
START NIS2
Start implementing the NIS2 Directive intelligently.
Correct, Structured and Auditable.
The program is dedicated to organizations that need to start complying with the requirements of the NIS2 Directive, without previous experience.
✔ Complete policies and procedures
✔ Step-by-step implementation manual
✔ Project management models
✔ Support through AI agent specialized in NIS2 Romania
Do you find yourself in this situation?
– You know you need to implement NIS2, but it’s not clear where to start
– You don't know what is truly critical for the business
– You do not have a correlated asset and risk register
– You do not have formally approved policies
– You do not have a dedicated manager with experience in NIS2
Start NIS2 is built exactly for this stage: the beginning.
2500 RON
28 Policies
18 Procedures
Implementation manual
51 forms, guides
Specialized AI Assistant
What is it?
Start NIS2 is the right starting point in implementing the requirements of the NIS 2 Directive.
It is the framework that gives you clarity, order, and control when you need to start implementing NIS2 without prior experience.
Instead of uncertainty and a fragmented approach, you have a structured system that shows you exactly what needs to be done and in what order.
What exactly do you get?
Policies, Sub-policies, Procedures fully aligned with the requirements of the NIS2 Directive. Mature documentation, developed based on real implementations, aligned with the NIS2 Directive, GEO 155/2024 and NIST CSF.
Practical implementation manual. Operational playbook, with clear steps, logical phasing and completion guide for each register and document.
Project management templates. Structured plans for BIA, assets, risks, suppliers, information classification and identity management to help you get better organized.
Specialized AI agent NIS2. Trained for almost a year by the Sectio Aurea team, integrating applied experience from real transformational projects.
Documentation examples:
Complete set of security policies, operational and system procedures, standards and internal guidelines, developed and consolidated over several years of real implementations, in organizations from various fields.
The documentation is built to cover the requirements of the NIS2 Directive and GEO 155/2024, while being aligned with the NIST Cybersecurity Framework (CSF). Its structure ensures both formal compliance and practical applicability.
The materials are designed to respond to a wide range of implementation scenarios, but also to be adapted with minimal effort to the specifics of your organization, without compromising the coherence or integrity of the control framework.
Start NIS2 includes a complete and coherent documentation framework, built to support the real and auditable implementation of NIS2 requirements.
Global Security Policy - The strategic document that defines the organization's commitment to information protection, security directions, and governance and risk principles.
Thematic sub-policies. Complete set of policies dedicated to critical areas: asset management, risk, supplier, identity and access, continuity, cloud, incident response, vulnerabilities and others. Ensures complete coverage of NIS2 requirements.
Operational procedures. Clear and detailed processes that translate policies into concrete steps: granting access, reporting incidents, classifying information, assessing risks, managing vulnerabilities, etc.
Technical standards - Mandatory requirements for the configuration and operation of IT infrastructure, ensuring the consistent application of security measures.
Integrated and auditable structure - Policies, procedures and standards are correlated with each other, providing traceability between legal requirements and practical implementation.
The practical manual is the central component of the Start NIS2 program and functions as a detailed operational playbook for organizations starting from scratch or at a low level of maturity.
The content is organized in the logical order of implementation, so that each step builds on the outcome of the previous one.
The manual explains not only what needs to be done to comply with NIS2 requirements, but especially how it is done concretely in practice.
It includes:
– clear phasing of the initial implementation phase;
– detailed instructions for carrying out each step;
– decision models and internal communications for management involvement;
– explanations regarding the link between the requirements of the NIS2 Directive, GEO 155/2024 and the implemented controls;
– completion guides for all templates included in the package.
The manual reduces ambiguity, prevents misinterpretations, and provides a clear path from legal requirement to implemented document.
It is designed to allow the organization to achieve concrete results in the first months, without relying exclusively on external consultancy.
The following areas are included in the initial implementation manual.
IT Asset Management. An initial inventory of IT and information assets is carried out, correlated with the results of the BIA. Assets are associated with critical processes.
Business Impact Analysis (BIA). Critical processes, essential services, dependencies and RTO/RPO values are identified. This is the basis for all subsequent decisions.
