Self-assessment vs external audit under NIS2: what you need to know
Under OUG 155/2024, organizations have two separate obligations: annual self-assessment and periodic external audit by a DNSC-accredited auditor. Learn what each covers.
Introduction: two separate obligations
The NIS2 Directive, transposed in Romania through OUG 155/2024 and supplemented by Law 124/2025, imposes two distinct cybersecurity obligations on organizations: annual maturity self-assessment and periodic external audit performed by a DNSC-accredited auditor (the national competent authority for cybersecurity in Romania).
These two processes are not substitutes for one another. The self-assessment is an internal, continuous activity through which the organization measures its own level of compliance. The external audit is an independent verification, performed by an authorized third party, which confirms or refutes the results of the self-assessment.
In this article we explain what each process covers, what the law requires, and how you can prepare for both.
What the annual self-assessment covers
The cybersecurity maturity self-assessment is the organization's obligation to analyze its own level of implementation of security measures, according to the CyFunRO framework established by DNSC.
In practice, the self-assessment involves:
- Going through applicable controls (38 for Basic level, 90 for Important, 140 for Essential)
- Evaluating the degree of implementation for each control (not implemented, partial, complete)
- Collecting evidence supporting the declared level (policies, configurations, screenshots, reports)
- Calculating the maturity score for each function (Identify, Protect, Detect, Respond, Recover)
- Reporting results to the national competent authority (DNSC) within the legal deadline
Legal deadline
According to OUG 155/2024, the self-assessment must be completed and submitted to DNSC within 60 days after the end of each quarter (Q2+60 days). The first self-assessment becomes mandatory after the entity registers with DNSC.
Why self-assessment matters
The self-assessment is not just a formality. It is the mechanism through which the organization's management demonstrates that it understands cyber risks and has taken concrete measures. Article 20 of the NIS2 Directive establishes that management bodies bear direct responsibility for approving and overseeing security measures.
What the external audit covers
The external audit is an independent evaluation performed by a cybersecurity auditor accredited by the national competent authority (DNSC in Romania). The purpose of the audit is to verify whether the measures declared by the organization are effectively implemented and functional.
The external audit evaluates:
- Compliance with legal requirements (OUG 155/2024, DNSC orders)
- Effective implementation of CyFunRO controls declared in the self-assessment
- Effectiveness of technical and organizational measures
- Incident detection and response capability
- Documentation and evidence associated with each control
Essential vs important entities
The frequency and type of audit differ based on the organization's classification:
Essential entities (CyFunRO Essential level): proactive, periodic audit, according to the schedule established by the national competent authority. These are organizations in high-criticality sectors (energy, transport, healthcare, digital infrastructure).
Important entities (CyFunRO Important or Basic level): reactive audit, triggered by the authority following indications of non-compliance or after a reported security incident.
Who can perform the audit
The external audit can only be performed by auditors accredited by DNSC. Accreditation requires meeting competence, independence, and experience criteria established through DNSC Orders No. 1 and 2 of 2025.
Legal basis
The legislative framework governing both obligations includes:
- OUG 155/2024: transposition of the NIS2 Directive into Romanian law, establishing obligations for essential and important entities
- Law 124/2025: amendments to OUG 155/2024, clarifying deadlines and procedures
- DNSC Order No. 1/2025: risk assessment methodology (ENIRE@RO) and CyFunRO levels
- DNSC Order No. 2/2025: requirements for cybersecurity auditor accreditation
Key differences: self-assessment vs external audit
| Aspect | Self-assessment | External audit |
|---|---|---|
| Who performs it | Organization (internal) | DNSC-accredited auditor |
| Frequency | Annual (Q2+60 days) | Periodic (essential) or reactive (important) |
| Purpose | Measuring own maturity | Independent verification |
| Output | Internal report + DNSC submission | Official audit report |
| Accountability | Organization management | Auditor + management |
| Applicability | All registered entities | Based on DNSC classification |
How NIS2 Manager helps with self-assessment
NIS2 Manager is the self-assessment platform that guides you through the entire compliance process:
- Walk through all 140 CyFunRO controls with explanations in Romanian
- Evaluate the implementation level for each control
- Upload evidence (documents, screenshots, reports) directly in the platform
- Generate maturity reports for each security function
- Monitor progress and identify gaps before the external audit
- Export documentation required for DNSC
A properly completed self-assessment in NIS2 Manager prepares you for the external audit: you have controls evaluated, evidence collected, and reports generated. The external auditor will find organized and traceable documentation.
BetterQA: platform and audit, from the same partner
BetterQA offers both components needed for NIS2 compliance:
- Self-assessment platform: NIS2 Manager, available now, for internal cybersecurity maturity evaluation
- External audit services: BetterQA is in the process of obtaining DNSC accreditation for cybersecurity auditing
The advantage of a partner offering both services: the compliance process is integrated from the start. The self-assessment in the platform aligns with the criteria the auditor will verify, reducing surprises and preparation effort.
Check your organization's eligibility with our free calculator and start the self-assessment before the first legal deadline.
Built by BetterQA
