With the adoption of OUG 155/2024 on December 31, thousands of Romanian companies must now ensure compliance with the NIS 2 Directive. The new legislation clarifies key uncertainties, establishes clear deadlines, and introduces additional measures beyond the European framework. Further guidance is expected in the first half of 2025 through orders issued by the DNSC Director, providing additional regulatory clarity.
2025 will therefore be a pivotal year for compliance efforts, not just in Romania but across the European Union. While some organizations have prior experience with NIS 1, the expanded scope of NIS 2 presents new challenges, and in most cases companies and public institutions lack the in-house expertise to manage this transition efficiently. Datanet Systems provides end-to-end support for organizations impacted by the directive, offering everything from free initial consultations to assess applicability, to comprehensive security evaluations and the design and implementation of a robust cybersecurity architecture.
Evaluating Your Organization’s Compliance Scope
The first step in achieving compliance with OUG 155/2024 is determining whether your organization falls within the directive’s scope. Annexes 1 and 2 of the ordinance outline the critical and highly critical sectors and subsectors. If your organization operates in areas such as energy, transportation, banking, healthcare, potable water, wastewater management, digital infrastructure, or waste management, it is highly likely to be subject to NIS 2 regulations.
Next, organizations must assess whether they qualify as an essential or important entity based on factors such as company size, service impact, and potential risks to society or the economy.
While the ordinance provides clear criteria, certain complexities can create uncertainty. To streamline this process and reduce compliance risks, Datanet Systems offers a structured NIS 2 Applicability Assessment Form, designed to help organizations quickly determine their obligations. Access the form here!
DNSC Notification and Official Registration
A key update introduced by OUG 155/2024 is the creation of a registry of essential and important entities, managed by DNSC. Organizations falling under the scope of this ordinance must complete their registration within 30 days – either from the ordinance’s effective date or when the provisions begin to apply.
This process involves notifying DNSC, which includes submitting critical company details such as the designated representative’s information, public IP address ranges, and TLD name registries. The full list of required data is outlined in Article 18 of the ordinance.
Risk Assessment and Cybersecurity Strategy: Building a Robust Framework
OUG 155/2024 sets two specific deadlines for compliance:
- Risk assessment: within 60 days of official registration, organizations must submit a comprehensive risk assessment to DNSC.
- Cybersecurity strategy evaluation: within 60 days of submitting the risk assessment, organizations must assess the maturity of their cybersecurity risk management measures.
These assessments are complex processes that require a high level of expertise in both cybersecurity risk management and regulatory compliance. The risk assessment must identify the key cybersecurity threats, vulnerabilities, and potential impacts on the organization. The maturity evaluation assesses the effectiveness of the organization’s existing cybersecurity strategies, processes, and measures.
Given the complexities involved, many organizations may find it challenging to navigate these requirements without external support. This is where Datanet Systems can play a pivotal role. With its extensive experience in NIS 1 compliance and a deep understanding of ISO 27000 standards, Datanet Systems offers specialized services to help organizations through both the risk assessment and cybersecurity strategy evaluation processes.
A cyber risk assessment involves identifying, analyzing, and quantifying the threats and vulnerabilities that could impact an organization’s security. The first critical step is identifying key assets – such as IT systems, databases, network infrastructure, and sensitive data – that need to be protected. Once these assets are defined, the next step is to assess the potential threats from both external (e.g., hacking, phishing, malware, ransomware) and internal (e.g., human error, unauthorized access, insider threats) sources, as well as risks from third-party vendors, partners, and suppliers.
An equally important aspect is evaluating the vulnerabilities within the organization’s IT infrastructure. This involves conducting security audits, penetration testing, and reviewing configurations and protection policies. The ultimate goal is to identify any weak points that could be exploited by cybercriminals.
The final step in the risk assessment is to quantify the impact and likelihood of a potential security incident. This involves determining the possible financial, legal, and reputational consequences of a cyberattack. Based on these assessments, risks are categorized as low, medium, or high, enabling the organization to clearly prioritize and address the most critical vulnerabilities.
In addition to the risk assessment, Datanet Systems offers a comprehensive cybersecurity strategy evaluation. Our approach covers all key aspects, including organizational processes, system architecture, and the technologies in use. This evaluation is further enhanced by results from penetration testing (PEN Test), Security Health Checks, vulnerability scans, and findings from other security audits, ensuring a thorough and holistic understanding of your security posture.
