The Romanian government has adopted two pieces of secondary legislation further to Romanian law 362/2018 (NIS Law):
• Government Decision no. 963/2020 for the approval of the List of essential services (GD 963/2020), which has been in force since 16 November 2020; and
• Government Decision no. 976/2020 on the approval of threshold values for establishing the significant disruptive effect of incidents on the networks and computer systems of essential service operators (GD 976/2020), which has been in force since 17 November 2020.
GD 963/2020 sets the list of essential services for each of the sectors mentioned in the Annex to the NIS Law. For example, the following list applies to digital infrastructure providers:
• IXP (internet exchange points): internet traffic exchange services;
• DNS (domain names servers): resolver DNS server operations, operations of DNS server uthorisation, priming;
• TLD (top level domains): .ro domain names management and hosting, top level domain (TLD) registration and allocation (.ro) and TLD (.ro) hosting services.
GD 976/2020 sets out the threshold values to be used in identifying the operators of essential services (OES). The thresholds are both intersectoral (i.e. applicable to all the seven sectors under the scope of the NIS Law) and sector-specific:
The intersectoral thresholds relate to:
• the number of users relying on the respective services, with the following threshold indicators: a minimum of 55,000 affected users or a minimum of 22,600 affected contracts;
• the dependency of other sectors: a minimum of two affected sectors or a minimum of three affected operators of essential services;
• the impact of the incidents in respect to their intensity and duration: a minimum one-hour duration or a minimum one Gbps intensity;
• the market share of the concerned entity: a minimum of 5%;
• the geographic distribution of the affected areas: a minimum one county, or a minimum three administrative units (out of which at least one is a city or town) or a minimum five administrative units that are not cities or towns, or a minimum two countries; and
• the importance of the concerned entity, taking into account the availability of alternative means to provide the service: a minimum one alternative means.
The sector-specific thresholds include concrete values for different criteria and metrics used for the activities in each sector.
Companies operating in the sectors that are in the scope of NIS law have had 30 days from the law’s enactment to assess both the list of essential services and the thresholds provided in order to decide if they qualify as an OES that must register with the national regulator (i.e. CERT-RO). Failure to comply with this requirement constitutes contravention and is punishable by fine.