
NIS Directive Audit

Independent assessment of cybersecurity maturity and readiness for NIS2 obligations

The NIS2 Directive requires organizations to conduct a self-assessment of their cybersecurity maturity and develop a plan of measures to remedy deficiencies.

The audit conducted by Sectio Aurea provides an independent assessment that helps the organization determine its true level of maturity and properly prepare the compliance process.

The Problem: NIS2 Compliance Is Not Just Documentation

For organizations covered by the NIS2 Directive, cybersecurity becomes a management responsibility and a legal obligation.

The compliance process involves:

  • cybersecurity maturity assessment

  • identification of existing deficiencies

  • defining a plan of remedial measures

  • demonstrating real control over risks.

In practice, many organizations experience difficulties in carrying out a realistic and coherent self-assessment, correlated with the actual level of security of the IT infrastructure.

Find out your true level of cybersecurity maturity and prepare your NIS2 self-assessment on a solid foundation.

Legal context: Self-assessment of maturity is an obligation

According to the NIS2@RO procedure managed by DNSC, organizations must perform a self-assessment of their cybersecurity maturity level and subsequently submit a plan of measures to remedy the identified deficiencies.

The self-assessment should analyze:

  • maturity of security documentation

  • implementation of processes and controls

  • the level of protection of the IT infrastructure

  • existing deficiencies.

This assessment forms the basis for monitoring compliance progress and any controls carried out by the authorities.

For organizations covered by the NIS2 Directive, the cybersecurity maturity assessment becomes a legal obligation under the national procedure managed by the DNSC.

According to the NIS2@RO mechanism, organizations must go through a clear compliance process:

  1. Risk analysis and risk score calculation

  2. Within 90 days – submission of maturity self-assessment

  3. Within a maximum of 60 days – submission of the action plan to remedy the deficiencies

The maturity self-assessment should analyze:

  • maturity of security documentation

  • the actual level of process implementation

  • existing technical and organizational controls

  • identified deficiencies

Based on this assessment, the organization must submit to the authority the remedial action plan, which includes the corrective measures, the responsible parties and the implementation deadlines.

This plan is used by DNSC to monitor compliance progress and prioritize controls.

Solution: NIS2 audit conducted by Sectio Aurea

The audit provides an independent and structured assessment of the level of cybersecurity maturity.

The evaluation analyzes in an integrated manner:

  • the documentary and governance framework

  • implementation of security processes

  • technical architecture and implemented controls

  • the level of compliance with the requirements of the NIS2 Directive.

The result is not just a formal analysis, but a realistic picture of the organization's security level and cyber risks.


Assessment of compliance with the NIS2 Directive. The audit not only analyzes the security maturity, but also the degree of compliance with the requirements of the NIS2 Directive and the national implementation framework.

Integrated analysis: documentation, implementation, and architecture. The assessment covers both the governance framework and the actual way controls are implemented in the IT infrastructure.

Correlating security with risk analysis. The audit verifies whether security measures are proportionate to the identified risks.

Structured plan of measures for compliance. The organization receives a clear remediation plan, prioritized according to impact and risk.


What you get through the NIS2 Audit

The NIS2 audit conducted by Sectio Aurea provides an independent and structured assessment of the organization's level of maturity and compliance with the requirements of the NIS2 Directive.

The assessment is not limited to verifying the existence of documents, but comprehensively analyzes the documentation, implementation of controls, and technical architecture, to determine the organization's real level of cybersecurity and resilience.

Evaluation of the documentary and governance framework

The audit analyzes existing documentation to verify whether the organization has an adequate formal framework for managing cybersecurity.

The assessment includes:

  • IT security and governance policies

  • operational security procedures

  • risk management processes

  • continuity and incident response plans

  • internal standards and operational instructions.

The analysis tracks the degree to which the documentation reflects the requirements of the NIS2 Directive and whether it is complete, coherent and formally approved at management level.

Verification of the implementation of controls in practice

The audit verifies whether the processes and controls defined in the documentation are implemented and effectively functioning in the organization's current activity.

This stage includes:

  • analysis of operational evidence (incident registers, logs, technical reports)

  • assessment of risk and incident management processes

  • verifying the application of access control and security policies

  • vulnerability and patch management analysis

  • evaluation of operational continuity processes.

The goal is to confirm that security does not only exist at a declarative level, but is integrated into the organization's operational processes.

Cybersecurity maturity assessment

The audit determines the actual level of cybersecurity maturity in the organization, both from the perspective of documentation and operational implementation.

The assessment is performed using a maturity model based on NIS2 controls and international best practices such as the NIST Cybersecurity Framework and ISO 27001.

The result provides a clear picture of:

  • documentation maturity

  • maturity of control implementation

  • the current level of security governance.

Technical and security architecture analysis

The audit includes a detailed analysis of the IT architecture and technical controls implemented to protect infrastructure and data.

This analysis covers:

  • network architecture and system segmentation

  • access control and identity management

  • endpoint and infrastructure protection

  • incident monitoring and detection mechanisms

  • backup, recovery and resilience solutions.

