On 1 October 2024, the draft law on the resilience of critical entities was registered with the Romanian Chamber of Deputies for debate, after being adopted by the Senate.
The draft law was created to transpose into national legislation the provisions of EU Directive 2022/2557 of 14 December 2022 on the resilience of critical entities (Directive 2022/2557), which sets out the legal framework for identifying critical entities, supports them in building resilience, and improves cross-border cooperation between competent authorities in order to ensure the provision of essential services in the EU internal market.
EU member states have until 17 October 2024 to transpose and implement the provisions of the Directive 2022/2557 into national legislation.
Directive 2022/2557 repeals Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (Directive 2008/114/EC). Directive 2008/114/EC was transposed at the national level by Government Emergency Ordinance No. 98/2010 on the identification, designation and protection of critical infrastructures, approved with amendments by Law No. 18/2011 (GEO 98/2010) and by Government Decision 1110/2010.
In order to transpose the new Directive (2022/2557), however, several amendments and additions to the national framework are necessary.
The definition and identification of the critical entities
Critical entities are defined as public or private entities with legal personality, belonging to one of the categories specified in the draft law’s annex.
The criteria in the draft law for identifying critical entities are as follows:
– the entity provides one or more essential services;
– the entity operates and its critical infrastructure is located on Romanian national territory;
– should an incident occur, it would have significant disruptive effects on the provision of one or more essential services or on the provision of other essential services in the sectors set out in the draft law’s annex.
In the assessment of the above criteria, the following definitions are relevant:
– essential services are provided by the critical entity, and play an indispensable role in maintaining vital societal functions, economic activities, public health and safety, or the environment;
– critical infrastructure refers to an asset, facility, equipment, network or system, or to a part of an asset, facility, equipment, network or system, which is necessary for the provision of an essential service.
The following sectors are set out in the draft law’s annex: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration, space and production, processing and distribution of food.
All entities with legal personality under public or private law that carry out activities in the sectors and sub-sectors specified in the annex are obliged to participate in the process of identifying critical entities.
Single point of contact and sector competent authorities
The draft law designates the National Critical Infrastructure Protection Coordination Centre (CNCPIC) as the single point of contact for Romania.
The Sector Competent Authorities (SCAs) have the responsibility to ensure the provision on the domestic market of services essential to maintain the safety or security of the population and the functioning of state institutions and to support the critical entities operating in their regulatory area in the fulfilment of their obligations.
Specific rules
In order to implement the requirements of Directive 2022/2557, the draft law establishes specific rules on the following matters:
– the strategic framework on the resilience of critical entities;
– the criteria for determining the significance of a disruptive effect in order to identify critical entities;
– the risk assessments of critical entities and the resilience measures taken by them;
– background checks of certain persons performing sensitive functions within critical entities;
– notification of incidents that significantly disrupt or have the potential to disrupt the provision of essential services;
– identification of critical entities of particular importance to the EU;
– identifying violations and applying sanctions for non-compliance.
Exceptions and specific rules
The draft law excludes from its scope certain operators, such as public administration entities operating in the field of defence, public order and national security, including the investigation, detection and prosecution of criminal offences.
Additionally, certain specific rules apply to the banking sector, the financial market infrastructure sector and the digital infrastructure sector, which should achieve higher levels of resilience.
Sanctions
According to the draft law, non-compliance by the SCAs and those critical entities with specific obligations will qualify as misdemeanours. The CNCPIC and SCAs will be responsible for identifying offences and applying the sanctions outlined in the draft, which include fines of up to RON 30,000 (approximately EUR 6,000).
Conclusions
Entities should determine if they are likely to be recognised as a critical entity under the draft law and, if affirmative, they must become familiar with the requirements that apply to them and assess and review their plan for resilience.
Cristina Popescu, Partner, Head of CEE Insurance Practice Group CMS Cameron McKenna Nabarro Olswang LLP SCP
Carmen Turcu, Associate CMS Cameron McKenna Nabarro Olswang LLP SCP
Raluca Crețu, Associate CMS Cameron McKenna Nabarro Olswang LLP SCP