NIS2 is a European directive that updates and extends the requirements for cybersecurity established by the first NIS Directive (Network and Information Security) from 2016. The main purpose of NIS2 is to increase the cyber resilience of essential infrastructures and to ensure a uniform application of cybersecurity measures across all EU Member States.
Management of important entities must take a series of specific measures to comply with the requirements of the NIS2 Directive. These measures are intended to enhance cybersecurity and effectively manage associated risks. Among the necessary measures are:
Implementation of a cybersecurity risk management framework
Management must adopt a cybersecurity risk management framework that includes periodic risk assessments and security policies for information systems. This framework must align with NIS2 requirements and focus on preventing, detecting, and responding to cybersecurity incidents.
Business continuity and crisis management measures
Important entities must have a solid business continuity plan and a crisis management plan to ensure operational continuity in the event of major cybersecurity incidents. These plans should include data recovery procedures, backup strategies, and emergency communication plans.
Management’s responsibility for security measures
Management must approve and supervise the cybersecurity measures adopted by the company. This includes monitoring the implementation of security policies and ensuring that the security measures comply with the directive’s requirements. In case of non-compliance, management can be held personally accountable and face severe penalties, including disqualification from management positions.
Cyber incident reporting
Important entities must establish clear procedures for reporting cybersecurity incidents, with the obligation to notify the national competent authorities within 24 hours of detecting a major incident and to provide a complete report within 72 hours. These reporting requirements must be integrated into the incident management framework.
Supply chain security management
Entities must implement security measures to manage supply chain-related risks, including supplier assessments and security policies for all partners. It is essential for entities to establish processes to identify vulnerabilities in the supply chain and ensure compliance with NIS2 requirements across the entire partner network.
Ensuring training and awareness
Management must ensure that the company’s staff receive regular cybersecurity training and that good security practices are promoted within the organization. All individuals with roles in cybersecurity risk management must be adequately trained to understand the impact of security measures on the company’s operations.
By implementing these measures, the management of important entities can ensure compliance with the NIS2 Directive requirements and reduce the risks associated with cybersecurity.
Important entities must conduct security audits in accordance with NIS2 requirements. The directive stipulates that national authorities may request the implementation of a security audit to verify the compliance of these entities with the imposed security measures. The audit can be mandatory in the event of suspected non-compliance or as part of periodic checks to ensure that cybersecurity standards are met.
Important entities are subject to an ex-post supervision regime, meaning that an audit can be imposed after irregularities are detected or based on non-compliance reports. However, to prevent potential sanctions, it is recommended that management conduct regular internal audits to ensure compliance and identify potential deficiencies in advance.
Therefore, the security audit represents an important preventive and corrective measure to ensure that important entities meet the NIS2 directive requirements and are prepared to respond effectively to cybersecurity risks.
The NIS2 compliance audit must be conducted by companies specialized in cybersecurity and risk management, which have experience in security audits and are accredited to provide such services. These companies must meet certain criteria, such as cybersecurity and compliance certifications, and have staff with relevant expertise.
To choose a suitable firm, companies should check whether the auditor is accredited by the national competent authorities or international regulatory institutions such as ENISA (European Union Agency for Cybersecurity) and other similar bodies.
In Romania, the National Cyber Security Directorate (DNSC) is the competent authority responsible for overseeing the implementation of the NIS2 Directive. DNSC monitors and ensures compliance with the directive’s requirements for all essential and important entities operating in Romania.
For further information or any additional inquiries, please do not hesitate to contact us:
➡ Phone: (+4) 031 426 0745
📧 Email: office@grecupartners.ro
We are here to assist and provide legal support for all your needs. We look forward to speaking with you.
Elena Grecu – Attorney at Law