I. General context
One of the major objectives of the EU is reducing the vulnerabilities of critical infrastructure and increasing their resilience. An adequate level of protection must be ensured and the harmful effects of disruptions on the society and citizens must be limited as far as possible.
Critical infrastructures extend across many sectors of the economy, including communications, banking and finance, transport and distribution, energy, utilities, health, food supply, as well as key government services.
Critical infrastructure consists of physical and information technology facilities, networks, services and assets that, if disrupted or destroyed, would have a serious impact on the health, safety, security or economic well-being of citizens or the effective functioning of the government as a result of the failure to maintain those functions.
Threats to a single critical infrastructure can have a very significant impact on a broad range of actors in different infrastructures and more widely.
Moreover, the effects of those interdependencies are not limited to single countries. Many critical infrastructures have a cross border dimension. In addition to interdependencies between sectors, there are also many interdependencies within the same sector but across several European countries.
Critical Infrastructure Protection is therefore about ensuring that services vital to the society continue to function.
Therefore, at EU level the European Programme for Critical Infrastructure Protection (“EPCIP”) has been created. The programme aims to provide an all-hazards cross-sectoral approach (terrorism, criminal activities, natural disasters, etc.) across all EU States and in all relevant sectors of economic activity.
The Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (“Directive 2008/114/EC”) is the key pillar of the EPCIP and it has been transposed into Romanian legislation by Government Emergency Ordinance no. 98/2010 on the identification, designation and protection of critical infrastructures “GEO 98/2010”).
II. National legal framework for Critical Infrastructure Protection
GEO 98/2010 establishes a procedure for identifying and designating of both National Critical Infrastructures (“NCI”) and European Critical Infrastructures (“ECI”) and sets out a common approach for improving the protection thereof.
It also requires owners/operators/administrators of designated NCI to prepare Operator Security Plans (advanced business continuity plans) and nominate Security Liaison Officers (linking the owner/operator/administrator with the national authority responsible for critical infrastructure protection).
In order to improve the transposition of the Directive 2008/114/EC and to ensure a better correspondence with the same, Law no. 636/2018 amending and supplementing GEO 98/2010 (“Law 636/2018”) was enacted and published on August 3, 2018 in the Romanian Official Gazette. It will enter into force on September 3, 2018, except for the provisions of point 1.1 of Appendix no. 1 List of NCI sectors and public authorities in charge, where will enter into force on November 3, 2018.
III. Changes provided by Law 636/2018
The main changes provided by Law 636/2018 take better account of interdependencies between critical infrastructures, industry and state actors. The law also amends the list of sectors that potentially hold critical infrastructure.
The changes impact both public authorities responsible for critical infrastructure protection and the owner/operator/administrator of an NCI/ECI.
With respect to the owner/operator/administrator of an NCI/ECI, Law 636/2018 brings the following main changes:
(i) compulsory participation to the NCI/ECI identification and designation process;
(ii) establishment of new attributions and obligations;
(iii) compulsory training of all personnel that perform activities related to NCI/ECI protection.
As far as NCI/ECI responsible public authorities are concerned, Law 636/2018 brings the following main changes:
(i) supplementing the coordination attributions of the Prime Minister with regards to the activities of identifying, designating and protecting of NCI/ECI;
(ii) granting the Prime Minister the attribution to manage the Critical Infrastructure Protection activities and to issue decisions with regards to its attributions;
(iii) extending the Internal Affairs Ministry’s competencies with regards to the strategic planning, coordination, permanent monitoring and control of the Critical Infrastructure Protection responsible public authorities;
(iv) the Coordination Centre for Critical Infrastructure Protection is renamed as “National Coordination Centre for Critical Infrastructure Protection”;
(v) establishment of the general responsibilities of National Coordination Centre for Critical Infrastructure Protection and of the responsible public authorities;
(vi) clarifying the procedure for documents exchanges with the European Commission;
(vii) fines for breaching GEO 98/2010 became also applicable to public authorities in default.
Critical infrastructure protection is one of the major components of the national security. The amendments provided by Law 636/2018 strengthen the role of the NCI/ECI owner/operator/administrator and give new attributions and responsibilities to relevant public authorities, spanning the Prime Minister and Internal Affairs Ministry and the National Coordination Centre for Critical Infrastructure Protection.
This article contains general information and should not be considered as legal advice.