Deadlines established by GEO 155/2024 regarding the application in Romania of the NIS2 Directive

According to Emergency Ordinance no. 155/2024, issued by the Romanian Government, which transposes the provisions of the NIS2 Directive into Romanian law, essential and important entities have a series of specific obligations to ensure cybersecurity, with clear deadlines for compliance. These measures are intended to align Romania with European cybersecurity standards.

To keep all stakeholders informed, we present below the obligations applicable to essential and important entities and the deadlines provided for each of them:

1. Notification and identification

• Term: 30 days from the entry into force of the ordinance or 30 days from the issuance by the National Cyber Security Directorate (DNSC) of the requirements regarding the notification process for registration and the method of transmitting information.

• Obligation:

o Entities must notify the National Cyber Security Directorate (DNSC) for registration in the register of essential/important entities.

2. Implementation of risk management measures

• Term: 6 months from registration in the DNSC registry.

• Obligation:

o Conducting a risk analysis.

o Implementing technical and organizational measures to manage the risks associated with networks and information systems.

3. Incident reporting

• Term:

o 24 hours for initial notification to DNSC in case of major incidents.

o 72 hours to submit a detailed report.

• Obligation:

o Reporting incidents that have a significant impact on the services provided.

4. Developing security policies

• Term: 120 days from registration.

• Obligation:

o Developing and adopting an internal cybersecurity policy, according to the norms approved by DNSC.

5. Security audit

• Term: 1 year after registration and every 2 years thereafter.

• Obligation:

o Conducting an external audit on the state of cybersecurity.

o Transmitting the audit report to DNSC.

6. Designation of a cybersecurity officer

• Term: 30 days from registration.

• Obligation:

o Appointing a person responsible for coordinating cybersecurity measures and processes.

7. Staff training

• Term: 12 months from registration.

• Obligation:

o Regularly organizing training sessions for employees on protection against and management of cyber risks.

8. Participation in cybersecurity exercises

• Term: According to the calendar established by DNSC.

• Obligation:

o Participation in simulations or exercises coordinated by DNSC to test incident response capacity.

GEO 155/2024 also provides for a series of sanctions for failure to comply with these obligations:

• Administrative fines calculated based on the severity of the violation and the impact on national security.

• Suspension of activity in cases of serious or continuous non-compliance with the imposed measures.

In addition, GEO 155/2024 establishes a series of deadlines that the National Cyber Security Directorate (DNSC) must respect in order to implement and supervise cybersecurity measures at national level.

The main deadlines provided for the DNSC activities are:

• 15 days from the entry into force of the ordinance:

o Establishing requirements for the registration notification process and the method of submitting information.

• 20 days from the entry into force of the ordinance:

o Development and approval of the list of sectors, subsectors and types of essential and important entities.

• 60 days from receipt of registration notification:

o Issuance of the decision to identify and register essential entities.

• 150 days from receipt of registration notification:

o Issuance of the decision to identify and register important entities.

• 120 days from the entry into force of the ordinance:

o Development and approval of the following rules and regulations:

– Risk management measures.

– Methodological norms regarding incident reporting.

– Technical rules on the compatibility and interoperability of systems, procedures and methods used by CSIRTs and the criteria for determining the number of qualified persons.

– The minimum package of CSIRT services.

– Regulation on the authorization and verification of CSIRTs, the validity conditions for the granted authorizations and the topics for training CSIRT staff.

– Implementing rules and methodology for risk-based prioritization of supervision, verification and control activities.

– Regulation on the authorization, verification and revocation of cybersecurity training service providers for auditors and CSIRTs and the validity conditions for the authorizations granted to them.

– Rules for the implementation of the provisions on supervision, verification and control for CSIRTs, CSIRT-specific service providers, as well as for cybersecurity auditors.

– Regulation on the certification and verification of cybersecurity auditors and the validity conditions for the certificates granted.

• 180 days from the entry into force of the ordinance:

o Development and approval of the national peacetime cybersecurity crisis management plan.

o Approval of topics for auditor specialization for certification.

o Approval of topics for the specialization of CSIRT staff for authorization.

• 3 months after the adoption of the national cybersecurity strategy:

o Transmission of the strategy to the European Commission.

Safetech specialists are at your disposal with a complete portfolio of services and solutions to ensure compliance with the NIS2 Directive.

To quickly verify your organization’s compliance with the requirements of the NIS2 Directive, Safetech provides you with two online questionnaires. The first questionnaire assesses whether or not the organization falls under the scope of the NIS2 Directive and the second assesses the degree of readiness of an organization for compliance with the NIS2 Directive.

For information about ensuring compliance with the NIS2 Directive, please contact us at sales@safetech.ro or by phone at +40 21 316 0565.