Legal & Tax Alerts

New procedures for application of NIS law

The recently published NIS Law[1], transposing the European NIS Directive[2], requires the adoption of a comprehensive set of secondary national implementing regulations. To this end, methodological norms setting out the procedures for identifying operators of essential services and digital service providers, for the purpose of their registration in the Register of operators of essential services/Register of digital service providers, have recently been adopted and published in the Official Gazette[3] (the “Methodological norms”).

As a reminder, under the NIS Law an operator of essential services is an entity, public or private, that carries out the activities set forth in the NIS Law (in sectors such as energy, banking, financial market infrastructures or digital infrastructure) and provides a service which is essential in supporting societal and/or economic activities of great importance, if the supply of the service depends on a network or on information systems and would be significantly disrupted in case of an incident.

I. The identification as operator of essential services requires the completion of the following stages:

1. Identifying the essential services. In order to establish the essential nature of a provided service, the operator or other entity that falls under the scope of the norm proceeds to assess the importance of the service, to identify the method used for providing the services, as well as to establish the disruptive effects in case of an incident[4].

2. CERT-RO[5] notification by the operators of essential services. In this stage, operators of essential services notify CERT-RO for the purpose of their registration in the Register of operators of essential services, by filling in and signing the notification for registration in the Register. The notification must be accompanied by an audit report attesting the fulfillment of the minimum security conditions.

3. The evaluation and registration of operators of essential services. In accordance with the Methodological norms, during the last stage for the identification as operator of essential services, the request and potential documents enclosed are analyzed by the National Authority for the Security of Networks and Information Systems within CERT-RO, the latter being able to require further documents.

II. The identification as digital service provider requires the completion of the following stages:

1. The identification of digital services provided. For the purpose of the identification of digital services, the economic operator or other entity that provides digital services proceeds to establish the organizational category, to identify the digital service provided and to establish the category of digital service provided.

2. The communication of digital service provider data to CERT-RO. Following the self-assessment, the digital service provider will designate, according to the Methodological norms, the persons responsible for the security of networks and information systems, who are also responsible for monitoring the contact channels and ensuring the relationship with the National Authority for the Security of Networks and Information Systems.

3. The evaluation and evidence of digital services providers. As a last stage in the identification of digital services providers, CERT-RO proceeds to evaluate the digital service provider’s request, as well as potential documents enclosed, being able, at the same time, to require further documents.


[1] Law No 362/2018 concerning ensuring a high common level of security of network and information systems, published within the Official Gazette, Part I no. 21 dated January 9th 2019, as subsequently amended and completed;

[2] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, published within the Official Journal, series L, no. 194 dated July 19th 2016;

[3] Order no. 599/2019 for the approval of Methodological norms on the identification of operators of essential services and digital service providers, published in the Official Gazette, Part I, No 584 dated July 17th, 2019;

[4] Order no. 601/2019 for the approval of the Methodology of establishing the disruptive effects in case of incidents at the level of the networks and information systems of operators of essential services was also recently published within the Official Gazette, Part I no. 590 dated July 18th, 2019;

[5] Romanian National Computer Security Incident Response Team.
