Romania: New law 362/2018 on the security of network and information systems / NIS directive
EU Directive 2016/1148 on Security of Network and Information Systems (the “NIS Directive”) regulates the main EU legislative framework, which aims to achieve a high common level of network and information systems security across the European Union.
The NIS Directive applies to so-called Operators of Essential Services (“OESs”) acting in sectors that heavily rely on information and communications technology, such as Water Transport, Energy, Digital Infrastructure, Banking and Financial Market, Healthcare or Transport. The NIS Directive also applies to those Digital Service Providers (“DSPs”), that normally provide their services for remuneration, at a distance, by electronic means and at the individual request of the recipient of services.
THE MAIN PROVSISION OF THE NATIONAL LAW
On January 9th 2019, Law no. 362/2019 concerning measures for a high common level of security of network and information systems (“Law no. 362/2019”) was published in the Official Journal of Romania No. 21, Section I, and came into force on 12th January 2019, with the aim of transposing the NIS Directive into the national legislation.
Law no. 362/2019 empowers The Romanian National Computer Security Incident Response Team (“CERT-RO”) as the competent national authority for supervising OESs and DSPs in implementing their responsibilities according to the law.
Law no. 362/2019 requires OESs and DSPs to: (i) take appropriate technical and organizational measures to secure their networks and information systems; (ii) prevent security incidents and minimize the impact thereof in order to provide service continuity; (iii) notify CERT-RO of any security incidents having a significant impact on service continuity; (iv) appoint an IT Security Responsible in direct contact with CERT-RO; (v) notify CERT-RO in order to be so registered in the newly created National OESs Register; and (vi) interconnect with CERT-RO’s alerts and co-operation system.
Law no. 362/2019 has connections with the GDPR (General Data Protection Regulation no. 679/2016), as much as CERT RO shall cooperate with the data protection authority (“ANSPDCP”) when it comes to personal data processing, including when security incidents are subject to notification.
In this respect, article 30 paragraph 7) of Law no. 362/2018 expressly provides that the OESs’/DSPs’ obligation to notify ANSPDCP in case of a data breach event is not affected by the obligation of the same entities to notify CERT RO in case of a security incident affecting the continuity of those essential or digital services that are subject to Law no. 362/2018. Also, the minimum security requirements provided by article 25 of Law no. 362/2018 must be referred to in the context of article 32 of GDPR. This means that data controllers (subject to the Law no. 362/2018) must also ensure an adequate level of data security through appropriate technical and organizational measures to protect the network and information systems storing/processing personal data. CERT RO must enact technical norms within the framework of European and international standards to observe the principle of neutral technology.
Thus, within five (5) months, The Romanian Ministry of Communication (“MCSI”) must submit for Government approval, the technical standards and criteria regarding threshold values for determining compliance with the legal requirements.
SANCTIONS
Law no. 362/2019 provides for a wide range of violations that may constitute contraventions (almost 50 obligations under this sanction), the fines being set between specific thresholds of 3,000 and 100,000 LEI. For companies with a turnover higher than 2 million LEI (approximatively EUR 425,000), the law provides fines amounting of 0.5% up to 5% of their annual turnover, in case of repeated violations.
Read the full text