NIS: Fines of up to 100,000 lei or 5% of the turnover for non-compliance with European cybersecurity standards

Date: 2023-06-13

Nearly 900 business operators in Romania fall under the category of essential service providers and are therefore required to meet a high standard of cybersecurity in accordance with the Directive on the Security of Network and Information Systems (NIS), adopted by the European Union in 2016 and transposed into national law through Law no. 362/2018. Specifically, according to the National Cybersecurity Directorate (DNSC), 864 companies provide such services, and a quarter of them are located in Bucharest.

What does NIS specifically require?

Among the main requirements of NIS for companies are:

– Implementation of a robust data protection and confidentiality system. Companies must implement compliant technical solutions and develop appropriate policies and procedures to ensure data security and prevent unauthorized access or information leaks.

– Risk assessment and security incident management. It is essential for each company to assess and identify potential cybersecurity risks and develop suitable action plans to promptly and effectively address security incidents.

– Protection of critical infrastructure. Companies operating in critical sectors such as energy, telecommunications, or financial services must implement adequate security measures to protect their infrastructure from cyberattacks.

– Collaboration with authorities. Companies must actively cooperate with cybersecurity authorities and provide relevant information in the event of incidents or threats.

The legal regulations that create the framework for conducting activities in the digital environment have been implemented to protect critical infrastructure and ensure an adequate level of cybersecurity in EU member states. In this regard, Romanian authorities have issued the necessary technical regulations, detailed in Official Gazette no. 1142 of November 26, 2020, specifying the cybersecurity measures that essential service providers (OSE) must fulfill. Economic operators had until January 21, 2021, to notify the DNSC; after this date, they can still register, but only following an audit. The maximum deadline for implementing the security measures after the audit is 12 months.

What are the penalties for non-compliance with NIS?

If these measures are not complied with, companies risk substantial fines, according to the law. Fines for violating NIS regulations range from 3,000 lei to 50,000 lei, and in the case of repeated violations, the maximum limit can reach 100,000 lei. For companies with a turnover exceeding 2,000,000 lei, fines can represent between 0.5% and 2% of the turnover, and in the case of repeated violations, the maximum fine limit is 5% of the turnover. Of course, the company’s reputation can also be irreparably compromised in the event of an attack.

“The business information represents the business itself, and relevant data about know-how, contracts, partners, clients, suppliers, rates, benchmarks, margins, budgets, or indicators can be of interest to competitors or other organizations. Our clients have faced unwanted situations in the past, such as email spying, illicit payment requests in the name of decision-makers, and loss or alteration of company or partner data. They subsequently opted for the Swiss solution built from scratch to protect online privacy, Proton Business. Protecting information, ensuring confidentiality, and data integrity should be a major concern for companies because the stakes of a cyber attack are enormous,” said Ciprian Pocovnicu, cybersecurity expert with over 20 years of experience in the field.

4 out of 5 companies globally have suffered losses due to cybersecurity breaches in supplier ecosystems (Source: Acronis Cyberthreats Report Mid-year 2021).

The Proton Business suite, which ensures information security and confidentiality, meets the specific requirements of the NIS Directive through military-grade encryption of data in transit and at rest, including emails, files, contacts, and calendars, using manageable private encryption keys and encrypting internet traffic. Proton AG is based in Geneva, in a politically neutral climate, and the data is stored encrypted in Switzerland under the protection of the world’s strongest privacy laws.