On January 12, 2019, Law no. 362/2018 on ensuring a high common level of security of network and information systems became operative, after its publication in the Official Gazette. The normative act is of particular importance for Romania, because it transposes at national level the NIS Directive no. 1148/2016 and aligns our country with a common European framework for responding to cyber-security incidents.
Why is Law no. 362/2018, which transposes the NIS Directive in Romania, so important?
The new legislative regulations aim at ensuring the security of networks and information systems that serve vital activities for the economy and society, such as energy, transport, drinking water, health, etc. More precisely, the law provides for a mechanism for preventing, detecting and responding to cyber-security incidents, so that the impact on the economy and the population is minimal. All this comes in the context of the continuous growth of the risks we are exposed to in the digital age, not just at the individual level.
A relevant example may be the case of the BlackEnergy cyber virus that has plagued Ukraine for many years, culminating in a power cut in December 2015 that left about 230,000 people without electricity. This cyber attack on critical infrastructure in Ukraine is just one of many alarm signals in recent years about how the population and the economy of a country can be directly affected on a large scale.
Who is targeted by the law transposing the NIS Directive?
First, key service providers are targeted – natural or legal persons, whether state or private, providing services in the following sectors:
• energy (electricity, oil, natural gas);
• transport (air, rail, water, road);
• banks;
• financial market infrastructures;
• health (health care institutions, including hospitals and private clinics);
• supply and distribution of drinking water;
• digital infrastructure.
Note that, according to Law no. 362/2018, a service is considered essential if it cumulatively fulfills the following conditions:
• the service is essential in supporting some of the most important societal and/or economic activities;
• its supply depends on a network or computer system;
• the provision of the service is significantly disturbed in the event of an incident occurring.
The competent national authority for network and information security is the CERT-RO National Civic Security Response Center. The institution will consult and cooperate with SRI, MApN, MAI, ORNISS, SIE, STS, SPP, etc.
CERT-RO also organizes and operates:
• the single point of contact at national level;
• the national computer security incident response team, hereinafter referred to as the national CSIRT team or national CSIRT.