NIS2 Compliance: What organizations need to know
In this week's edition of our Digital Compliance Newsletter, we explore the latest regulatory advancements in EU cybersecurity: the NIS2 Directive.
This directive represents a significant milestone in strengthening the Union's digital resilience and tackling the rising threat of cyberattacks.
For more details, visit www.suciupartners.ro.
For guidance, reach us at dan.ciobanu@suciupartners.ro or elisa.cristea@suciupartners.ro.
About NIS2
The NIS2 Directive (i.e., Directive 2022/2555 on measures for a high common level of cybersecurity across the Union) is a significant advancement over its predecessor, the NIS1 Directive 2016/1148.
It introduces enhanced cybersecurity measures, expands the scope of application, and establishes detailed risk management measures, reporting requirements, and rules for cooperation, information sharing, supervision, and compliance. Ultimately, NIS2 aims to enhance the resilience and responsiveness of entities across various economic sectors to cyber threats.
Key changes and expansions
NIS2 not only reinforces cybersecurity within sectors already covered by NIS1 (such as energy, transport, healthcare, and finance) but also extends its reach to new sectors. These include providers of public electronic communications services, digital services (like social platforms), manufacturing of critical products, postal and courier services, and public administration.
One of the most notable changes introduced by NIS2 is the broader scope of application. The directive now covers a wider range of industries, including digital service providers, public electronic communications services, and critical manufacturing sectors, reflecting the increasing interconnectivity of modern economies. This expansion ensures that cybersecurity measures are not limited to traditionally regulated industries but also encompass emerging digital infrastructures.
Additionally, NIS2 introduces enhanced cybersecurity measures that require organizations to adopt a proactive risk management approach. This includes implementing advanced security policies, conducting regular system testing, and ensuring compliance with international security standards such as ISO 27001.
The directive also mandates incident response planning and real-time risk assessment, helping entities prevent, detect, and respond effectively to cyber incidents.
Another key improvement is the strengthened framework for cooperation and information sharing. NIS2 establishes clearer communication channels between national cybersecurity authorities, the European Union, and private sector entities. This ensures better coordination in handling large-scale cyber incidents and promotes the exchange of threat intelligence across member states.
Moreover, NIS2 reinforces supervision and enforcement mechanisms, introducing stricter compliance requirements and significant penalties for non-compliance. Member states must now define and oversee cybersecurity obligations more rigorously, ensuring that organizations prioritize digital security at an executive level. Notably, company leadership, directors, and decision-makers can be held personally accountable if their organization fails to meet NIS2 standards.
Ultimately, the NIS2 Directive aims to enhance the resilience and responsiveness of entities across various economic sectors. By raising cybersecurity standards and ensuring a coordinated response to cyber threats, the directive contributes to a more secure, stable, and resilient digital environment within the European Union.
Local implementation (Romania)
Romania has transposed the NIS2 Directive through the adoption of the Government Emergency Ordinance no. 155/2024, focusing on establishing a framework for cybersecurity of networks and information systems within the national civil cyberspace.
Key aspects of Romania's implementation include:
Categorization of entities: the ordinance defines "essential entities" (most vulnerable to cyberattacks and providing critical services) and "important entities" (such as postal services and food sector manufacturers);
Registration and notification obligations: entities falling under the ordinance must register with the National Cyber Security Directorate (DNSC). They are also obligated to notify the DNSC of significant cybersecurity incidents within 24 hours (preliminary report) and provide a detailed analysis within 72 hours;
Incident reporting: incident reports must be submitted to the Romanian National Cyber Security Incident Response Team (CERT-RO), including details about the incident's nature, affected systems, impact assessment, and mitigation measures.
Looking ahead
The implementation of the NIS2 Directive will enable Romanian organizations to significantly improve their cyber resilience, minimize the impact of potential cyberattacks, and ensure the continued functioning of essential services.
This will contribute to a more secure and stable digital environment for businesses, attract foreign investments, and foster economic growth and innovation in Romania's digital sector, ultimately benefiting citizens.
To prepare for NIS2 compliance, organizations should conduct a gap analysis to identify areas where their current cybersecurity practices are lacking, develop a roadmap for implementing the necessary security measures, and allocate sufficient resources for training and awareness programs.