Who it applies to
Transposed into Romanian law in 2024, NIS2 covers energy, transport, banking, financial markets, healthcare, drinking water, wastewater, digital infrastructure, public administration, space, postal and courier services, waste management, manufacture of critical products, food, manufacturing of devices and equipment, digital providers, research and chemical production. If you are an essential or important entity, you are in scope.
What it requires
- Article 21: a baseline of risk management measures including vulnerability handling, supply-chain security, incident management, business continuity and cryptography
- Article 21(2)(g): cybersecurity training and awareness for the workforce
- Article 23: incident reporting — early warning within 24h, notification within 72h, final report within 1 month
- Personal accountability of the management body for security failures
How Sandline helps
- Vulnerability management programme that produces Article 21 evidence quarterly, not annually
- Penetration testing and red team exercises against the technical control set
- IR retainer with NIS2-aligned reporting templates and timelines
- Workforce training tied to Article 21(2)(g) with attendance and assessment evidence
- Centraleyezer mapping of every finding to the relevant Article 21 sub-clause