OUG 155/2024 · DNSC

NIS2 compliance
without complexity,
faster and more accessible.

ZeroLix delivers NIS2 cybersecurity audits for Romanian entities, guided by DNSC-certified auditors and accelerated by our own technology.

Enter platform → How it works Try the demo Contact
Aliniat la cadrul legal
OUG 155/2024 Legea 124/2025 DNSC CSF v2.2 NIS2 Directive CyFun Maturity
0maximum fine from annual turnover
0days, DNSC notification deadline
0steps from registration to compliance
0years, audit recurrence for essential entities
Compliance process

First, see everything you have.

The scan starts with legal classification and an exposure X-ray: who you are, what risks you carry, where you stand against the requirements.

  • 01Identification and registration. Essential or Important Entity classification, DNSC notification within 30 days.
  • 02Risk assessment (ENIRE@RO). The impact of a potential incident, submitted to DNSC.
  • 03Maturity self-assessment. Complete gap analysis under Art. 30 of OUG 155/2024.
From gaps to compliance

Then close every gap.

Identified vulnerabilities become an implementation plan, and the external audit officially confirms compliance.

  • 04Implementation period. One year to remediate deficiencies: MFA, encryption, backup, training.
  • 05Security audit. External DNSC-certified auditor; report submitted within 30 days.
  • 06Maintenance and recurrence. Audit every 2 years; incidents reported in 24h / 72h.
Why ZeroLix

DNSC-certified auditors. Proprietary platform.

We combine certified cybersecurity expertise with our own digital tool that automates data collection, entity classification, and report generation.

The result: faster audits, more accessible pricing, complete traceability.

Platform

The whole audit process in one place.

Automatic NIS2 classification, maturity assessment across 31 controls, auditor verdict, dedicated client portal, effort estimation, and complete history.

Proof

Every answer, recorded.

Every finding and every verdict, with timestamp and digital signature. The audit report is generated automatically, ready for DNSC submission.

Start now

Already a ZeroLix client?

Access the platform with the credentials received from our audit team.

The complete path from registration
to full compliance

Six structured stages, each with a clear deadline, defined action, and explicit ZeroLix role.

01

Identification and Registration

Determine whether the organization qualifies as an Essential or Important Entity. Generate the notification form and submit it to DNSC within 30 days.

Deadline: 30 days
02

Risk Assessment (ENIRE@RO)

Risk analysis according to the ENIRE methodology. Determine the impact of a potential incident. The document is submitted to DNSC and supports technical investment decisions.

Immediate action
03

Maturity Self-Assessment

A current view of cybersecurity maturity under Art. 30 of OUG 155/2024. Complete gap analysis to identify exactly which measures are missing against legal requirements.

Report submitted to DNSC
04

Implementation Period

One year to remediate deficiencies. Implement technical measures such as MFA, encryption, and backups, train C-level staff, and secure IT supplier relationships.

Max. 1 year
05

Cybersecurity Audit

External audit by a DNSC-certified auditor. The audit report is submitted to DNSC within 30 days after completion, officially confirming compliance with applicable legislation.

DNSC-certified auditor
06

Maintenance and Recurrence

NIS2 compliance is a continuous process. Essential Entities repeat audits every 2 years. Incidents require 24h early warning and 72h full notification.

2-year cycle

Real expertise,
automated process

Faster than the traditional method

Your team completes questionnaires digitally before the audit. The auditor receives structured data, without email chains or Excel files. We reduce turnaround time by up to 40%.

Your data stays with you

The platform runs on-premise, in infrastructure we control. Sensitive information does not flow into third-party clouds. Security by design.

Complete traceability

Every answer, finding, and verdict is recorded with timestamp and digital signature. The audit report is generated automatically, ready for DNSC submission.

Designed for recurrence

The entity profile stays in the system. At re-audit, you continue from the last state. Essential companies with 2-year audit cycles save significantly compared with starting from zero.

The whole audit process
in one place

From initial NIS2 classification to cybersecurity maturity assessment and final report.

NIS2 classification

Structured questionnaire across 3 sections: size, services provided, and legal data. Automatic classification under OUG 155/2024 and the DNSC V2.2 algorithm.

Maturity assessment

31 controls across 3 domains: Governance (G1-G10), Technical (T1-T14), Incidents & Continuity (I1-I7). Maturity score by domain and overall.

Auditor verdict

The auditor records findings per control, identifies discrepancies against the self-assessment, and issues the final verified classification verdict.

Dedicated client portal

Each entity accesses its own secure portal. It completes questionnaires, tracks progress, and views the results published by the auditor.

Audit effort estimate

Based on entity size and maturity score, the platform automatically estimates the person-days required for the complete audit.

Complete history

All ANAF lookups, questionnaires, and verdicts are stored with timestamps. The foundation for re-audits and long-term proof of compliance.