Romania Adopts Stricter Cybersecurity Rules

Publication: ZRVP

Emergency Ordinance 155/2024 on the Establishment of a Cybersecurity Framework for Networks and Information Systems in the National Civil Cyberspace

Adoption of Emergency Ordinance 155/2024

On December 30, 2024, the Romanian Government adopted Emergency Ordinance No. 155/2024 on the establishment of a framework for the cybersecurity of networks and information systems in the national civil cyberspace. The Ordinance transposes Directive (EU) 2022/2555 of the European Parliament and of the Council of December 14, 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148 (the NIS2 Directive), published in the Official Journal of the European Union, OJ L 333/80 of December 27, 2022. Its adoption aligns Romania with the EU framework, increases the country's resilience against cyber threats and strengthens its capacity to respond effectively to regional and global developments in the field.

Designation of the National Cyber Security Directorate (DNSC)

One of the main purposes of the Ordinance is to designate the National Cyber Security Directorate (DNSC) as the competent authority for cybersecurity, responsible for supervising and monitoring the entities in scope and for sanctioning those that do not comply with the requirements imposed by the Ordinance.

Entities Covered by the Ordinance

In terms of scope, the Ordinance applies only to public or private entities established and registered in Romania. By way of exception, providers of public electronic communications networks and providers of publicly available electronic communications services fall within its scope whenever they provide services on Romanian territory, regardless of their place of establishment or registration.

Classification of Entities: Essential vs. Important

The Ordinance classifies entities as essential or important. Beyond sector and size, three criteria can bring an entity into scope regardless of its size: whether it is the sole provider of a critical service; whether a disruption of its activity would affect public safety or national security; and whether such a disruption would have cross-border consequences. Essential entities include central government entities; entities in sectors of high criticality; entities identified as critical entities under the Critical Entities Resilience legislation; DNS service providers; and others. Important entities include large and medium-sized enterprises; providers of public electronic communications networks and of publicly available electronic communications services; trust service providers; and other entities in sectors of high criticality that do not meet the conditions to qualify as essential entities. An entity's criticality is assessed in terms of its importance at national or regional level to the sector in which it operates or to other interdependent sectors, taking into account factors such as the impact on fundamental rights and freedoms, on the national economy, on public health, on national security and in terms of financial risk.

Mandatory Registration with DNSC

Within 30 days of the entry into force of the Ordinance, essential and important entities must notify DNSC for registration, providing identification data, their scope of activity, the EU Member States in which they provide services and the IT infrastructure they use. The registration decision is issued within 60 days for essential entities and within 150 days for important ones. If an entity no longer fulfils the conditions laid down in the Ordinance, it must notify DNSC and submit supporting documents within 30 days; where applicable, DNSC will issue a delisting decision.

Expanded Scope of Cybersecurity Regulations

A novelty of the Ordinance is the expansion of the sectors to which cybersecurity rules apply. These are grouped into two categories: sectors of high criticality, namely energy; transport; banking; financial market infrastructures; digital infrastructure; health; drinking water; waste water; central public administration; space; and ICT service management; and sectors of major importance, namely postal and courier services; waste management; chemicals; food; manufacturing; digital providers; research; and local public administration.

Cybersecurity Risk Management Requirements

As regards cybersecurity risk management, entities falling under the Ordinance must carry out a risk analysis and implement appropriate protective measures. Within 60 days of registration with DNSC, entities must submit their risk level assessment, which must include the list of relevant assets and the list of identified risks. Within a further 60 days of submitting the risk assessment, entities must also carry out a self-assessment of the maturity level of their cybersecurity risk management measures. The assessment is a continuous process: entities must repeat the self-assessment annually and draw up a remediation plan for the deficiencies identified, for which management assumes responsibility.

Supply Chain Obligations

Another relevant element of the Ordinance is that it also reaches the supply chain, i.e. the suppliers and economic operators of entities in sectors of high criticality and sectors of major importance. Entities in scope are obliged to provide information on their suppliers upon request by DNSC.

Appointment of a Security Officer

Where appropriate, entities may appoint a security officer. This person must have managerial authority and be independent of the entity's IT structures, so as to be able to take objective decisions, and must complete an accredited specialist course recognised by DNSC within 12 months of appointment.

Reporting of Significant Cybersecurity Incidents

An incident is significant if it causes serious operational disruption or significant financial loss to the entity, or if it has affected or is likely to affect other entities by causing substantial material or non-material damage. The Ordinance obliges entities to report significant incidents within set deadlines. For example: an early warning must be submitted no later than 24 hours after becoming aware of the significant incident; the incident notification updating the early warning must be submitted no later than 72 hours after becoming aware of the incident; and an incident with possible cross-border impact must be reported no later than 6 hours after becoming aware of it.

Cybersecurity Audits: Periodic and Ad-Hoc

The Ordinance also lays down a number of obligations concerning the audit of entities and provides for two types of audit: the periodic audit, which is the rule, and the ad-hoc audit, which is the exception. The periodic audit is a systematic evaluation of all the protective measures, policies and procedures implemented, aimed at identifying malfunctions and vulnerabilities. No later than 15 working days from receipt of the audit report, the entity must submit to DNSC a plan of measures remedying all the deficiencies found and agree deadlines for their implementation. The ad-hoc audit is ordered by DNSC by way of exception, for instance after a significant security incident or where there are reasonable suspicions that the Ordinance has been breached.

Sanctions for Non-Compliance

For non-compliance with its provisions, the Ordinance imposes a series of severe penalties. Fines can reach the RON equivalent of up to EUR 7,000,000 or 1.4% of annual worldwide turnover for important entities, and up to EUR 10,000,000 or 2% of annual worldwide turnover for essential entities, whichever is higher. The limitation period for applying a fine is 3 years from the date the offence was committed. As complementary measures, the Ordinance provides for the temporary suspension of certain activities; a temporary prohibition on exercising managerial functions; and orders requiring the entity to remedy vulnerabilities or to inform its customers of such measures. If a sanctioning decision is challenged in court, only payment of the fine is suspended, not the obligations imposed.

In conclusion, the adoption of Emergency Ordinance 155/2024 is a natural response to the intensification of cyber-attacks and to the accelerating diversification of online services, driven by factors such as the Russian-Ukrainian conflict, the COVID-19 pandemic, the development and globalisation of the business environment and the lower cost of accessing new markets. The regulation aims to align the cybersecurity measures adopted in Romania with European standards through a set of measures directed mainly at preventing cyber-attacks and at enhancing security in this field.
