top of page

NIS Directive Kit

Quickly implement the requirements of the NIS Law

 Do you want to avoid a negative or qualified NIS audit opinion? 
Do you want to avoid possible controls and fines of the National Cyber Security Directorate?

Do you want to create the foundation of a more secure business?

Implement the NIS Directive and Law 362 intelligently!

2500 RON, without VAT 

Detailed implementation manual

It contains practical advice from 2 years of experience in consulting for various operators of essential services in the implementation of the requirements of the NIS Directive, which they successfully passed the NIS Audit.

Contains applicable recommendations from the founder's 20 years of experience in information security management. 

It contains pragmatic approaches, from the experience of specialists who are NIS certified auditors, in the adjustment and implementation of audit procedures and records. 136bad5cf58d_

Complete documentation for compliance with the Law 362 

38 operational procedures and 36 documents for audit records that meet the requirements of the law for 67 auditable control indicators

Documentation updated with the latest legislation

100% editable documentation

We perform a security risk analysis
Build with us the basics and finesse of compliance
Free email support

If you are unclear about how to implement this documentation in your organization, send your questions by email and we will help you by email. 

The possibility of a dedicated consultant

If you need dedicated support and consultancy specific to your requirements, you have the possibility of contracting dedicated sessions with the Sectio Aurea team of experts. 

The documentation of the Kit for the NIS Directive includes the policies, the operational procedures required by law, the mandatory registers for the provision of audit records to the NIS authorized auditors. The documentation was built to be completed and implemented simply, quickly and efficiently even by an audience less used to information security management.

The content of the kit is aligned with the requirements of the law and methodological norms, but also with the best international practices in information security (NIST Cybersecurity Framework, NIST Special Publications, ISO 27001, IEC 62443, Security for automation and industrial control systems, COBIT 5 for information security).

The NIS Directive Kit is an innovative product that helps you implement the requirements of Law 362 yourself, without specialist assistance. By following our step-by-step instructions, you will implement the requirements of the NIS Directive in a simple, fast and efficient way. You will save time, money and energy and invest in the safety of your business in the long term by avoiding fines.

The NIS Directive Kit is a coherent system of procedures and implementation guidelines born from practical experience in implementing the requirements of the NIS Directive in various companies in Romania. It is a very effective product, which will help you respond faster to the most demanding NIS auditors.

Implement the NIS Directive and Law 362 intelligently!

Business Executive

Flexible consulting line
Build compliance with Law 362 / 2018 intelligently, being guided by people with extensive experience in cybersecurity and compliance. 
depending on the level of maturity, we build you a flexible consulting package, so that we can help you with the delicate elements. 

Conference Crowd

Practical Dialogue. February 3, 2023. 

An open, honest and committed dialogue on the topic.
The largest webinar on the NIS Directive.  
The perspective of accredited NIS auditors, with practical experience in IT management.

The perspective of a consultant with 15 months of experience in implementing the requirements of the law in various companies in Romania, but also with 20 years of experience in cyber security. 

What does the Kit actually contain?

Detailed manual for implementing the requirements of the NIS directive in the organization, plus adaptable policy and procedure templatesand operational and audit evidence



  • ARNIS - Security risk analysis of networks and IT systems

  • MEGRE - Risk management methodology for the provision of essential services

    • The decision to establish the Monitoring Commission

    • The decision to appoint the Information Security Officer - the NIS Officer

    • The decision to appoint the Information Security Officer

    • Decision for risk tolerance

    • Risk identification and assessment form or "Risk alert" form

    • Information regarding the development of the risk management process at the company level

    • The plan for the implementation of risk control and follow-up measures

    • Annual report on the development of the risk management process

    • Review of risk profile and risk tolerance limit

    • Consolidated risk register

  • PONIS - The security policy of networks and IT systems that ensure the provision of essential services

  • RAIPOD - Model Report on the implementation of the security policy of networks and IT systems that ensure the provision of essential services and its application documents

  • DANIS - The accreditation process established in PONIS through which OSE accredits NIS used in the provision of essential services, including administration components

