Romania Introduces Government Cloud Legislation
30 June 2022
During the Government session of 27 June 2022, the Romanian executive adopted the Government Emergency Ordinance on implementing the Government Cloud Platform (“Cloud GEO”). The normative act was published in Official Gazette no. 638 of 28 June 2022 and entered into force on the same day.
The Cloud GEO sets the general framework for the establishment, management and development, at national level, of a hybrid cloud infrastructure, called the Government Cloud Platform (the “Platform”). Additionally, the Cloud GEO aims to improve and ensure the uninterrupted digitalisation of the Romanian public administration.
The authorities responsible for the Platform’s implementation are the Ministry of Research, Innovation and Digitization (“MCID”) and the Romanian Authority for Digitization (“ADR”), in cooperation with the Special Telecommunications Service (“STS”) and the Romanian Information Service (“SRI”).
Structure of the Platform
The Platform has two components: (a) a private cloud component, referred to by the Cloud GEO as the “Private Government Cloud”, and (b) certified public resources and services from other public or private clouds, referred to by the Cloud GEO as “cloud computing infrastructures within the Platform, other than the Private Government Cloud” (“Non-Private Government Cloud”).
The Cloud GEO defines the private cloud as being a way of organising the resources of a cloud computing system in which the services are used by a single cloud customer, and the resources are controlled by that customer. On the other hand, the public cloud is defined as a way of organising the resources of a cloud computing system in which the services are potentially available to any cloud customer, and the resources are controlled by the cloud service provider. Finally, the hybrid cloud encompasses both public and private clouds, being described as a way of organising the resources of a cloud system using at least two different types of cloud computing.
According to the provisions of the GEO, public entities whose systems are eligible to migrate to cloud services must comply with a cloud first policy (cloud first is defined by the GEO as the principle which considers the cloud before all other technologies, whether for a new project involving IT and communications solutions or for a technological upgrade of an existing IT system).
Both the Private and the Non-Private Government Clouds must have in their structure the following technical components (“Components”): (i) Basic cloud infrastructure; (ii) Infrastructure as a service (IaaS); (iii) Platform as a service (PaaS); (iv) Software as a service (SaaS).
Private Government Cloud:
▸ The aforementioned Components included in the Private Government Cloud are private property of the Romanian state, being under the administration of STS or ADR. If the acquisition of these property rights is not possible, at least the acquisition of the rights of use must be ensured.
▸ IaaS, PaaS and SaaS service administrators, as well as cybersecurity administrators, must ensure the logging of events and access to data hosted in the Private Government Cloud for periodic compliance audit.
Non-Private Government Cloud:
▸ The cloud computing infrastructures from the Non-Private Government Cloud must be implemented in order to provide a range of facilities, expressly provided by the Cloud GEO.
▸ Each cloud service must be ensured by at least two data nodes, organised as data centres, to facilitate resilient delivery of cloud services.
▸ Data centres may host private, public or hybrid cloud services.
The Platform’s Marketplace
On top of that, the Cloud GEO introduces the notion of “marketplace”, which represents a catalogue of cloud applications and services available in the Platform, that can also be developed by private companies, and which can be accessed by public authorities and institutions hosted in the Platform. This marketplace is managed by ADR. The applications available in the Platform can be accessed following the conclusion of an agreement between the cloud service providers and the hosted entities (e.g., public authorities and institutions) that purchase those applications.
In order to be able to provide services for public authorities, the private cloud infrastructures must comply with the requirements provided in the secondary legislation, such as: (i) the Guidelines on Cloud Governance and (ii) the standards on cloud services security. This secondary legislation will be adopted following the proposals made by the relevant public entities (e.g., MCID, ADR, STS, SRI), according to the provisions of the Cloud GEO (e.g., the Guidelines on Cloud Governance will be adopted not later than 90 days after the date of entry into force of the Cloud GEO, based on the proposal of MCID, ADR, STS and SRI).
Lastly, the Cloud GEO also contains provisions regarding the processing of personal data, according to which (i) all the processing activities must be made in accordance with the provisions of the GDPR or local laws, and (ii) the citizens will be immediately notified when public authorities access their data.
Financing the Platform
To implement the Platform and its IaaS, PaaS and SaaS components, and to provide the cybersecurity and database migration components, the authorities (e.g., ADR, STS and SRI) will organise public procurement procedures in accordance with the applicable Romanian public procurement legislation.