Supplier security management. Identifying suppliers relevant to the operation of critical services, operational dependencies and supply chain risks. This allows for the control and mitigation of risks generated by third parties.
Information classification and protection. Information categories, classification levels and minimum protection requirements are established. This ensures that security measures are applied in proportion to the sensitivity of the information.
Cyber risk management. An initial risk assessment is performed based on identified assets, processes, and threats. This informs decisions on how to treat and prioritize risks.
Identity and access management. Roles, access rights, and identity control rules are defined. This ensures controlled access to information resources and the application of the principle of least privilege.
Security indicator reporting. Define initial performance and risk indicators (KPI/KRI) and reporting mechanisms. This allows for continuous monitoring of the security level.
Cybersecurity training. Minimum training and awareness requirements for staff are established. This helps reduce risks generated by the human factor.
Project management models in critical areas
Start NIS2 not only provides documentation, but also the governance structure necessary for implementation. Dedicated project management templates are provided for each of the critical areas included – BIA, asset management, supplier security, information classification, risk management and identity and access management.
These models include:
– step-by-step list of necessary activities;
– defining responsibilities (roles involved);
– expected deliverables for each stage;
– logical dependencies between domains (e.g. BIA before risk assessment);
– indicative time frames for organizations with limited resources.
The goal is to transform the NIS2 requirements into a structured program, with clear objectives and measurable progress. Instead of a reactive or fragmented approach, the organization benefits from a coherent framework that allows for control of implementation and clear reporting to management.
Operational support through specialized AI agent
As part of the Start NIS2 program, organizations can benefit from operational support through a ChatGPT agent specialized in information security and the implementation of the NIS2 Directive.
The agent is not a generic tool. It was trained for a year by our consulting team, using experience gained in real implementation projects, applied interpretations of the NIS2 Directive and GEO 155/2024, as well as correlations with the NIST Cybersecurity Framework and other international best practices.
The agent is configured to:
– explain the NIS2 requirements in terms applicable to the organization;
– guide the completion of registers and documents included in the program;
– provide practical recommendations for initial implementation;
– clarify the connection between processes, assets, risks and controls;
– support the internal team in making operational decisions.
The result is continuous support, available when needed, that reduces reliance on hourly consulting and accelerates implementation without compromising the quality or consistency of the compliance framework.
Start NIS2 is designed for organizations that need to begin implementing the directive but don't know where to start.
See if Start NIS2 is right for your organization
Your benefits
Implementing NIS2 can seem like a complex process, especially for organizations just starting out.
Start NIS2 is built to transform this complexity into a clear, phased and controllable path.
Reducing the risk of non-compliance
Ensures the existence of a formal documented framework, with policies, procedures and records that can be demonstrated to authorities or auditors.
Saving time and resources
Avoid months of internal analysis and document development from scratch. Implementation becomes manageable, even with limited teams.
Traceability between law and practice
Every major requirement is connected to concrete policies, procedures and records. There are no “useless documents”.
Flexibility and adaptability
The documentation is designed to be quickly adapted to the specifics of the organization, without compromising the coherence of the control framework.
AI support when needed
Through the option of a specialized AI agent and expert validation, the internal team benefits from practical guidance and quick clarifications.
The AI agent is trained by a team of consultants over several implementations and can be a very knowledgeable virtual CISO.
Foundation for further maturation
The start of NIS2 is not the end of compliance, but the solid foundation for the operation, monitoring and continuous improvement phase.
CISO on Demand brings multiple benefits to your organization, including:
UNIQUE
In a market where most offers are limited to one-off consultancy or the delivery of standard documents, Start NIS2 proposes a different approach: a complete initial implementation system, built for real organizations, with limited resources and concrete pressures.
AI agent trained on real NIS2 implementation
The ChatGPT agent integrated into the program was trained for a year by our consulting team, based on practical experience in the NIS2 Directive and GEO 155/2024.
It is not a generic tool, but a specialized operational support, configured for practical application and contextual clarification.
The documentation and manual are not academic models or translations of international standards.
