The first piece of EU-wide legislation on cybersecurity is expected to be transposed into Romanian law anytime now, bringing into play enhanced system security obligations for major companies in certain sectors, as well as fines of up to 5 % of non-compliant companies' turnover.
Romania is on its way to finalising the second attempt to transpose the European Directive on network and information security (NIS Directive), which aims to achieve a high common standard of network and information security across all EU Member States, into its national legislation.
While Member States were supposed to have the NIS Directive transposed into their local legislation by May of this year, relevant companies should keep a close eye on the status of the transposing law and start taking the first steps towards ensuring compliance to avoid delays or adverse consequences once the local law comes into effect.
Who must comply?
The NIS Directive applies to major companies in sectors that rely heavily on information and communications technology and that operate in critical fields, such as:
- energy (electricity, oil, natural gas);
- transport (air, railways, water, roads);
- financial market infrastructures;
- health (hospitals and private clinics);
- water (supplies and distributors of water);
- digital infrastructure; and
- digital service providers (marketplaces, search engines, cloud computing services).
Suppliers of relevant services to the companies in these fields should also consider the requirements of the NIS Directive, as the services they provide will need to comply with the new cybersecurity regime too.
It is up to the transposing law and its application norms to clearly indicate the criteria for identifying "major companies", as well as other matters of compliance with the new cybersecurity requirements.
Basic obligations for companies which need to comply with the NIS Directive include:
- taking appropriate technical and organisational measures to secure their network and information systems;
- considering the latest developments and accounting for potential risks facing the systems;
- taking appropriate measures to prevent and minimise the impact of security incidents to ensure service continuity;
- notifying the relevant supervisory authority (in Romania, as per the draft NIS Directive implementing law, the Romanian National Computer Security Incident Response Team, CERT-RO) of any security incident having a significant impact on service continuity without undue delay; and
- revising their contracts with their service suppliers to account for the new cybersecurity requirements and related liability.
Sanctions for failure to comply
Based on the available draft law, fines ranging from 0.5 % to 5 % of the company's annual turnover will be imposed for failure to comply with the local legislation transposing the NIS Directive.
Current status of the NIS Directive transposition in Romania
Based on information from public authorities, the law transposing the NIS Directive should receive parliamentary approval by the end of December. It is expected that the President will promulgate it shortly thereafter and we anticipate it will be transposed completely by the first quarter of 2019. Once the local legislation transposing the NIS Directive becomes effective, it cannot be excluded that authorities will apply the relevant fines for failure to comply.
Need for action. Where to start?
Major companies in the relevant sectors should already start assessing their compliance needs by conducting an NIS Regulation Assessment Analysis. This will highlight shortcomings in the company's overall security programme to help prioritise objectives and establish a roadmap for achieving full compliance with the NIS regulations.
By Costin Sandu, Senior Attorney at Law, and Daniele Iacona, Attorney at Law, Schoenherr