The law on cyber security and defence
The Romanian Senate has adopted a bill on the country's cyber security and defence.
România Internațional, 22.12.2022, 13:50
The Senate adopted on Wednesday, as the
decision-making body in this case, a bill on Romania’s cyber security and
defence. To ensure a unitary management and implementation of specific
activities, the new law provides for the creation of the National Cyber
Security System. The leader of the Alliance for the Union of Romanians MPs in
the Senate, Claudiu Târziu, has criticised the bill initiated by the government:
"They will create a national platform to report
incidents related to cyber security, with private citizens and legal entities
being able to report these incidents. It’s openly encouraging people to spy and
denounce each other and leaves room for discretionary action."
The Save Romania Union, also in opposition, has criticised
the haste in which the bill was put to vote and the lack of any real debate in
the public space and in Parliament. In response, the president of the defence
committee, the National Liberal Party senator Nicoleta Pauliuc, said Romania
needs a cyber security law, after NATO recognised cyberspace as a domain of
operations:
"We need institutions whose duties we must establish
appropriately, so as to monitor the cyber security component. Security threats,
at least in cyberspace, have risen enormously in recent years."
The law on Romania’s cyber security and defence
applies to the information networks and systems owned, organised, administered,
used or within the competence of public authorities and institutions in the
area of defence, public order, national security, justice, emergency situations
and the Bureau for the National Register of Secret State Intelligence; to
natural persons and private legal entities used in the provision of electronic
communications services to central and local public administration
institutions; as well as to the information networks and systems owned,
organised, administered or used in the central and local public
administration and by natural and legal entities carrying out research,
development, innovation and production activities in the field of
communications and IT.
The persons responsible for these information networks
and systems are obliged to report incidents related to cyber security as soon
as possible, but no later than 48 hours after noting the incident. If the
incidents cannot be communicated fully, additions can be made within five days
of the initial notification. Failure to comply with this obligation attracts a
fine of between 1,000 and 10,000 euros, while a new offence committed within
the next six months implies a fine of 40,000 euros. Businesses with a net
turnover of over 1 million lei are facing fines of up to 1% of this figure, and
of 3% if a new offence is committed within the next six months. (CM)