On 10 December, Bucharest was selected as the site of the new European Cybersecurity Competence Centre, whose main duty is to distribute EU and national funding for cybersecurity research projects across the bloc.
In light of these developments, a better understanding of the concept of cyberlaw and its applicability in Romania is warranted.
On 6 July 2016, Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the European Union (hereinafter referred to as the “NIS Directive”) was adopted. This Directive can fairly be regarded as the first piece of cybersecurity legislation passed by the European Union. Its aim is to achieve a high common standard of network and information security across all EU Member States, which had until 9 May to adopt legislative acts transposing the Directive. In this respect, Romania published on 9 January 2019 Law 362/2018 concerning the assurance of a high common level of security of networks and information systems (hereinafter referred to as the “NIS Law”), transposing the NIS Directive.
The NIS Directive sets a range of network and information security requirements that are applicable to operators of essential services (also known as “OESs”) and digital service providers (also known as “DSPs”).
Operators of essential services (OESs) are service providers found to be active in sectors such as:
- Banking and financial market infrastructures;
- Energy (i.e., oil and gas, electricity);
- Transport (air, rail, water and road);
- Distribution and digital infrastructures (i.e., internet exchange points, domain name system providers, as well as domain name registries);
- Health (i.e., private clinics, hospitals);
- Drinking water supply.
Member States are under the obligation to compile a list of organizations active within those sectors considered essential service providers.
Digital service providers (DSPs) are providers active in the field of online market places, online search engines and cloud computing.
A key aspect to be taken into account with respect to DSPs is that the NIS Directive also applies to companies based outside the EU that offer services within its territory. Such companies are therefore under the obligation to appoint an EU-based representative to act on their behalf for compliance matters. DSPs are, however, subject to a less stringent framework than OESs.
How to determine whether an undertaking qualifies as an OES?
This self-assessment entails three main steps:
- The first step regards identifying whether its services are essential;
- The second step regards whether the services use networks or information systems;
- The third step regards the disruptive effect of a possible incident.
Following the reasoned opinion issued by the European Commission and sent on 30 October 2020 with respect to Romania’s failure to notify the national measures for identifying operators and essential services, the Romanian Government adopted Government Decision no. 963/2020 for the approval of the List of essential services and Government Decision no. 976/2020 on the approval of threshold values for establishing the significant disruptive effect of incidents on the networks and computer systems of essential service operators.
According to Government Decision no. 976/2020, certain thresholds are common to all the above-mentioned sectors and regard:
(i) The number of users that rely on the respective service (i.e., a minimum of 55,000);
(ii) The impact of the incident based on its duration and intensity (i.e., a minimum duration of one hour);
(iii) The geographic distribution of the affected areas (i.e., a minimum of one county).
The legal provisions also include specific values and criteria for each affected sector.
How to determine whether an undertaking qualifies as a DSP?
Similar to OESs, a self-assessment process is required. Here, however, the process is more straightforward, as the undertaking only needs to evaluate whether its services constitute an online marketplace, an online search engine or a cloud computing service.
It is important to bear in mind that if the undertaking is regarded as a small or medium-sized company, it shall not qualify as a DSP.
When the self-assessment is finalised and the undertaking falls within the scope of an OES or a DSP, the next step is to notify the Romanian National Computer Security Incident Response Team (hereinafter referred to as “CERT-RO”), the national competent authority for the security of networks and information systems that provide essential services or digital services.
Why is it important to comply with these new legal provisions? Turnover-based fines
Any failure by OESs and DSPs to comply with these legal obligations is regarded as an administrative offence, with fines ranging from 3,000 RON to 50,000 RON.
However, if the turnover of the OES or the DSP in the year preceding the offence exceeds 2,000,000 RON, the fines range from 0.5% to 2% of that turnover.
The NIS Directive and its domestic effects are only beginning to take hold in Romania. Further developments in this area therefore need to remain within the scope of our interest.