  • IEC - Evaluation indicators, on the basis of which the OSE evaluates its compliance with the Network and IT Systems Security Policy

    • Examples to choose from Key Risk Indicators​

  • MEIEC - Method for evaluating compliance indicators

    • Non-Conformity Report (MEIEC Annex 1)

    • Non-conformity log (Annex MEIEC 2)

    • Corrective action report (MEIEC Annex 3)

  • PGASP - Personal security assurance program

  • ISA - Security training for employees
    • Planning the awareness and professional training campaign

    • The thematic training plan in the field of IT security

    • Templates for internal emails  security awareness

  • FP - the necessary security requirements for the job description

  • PRASA - Security presentation program for all staff and for staffspecialized

  • PRISA - Security training program for employees who use the networks and IT systems that are the basis for the provision of essential services

  • INCEA - Necessary tools for raising awareness and educating employees about the types of IT security threats and the appropriate protection measures in order to limit incidents
  • COSE - Service contracts or external service provision
  • LASPO - List of assets, systems and processes of the organization

    • Construction guide SANIS​

  • PRECDI - Procedure regarding the labeling and classification of data and information

  • SICAE - Cartographic situation of the ecosystem; document through which the establishment and identification of the ecosystem that is the basis for the provision of the essential service, both NIS and other components, is carried out

  • LIRIE - List of identified potential risks and their evaluation in the provision of essential services. The risks are represented by the relations with the interested parties of the ecosystem

  • PROSRE - Procedure for establishing ecosystem relationships; the document includes interconnections (external relations) between networks and computer systems and third parties

  • LASMA - List of service level agreements and/or audit mechanisms of networks and IT systems

  • SANIS    Scheme of the architecture of networks and IT systems used to provide essential services

    • Construction guide SANIS​



  • PRUSME- Procedure regarding the use of external memory media

  • RESME - Record registers of external memory media

  • PROCESS - Procedure regarding the segregation and segmentation of networks and IT systems used for the provision of essential services

  • PROFIT - Traffic filtering procedure

  • PRAPC - Procedure for ensuring cryptographic protection for information and resources

  • MACC - Management of encryption keys; process that ensures the production, use and record of cryptographic material, including encryption keys

  • PRAPMA - Procedure for ensuring malware protection

  • PRUSSIA - Procedure regarding the use of IT administration systems

  • JIERU - Logs recording events produced by resources used for administration. Diaries are established and kept in electronic form or on paper.

  • PPSIA - The envelope with passwords used for computer systems for the administration of networks and computer systems

  • PROLD - Remote working procedure

  • ECUPA - Record of accounts for users and for automated processes

  • LICPA - List of privileged accounts by access levels and accessible functionalities

  • LICA - List of administration accounts

  • MEAUP - Authentication mechanism for users and automated processes to the resources of networks and IT systems

  • SIVMOC - System for verifying potential changes to a privileged account

  • PROMNIS - Procedure for maintaining the security of networks and IT systems

    • Evidence Implementation Minimum security level

    • Evidence of security exceptions

    • Evidence Detection of vulnerabilities and the application of Patches

    • Request for access, withdrawal of access to the computer system

  • PRORUVI - Procedure to reduce the risks related to the use of an outdated version

  • CEISC - Specific security requirements for industrial control systems

  • ANISMS - Analysis of security risks and implementation of security measures to limit unauthorized access

  • PRASI - Procedure regarding the access and security of resources and information


Cyber Defense

  • PRODAIS - Procedure for reporting security incidents

  • PEIREV - Process of identifying, classifying, fixing and eliminating vulnerabilities, especially in software and firmware, at the level of networks and IT systems

  • PRORAI - Procedure for the management, response and analysis of incidents that affect the operation or security of computer networks and systems

  • PRORIS - Procedure for reporting security incidents

  • PISAC - Interconnection procedure to the alerting and cooperation service of CERT-RO.



