Romania: Cybersecurity framework update

Romania: Cybersecurity framework update

Romania is enacting the secondary legislation pertaining to cybersecurity in an effort to avoid European sanctions. On October 30, 2020, the European Commission sent a reasoned opinion1 regarding Romania’s failure to notify the national measures allowing for the identification of operators, the number of operators of essential services and the thresholds used in the identification process. The notification process is part of the implementation process of the Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (the “NIS Directive”). NIS Directive was transposed into the Romanian legislation through Law no. 362/2018 for ensuring a high common level of security of networks and information systems (“NIS Law”).

The responsibility for setting up the list of essential services within the meaning of the NIS Directive falls with the Romanian National Computer Security Incident Response Team (“CERT-RO”).

In an effort to observe the two-month deadline provided by the European Commission, the Romanian Government adopted the Government Decision no. 963/2020 for the approval of the List of essential services3 (“Government Decision no. 963/2020”), and the Government Decision no. 976/2020 on the approval of threshold values for establishing the significant disruptive effect of incidents on the networks and computer systems of essential service operators4 (“Government Decision no. 976/2020”).

The complete article is available here.