8. Demonstration Scenario: Application to Politehnica University Timisoara
This section demonstrates the applicability of the proposed framework using Politehnica University Timisoara (UPT) as an illustrative higher education institution. The demonstration is not presented as a formal audit, certification exercise, or institutional security assessment. Its purpose is to show how the proposed NIS2–ISO/IEC 27001:2022 framework can be instantiated in a real university context, using publicly available institutional information and a limited set of representative service domains.
UPT is a public technical university with a complex educational, research, administrative, and student-support mission. Public institutional information describes UPT as having ten faculties and a large academic community, with more than 12,800 students enrolled across bachelor, master, doctoral, and postdoctoral cycles, supported by more than 600 teaching staff and more than 700 administrative staff [
18]. The university also operates a significant physical and educational infrastructure, including teaching and research spaces, student residences, and support services [
18]. This scale and diversity make UPT a representative case for demonstrating the applicability of a cybersecurity governance framework adapted to higher education institutions.
The choice of UPT is also justified by the institution’s explicit strategic orientation toward digitalization: its strategic plan emphasizes decentralized decision-making and software-supported information transfer [
21], and its digital transformation strategy targets increased digitalization of the entire university [
22]. This creates a relevant environment in which digital transformation, institutional autonomy, decentralized operation, and compliance requirements must be considered together.
8.1. Institutional Context
The institutional context of UPT reflects characteristics typical for technical universities: a multi-faculty structure with distributed educational and research activities, a combination of central administrative services and specialized teaching or research infrastructures, and a heterogeneous user population of students, staff, researchers, external collaborators, and international partners.
This organizational structure is relevant for NIS2 and ISO/IEC 27001:2022 implementation because cybersecurity responsibility cannot be reduced to a single technical unit. The Senate of UPT is described in the institutional regulation as the highest forum for regulation, decision, and debate, functioning under the principles of university autonomy, academic freedom, and transparency [
24]. These principles are important when adapting cybersecurity controls to a university environment. A security measure that may be straightforward in a centralized enterprise can be difficult to apply in a university if it conflicts with academic mobility, research autonomy, open collaboration, or decentralized decision-making.
The demonstration therefore treats UPT as a distributed socio-technical system, applying the framework through representative service domains that each illustrate a different aspect of institutional cybersecurity governance.
8.2. Identity and Access Management Baseline
A cross-cutting service domain for the UPT scenario is identity and access management. In the demonstration scenario, identity services are treated as a foundational cybersecurity capability, since they support access to teaching platforms, student services, administrative systems, communication services, and collaborative environments. UPT uses a Microsoft 365 and Active Directory-based identity infrastructure for institutional authentication and user management. In practical terms, this creates a central identity layer that can support account lifecycle management, institutional email, cloud collaboration, group-based authorization, and integration with university digital services.
The identity layer is complemented by a publicly accessible password self-service endpoint based on the open-source PWM application [
25,
26]. In the proposed model, this component is interpreted as a password self-service layer connected to the institutional directory, not as the identity provider itself.
From the perspective of the proposed framework, this identity layer should be considered part of the initial ISMS scope. Its relevance is structural: most other service domains depend on it. A compromise of institutional credentials may propagate toward student services, digital education platforms, administrative workflows, research collaboration environments, and external cloud services. Consequently, identity and access management should be treated as one of the main control domains for both NIS2 risk management and ISO/IEC 27001:2022 implementation.
The technical control baseline for this domain should include centralized account lifecycle management, role-based access control, privileged-account separation, multi-factor authentication for administrative and high-risk accounts, periodic privileged-user review, authentication logging, and secured self-service password reset, with lifecycle rules aligned to institutional status (admission, employment, enrolment, graduation, suspension, project participation, termination).
The evidence package should include identity-architecture documentation, lifecycle procedures, privileged-access review records, MFA coverage reports, administrator-role assignments, and incident records related to account compromise. Because identity is a dependency for several other domains, it should also be linked in the evidence repository to digital education, administrative systems, and research infrastructures.
8.3. Digital Education and Student-Facing Services
A first representative service domain is digital education and student-facing services. UPT publicly describes the development of a digital education ecosystem over more than two decades, organized around a progression from digitization toward digital transformation [
19]. A central component of this ecosystem is Campus Virtual UPT, publicly accessible through
cv.upt.ro, developed by the ID/IFR and e-Learning Center. The platform is described as an online academic-support environment for all UPT faculties and distance-learning activities, supporting online learning, mobile learning, academic and administrative support, communication, and blended-learning activities for master and doctoral students [
20]. Public information also describes the platform as Moodle-based and continuously developed from earlier institutional e-learning initiatives [
20].
