Penetration and source-code audits by an attested cybersecurity auditor.
Romania's NIS2 law makes periodic cybersecurity audits mandatory for essential and important entities — performed only by auditors holding a valid DNSC attestation, with results and remediation plans reported to the Directorate. Vulnium delivers the technical audit activities defined in the attestation regulation: AS4 penetration audits and AS3 source-code audits, in the DNSC per-activity report format.
OUG 155/2024, approved by Legea 124/2025, transposed NIS2 into Romanian law. If your company is registered as an essential or important entity, this is what the law already says:
Cybersecurity audits are mandatory and recurring — plus ad-hoc audits after significant incidents or within 180 days of major system changes (art. 57).
Audits may be performed only by auditors holding a valid DNSC attestation. At the last published count, the national register held roughly 120 attested persons — capacity will be scarce when the audit calendar lands (art. 58(1)).
Fines reach €10M or 2% of worldwide turnover for essential entities (€7M / 1.4% for important ones) — and enforcement tends to start with documentation gaps, not breaches.
After the audit report, your remediation plan goes to DNSC within 15 working days, with implementation confirmed after the deadline passes. The audit is the start of a tracked process, not a PDF (art. 57(8)).
The DNSC regulation defines six audit activities. Our special-type attestation covers the two that require offensive expertise — the ones that produce technical evidence instead of checklist answers.
Penetration audit
Realistic attack conditions against your in-scope systems: vulnerabilities identified, exploitability verified, impact demonstrated. Executed by OSCP/OSWE-certified operators and reported in the DNSC per-activity format.
Source-code audit
Total or partial analysis of source code and build conditions for vulnerabilities born of unsafe practice or logic errors — the audit activity most vendors can't staff, matched to our OSWE-level web exploitation background.
Industrial control systems audit
For industrial-control environments, our attestation covers the special (AS3/AS4) portions of the mixed ICS audit activity — penetration and code analysis adapted to OT constraints.
A full NIS2 conformity audit also involves the common activities — architecture (AS1), configuration (AS2) and organizational security (AS5) — which require a common- or general-type attestation. When your engagement needs the full scope, we partner with attested common-type auditors and deliver one coordinated engagement with per-activity reports, as the regulation requires. You get one accountable team, not a vendor puzzle.
Under art. 58(3), your auditor cannot currently provide you other cybersecurity services, nor have done so in the previous year — and may serve at most three consecutive audits. So decide early which role we play: your auditor, or your testing and remediation partner. We'll tell you honestly which fits — even when the answer sends the audit elsewhere.
Security-ratings platforms scan your vendors from the outside and compress the result into a score. Useful for screening — but a score can't tell you whether a finding is real, reachable, or sitting in front of your data. NIS2 art. 21(2)(d) expects documented supply-chain security, not a dashboard. This is the validation layer on top.
Your score dropped, or a critical vendor got flagged. We establish within days whether the finding is real, reachable and exploitable — an evidence-backed verdict instead of a 90-day questionnaire cycle.
False attributions from shared hosting and stale IP data are the ratings industry's best-documented flaw. We separate the real findings from the noise, fix the former, and drive the dispute on the latter with technical evidence.
With their consent, we pentest the three-to-five suppliers whose compromise would actually take you down — the evidence layer questionnaires and outside-in scores structurally cannot provide.
DNSC's technical norms will fix the audit periodicity and themes — and when they do, every in-scope entity in Romania will be calling the same short register of attested auditors. Scope your technical audit now and you won't be competing for capacity later.