They are the result of several years of real implementations, adjusted to concrete situations in organizations with different levels of maturity.
Double alignment: legal and methodological
The program is built to cover the requirements of the NIS2 Directive and national legislation, while being correlated with the NIST Cybersecurity Framework. Thus, the organization achieves not only formal compliance, but a coherent risk management framework.
Built for simplicity
Most offerings on the market are designed for already mature organizations. Start NIS2 is specifically designed for companies starting from scratch or close to scratch, offering clarity, proportionality, and immediate applicability.
Balance between autonomy and validation
The organization can deploy internally, with continuous AI support, and opt for expert validation when needed. This combination provides flexibility without compromising control and quality.
Who is it NOT suitable for?
Start NIS2 is a program built for organizations that want to build their NIS2 implementation foundation internally, with AI structure and support. It is not the right solution in the following situations:
Organizations with a high level of cybersecurity maturity
If the organization already has a formal BIA, complete asset register, operational risk management, consolidated policies and recurring security processes in place (e.g. in a mature ISO 27001 context), then the need is more for advanced optimization or auditing, not initial implementation.
What does Start NIS2 NOT contain, and what is it NOT?
To set fair and realistic expectations, it is important to clarify what is not included in the initial implementation stage.
Start NIS2 is built to lay a solid foundation for compliance: structure, governance, documentation, and risk clarity. It does not replace technical operation, ongoing monitoring, or dedicated strategic consulting.
Start NIS2 addresses a number of areas of the NIS2 Directive at the documentation level, but these are not included in the initial implementation manual from an operational perspective.
Areas such as vulnerability management, IT infrastructure maintenance, incident management, antimalware protection and traffic filtering, external storage media management or cryptographic controls are already defined through standardized policies and procedures.
However, their effective implementation requires the existence of dedicated technologies and daily operational capacity.
These components are part of the operation and maturation stage (Consolidation, Digitalization, IT Security Operation, SOC), not the foundation phase.
Start NIS2 builds the governance framework and structure needed for these areas, without forcing premature technology investments or unsustainable operational implementations.
It is not consulting.
Start NIS2 does not require the allocation of a full-time dedicated consultant or unlimited hotline support.
For organizations that need ongoing involvement and direct coordination from experts, there are distinct NIS Consulting, Outsourced CISO or Security Operations services.
Does not include the daily operation of technical security measures
Areas such as vulnerability management, infrastructure maintenance, the operation of antimalware solutions, traffic filtering or cryptographic administration require specific technologies and continuous operational capacity. These are activated in the later maturation stages (IT Security Operation, SOC).
Does not include the implementation or provision of security technologies
Start NIS2 does not involve the purchase, configuration or administration of technical solutions such as EDR, SIEM, advanced firewall, GRC platforms or other dedicated systems. The program prepares the governance framework needed for their later implementation.
Does not include 24/7 monitoring or real-time incident response
Operational incident detection and response are part of the SOC services and of the operation stage, not of the initial implementation.
It is not a complete digitalization project
The registers and processes are structured and standardized, but advanced digitalization, workflow automation and integration into GRC platforms are part of the NIS2 – Digitalization and Control stage.
Will not ensure full compliance with the NIS 2 Directive
Start NIS2 represents the stage of initial implementation and of building the compliance foundation.
The program is not equivalent to complete and final compliance with all the requirements of the NIS2 Directive.
Full compliance requires, in addition to the documentation and governance framework:
– continuous operation of security measures;
– permanent monitoring and detection;
– periodic testing of controls;
– constant updating of risk assessments;
– integration of security into recurring organizational processes.
Start NIS2 provides the structure needed to start correctly and to demonstrate real, documented progress. The subsequent stages of consolidation, digitalization, governance and operation are what lead to a complete and mature level of compliance.
This phased approach reduces the risk of superficial implementation and allows the organization to build a sustainable system, not just an appearance of compliance.
What concrete results do you achieve?
After implementing Start NIS2, your organization can demonstrate, in a documented and auditable manner, the following:
You have a Business Impact Analysis (BIA) performed and internally validated. You know which processes and services are critical, what dependencies exist, and what the assumed and possible availability values are.
