The Romanian Cybersecurity Authority (DNSC) has recently published updates to the secondary legislation issued under Government Emergency Ordinance 155/2024 (transposing the NIS2 Directive).
The authority published the following draft documents:
- The updated version of the Order on notification for registration – available in Romanian here (Notification Order);
- The first version of the Order on the criteria and thresholds for determining the degree of service disruption and the assessment of risk level – available in Romanian here (Risk Assessment Order).
We reviewed the Notification Order, and most of the changes compared to the previous version appear to be formal. From our perspective, the only substantive change concerns the scenario in which, after this order is adopted, the DNSC electronic platform remains non-functional and unavailable for notifications. For this case, the Notification Order provides a procedure that differs slightly from the one in the previous version.
***
As for the Risk Assessment Order, it sets out the criteria and thresholds for determining the degree of service disruption. These are relevant for determining whether an organization falls under the Government Emergency Ordinance 155/2024 and whether it qualifies as an essential or important entity.
The criteria and thresholds are assessed based on their impact on the following factors:
a) fundamental rights and freedoms;
b) the national economy;
c) the health and life of individuals;
d) financial impact;
e) defense, public order, and national security;
f) cross-sectoral or cross-border impact.
In addition, since essential and important entities are required to submit a risk assessment to DNSC after being registered, the Risk Assessment Order outlines how this assessment should be carried out.
The risk level is calculated based on a score derived from certain criteria (e.g., entity size, sector of activity, types of cyberattacks). Calculations must take into account various types of attackers and cyber threats.
The risk levels are as follows:
• Basic level – risk score of 0–99 points
• Important level – risk score of 100–199 points
• Essential level – risk score of 200–1500 points
Entities will be able to perform a pre-assessment of their risk level using the ENIRE@RO tool, which can be downloaded from the DNSC websites (dnsc.ro and platformanis2.ro). Another important tool is NIS2@RO, which will be used to upload the final risk assessment.
We continue to monitor the evolution of such secondary legislation prepared by DNSC.