The student-facing digital ecosystem also includes public services such as student.upt.ro and catalog.upt.ro. These platforms are relevant because they support administrative and academic interaction with students, including student information, educational records, academic status, and access to institutional processes. In the proposed framework, such services should be classified as critical or important university services, depending on the precise service dependency, data processed, and continuity requirements.
Within the proposed framework, cv.upt.ro should be classified primarily as a critical teaching and communication service. Its cybersecurity relevance derives from the number of users, the dependency of teaching activities on platform availability, the processing of student-related data, the need for authenticated access, and the reputational impact of service disruption or compromise. In ISO/IEC 27001:2022 terms, this domain requires clear asset ownership, access control, supplier and software-management procedures, logging, backup, incident handling, and continuity planning. In NIS2 terms, the same domain is relevant to risk-management measures, incident detection and reporting workflows, continuity of essential digital services, and supply-chain or platform-dependency analysis.
For demonstration purposes, Campus Virtual is first included in the ISMS scope, its assets are classified (application components, authentication mechanisms, course content, accounts, logs, backups, administrative interfaces), and risks are assessed for scenarios such as account compromise, unauthorized access, unavailability during examination periods, ransomware, and role misconfiguration. The corresponding treatment plan can include MFA for privileged accounts, role-based access control, administrator-account review, backup and restore testing, vulnerability management, logging and alerting, and incident playbooks.
8.4. Institutional Administrative and Student Services
A second service domain concerns institutional administrative and student-facing services, including
student.upt.ro and
catalog.upt.ro. UPT’s digital transformation strategy mentions concrete institutional digitalization initiatives such as electronic registry, the
student.upt.ro application, and the virtual catalogue, as part of the effort to increase institutional digitalization and improve information exchange through modern software applications and data structures [
22]. In this paper, these services are treated as representative examples of administrative and academic-support platforms that require formal cybersecurity governance.
Compared to the digital education domain, administrative and catalogue-related systems tend to present higher integrity and confidentiality requirements. They may support official student records, administrative workflows, formal requests, grades, academic status information, and institutional reporting. The risk model should therefore include not only availability scenarios, but also unauthorized modification, incorrect data synchronization, privilege misuse, insufficient segregation of duties, and inadequate traceability of administrative actions.
For ISO/IEC 27001:2022 implementation, this domain requires clear definition of process owners, information owners, access roles, retention rules, backup procedures, audit logs, and change-management procedures. From a NIS2 perspective, the domain illustrates the importance of governance and management accountability: the protection of administrative systems is not only a technical matter, but a requirement for maintaining institutional function and trust. Evidence for this domain may include access-review records, change approvals, incident logs, backup-test reports, user-management procedures, and documented responsibilities between central IT services and administrative departments.
8.5. Research and Laboratory Infrastructure
A third service domain concerns research and laboratory infrastructure. As a technical university, UPT operates educational and research infrastructures across engineering, computer science, electronics, energy, architecture, civil engineering, mechanical engineering, and related fields [
18]. Such environments are particularly relevant for cybersecurity governance because they often combine teaching laboratories, research prototypes, specialized equipment, locally managed systems, externally funded projects, and collaboration with industrial or international partners.
For the UPT demonstration, particular attention should be given to engineering and computer-related academic units, including the Faculty of Automation and Computers and the Faculty of Electronics, Telecommunications and Information Technologies. These units are representative of the challenges encountered in technical universities: laboratory networks, student development environments, experimental platforms, embedded and industrial systems, research prototypes, specialized software, externally funded research projects, and collaboration with industrial partners. Such environments cannot be treated in exactly the same way as administrative information systems, because they often require experimentation, reconfiguration, controlled exposure, or temporary exceptions.
Such environments may include experimental systems, non-standard configurations, legacy devices, instrumentation networks, and externally provided software, and they require openness and flexibility to support experimentation, so strict uniform controls may be impractical or counterproductive. The framework addresses this through the cross-cutting constraint of academic compatibility: environments are classified according to risk, connectivity, data sensitivity, and institutional dependency rather than forced into a single control profile.
For demonstration purposes, research and laboratory infrastructure can be divided into at least three categories. The first category includes isolated or low-risk teaching laboratories, where the primary concern is availability and recovery. The second category includes connected laboratories that interact with institutional identity, file storage, cloud services, or externally accessible systems. The third category includes higher-risk research infrastructures that process sensitive data, support externally funded projects, connect to industrial partners, or expose services to the Internet. Each category requires a different control baseline. For example, isolated teaching laboratories may emphasize imaging, recovery, account hygiene, and network separation, while higher-risk research infrastructures may require stronger access control, logging, vulnerability management, segmentation, supplier assessment, and documented risk acceptance.
