After this, Safetech recommends carrying out a risk analysis, implementing the necessary measures to meet the objectives pursued, training the staff, carrying out current security and incident management operations, monitoring and testing the security, and implementing the necessary corrective measures.

Alignment to NIS2 with Safetech

Safetech Innovations is a trusted partner for NIS2 organizations, providing full support at every stage of the compliance process. With over a decade of experience in the field of cybersecurity, the company stands out for its extensive portfolio of solutions and services, covering all stages of the ISMS cycle. Safetech provides over 40 leading solutions from renowned manufacturers and a wide range of services in the field of cybersecurity: GRC consulting, systems integration, testing, monitoring, operations outsourcing (SOCaaS), training, auditing, all of which are meant to ensure a high level of protection of critical IT and OT infrastructures.

The company’s technical team, consisting of more than 40 certified employees, including DNSC-accredited auditors, guarantees the implementation of the necessary measures for compliance with NIS2 regulations. In addition, the more than 1000 consulting and testing projects completed demonstrate Safetech Innovations’ commitment to ensuring the security of organizations in any sector of activity.

For more information about Safetech’s services and solutions for ensuring compliance with the NIS2 Directive, we invite you to contact us by email at sales @ safetech.ro or by phone at +40 21 316 0565.