What is CyFunRO and how to calculate ENIRE@RO risk level
Complete guide to the official DNSC risk evaluation methodology. Learn how to calculate your CyFunRO score and how many controls you need to implement (38, 90, or 140).
Introduction
If you've checked your organization's NIS2 eligibility, you've probably heard about CyFunRO and ENIRE@RO. But what do these terms actually mean and why do they matter for your compliance?
In this guide, we explain the official DNSC methodology for calculating risk levels and why not all NIS2 organizations need to implement all 140 controls.
What is CyFunRO?
CyFunRO (Cybersecurity Function Romania) is the official cybersecurity level established by DNSC for each organization in the NIS2 scope. There are three levels:
| Level | ENIRE@RO Score | Required Controls |
|---|---|---|
| BASIC | 0-99 points | ~38 controls |
| IMPORTANT | 100-199 points | ~90 controls |
| ESSENTIAL | 200+ points | ~140 controls |
Why does this matter? The CyFunRO level determines exactly which security controls you must implement. A Basic level organization doesn't need to implement all 140 controls—only the ~38 fundamental ones.
What is ENIRE@RO?
ENIRE@RO (Risk Level Evaluation for Romanian Entities) is the official DNSC tool for calculating risk scores. The current version is v1.2.
The methodology evaluates 4 main criteria:
1. Entity Size (10-100 points)
| Category | Employees | Score |
|---|---|---|
| Micro/Small | < 50 | 10 points |
| Medium | 50-249 | 50 points |
| Large | >= 250 | 100 points |
2. Attack Nature (25-75 points)
| Attack Type | Description | Score |
|---|---|---|
| Global/Untargeted | Mass malware, generic phishing | 25 points |
| Targeted/APT | Targeted attacks, nation-state | 75 points |
Attack nature depends on sector and organization profile. Critical infrastructure entities (energy, transport, healthcare) are more susceptible to targeted attacks.
3. Impact Level (25-150 points)
| Impact | Description | Score |
|---|---|---|
| Low | Affects < 10,000 people, losses < €1M | 25 points |
| Medium | Affects 10,000-100,000 people, losses €1-10M | 75 points |
| High | Affects > 100,000 people, losses > €10M | 150 points |
4. Incident Probability (25-150 points)
| Probability | Description | Score |
|---|---|---|
| Low | Incident unlikely in next 3 years | 25 points |
| Medium | Incident possible in next 1-3 years | 75 points |
| High | Incident likely in next year | 150 points |
CyFunRO Calculation Formula
The final score is calculated with the formula:
CyFunRO Score = (Size × Attacks × Impact × Probability) / 1000
Calculation Examples
Example 1: Medium IT Company
- Size: 50 points (medium)
- Attacks: 25 points (global)
- Impact: 25 points (low)
- Probability: 75 points (medium)
Score = (50 × 25 × 25 × 75) / 1000 = 2.34 points → BASIC
Example 2: Regional Hospital
- Size: 100 points (large)
- Attacks: 75 points (targeted - healthcare)
- Impact: 150 points (high - human lives)
- Probability: 75 points (medium)
Score = (100 × 75 × 150 × 75) / 1000 = 843 points → ESSENTIAL
Which Controls Apply at Each Level?
BASIC Level (~38 controls)
Fundamental security controls:
- Basic security policies
- IT asset inventory
- Backup and data recovery
- Antivirus and firewall
- Incident response plan
- Account security (passwords, access)
- Updates and patches
IMPORTANT Level (~90 controls)
All BASIC controls plus:
- Multi-factor authentication (MFA)
- Network monitoring
- Vulnerability scanning
- Business continuity plan (BCP)
- Internal security audits
- Email security
- Network segmentation
ESSENTIAL Level (~140 controls)
All IMPORTANT controls plus:
- SIEM (Security Information and Event Management)
- Threat intelligence
- Periodic penetration testing
- Digital forensics
- Supply chain security
- Red team / Blue team exercises
- Zero trust architecture
Multi-Sector Organizations
If your organization operates in multiple NIS2 sectors (maximum 6), the situation is more complex:
- Separate evaluation for each sector
- Overall CyFunRO level = highest level across all sectors
- Applicable controls = union of controls for all levels
Example: A company operates in Transport (Basic level) and Energy (Important level). The overall level is Important, so they must implement ~90 controls.
The ENIRE@RO Document (Annex 2)
When registering with DNSC, you must submit Annex 2 containing:
- Organization data
- Sector(s) of activity
- Justification for each criterion (size, attacks, impact, probability)
- CyFunRO score calculation
- Resulting level
NIS2 Manager automatically generates this document in PDF format according to official DNSC requirements.
Why the ENIRE@RO Methodology Matters
1. Proportionality
Not all organizations present the same risk. A small courier company has a different risk profile than an electric grid operator.
2. Efficiency
Implementing 38 controls vs 140 means a major difference in effort and resources. Focus on what matters for your level.
3. Demonstrable Compliance
DNSC will verify if implemented controls correspond to your CyFunRO level. Implementing the wrong controls = non-compliance.
How NIS2 Manager Helps
Our platform:
- Automatically calculates CyFunRO score based on organization data
- Guides evaluation with specific questions for each criterion
- Filters controls so you only see those applicable to your level
- Generates Annex 2 in PDF format per DNSC requirements
- Supports multi-sector for complex organizations
Next Steps
- Check eligibility with our free calculator
- Perform ENIRE@RO evaluation to find your CyFunRO level
- Focus on relevant controls for your level
- Generate documentation for DNSC registration
Conclusion
Understanding the ENIRE@RO methodology and CyFunRO levels is essential for efficient NIS2 compliance. Don't overcomplicate with all 140 controls if your level is Basic—focus on what matters.
NIS2 Manager is a product by BetterQA, one of Europe's top software testing companies. The platform automatically calculates CyFunRO level and generates documentation required for DNSC.
