President Klaus Iohannis promulgated, on Tuesday, the law regarding the cyber security and defense of Romania, as well as for the amending and completion of some normative acts, write Agerpres.
The law provides for the establishment of the National Cyber Security System in order to organize and carry out specific activities in a unitary manner at the national level.
The normative act establishes the legal and institutional framework regarding the organization and development of activities in the fields of cyber security and defense, the cooperation mechanisms and the responsibilities of the institutions with attributions.
„Cyber security and defense is achieved by adopting and implementing policies and measures for the purpose of knowing, preventing and countering vulnerabilities, risks and threats in cyberspace,” the law states.
In order to organize and carry out in a unitary manner at the national level the activities specific to cyber security, the National Cyber Security System (SNSC) is established as a general cooperation framework that brings together the authorities with responsibilities and capabilities in the fields of law enforcement, in order to coordinate actions at the national level to ensure cyber security.
The normative act applies in the field of cyber security for:
a) networks and computer systems owned, organized, administered, used or under the competence of public authorities and institutions in the field of defense, public order, national security, justice, emergency situations, the Office of the National Registry of State Secret Information;
b) computer networks and systems owned by natural and legal persons under private law and used to provide electronic communications services to central and local public administration authorities and institutions;
c) networks and IT systems owned, organized, administered or used by authorities and institutions of the central and local public administration, other than those previously provided for in letter a), as well as natural and legal persons who carry out for-profit and non-profit activities of research, development, innovation and production in the field of information and communication technology or provide public services or of public interest, other than those from letter b).
The persons who are responsible for these networks and IT systems have the obligation to notify cyber security incidents through the National Platform for Reporting Cyber Security Incidents (PNRISC), immediately, but no later than 48 hours after discovering the incident. If the cyber security incidents cannot be fully communicated within this term, they are transmitted within 5 calendar days at most from the initial notification, the information can be supplemented later with those that emerge from the investigations carried out on the basis of the event.”
According to the law, „providers of technical cyber security services have the obligation to make available to the authorities (…), upon their reasoned request, within a maximum of 48 hours from the date of receiving the request, data and information regarding incidents, respectively within a maximum of 5 days from the date of receiving the request regarding threats, risks or vulnerabilities whose manifestation may affect a network or an IT system, as well as their interconnection with third parties and end users”.
The Ombudsman, the Save Romania Union (USR) MPs and the Forta Dreptei party notified the Constitutional Court of Romania (CCR) with this normative act. The Court rejected the complaints of unconstitutionality as unfounded.