The steps to comply with the NIS2 Directive include several essential phases that affected organizations must follow to ensure they meet all the directive’s requirements. These steps include:
- Compliance assessment and identification of targeted entities:
  The first step is determining whether the organization falls under the category of essential or important entities defined by the directive. Organizations must assess their field of activity and identify whether they provide essential or important services to the critical infrastructure of the European Union. This is done by analyzing the classification criteria established in the NIS2 Directive.
- Conducting a risk assessment and an initial audit:
  Organizations must conduct a comprehensive cyber risk assessment and carry out an initial audit to understand the current state of their security measures. The risk assessment should cover all critical systems and processes to identify potential vulnerabilities.
- Developing and implementing a compliance plan:
  After the initial audit, organizations must develop a compliance plan, which includes the technical and organizational measures needed to address the identified risks. This plan should cover:
  - Establishing specific security policies and procedures.
  - Implementing security controls and measures to protect critical infrastructure (e.g., data encryption, access control, patch management).
- Developing cyber incident management capabilities:
  Organizations must implement incident management procedures, which should include:
  - Reporting incidents to DNSC within 24 hours.
  - Creating a business continuity and disaster recovery plan.
  - Establishing internal teams dedicated to incident management (e.g., CSIRT – Computer Security Incident Response Team).
- Implementing security measures for the supply chain:
  According to NIS2, organizations must identify and manage risks associated with the supply chain, ensuring that all suppliers and partners comply with the imposed security standards. This involves evaluating suppliers and implementing protective measures to prevent unauthorized access or security breaches caused by third parties.
- Employee training and awareness:
  Organizations must ensure periodic staff training in cybersecurity and raise awareness of best security practices. Management and operational teams must have the knowledge necessary to identify and manage cyber risks.
- Continuous monitoring and periodic audits:
  Organizations must conduct internal and external audits periodically to assess the effectiveness of the implemented measures and identify potential deficiencies. The audit should be performed by specialized and certified firms, and its results should be reviewed by management to establish corrective actions where necessary.
- Continuous reporting and communication with authorities:
  Organizations must maintain ongoing communication with national authorities (in Romania, DNSC) and report all security incidents that may affect their activity or the delivery of services to clients. Additionally, they must ensure that all reports and documentation are retained in accordance with legal requirements.
It is important to highlight that essential and important entities must involve both a technical consultant specialized in cybersecurity and a lawyer with expertise in data protection who specializes in NIS2 compliance. By following these steps, organizations will be able to comply with the NIS2 Directive and improve their cybersecurity, reducing the risk of incidents and ensuring the continuity of essential and important activities.
For further information or any additional inquiries, please do not hesitate to contact us:
➡ Phone: (+4) 031 426 0745
📧 Email: office@grecupartners.ro
We are here to assist and provide legal support for all your needs. We look forward to speaking with you.
Elena Grecu – Attorney at Law