You have a structured asset register, correlated to critical processes. You no longer operate on assumptions, but on clear evidence.
You have a documented risk register, with prioritization and initial treatment. Risks are no longer treated ad-hoc, but managed in a structured manner.
There is a documented framework of policies, procedures and responsibilities, reflecting the requirements of NIS2 and national legislation.
You can demonstrate the link between the requirements of the NIS2 Directive, the measures adopted and the evidence generated.
There are formalized decisions, responsibilities, and governance mechanisms. NIS2 becomes a management issue, not just a technical one.
After completing the initial stage, you are prepared for what comes next: operation, monitoring, testing, and continuous improvement.
What comes after Start NIS2?
Start NIS2 builds the foundation: structure, documentation, clarity on risks and responsibilities. The next step is to mature, operationalize and fully integrate NIS2 requirements into the organization's governance and operating model.
After the foundation, the next step is to expand and deepen the implementation across all NIS2 domains.
This stage involves fully covering the requirements of the directive, refining organizational and technical controls, integration into internal processes, and preparation for audit or control.
The objective is to transform the initial implementation into a functional and coherent system.
In this stage, the previously defined processes and records are digitized and integrated into an automated control framework.
GRC platforms, digital approval flows, management dashboards, and structured reporting mechanisms can be implemented.
Compliance thus becomes measurable, traceable and scalable.
For organizations that do not have an internal CISO or want to strengthen strategic coordination, this level introduces an outsourced Security Director service.
The role includes ongoing oversight of the NIS2 framework, reporting to management, reviewing risks and coordinating security measures.
This ensures strategic leadership and formal accountability.
IT Security Operation
It includes implementing and maintaining technical controls, vulnerability management, access management, and infrastructure hardening. Policies and procedures become effective protection.
Surveillance and Response Center (SOC)
Provides continuous monitoring, incident detection, alerting and response support. The organization gains permanent visibility and real response capacity, essential for resilience and NIS2 compliance.
Authority and experience behind Start NIS2
Start NIS2 is built on real-world implementation experience in critical organizations, not theoretical interpretations of the Directive. The methodology used in the program reflects years of applied work in regulated environments, where information security is directly linked to operational continuity and management accountability.
The program is developed and coordinated under the direct supervision of Mădălin Bratu, founder of Sectio Aurea, with active involvement in defining the implementation framework, documentation structure and governance model. This involvement ensures strategic coherence, well-founded decisions and relevant deliverables for the executive level.
Integrated expertise in methodology
Start NIS2 is not a collection of policies or a standardized product. It is a structured method, which integrates:
– practical experience in NIS implementations and complex security projects;
– correlation between the requirements of the NIS2 Directive and national legislation;
– alignment with international best practices, including the NIST Cybersecurity Framework;
– proportionate approach, adapted to the maturity level of the organization.
Every component of the program – the documentation, the manual, the project models, and the AI agent – is the result of continuous refinement based on real-world situations, not hypothetical scenarios.
Demonstrable quality and long-term partnerships
The standard by which Start NIS2 is built is the same that governs all Sectio Aurea projects: clarity, applicability and support over time.
Organizations that have worked with our team can directly confirm:
– the relevance of deliverables for management;
– the practical applicability of the recommendations;
– the ability to support documentation before auditors or authorities;
– professionalism and consistency of interventions.
For us, the strongest validation is not formal statements, but long-term collaborations and recommendations from executive management and security leaders who choose to continue the partnership beyond a one-off project.
The Start NIS2 program is developed based on real-world experience in implementing security and compliance programs.
Talk to a Sectio Aurea expert
Frequently Asked Questions (Q&A)
Our NIS consulting services support organizations in implementing a complete operational security and compliance framework, aligned with the requirements of the NIS Directive and NIS2. The approach is an integrated one, focused on reducing business risk, operational continuity and demonstrating compliance to authorities and partners.
Is Start NIS2 sufficient for full compliance?
No. Start NIS2 does not ensure full and final compliance with the NIS2 Directive.
