News and developments
ROMANIA IS ENACTING THE SECONDARY LEGISLATION PERTAINING TO CYBERSECURITY IN AN EFFORT TO AVOID EUROPEAN SANCTIONS
The responsibility for setting up the list of essential services within the meaning of the NIS Directive falls with the Romanian National Computer Security Incident Response Team (“CERT-RO”)[2].
In an effort to observe the two-month deadline provided by the European Commission, the Romanian Government adopted the Government Decision no. 963/2020 for the approval of the List of essential services[3] (“Government Decision no. 963/2020”), and the Government Decision no. 976/2020 on the approval of threshold values for establishing the significant disruptive effect of incidents on the networks and computer systems of essential service operators[4] (“Government Decision no. 976/2020”).
- What constitute essential services in Romania
- energy
- electricity: production, supply to consumers, operating centralized electric power markets, transport, operating the electro-energetic system, distribution of electric power;
- oil: operating oil pipes, oil production, refining and treating oil, storing oil, oil transport;
- natural gas: production, transport, distribution, storage, liquifying, refining, operating natural gas centralized markets; natural gas, discharge and regasification of natural gas, supply of natural gas to consumers, management of treatment installations.
- transport
- air transport: air traffic control services, air traffic communications, navigation and supervision, passenger transport, cargo transport and processing, administration of airport infrastructure, exploitation of airport safety and security installations, airships repair and maintenance, air travel safety incidents reporting;
- railway transport: railway traffic control and management, cargo transport, transport of dangerous substances, passenger transport including by metro and tram, railway infrastructure maintenance, maintenance of railway vehicles (locomotives, railway wagons etc.);
- water transport: passenger transport, cargo transport, dangerous cargo transport, dock traffic, dock security, administration and exploitation of dock infrastructure, cargo services, emergency intervention services, maritime and river traffic management services;
- road transport: national roads management, operating and managing the road infrastructure, road traffic control, managing passenger flows, managing sanitary transport services, managing cargo and dangerous cargo transport.
- banking
- managing accounts including deposit and credit accounts, payment services, investment services.
- infrastructures of the financial market
- exploiting trading platforms for financial instruments, securities issued, the central clearing/settlement service for trading on the financial market.
- health
- prevention, diagnosis, treatment services, storage and/or distribution of medicines, medicine production, analysis and diagnosis laboratories, hospital services, emergency services, supply of medical devices with an impact on life, public services of emergency medical assistance, management of the national health insurance system and of the data specific to the providers of medical services.
- drinking water supply
- the management of the river basin, capturing and treating raw water, transport and distribution of drinking water, collecting and treating used water, providing bottled drinking water.
- digital infrastructure
- IXP (internet exchange points): internet traffic exchange services;
- DNS (domain names servers): resolver DNS server operations, operations of DNS server authorisation, priming;
- TLD (top level domains): .ro domain names management and hosting, top level domain registration and allocation.
- What are the threshold values for identifying operators of essential services
- the number of users relying on the respective services, with the following threshold indicators: minimum 55,000 affected users or minimum 22,600 affected contracts or minimum 2 affected sectors or minimum 3 affected operators of essential services;
- the impact of the incidents with respect to their intensity and duration: minimum one-hour duration or minimum one Gbps intensity, or minimum a 5% affected market share;
- the geographic distribution of the affected areas: minimum one county, or minimum 3 administrative units (out of which at least one is a city/town) or minimum 5 administrative units that are not cities/towns, or minimum 2 countries or minimum one alternative means for providing the service;
- What remains to be done