The assessment allows the identification of architectural vulnerabilities and security gaps that may affect compliance with NIS2 requirements.

Assessment of compliance with the requirements of the NIS2 Directive

Differentiating element of the audit

Most security assessments analyze the maturity of processes or the technical level of security. The audit conducted by Sectio Aurea goes further and includes an explicit assessment of legal compliance with the NIS2 Directive.

This assessment is not limited to good practices or general security standards. It directly analyzes the organization's degree of alignment with the regulatory requirements of the NIS2 Directive and the national implementation framework.

The evaluation follows three essential dimensions:

1. Compliance of the documentary framework. It is verified whether the policies, procedures and internal standards correctly reflect the requirements of the NIS2 Directive and whether they are approved and integrated into the governance of the organization.

2. Compliance of technical implementation. It is analyzed whether the IT infrastructure and implemented technical controls support the requirements of the directive – including protection, detection, monitoring and incident response mechanisms.

3. Operational compliance. It is verified whether the security processes are effectively applied in practice, through the analysis of operational evidence, interviews and verification of how the controls work in current activity.

Structured plan of remedial measures

The final result of the audit is not just a list of findings, but a concrete plan of measures to align the organization with NIS2 requirements.

The remediation plan includes:

  • list of identified deficiencies

  • necessary technical and organizational measures

  • prioritizing measures based on risk

  • recommendations on responsibilities and necessary resources

  • a phased implementation plan.

This plan provides management with a clear foundation for building a coherent compliance program and increasing cybersecurity maturity.


What are we auditing?

Adopt a proven method and work with people highly experienced in auditing IT systems and security management in organizations.

With us you identify more quickly and effectively the non-conformities with legal requirements and the security risks to the business's essential services.

Integrated analysis: documentation, implementation and architecture

The audit analyzes the organization's security from three complementary perspectives:

  • governance framework and security documentation

  • implementation of processes and operational controls

  • the technical architecture of the IT and security infrastructure.

This approach allows for the identification of differences between what is formally defined and what actually works in the organization.

Correlating security with risk analysis

The NIS2 Directive is built around risk management.

The audit checks whether there is a real correlation between:

  • risk analysis carried out by the organization

  • security controls implemented

  • protection and monitoring processes.

This correlation is one of the elements frequently analyzed by authorities during NIS2 controls.

Clear plan of measures for compliance

The audit does not stop at the findings.

The final result includes a structured plan of measures to remedy the identified gaps, which allows the organization to:

  • prioritize interventions based on risk

  • plan the implementation of technical and organizational measures

  • build a coherent program for compliance with the NIS2 Directive.

Practical experience in NIS2 audit and implementation

The audit is conducted by experts with experience in real cybersecurity, governance, and regulatory compliance projects.

This experience allows for a pragmatic approach, focused not just on formal compliance, but on operational resilience and real security governance.


Audit team

The Sectio Aurea audit team is comprised exclusively of senior professionals with advanced technical skills and internationally recognized certifications in cybersecurity auditing, IT governance and risk management. Our auditors have a deep understanding of applicable Romanian and European legislation (including NIS / NIS2) and exceed the minimum legal requirements for accredited audit service providers.

Audit engagements are delivered by specialists with proven practical experience in complex projects, combining audit expertise with real-world experience in managing and securing IT and OT infrastructures. This practical perspective allows for informed, relevant and business risk-oriented assessments.


Each project is directly coordinated by a senior auditor – the founder of Sectio Aurea – ensuring methodological rigor, professional project management and clear deliverables, useful for management, the Board and authorities. Our approach goes beyond formal compliance verification, focusing on identifying real vulnerabilities, assessing the business impact and defining concrete risk reduction measures.


Through Sectio Aurea, organizations benefit from a dedicated and experienced team, capable of transforming security auditing into a real tool for governance, resilience and support of strategic decisions.

How does the NIS2 Audit work?


Defining the scope of the assessment

The first stage establishes the scope of the audit, including the processes, systems and IT infrastructure relevant to the organization's critical services.

The following are defined:

  • evaluation objectives

  • systems and processes analyzed

  • roles and responsibilities of the audit team

  • calendar of activities.

This stage ensures a clearly delimited and efficient evaluation.

Security documentation analysis

The audit analyzes the organization's documentary framework to assess how NIS2 requirements are translated into internal policies and procedures.

Among others, the following are evaluated:

  • information security policies

  • risk management processes

  • incident response procedures

  • continuity and recovery plans

  • access management procedures.

The aim is to verify the existence of a coherent governance framework aligned with the requirements of the directive.

Maturity and compliance assessment

Based on the information collected, auditors determine the level of cybersecurity maturity and the degree of compliance with the requirements of the NIS2 Directive.

The assessment analyzes:

  • documentation maturity

  • maturity of control implementation

  • level of security governance

  • alignment with legal requirements.

The result is a realistic picture of the organization's current security level.

Technical and security architecture analysis

The audit includes a detailed analysis of the IT architecture and technical controls implemented to protect infrastructure and data.

This analysis covers:

  • network architecture and system segmentation

  • access control and identity management

  • endpoint and infrastructure protection

  • incident monitoring and detection mechanisms

  • backup, recovery and resilience solutions.