The program is designed to ensure the first essential steps: building the governance framework, formal documentation, identifying critical assets and processes, initial risk assessment, and structuring responsibilities.
Full compliance additionally requires:
– continuous operation of technical security measures;
– incident monitoring and response;
– periodic testing of controls;
– constant updating of risk assessments;
– progressive maturation of processes.
Start NIS2 provides the foundation needed to get started right and demonstrate real, auditable progress. The subsequent stages of Consolidation, Digitalization, and Operation are what lead to a complete and sustainable level of compliance.
In short:
Start NIS2 does not complete compliance — it starts it correctly.
The duration depends directly on two elements: the level of focus and management involvement.
If there is clear ownership at the management level and a person designated for coordination, results can be visible within a few months.
In practice, in 60–90 days you can obtain concrete deliverables such as:
– Global Policy formally approved;
– Business Impact Analysis (BIA);
– asset register correlated with critical processes;
– initial risk register;
– formal governance structure;
– phased implementation plan.
Without managerial involvement, the process can be significantly delayed.
Start NIS2 provides the structure and methodology. The pace of implementation is determined by the actual priority given internally.
In short: with focus and commitment, results appear in a few months.
How much involvement is required from the organization?
Start NIS2 is built as an assisted implementation program, not as a full-service takeover.
The following are required from the organization:
– management involvement for formal commitment to policies and governance structure;
– participation of the IT team and process managers in collecting information (BIA, assets, risks);
– designation of an internal person to coordinate implementation;
– validation and approval of generated documents.
The effort is structured and phased through the practical manual and project models, so that implementation is achievable even in organizations with limited resources.
The program reduces ambiguity and dependence on external consultancy, but does not replace internal accountability.
Is it suitable for essential entities or only for smaller companies?
Start NIS2 is suitable for both large and essential entities at the beginning of the implementation of the NIS2 Directive.
The program is designed for organizations with low to medium information security maturity, regardless of size. The difference is not given by the size of the company, but by the current level of structuring and formalization.
For large critical entities, Start NIS2 can be the foundation stage – building the formal governance framework, documentation and initial risk assessment. Afterwards, it is necessary to continue through the Consolidation, Digitalization and Operation stages.
For very mature organizations, which already have most controls and formalized processes implemented, it may be more appropriate to enter the Consolidation or Digitalization stage directly.
In short:
Start NIS2 is suitable for any organization that needs to begin implementation in a structured manner, but is not intended for organizations that already have a fully mature and operational framework.
Start NIS2 is not a collection of predefined documents. It is a structured implementation system.
A set of templates provides you with blank forms.
Start NIS2 provides you with methodology, context, and guidance to complete them correctly and coherently.
The essential differences:
1. Methodology, not just documents
Each policy and register is integrated into a phased implementation logic (BIA → Assets → Risks → Controls → Governance).
2. Practical step-by-step manual
Not just "what document must exist", but how it is constructed, in what order, who is responsible and what decisions must be made.
3. Real correlation with NIS2 and GEO 155/2024
The documents are aligned with legal requirements and international best practices (NIST CSF), they are not generic or theoretical.
4. Project management models
Transform compliance into a structured program, with clear deliverables and responsibilities.
5. Specialized AI agent
Continuous operational guidance, based on applied experience from real NIS2 implementation projects.
A simple set of templates creates the appearance of compliance.
Start NIS2 builds a coherent, auditable and applicable foundation.
In short: the difference is between having documents and having a system.
Is the AI agent safe and specialized?
The ChatGPT agent integrated into the Start NIS2 program is not a generic chatbot nor a tool based exclusively on public information. It is a specialized system, built and trained for almost a year by the Sectio Aurea team, based on experience applied in transformative NIS2 implementation projects.
This agent integrates:
– real experience gained in NIS2 implementations in critical and regulated organizations;
– applied interpretations of the NIS2 Directive and GEO 155/2024, validated in real contexts;
– practical correlations between BIA, assets, risks and controls;
– expertise in specific areas of information security relevant to NIS2;
– international best practices, including the NIST Cybersecurity Framework.
