Emergency Ordinance no. 155/2024 | LegalFlash 118


At the end of 2024, Emergency Ordinance no. 155/2024 was published, transposing into national law Directive (EU) 2022/2555 of the European Parliament and of the Council of December 14, 2022, on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) no. 910/2004 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148, commonly known as NIS 2.

The main objective of this legislative act is to ensure a high level of cybersecurity at the national level by establishing risk management measures and reporting obligations for essential and important entities.

The ordinance applies to specific categories of entities classified as essential or important. Essential entities are identified based on their critical role in national infrastructure and their strategic importance in their respective sectors. According to the legal framework, these entities include:

  • Public administration entities,
  • DNS service providers (providers of recursive domain name resolution services for end-users of the Internet and authoritative domain name resolution services for third parties, excluding root name servers),
  • Large enterprises operating in sectors such as energy, transport, drinking water, and wastewater, with the complete list of highly critical sectors detailed in Annex 1 of the ordinance,
  • Medium-sized enterprises providing public electronic communications networks or services, directly impacting access to information and connectivity,
  • Security service providers due to their essential role in protecting digital infrastructures against cyber threats.

Important entities are classified based on the potential impact of a vulnerability. These include large and medium-sized enterprises that operate in the sectors listed in Annex 1, or in sectors such as waste management, manufacturing, and the production and distribution of chemicals (the full list of critical sectors is detailed in Annex 2 of the ordinance), but that are not classified as essential entities. Examples include providers of public electronic communications networks and services, as well as trust service providers, regardless of their size.

To be classified as an essential or important entity, it is not sufficient to operate in one of the sectors listed in Annexes 1 and 2; at least one of the criteria specified in Article 9 must also be met. For example, a service disruption caused by the entity could have a significant impact on public safety, public security, or public health, or the entity may be the sole provider of an essential service critical for supporting societal and economic activities.

The ordinance establishes clear obligations for the targeted entities regarding cybersecurity risk management. These obligations are legally assigned directly to the management bodies of the entity and include:

  • Adopting and implementing the necessary measures for cybersecurity risk management, complying with orders issued by competent authorities, overseeing their application, and assuming responsibility in case of violations;
  • Participating in accredited professional training programs to ensure the acquisition of an adequate level of knowledge and skills for identifying and managing cyber risks, as well as assessing their impact on the services provided by the entity;
  • Implementing permanent communication channels, ensuring the necessary resources for implementing cybersecurity measures, and, where applicable, appointing responsible personnel for the security of networks and information systems to implement and monitor these measures at the entity level.

The direct assignment of responsibilities to management bodies means that they may personally face sanctions for non-compliance with these legal obligations. In particular, the National Cybersecurity Directorate (DNSC) may notify the competent authorities or bodies so that they impose a temporary ban on the individuals concerned holding executive director or legal representative positions within the entity.

Additionally, essential and important entities have the following obligations:

  • Conducting periodic cybersecurity audits and performing an annual self-assessment of the maturity level of the implemented security measures. The results of these evaluations must be submitted to DNSC and the relevant sectoral authorities.
  • Registering with DNSC within 30 days of the ordinance's entry into force (or within 30 days of qualifying as an essential or important entity).
  • Reporting to DNSC, without undue delay, any incident that has a significant impact on the provision of their services and, where applicable, notifying the recipients of their services about significant incidents that could affect service delivery.

Failure to comply with these obligations results in severe financial penalties ranging from €5,000 to €10,000,000 or up to 2% of turnover for essential entities, and between €5,000 and €7,000,000 or up to 1.4% of turnover for important entities. In addition to fines, complementary measures may be imposed, such as the temporary suspension of certifications and authorizations, the publication of detected violations, and temporary bans on entity management.

This ordinance represents an important step in strengthening Romania's cybersecurity. Through the adoption of effective measures and close cooperation between authorities and the private sector, the goal is to reduce risks and create a secure and robust cyber environment.