Transposition of the NIS2 Directive in Romania

Through the emergency ordinance adopted at the end of the year (GEO 155/2024), a new legal framework on the measures and mechanisms necessary to ensure the cybersecurity of information networks and systems is implemented in Romania. The obligations are applicable to essential and important entities, as qualified under GEO 155, i.e. entities that fulfil the size and relevance criteria set out in the ordinance and which carry out activities in the areas identified in the annexes to the ordinance.

The ordinance affects sectors such as energy, transport, finance and banking, health, drinking water and waste water, digital infrastructure, IT&C services, space services, postal and courier services, waste management, chemicals production and distribution, food, as well as manufacturing activities related to the production of medical devices, machinery and transport equipment, computers, electronic and optical products, electrical equipment, etc.

In summary, the main obligations laid down in the legislation are:

  1. Registration with the National Cyber Security Directorate (DNSC), the competent authority in the field, in the register of essential and important entities.
  2. Conducting and submitting to the DNSC annual self-assessments on the level of risk, in accordance with the requirements to be established by the DNSC.
  3. Implementation of cybersecurity risk management measures, according to the DNSC-approved standards, covering both governance (e.g. implementation of internal policies, procedures and processes) and technical aspects.
  4. Conducting regular security audits.
  5. Reporting to the DNSC (via the PNRISC platform) of security incidents with significant impact or cross-border effects.
  6. Designation of persons responsible for information networks and systems (NIS Officer).
  7. Ensuring professional training for all staff and in particular for members of the management bodies, who will be required to attend accredited courses to ensure a sufficient level of knowledge and competence to identify risks and assess cybersecurity risk management practices.
  8. Specific obligations and responsibilities for the management bodies of essential and important entities, which, under GEO 155, approve cybersecurity risk management measures, supervise their implementation and are responsible for infringements of these provisions.

An important clarification: there are currently no technical rules or subsequent legislation regarding the implementation of GEO 155. For this reason, most of the obligations are not yet applicable in practice. The DNSC has announced that the orders necessary to implement the new legislation will be issued in the first quarter of 2025.