It does not provide theoretical answers, but execution-oriented guidance: how to complete a register, how to formulate a management decision, how to correlate a risk with a control, or how to justify a measure to auditors or authorities.
In the context of the local market, this represents a major differentiator: an AI agent specialized in NIS2 implementation in Romania, configured based on real experience and adapted to legislative and operational specifics.
The result for the organization is ongoing access to applied expertise, reduced dependence on hourly consulting, and accelerated implementation without compromising the quality or consistency of the compliance framework.
Can we start with the basic version and then expand?
Yes. Start NIS2 is designed for exactly this phased approach.
The program represents Level 1 – Foundation in the maturity journey. It builds the governance structure, initial documentation, and basic risk assessment.
After completing this stage, the organization can progressively continue with:
– Strengthening NIS2 – extending implementation to all areas of the directive;
– NIS2 digitalization – register automation and integration into GRC platforms;
– Outsourced Security Director – continuous strategic coordination;
– IT Security Operation and SOC – technical implementation and permanent monitoring.
The structure is modular and scalable.
It is not necessary to commit to a complex program from the beginning.
In short: you start with the foundation and evolve based on the maturity, budget, and priorities of the organization.
What if we are already partially implemented?
If the organization has already started implementation – has policies, certain technical controls, or formalized processes – the next logical step is not Start NIS2, but an NIS2 Audit.
The role of the audit is to:
– assess the actual level of compliance with the NIS2 Directive and GEO 155/2024;
– identify gaps between documentation and practice;
– analyze the coherence between risks, controls and responsibilities;
– verify the operational maturity of the implemented measures;
– clearly prioritize next steps.
Often, organizations are "partially implemented" at the declarative level, but without full traceability or correlation between areas (BIA, assets, risks, controls).
An NIS2 Audit provides an objective and documented picture of the current position and determines which of the following is necessary:
– strengthening implementation;
– digitalization of processes;
– activation of a governance service (outsourced CISO);
– or operational interventions (ITSecOPS, SOC).
In short:
If you have already started, the first step is to assess your actual maturity.
Subsequent decisions must be made based on objective analysis, not internal perception.
What can we demonstrate in the event of an inspection?
After implementing Start NIS2, the organization can demonstrate that it has begun compliance in a structured, documented and risk-proportionate manner.
Specifically, in the event of an inspection, you can present:
– Global Security Policy formally approved by management;
– the complete set of sub-policies relevant to NIS2;
– the result of the Business Impact Analysis (BIA);
– IT asset register correlated with critical processes;
– initial risk register, with assessment and prioritization;
– governance structure and assigned responsibilities;
– the phased implementation plan and proof of progress.
These elements demonstrate:
✔ management level commitment;
✔ the existence of a clear methodology;
✔ identification of critical assets and processes;
✔ formal risk assessment;
✔ existence of a treatment and maturation plan.
Start NIS2 does not guarantee the absence of any non-compliance — but it allows the organization to demonstrate diligence, real progress, and a systematic approach, not a reactive or superficial one.
In the context of an audit, the major difference is between stating that "we are working on implementation" and being able to present documents, records, and formal decisions that support this.
Are you ready to start implementing NIS2?
If you have decided to order the Start NIS2 package, the process is simple, fast and completely digital.
In just a few steps, you will have immediate access to the documentation and tools needed to start compliance.
How it works:
– Submit the order form. Read the End User License Agreement.
– Fill out the form with your company details and billing information.
– We confirm and send you the proforma invoice.
– Make the payment. After confirming the payment, we activate access within a maximum of one day.
– You receive secure access to documentation. We continuously share with you a secure Microsoft 365 area, from where you can download the full content of the Start NIS2 package and where you can later access any ongoing additions and optimizations.
– Activate access to the specialized ChatGPT agent. You receive nominal access to the dedicated agent, ready to assist you in applying the documentation and clarifying the NIS2 requirements.
– For public institutions: following the order in the form, your position in the public procurement catalog of SC Sectio Aurea SRL, CUI RO18334569, is confirmed.
























