Operators of essential services are required to notify CERT-RO - the national competent authority for security of networks and information systems - for registration in the Register of operators of essential services by 17 December 2020. Otherwise, these companies risk fines of, in some cases; up to 5% of their turnover.
The obligation to notify CERT-RO within the indicated time frame stems from the requirements set out in the package of normative acts issued last month by the Romanian Government, for the application of Law no. 362/2018, which transposed Directive (EU) 2016/ 1.148 (NIS legislation) at national level.
To whom does the NIS legislation apply and what obligations does it imply?
The NIS legislation applies to:
operators of essential services (OES), including operators in the following sectors: energy, transport, banking, financial market infrastructure, health, drinking water supply and distribution, digital infrastructure; and
digital service providers.
The NIS legislation establishes specific obligations for the two categories of entities, in order to ensure a high common level of security of networks and information systems, such as the obligation to:
implement measures to meet minimum security requirements and ensure continuity of services;
notify CERT-RO about incidents deemed to have a significant impact;
designate persons responsible with the security of computer networks and systems, etc.
In addition, the NIS Legislation establishes the obligation of OES to notify CERT-RO in order to be registered in the Register of operators of essential services, within 30 days as of fulfilment of the conditions which qualify a service as being essential, by reference to criteria and threshold values to be set by Government Decision(s).
Clarifications for OES
The normative acts issued in November aim precisely at establishing the essential services, as well as the criteria and threshold values relevant for OES necessary for their identification and registration in the Register of operators of essential services, as follows:
The List of essential services for each relevant sector was approved by Government Decision no. 963/05.11.2020, published in the Official Gazette, Part I, no. 1086/16.11.2020.
For example, in case of operators in the banking sector, the list indicates the type of entity (credit institutions) as well as the relevant essential services, namely: (i) management of accounts, including accounts related to the activity of attracting deposits and granting loans; (ii) payment services; (iii) investment services.
The threshold values for establishing the significant disruptive effect of incidents at the level of OES's networks and computer systems were approved by Government Decision no. 976/12.11.2020, published in the Official Gazette, Part I, no. 1089/17.11.2020
Thus, the decision establishes both threshold values corresponding to the intersectoral criteria (for example: incident duration 1 hour, incident intensity 1Gbps), as well as sector-specific criteria and threshold values corresponding to each sector and subsector of activity.
For example, for all types of essential services established for the banking sector, the threshold value is stated as: “Without exception”, establishing that in such case, all economic operators providing the respective essential service are OES.
The Technical Norms regarding the minimum requirements for ensuring the security of networks and information systems applicable to OES were approved by Order no. 1323/2020, published in the Official Gazette, Part I, no. 1142/26.11.2020,.
What needs to be done by 17 December 2020? Risks in case of default
With regard to the CERT-RO notification obligation, this requires a prior documented analysis of the essential services provided by OES. The notification consists of submitting a form, together with a statement of OES's responsibility, and documentation of a self-assessment regarding compliance with the minimum security and notification requirements.
Failure to comply with the obligation to identify and notify CERT-RO by OSE by the above date constitutes a contravention and may be sanctioned with a fine. According to the NIS legislation, the fine can be between 3,000 lei and 50,000 lei (approx. EUR 600 – 10,000), and in case of repeated violations, up to 100,000 lei (approx. EUR 20,000). For entities with a turnover of over 2 million lei (approx. EUR 400,000), the fine can reach between 0.5 % and 2 % of the turnover, and, in case of repeated violations, the fine can reach up to 5 % of turnover.
By Carmen Stirbu, Managing Attorney at Law, and Carla Filip, Attorney at Law, Schoenherr