The assessment allows the identification of architectural vulnerabilities and security gaps that may affect compliance with NIS2 requirements.

Audit report and action plan

At the end of the audit, the evaluation report and the action plan to remedy the identified deficiencies are developed.

The report provides management with a clear basis for prioritizing investments and implementing the necessary measures for compliance.


NIS2 Audit Deliverables

At the end of the audit mission, the organization receives a complete set of deliverables that document the level of security maturity and the steps needed for compliance.

Cybersecurity Maturity Assessment Report

The report provides a detailed analysis of the level of maturity of information security, both from the perspective of documentation and process implementation.

The report includes:

  • assessment of the governance framework

  • security process analysis

  • documentation maturity assessment

  • assessing the maturity of control implementation.

NIS2 Directive Compliance Assessment Report

This report analyzes the organization's degree of alignment with the requirements of the NIS2 Directive and the national implementation framework.

The report highlights:

  • compliance level

  • identified non-conformities

  • operational risk areas

  • opportunities for improvement.

Structured plan of remedial measures

The final report includes a detailed plan of measures to remedy the identified deficiencies.

The remediation plan includes:

  • list of identified deficiencies

  • recommended technical and organizational measures

  • prioritizing measures based on risk

  • recommendations on responsibilities and necessary resources

  • a phased implementation plan.


What can DNSC check?


Existence of a governance framework for security

Authorities analyze whether the organization has clearly defined policies, procedures and responsibilities for managing cybersecurity and whether these are assumed at the management level.

Cyber risk management

Authorities verify whether the organization has identified the relevant risks for its critical processes and services and whether adequate measures exist to mitigate them.

Implementation of security measures

The authorities analyze whether the technical and organizational measures are actually implemented and integrated into the organization's current activity.

Cybersecurity maturity level

The assessment may include analysis of the maturity of security processes, documentation, and how controls are applied in practice.

Security improvement action plan

Organizations must demonstrate that they have identified any deficiencies and have a realistic plan to remedy them.

Frequently Asked Questions (FAQ)

Is the NIS2 audit of Sectio Aurea mandatory?

Currently, the NIS2 audit is not yet explicitly regulated by methodological rules that establish the obligation to carry out a formal security audit for all organizations covered by the directive.

What is clearly provided for by the implementation framework, however, is the obligation of organizations to conduct a self-assessment of their cybersecurity maturity level, as well as to develop a plan of measures to remedy the identified deficiencies.

The NIS2 audit conducted by Sectio Aurea is not a legal obligation in itself, but it can provide a solid foundation for conducting a maturity self-assessment. The independent assessment provides the organization with a realistic picture of the current level of security and helps identify deficiencies that need to be remedied for compliance.

How long does an NIS2 audit take?

The duration of an NIS2 audit depends on the size of the organization, the complexity of the IT infrastructure, and the number of processes and systems analyzed.

In most cases, an initial assessment can be completed within a few weeks, including documentation review, discussions with internal managers, and evaluation of existing security controls.

The purpose of the audit is not just to formally check documents, but to obtain a realistic picture of how cybersecurity is managed in practice.

What happens after the audit is completed?

At the end of the audit, the organization receives a detailed report that includes the results of the assessment and the main findings regarding the level of cybersecurity maturity.

The report is accompanied by a structured plan of measures to remedy the identified deficiencies. This plan can be used by management to prioritize security investments, plan the implementation of necessary controls, and support the process of compliance with the requirements of the NIS2 Directive.

The audit thus provides a clear starting point for developing a coherent security program and increasing the maturity of the organization.

Does the audit also include analysis of the IT infrastructure?

Yes. The NIS2 audit conducted by Sectio Aurea includes not only the analysis of documentation and security processes, but also an assessment of the technical architecture and controls implemented in the IT infrastructure.

This assessment looks at how information systems are protected, how access and identities are managed, and what mechanisms exist for detecting and managing security incidents.

The analysis allows the identification of potential vulnerabilities or security gaps that may affect the operational resilience of the organization.

Is the audit relevant to the relationship with the authorities?

The audit provides an independent assessment of the organization's level of maturity and compliance. While it does not replace legal reporting or self-assessment obligations, it can support the organization in making a more realistic and well-founded assessment.

By identifying deficiencies and defining a clear plan of action, the audit helps the organization demonstrate that it is addressing cybersecurity in a structured and responsible manner.

This approach can facilitate dialogue with authorities and reduce the risk of superficial or incomplete assessments.

Is the audit also suitable for organizations that have not yet started implementing NIS2?

Yes. The audit can be useful both for organizations that have already started implementing security measures and for those that are at the beginning of the compliance process.

For organizations just starting out, the audit provides an initial assessment of maturity level and helps identify key implementation priorities.

For organizations that already have certain processes or controls implemented, the audit allows verification of the actual level of compliance and identification of gaps that need to be addressed to comply with the requirements of the NIS2 Directive.


Request initial NIS2 assessment

Fill out the form and we will contact you to discuss your organization's context and NIS2 audit options.