For a comprehensive overview of this topic, we recommend reading the following article: “Security Strategy Assessment: The First Step Towards Strengthening Cyber Defense”.
Effective Alignment with NIS 2 Requirements
Under the new legislation, organizations are required to submit a detailed remediation plan to DNSC (or the relevant sector authority) within 30 days of completing their self-assessment. The ordinance specifies that this plan must be endorsed by the organization’s management. This step is pivotal under the new Directive, which mandates the implementation of risk analysis policies for information system security, along with regular reviews and evaluations. Additional requirements include the use of cryptography, supply chain security, vulnerability management and disclosure, access control policies, business continuity planning, disaster recovery, cybersecurity training, and the integration of multi-factor authentication or continuous authentication solutions.
Based on the outcomes of prior assessments, Datanet Systems can assist your organization in designing and implementing a robust security architecture that aligns with NIS 2 standards – both in terms of technology and procedures. Our services also encompass improving cyber hygiene across your user base.
Datanet’s comprehensive portfolio includes all necessary solutions and tools to meet these requirements, through strategic partnerships with leading global providers such as Cisco, Fortinet, Palo Alto Networks, Crowdstrike, Infosim, F5, CyberArk, and others. In addition, we’ve partnered with local consultancy firms to offer tailored services for various industries and sectors specified in OUG 155/2024. To ensure the best possible alignment with the requirements, it is crucial to understand the unique needs of each client’s business.
Incident Monitoring and Reporting
One of the most sensitive areas of the NIS 2 Directive is incident monitoring and reporting. This is critical not only because the timelines for reporting are very strict but also because non-compliance carries a high risk of financial penalties. Organizations are required to adhere to the following clear deadlines for reporting significant incidents:
- In the case of an incident with potential cross-border impact, the report must be submitted within 6 hours of becoming aware of the incident.
- Early warning must be provided within 24 hours of becoming aware of the incident.
- Incident reporting, including updates, must be completed within 72 hours of discovering the incident.
- An interim report, containing updated information, is to be provided at the request of the national incident response team.
- The final report must be submitted within one month of the initial notification of the incident.
All reports should be sent to the national cybersecurity incident response team (CSIRT) using the dedicated platform PNRISC.
To mitigate the risks associated with non-compliance, Datanet Systems provides advanced threat monitoring and incident response services, leveraging top-tier tools from the previously mentioned providers and supported by a highly skilled and experienced team. For instance, the use of SecOps (Security Operations) solutions introduces a new approach to cybersecurity strategies by integrating security policies and processes with IT operations. This approach fosters closer collaboration between security teams and operations teams, enabling quicker detection and resolution of security incidents.
Additionally, our focus on highly automated solutions enables the correlation of data from multiple sources (email, web, network, processes) to detect attacks with greater accuracy. It also allows for scaling the data sources to identify behavioral or traffic patterns that employees may miss due to workload or the large volume of alerts.
With these services, including Security Operation Center (SOC) solutions, organizations can block threats, minimize damage, and, importantly, ensure timely reporting of incidents to the relevant authorities. This approach enhances both cyber resilience and compliance with regulatory requirements.
Mitigating the Risk of Penalties
The penalties stipulated under OUG 155/2024 are considerable and should not be overlooked. Non-compliance with the directive, as outlined in Article 60, can result in significant fines, including:
- Essential entities: Fines ranging from RON 10,000 to EUR 10,000,000 (or the equivalent in RON), or up to 2% of annual turnover.
- Important entities: Fines ranging from RON 5,000 to EUR 7,000,000 (or the equivalent in RON), or up to 1.4% of annual turnover.
Furthermore, DNSC has the authority to issue warnings, temporarily suspend certifications or authorizations, notify the organization’s clients, and impose temporary restrictions on the leadership of the organization. For a full breakdown of penalties, please refer to Articles 48-49 of OUG 155/2024.
The early initiation of risk and maturity assessments and the deployment of cutting-edge security architectures are the only surefire ways to prevent hefty penalties. The cost of non-compliance could easily exceed the effort needed to align with the directive, and investing in cybersecurity not only protects you from penalties but also mitigates other high-stakes risks, such as ransomware attacks. In fact, aligning with NIS 2 can deliver rapid, tangible returns.
With Datanet Systems as your partner, you’ll have the support you need to navigate the entire compliance process – from risk assessments to implementing robust security measures and continuous infrastructure monitoring.
For expert guidance on NIS 2 and OUG 155/2024, book your FREE CONSULTATION now!