Current status of implementation

The preliminary public consultation stage (i.e. with a view to determining and setting up the strategic, institutional and legal framework needed for transposing the Directive) was launched by the Ministry of Communications and Information Societies on 10 April 2017.

The draft bill transposing the NIS Directive into national legislation has not been published yet. On 3 October 2017, the Ministry of Communications and Information Societies launched a public consultation on the bill of law concerning measures for a high common level of security of network and information systems across the Union. The text of the bill is available here.

To date, we are not aware that the next legislative steps have been carried out.

Implementation Act

More details to follow.

Determination of operators of essential services (Art. 5 NIS)

The bill provides that, by 9 November 2018, the essential operators will be identified by the relevant Romanian authority (i.e. the Romanian National Centre of Response to Cyber Security Incidents - CERT-RO) for the following sectors of activity: a) energy, b) transport, c) banking, d) financial market infrastructures, e) health, f) drinking water supply and distribution, g) digital infrastructure.

Reporting obligations

According to the bill, the essential service operators and providers of digital services have an obligation to notify incidents that have a significant impact on the continuity of services. The notification obligations correspond to the obligations provided in Article 16 of the NIS Directive. The notification procedure will be detailed in a technical norm which will be adopted by CERT-RO.

Sanctions regime

Failure to comply with the prescribed obligations may be sanctioned with administrative fines ranging from RON 3,000 (approx. EUR 670) to RON 50,000 (approx. EUR 11,000). Repeated breaches of the obligations may be sanctioned with administrative fines of up to RON 100,000 (EUR 22,000).

Companies with a turnover exceeding RON 2,000,000 (approx. EUR 440,000) may be subject to administrative fines of up to 2% of the company's turnover and, for repeated breaches, of up to 5% of the company's turnover.

Competent authorities

The Romanian National Centre of Response to Cyber Security Incidents (CERT-RO).

Jurisdictional applications

The provisions of the bill are applicable to (i) essential service operators which have a head office, branch, subsidiary, working point or any other form of representation in Romania and (ii) providers of digital services headquartered in Romania, or headquartered in a non-EU country but with a representative office in Romania (non-EU entities offering relevant services in Romania have to designate a Romanian representative).

The security and notification requirements shall not apply to (i) undertakings providing public communications networks or publicly available electronic communications services which have special or exclusive rights for the provision of services in other sectors in Romania or another EU country and (ii) trust service providers which are subject to the requirements of Article 19 of Regulation (EU) No 910/2014.

Remarks (if any)

More details to follow.

Last reviewed 28.02.2018