You will be redirected to the website of our parent company, Schönherr Rechtsanwälte GmbH: www.schoenherr.eu
Operators of essential services are required to notify CERT-RO - the national competent authority for security of networks and information systems - for registration in the Register of operators of essential services by 17 December 2020. Otherwise, these companies risk fines of, in some cases; up to 5 % of their turnover.
The obligation to notify CERT-RO within the indicated time frame stems from the requirements set out in the package of normative acts issued last month by the Romanian Government, for the application of Law no. 362/2018, which transposed Directive (EU) 2016/ 1.148 (NIS legislation) at national level.
The NIS legislation applies to:
The NIS legislation establishes specific obligations for the two categories of entities, in order to ensure a high common level of security of networks and information systems, such as the obligation to:
In addition, the NIS Legislation establishes the obligation of OES to notify CERT-RO in order to be registered in the Register of operators of essential services, within 30 days as of fulfilment of the conditions which qualify a service as being essential, by reference to criteria and threshold values to be set by Government Decision(s).
The normative acts issued in November aim precisely at establishing the essential services, as well as the criteria and threshold values relevant for OES necessary for their identification and registration in the Register of operators of essential services, as follows:
With regard to the CERT-RO notification obligation, this requires a prior documented analysis of the essential services provided by OES. The notification consists of submitting a form, together with a statement of OES's responsibility, and documentation of a self-assessment regarding compliance with the minimum security and notification requirements.
Failure to comply with the obligation to identify and notify CERT-RO by OSE by the above date constitutes a contravention and may be sanctioned with a fine. According to the NIS legislation, the fine can be between 3,000 lei and 50,000 lei (approx. EUR 600 – 10,000), and in case of repeated violations, up to 100,000 lei (approx. EUR 20,000). For entities with a turnover of over 2 million lei (approx. EUR 400,000), the fine can reach between 0.5 % and 2 % of the turnover, and, in case of repeated violations, the fine can reach up to 5 % of turnover.