This domain also demonstrates why an HEI-specific approach is necessary. A generic ISO/IEC 27001 implementation may identify laboratory systems as assets, but it may not sufficiently account for the academic need to experiment, reconfigure, and collaborate. Conversely, treating all research autonomy as an exception would weaken institutional cybersecurity governance. The proposed framework addresses this tension by requiring explicit risk ownership, documented exceptions, compensating controls, and periodic review.
Figure 3 summarizes the high-level IT context used in the UPT demonstration scenario. The figure is intentionally abstract and avoids implementation details such as internal network topology, tenant configuration, privileged role names, policy identifiers, server locations, or integration secrets.
The diagram should not be interpreted as a complete technical architecture of UPT. Rather, it identifies the minimum set of public and high-level institutional elements needed to demonstrate how the proposed framework connects identity management, digital education, student services, administrative systems, research infrastructure, control implementation, and compliance evidence.
8.6. Application of the Framework to UPT
Table 5 is not presented as an exhaustive legal equivalence table. Its purpose is to make the framework’s traceability explicit by linking each framework component to concrete NIS2 article anchors and to ISO/IEC 27001:2022 clauses or Annex A controls that can produce auditable institutional evidence.
The demonstration shows that the same framework can be applied to domains with different cybersecurity profiles. In the identity domain, the main emphasis is on account lifecycle, authentication, privilege control, and monitoring. In the digital education domain, the main emphasis is on availability, access control, and continuity of teaching. In the administrative domain, the emphasis shifts toward integrity, confidentiality, traceability, and governance. In the research and laboratory domain, the dominant issue is the balance between cybersecurity control and academic flexibility. This confirms the relevance of treating academic compatibility as a cross-cutting constraint rather than as a separate framework layer.
8.7. Indicative Maturity Assessment
Table 6 presents an indicative maturity assessment for the selected UPT service domains, applying the scoring rules of
Section 7.1 to publicly available information. The values are not audit results: they demonstrate how the maturity model can structure institutional discussion, identify uneven development, and prioritize implementation steps, and they should be validated through internal interviews, evidence review, and technical assessment.
The indicative maturity assessment highlights a typical pattern for higher education institutions. Centralized and widely used services, such as identity management and digital education platforms, tend to have more mature operational practices. By contrast, research and laboratory environments are more heterogeneous and require a gradual, risk-based implementation approach. The purpose of the maturity assessment is therefore not to produce a single institutional score, but to identify the uneven distribution of cybersecurity capability across institutional domains.
8.8. Evidence Repository for the UPT Scenario
The proposed framework also requires that cybersecurity governance be supported by evidence. Public information indicates that UPT already maintains public sections for institutional strategies, reports, audit-related documents, and other information of public interest [
23]. While these documents are not cybersecurity evidence in themselves, they indicate the existence of institutional reporting and transparency mechanisms that can be extended or complemented by an internal cybersecurity evidence repository.
For the UPT scenario, the evidence repository should be organized by framework layer and by service domain, following the evidence categories of the traceability matrix in
Table 5: identity-lifecycle and privileged-access records for the identity domain; ownership, backup-testing, and continuity records for digital education; access, change-management, and audit-log records for administrative services; and asset classification, documented exceptions, and compensating controls for research infrastructure.
The repository should not be designed as a static document archive. It should be treated as an operational compliance layer that supports management review, internal audit, NIS2-oriented supervision, and, if pursued, ISO/IEC 27001 certification. Each evidence item should have an owner, review frequency, retention period, and relationship to both NIS2 obligations and ISO/IEC 27001:2022 controls.
8.9. Lessons from the Demonstration
The UPT scenario illustrates five main lessons. First, the implementation of NIS2 in a university cannot be reduced to central IT controls. It requires institutional governance, ownership of risk, and coordination between central services, faculties, administrative departments, and research units. Second, ISO/IEC 27001:2022 provides a suitable implementation backbone, but its scope and controls must be adapted to the university’s service domains and risk profile. Third, identity and access management should be treated as a foundational dependency because it conditions the security of teaching platforms, student services, administrative systems, and research collaboration. Fourth, student-facing and teaching platforms should be considered critical institutional services because their compromise or unavailability can directly affect educational continuity. Fifth, research and laboratory environments require explicit treatment of academic compatibility, including risk-based exceptions and compensating controls.
The demonstration also confirms the importance of starting with a limited and defensible ISMS scope (central identity, the main digital education platform, selected administrative systems) and extending it in later stages toward research infrastructures and laboratory environments; this phased approach is more realistic than whole-institution implementation and more compatible with ISO/IEC 27001:2022 certification practice.