The law on cyber security and defence

The Senate adopted on Wednesday, as the decision-making body in this case, a bill on Romania's cyber security and defence. To ensure a unitary management and implementation of specific activities, the new law provides for the creation of the National Cyber Security System. The leader of the Alliance for the Union of Romanians MPs in the Senate Claudiu Târziu has criticised the bill initiated by the government:

"They will create a national platform to report incidents related to cyber security, with private citizens and legal entities being able to report these incidents. It's openly encouraging people to spy and denounce each other and leaves room for discretionary action."

The Save Romania Union, also in opposition, has criticised the haste in which the bill was put to vote and the lack of any real debate in the public space and in Parliament. In response, the president of the defence committee, the National Liberal Party senator Nicoleta Pauliuc said Romania needs a cyber security law, after NATO recognised cyberspace as a domain of operations:

"We need institutions whose duties we must establish appropriately, so as to monitor the cyber security component. Security threats, at the least in the cyberspace, have risen enormously in recent years."

The law on Romania's cyber security and defence applies to the information networks and systems owned, organised, administered, used or within the competence of public authorities and institutions in the area of defence, public order, national security, justice, emergency situations and the Bureau for the National Register of Secret State Intelligence; to natural persons and private legal entities used in the provision of electronic communications services to central and local public administration institutions; as well as to the information networks and systems owned, organised, administered or used in the central and local central public administration and by natural and legal entities carrying out research, development, innovation and production activities in the field of communications and IT.

The persons responsible for these information networks and systems are obliged to report incidents related to cyber security as soon as possible, but not later than 48 hours within noting the incident. If the incidents cannot be communicated fully, additions can be made within five days of the initial notification. Failure to comply with this obligation attracts a fine of between 1,000 and 10,000 euros, while a new offence committed within the next six months implies a fine of 40,000 euros. Businesses with a net turnover of over 1 million lei are facing fines of up to 1% of this figure, and of 3% if a new offence is committed within the next six months.  (CM)