1. Background
On October 30, 2020, the European Commission sent a reasoned opinion regarding Romania’s failure to notify the national measures allowing for the identification of operators of essential services, the number of such operators and the thresholds used in the identification process. The notification process is part of the implementation of Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (the “NIS Directive”). The NIS Directive was transposed into Romanian legislation through Law no. 362/2018 for ensuring a high common level of security of networks and information systems (the “NIS Law”).
The responsibility for drawing up the list of essential services within the meaning of the NIS Directive falls with the Romanian National Computer Security Incident Response Team (“CERT-RO”).
In an effort to observe the two-month deadline provided by the European Commission, the Romanian Government adopted the Government Decision no. 963/2020 for the approval of the List of essential services (“Government Decision no. 963/2020”), and the Government Decision no. 976/2020 on the approval of threshold values for establishing the significant disruptive effect of incidents on the networks and computer systems of essential service operators (“Government Decision no. 976/2020”).
2. What constitutes an essential service in Romania
The Government Decision no. 963/2020 sets for each of the sectors mentioned in the Annex to the NIS Law the list of essential services, as follows:
(i) energy
• electricity: production, supply to consumers, operating centralized electric power markets, transport, operating the electro-energetic system, distribution of electric power;
• oil: operating oil pipes, oil production, refining and treating oil, storing oil, oil transport;
• natural gas: production, transport, distribution, storage, liquefying, refining, operating centralized natural gas markets, discharge and regasification of natural gas, supply of natural gas to consumers, management of treatment installations.
(ii) transport
• air transport: air traffic control services, air traffic communications, navigation and surveillance, passenger transport, cargo transport and processing, administration of airport infrastructure, operation of airport safety and security installations, aircraft repair and maintenance, air travel safety incident reporting;
• railway transport: railway traffic control and management, cargo transport, transport of dangerous substances, passenger transport including by metro and tram, railway infrastructure maintenance, maintenance of railway vehicles (locomotives, railway wagons etc.);
• water transport: passenger transport, cargo transport, dangerous cargo transport, dock traffic, dock security, administration and operation of dock infrastructure, cargo services, emergency intervention services, maritime and river traffic management services;
• road transport: national roads management, operating and managing the road infrastructure, road traffic control, managing passenger flows, managing sanitary transport services, managing cargo and dangerous cargo transport.
(iii) banking
• managing accounts including deposit and credit accounts, payment services, investment services.
(iv) infrastructures of the financial market
• operating trading platforms for financial instruments, securities issuance, the central clearing/settlement service for trading on the financial market.
(v) health
• prevention, diagnosis, treatment services, storage and/or distribution of medicines, medicine production, analysis and diagnosis laboratories, hospital services, emergency services, supply of medical devices with an impact on life, public services of emergency medical assistance, management of the national health insurance system and of the data specific to the providers of medical services.
(vi) drinking water supply
• river basin management, capturing and treating raw water, transport and distribution of drinking water, collecting and treating wastewater, providing bottled drinking water.
(vii) digital infrastructure
• IXP (internet exchange points): internet traffic exchange services;
• DNS (domain name servers): operating resolver DNS servers, operating authoritative DNS servers, priming;
• TLD (top level domains): .ro domain names management and hosting, top level domain registration and allocation.
3. What are the threshold values for identifying operators of essential services
The NIS Directive requires the Member States to set the threshold values that define a significant disruptive effect of an incident on the networks and information systems of essential service providers.
After receiving the reasoned opinion issued by the European Commission, the Romanian Government has expedited the process of setting the threshold values and has published the same in order to be used in identifying the operators of essential services.
The thresholds set through Government Decision no. 976/2020 are both intersectoral, meaning that they apply to all seven sectors within the scope of the NIS Law, and sector-specific for each of the above-mentioned sectors.
The intersectoral thresholds relate to:
• the number of users relying on the respective services, with the following threshold indicators: minimum 55,000 affected users or minimum 22,600 affected contracts or minimum 2 affected sectors or minimum 3 affected operators of essential services;
• the impact of the incidents with respect to their intensity and duration: minimum one-hour duration or minimum one Gbps intensity, or minimum a 5% affected market share;
• the geographic distribution of the affected areas: minimum one county, or minimum 3 administrative units (out of which at least one is a city/town) or minimum 5 administrative units that are not cities/towns, or minimum 2 countries or minimum one alternative means for providing the service;
The sector-specific thresholds include concrete values for the criteria and metrics used for the activities in each sector (for example, in the electricity and drinking water supply sectors). However, for most actors and activities in the specific sectors (such as the banking system, the financial market infrastructure, the medical assistance system and the digital infrastructure), incidents must be reported without exception.
4. What remains to be done
Following the publication of these two Government Decisions, the companies operating in the sectors that are in the scope of NIS Law have until December 17, 2020 to assess both the list of essential services and the thresholds provided by the legal enactments in order to decide if they qualify as essential services providers that must register with CERT-RO.
Nevertheless, the NIS Law has only just become fully applicable in Romania. Therefore, it will be interesting to see the further developments in this respect in both regulation and case law.
Authors: MPR Partners - Flavia Ștefura, Senior Associate & Cristina Crețu, Senior Privacy & Technology Consultant