CYBERSECURITY | Draft law transposing the NIS 2 Directive

The transposition of the updated Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (the “NIS2 Directive“) is underway in Romania as well. Member states have until October 17, 2024, to incorporate the directive into their national legislation. In line with this, on August 15, 2024, the National Cybersecurity Directorate (DNSC) in Romania launched a public consultation on the draft law for implementing the NIS2 Directive (the “Draft Law“).

1. Background

The NIS2 Directive replaces Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (the “NIS1 Directive“). The NIS1 Directive was transposed into national legislation through Law No. 362/2018 on ensuring a high common level of network and information systems security. The NIS1 Directive aimed to strengthen cybersecurity capacities across the Union, mitigate threats to the networks and information systems used to provide essential services in key sectors, and ensure the continuity of these services in the face of incidents. However, its implementation revealed issues, such as unclear definitions. The increased reliance on network systems during the COVID-19 pandemic emphasized the need for stronger, coordinated EU action to address cross-border cybersecurity challenges and improve national policies while ensuring data protection and privacy.


2. Overview

The aim of the NIS2 Directive is to address the shortcomings of the previous legislation, strengthening the legal framework on cybersecurity and offering better solutions to the evolving cybersecurity landscape across the European Union.


3. Main amendments

– A. Broader scope:

The NIS1 Directive focused on securing the network and information systems of essential services, whereas the NIS2 Directive significantly broadens the scope to include additional sectors. NIS2 not only expands the range of sectors subject to cybersecurity requirements (from 7 to 18 sectors) but also extends these obligations to medium-sized and large entities within these critical sectors if certain conditions are met. This change markedly increases the number of organizations required to adhere to enhanced cybersecurity standards, ensuring a more comprehensive approach to safeguarding critical infrastructure.


These sectors include:

Essential Sectors:

  • Energy (electricity, oil, gas);
  • Transport (air, rail, water, road);
  • Banking;
  • Financial Market Infrastructures;
  • Health (hospitals, healthcare providers);
  • Drinking Water and Wastewater;
  • Digital Infrastructure (cloud computing, data centres, DNS);
  • Public Administration.

Important Sectors:

  • Postal and Courier Services;
  • Waste Management;
  • Manufacturing (certain critical products);
  • Food (production, processing, distribution);
  • Digital Providers (online marketplaces, search engines).

The Draft Law categorizes entities as “essential” or “important” based also on their size, role, and significance to national security. Essential entities include public administration bodies, qualified trust service providers, DNS providers, and critical infrastructure operators, among others. Important entities cover medium-sized and large businesses in sectors such as electronic communications and cloud services. The classification criteria involve factors such as the entity’s impact on public safety, its market share, and the potential cross-border effects of a disruption.

These entities are required to adopt strong cybersecurity measures, conduct regular risk assessments, and ensure robust incident reporting and management systems.

– B. Stricter cybersecurity requirements:
The NIS2 Directive mandates a more comprehensive set of risk management measures that entities must implement. This includes stronger security policies, incident response plans, supply chain security, and regular audits. Moreover, a cybersecurity officer must be appointed to oversee the compliance of the concerned entities.

– C. Enhanced Supply Chain Requirements:
Entities are required to assess and manage the cybersecurity risks related to their supply chains and third-party service providers.

– D. Stronger supervision and enforcement:
The directive grants national regulatory authorities greater powers to supervise and enforce the cybersecurity measures. They can impose administrative fines, and in severe cases, they have the authority to order the cessation of business activities.

The Draft Law provides for high fines, up to 35,000,000 RON or a maximum of 1.4% of net turnover for important entities breaching certain provisions or up to 50,000,000 RON or a maximum of 2% of net turnover for essential entities breaching certain provisions.

4. Recommendations to ensure compliance with the NIS2 Directive

To ensure compliance with the new directive, entities should first of all assess whether they fall within the scope of the NIS2 Directive and, if so, identify the provisions applicable to them.

Entities subject to the NIS2 Directive should, among other things, adjust their policies by introducing, for instance, employee training or incident response plans.

The Draft Law provides that it enters into force on October 18, 2024.