Webinar Safetech Innovations: From NIS1 to NIS2, requirements and effective solutions to achieve compliance
On March 4, 2025, Safetech Innovations, in partnership with the Romanian Water Association (ARA), organized the webinar “From NIS1 to NIS2: requirements and effective solutions for achieving compliance”. The event addressed the NIS2 compliance challenges faced by entities previously regulated by NIS1 – a category that also includes organizations in the Wastewater and Drinking Water Supply and Distribution industries. During the presentation held by Gheorghe Mărăcine (Manager of the Audit Department, Safetech Innovations), the implications of the new regulatory requirements and the technological solutions that can support the transition of organizations to NIS2 compliance were detailed.
What are the minimum technical, operational and organisational measures required by NIS2?
Gheorghe Mărăcine began his presentation with a history of the legislation and a summary of the differences between NIS1 and NIS2, with a focus on minimum measures and requirements. According to the NIS2 Directive, essential and important entities are required to implement appropriate technical, operational and organizational measures aimed at ensuring a high level of cybersecurity. The necessary measures include the following:
- Policies and procedures for risk analysis and security of information systems, periodically reviewed;
- Policies and procedures for assessing the effectiveness of cyber risk management measures;
- Use of cryptography and, where applicable, data encryption;
- Security of the supply chain, including relations with suppliers and service providers;
- Security measures for the acquisition, development, maintenance and scrapping of networks and information systems, as well as vulnerability management;
- Security incident management procedures;
- Business continuity plans, including backups, disaster recovery and crisis management;
- Cyber hygiene practices and training programs for employees in the field of cybersecurity;
- Implementation of multi-factor authentication or continuous authentication solutions, as well as secure communication systems for internal and emergency communications.
“All these measures will be detailed by orders of the DNSC Director and we expect the Directorate to issue guidelines through which the requirements will be as clearly explained as possible. But until then, and given that the new ordinance does not repeal Law 362, Chapter 4 and Chapter 5, respectively ensuring the security of networks and information systems, and the chapter on audit and authorization, they will continue to produce effects. Thus, according to the law, all entities impacted by the old legislation will have to continue to ensure the technical and organizational measures detailed in 2020 through the respective technical norms”, explained the representative of Safetech Innovations, Gheorghe Mărăcine.
Technical norms. Legal requirements and obligations are organized into 4 areas of cybersecurity
The technical norms define the minimum requirements for the security of network and information systems, covering the essential aspects of protecting IT infrastructures. Structured around four areas – governance, protection, cyber defence and resilience – they provide a clear framework for managing risks, preventing incidents and ensuring business continuity.
- Governance ensures a controlled approach to cyber risks, with the active involvement of management. The process begins by identifying the current situation, continues with the risk assessment and materializes in a security policy adapted to the entire organization.
- Protection is based on the implementation of administrative, technical and physical controls to ensure the complete security of systems and equipment. These controls are essential for the prevention and management of security risks.
- Cyber defense involves continuous monitoring of systems and rapid response to security incidents, in order to prevent and limit possible damage. The process includes event detection, analysis and remediation, testing, cooperation, as well as incident reporting.
- Resilience is based on the implementation of procedures, technologies and control mechanisms to ensure business continuity (continuity plans, disaster recovery plans, testing and updating) and to effectively manage crises (event analysis, incident investigation, communication and cooperation, reporting).
Technologies and services required to achieve compliance
During the webinar, the Safetech representative presented its recommendation for achieving compliance with NIS2 requirements, as follows:
Step 1: Implementing an Information Security Management System (ISMS)
The main activities for compliance with NIS2 are: notification/registration of the entity with the DNSC; submission to the DNSC of the entity’s risk level assessment; submission to the DNSC of the maturity level self-assessment; preparation and submission of the plan to remedy the identified deficiencies; and reporting.
Taking these into account, the Safetech Innovations specialist recommends implementing an Information Security Management System (ISMS) for the continuous improvement of cybersecurity, based on the “Plan-Do-Check-Act” cycle also found in the ISO 27001:2002 standard, which provides a systematic approach to risk management in an organization. Another framework recommended during the webinar is NIST CSF 2.0, which structures the steps for creating an ISMS into six functions (governance, identification, protection, detection, response and recovery) and provides more specific guidance for certain areas of activity, such as risk assessment.
Step 2: Establish an architecture model for compliance
Safetech recommended to the members of the Romanian Water Association (ARA) a hybrid security architecture that combines two current concepts: Defense in Depth (DiD) and Zero Trust Architecture (ZTA).
- Defense in Depth integrates multi-layered security measures (perimeter, network, application, endpoint), with each layer providing redundancy for the protection of data and systems. DiD also meets the requirements for detection, protection and recovery, and minimizes the impact of cyberattacks.
- Zero Trust Architecture assumes that no entity (user, device or application) is trusted by default; every access is verified and authenticated before it is allowed. Its important features, from the perspective of NIS2, are data encryption, access control based on the principle of least privilege and multi-factor authentication solutions.
Starting from these architecture models, Gheorghe Mărăcine provided more details about the technologies, solutions and services necessary to meet the requirements of NIS2 at the physical, perimeter, network, endpoint, application and data security levels, as well as policy and procedure management and monitoring and response solutions. The choice of these solutions is made according to the specific risks of each organization and based on its governance framework and internal processes.
Step 3: Implement solutions. Safetech Innovations Technologies and Services for NIS2 Compliance
Safetech offers several solutions and services for the creation and implementation of an Information Security Management System (ISMS).
“Safetech, through consulting services, helps organizations create an ISMS, if one does not exist. In the second stage, we offer GRC services – Governance, Risk and Compliance – to carry out the risk analysis and a security assessment, which will result in an action plan. The implementation of the control measures of the Directive follows, where we offer design and implementation services for security solutions, GRC services for developing policies and procedures, personnel training services and security solutions,” said Gheorghe Mărăcine.
The Safetech specialist continued the presentation of the steps necessary for compliance with NIS2:
Step 4: Security Operations and Incident Management. Safetech offers solutions for incident management and reporting: XDR, SIEM, TIP, and outsourced administration and operation services (including SOC).
Step 5: Monitoring and testing of the effectiveness of controls. Safetech provides vulnerability assessment, penetration testing, breach and attack simulation (BAS), tabletop exercises, incident response drills, Continuous Threat Exposure, etc.
Step 6: Implementation of corrective actions. Safetech offers outsourced security solution management services.
Benefit from Safetech Innovations’ expertise in ensuring compliance with NIS2 and protect your critical infrastructures with internationally award-winning security solutions.
For information about the services and solutions presented you can contact us by email at sales @ safetech.ro or by phone +40 21 316 0565.