  • Complete Business Continuity Plan Template

  • PRADE - Procedure regarding the management of ensuring the availability of the essential service, in case of a cyber security incident

  • PROMRE - Procedure regarding the management of data recovery in case of disasters, as well as in case of severe cyber security incidents

  • PROCIS - Procedure regarding the organization of crisis management in case of cyber security incidents to ensure the continuity of organizational activities

  • PEGEC - Crisis management processes; documents by which the OSE establishes the processes and methods of implementation in case of cyber security incidents to ensure the continuity of organizational activities

Do you want to preview examples? 

PONIS - Network and IT systems security policy

PRECDI - Procedure regarding the labeling and classification of data and information

PROMNIS - Procedure for maintaining the security of networks and IT systems​

Why us?

We are authorized

You have the support of specialists who are certified auditors in auditing the law. 

Sectio Aurea is a DNSC certified auditor for
NIS Directive
CLE Series / 8020. 

Image by Annie Spratt

The specialists who contributed to the Kit have at least 5 years of experience in the specific field of law, in organizations of high complexity  (multinationals).
Most are opinion leaders, respected professionals: IT Managers, Security Managers, CISOs.

Image by Cesar Carlevarino Aragon
Business model

The kit is the result of hard and sustained work in implementing the requirements of the NIS directive in various environments. 

It was optimized through direct customer feedback, but also following the collaborative consultation of a focused work group. 

Do you want to act?
Order the NIS Directive Kit 

Thank you for the order!!

Our Team - Your Cybersecurity Experts

At Sectio Aurea, we collaborate with top IT and security professionals. They have a minimum of 5 years of experience in complex, multinational organizations, managing complex projects and leading security teams. They are opinion leaders, respected professionals and occupy positions such as IT Manager, Security Manager, CISO, DPO and Architects.

We work with 16 cyber security experts. With each one we have a history of years of successful projects and constant interactions. 

However, we can scale with entire teams of IT specialists in your priority areas. 

Our specialists hold a wide range of certifications in advanced fields such as cybersecurity, data protection, security management and information systems auditing. Choose to collaborate with us and we assure you that your business will benefit from the highest level of expertise in information security.

ISO 27001 LA
PECB ISO-27005-Lead-Risk-Manager
PECB ISO-22301-Lead-Auditor
ISO 27001 LA


NIS Directive Audit
Delgaz Grid
NIS Directive Consulting
Apa vital
Apa canal galati
casomes final
Image by Guillaume Périgois

About the European NIS Directive and Law 362/2018

As of January 12, 2019, the NIS Directive (EU Directive 2016/1148 of the European Parliament and of the Council of 6 July 2016) was adopted by Law no. 362/2018 by the Romanian Parliament.
Its aim is to achieve a high common standard for network and information security in all Member States of the Union that provide essential services to society.
As services increasingly rely on IT network infrastructures, these measures are aimed at strengthening the readiness of EU states to respond to cyber security threats, thus leveraging their overall confidence in the digital single market.
Therefore, the NIS Directive is an essential European regulation that ensures the sustainability of the new digital economy.

Is the NIS Directive addressed to you?
YES. If you have a business in the following sectors of activity and meet certain indicators

Financial market infrastructures
Supply and distribution of drinking water
Digital infrastructure
Online markets
Search engines
Cloud computing

What are your obligations?

Implement the minimum security requirements according to the law.
Prepare and implement in the business a structured system of policies, procedures, regulations
Continuous (permanent) monitoring of the level of security and interfacing with the authorities 

December 17, 2020

Performing a classification analysis as an essential service operator (OSE)
Registration in the Register of Essential Service Operators (ROSE)
Self-declaration on compliance with the law
Documentation of self-assessment of compliance with minimum security requirements

2 years since enrolling in ROSE

Implement minimum security requirements in line with industry best practices.
Preparation of audit indicators auditable by the state and by authorized auditors. 
Performing risk analysis, Implementing security procedures and policies in the organization, implementing an appropriate set of technologies.

Penalties for non-fulfillment of legal obligations


For more information we recommend the following

bottom of page