Public-sector cybersecurity in Romania moved from "policy on paper" to "DNSC inspections in practice" over the last three years. NIS2 transposition (Law 124/2025) put most central-government entities and a long tail of subordinate agencies in scope. Procurement law makes choosing a supplier hard; we routinely work as a sub-contractor through framework agreements.
Sandline operates inside DNSC- and SRI-CERT-coordinated programmes when invited. Our deliverables match the formats the regulator asks for, and our staff work under security clearance where required. We do not handle classified information without explicit clearance and a dedicated environment.
Typical engagements
- Pentest of citizen-facing portals (e-government services)
- Vulnerability assessment of internal admin systems
- IR retainer aligned with DNSC notification timelines
- Awareness programme for civil servants
Sector-specific threats
Public-administration phishing waves
Common in EU member states. Our human-vulnerability programme tests staff with realistic central-government pretexts.
Hacktivism and state-aligned attackers
Especially around elections and during regional crises. Our CTI engagement curates the relevant actors and their TTPs.
Legacy ASP.NET / Java EE estates
Pentests routinely surface decades-old findings on systems that are still business-critical. Remediation plans must be realistic about replacement vs. compensating controls.
