NIS2 · OUG 155/2024 · Legea 124/2025

NIS2 technical audits, DNSC-attested

Penetration and source-code audits by an attested cybersecurity auditor.

Romania's NIS2 law makes periodic cybersecurity audits mandatory for essential and important entities — performed only by auditors holding a valid DNSC attestation, with results and remediation plans reported to the Directorate. Vulnium delivers the technical audit activities defined in the attestation regulation: AS4 penetration audits and AS3 source-code audits, in the DNSC per-activity report format.

DNSC attestation, special type (AS3 · AS4) · OSCP and OSWE holders on the audit team · Reports in the DNSC per-activity format
The obligation

The audit is not optional. Neither is the choice of auditor.

OUG 155/2024, approved by Legea 124/2025, transposed NIS2 into Romanian law. If your company is registered as an essential or important entity, this is what the law already says:

Periodic + ad-hoc

Cybersecurity audits are mandatory and recurring — plus ad-hoc audits after significant incidents or within 180 days of major system changes. (art. 57)

Attested only

Audits may be performed only by auditors holding a valid DNSC attestation. At the last published count, the national register held roughly 120 attested persons — capacity will be scarce when the audit calendar lands. (art. 58(1))

€10M / 2%

Fines reach €10M or 2% of worldwide turnover for essential entities (€7M / 1.4% for important ones) — and enforcement tends to start with documentation gaps, not breaches.

15 working days

After the audit report, your remediation plan goes to DNSC within 15 working days, with implementation confirmed after the deadline passes. The audit is the start of a tracked process, not a PDF. (art. 57(8))

Attested audit activities

What our attestation covers — exactly

The DNSC regulation defines six audit activities. Our special-type attestation covers the two that require offensive expertise — the ones that produce technical evidence instead of checklist answers.

AS4

Penetration audit (regulatory name: Auditul de penetrare)

Realistic attack conditions against your in-scope systems: vulnerabilities identified, exploitability verified, impact demonstrated. Executed by OSCP/OSWE-certified operators and reported in the DNSC per-activity format.

AS3

Source-code audit (regulatory name: Auditul codului sursă)

Total or partial analysis of source code and build conditions for vulnerabilities born of unsafe practice or logic errors — the audit activity most vendors can't staff, matched to our OSWE-level web exploitation background.

AS6

ICS audit — technical portions (regulatory name: Auditul sistemelor de control industrial)

For industrial-control environments, our attestation covers the special (AS3/AS4) portions of the mixed ICS audit activity — penetration and code analysis adapted to OT constraints.

Where our attestation stops — and what we do about it

A full NIS2 conformity audit also involves the common activities — architecture (AS1), configuration (AS2) and organizational security (AS5) — which require a common- or general-type attestation. When your engagement needs the full scope, we partner with attested common-type auditors and deliver one coordinated engagement with per-activity reports, as the regulation requires. You get one accountable team, not a vendor puzzle.

Auditor independence is law

Under art. 58(3), your auditor cannot currently provide you other cybersecurity services, nor have done so in the previous year — and may serve at most three consecutive audits. So decide early which role we play: your auditor, or your testing and remediation partner. We'll tell you honestly which fits — even when the answer sends the audit elsewhere.

Third-party risk validation

Ratings tell you who looks risky. We prove what's exploitable.

Security-ratings platforms scan your vendors from the outside and compress the result into a score. Useful for screening — but a score can't tell you whether a finding is real, reachable, or sitting in front of your data. NIS2 art. 21(2)(d) expects documented supply-chain security, not a dashboard. Our third-party risk validation is the evidence layer on top of that score.

Rating-drop validation

Your score dropped, or a critical vendor got flagged. We establish within days whether the finding is real, reachable and exploitable — an evidence-backed verdict instead of a 90-day questionnaire cycle.

Score-dispute remediation

False attributions from shared hosting and stale IP data are the ratings industry's best-documented flaw. We separate the real findings from the noise, fix the former, and drive the dispute on the latter with technical evidence.

Critical-vendor penetration audit

With their consent, we pentest the three-to-five suppliers whose compromise would actually take you down — the evidence layer questionnaires and outside-in scores structurally cannot provide.

Continuous supplier oversight, powered by Pythia

Between audits, Pythia watches KEV, vendor PSIRTs and threat research daily and answers one question: which of my suppliers' technology is being exploited in the wild right now — and does it touch us? Your vendor list never leaves your infrastructure.


Get ahead of the audit calendar

DNSC's technical norms will fix the audit periodicity and themes — and when they do, every in-scope entity in Romania will be calling the same short register of attested auditors. Scope your technical audit now and you won't be competing for capacity later.