On 26.04.2023, the Council of Ministers has submitted for public consultation the draft law “On Cybersecurity” (the Draft Law), which is expected to repeal the existing Law no. 2/2017 “On Cybersecurity”.
The Draft Law is fully harmonized with the Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (NIS 1 Directive) and partially harmonized with the Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive).
The Draft Law aims to establish a legal framework by defining security measures in order to achieve a high level of cybersecurity and it clearly provides for the responsible authorities of cybersecurity such as:
National Responsible Authority for Cybersecurity, hereinafter referred as Authority, which is the most important public institution responsible for the implementation of the provisions of this Draft Law.
CSIRT – Computer Security Incident Response Team, that shall be organized as national CSIRT, sectoral CSIRT and CSIRT near information infrastructure operators.
One of the novelties presented in this Draft Law is the establishment of two new structures listed as follow:
National SOC – the body that monitors security at the national level; and
CERT – the new body established to face the emergency and cyber crisis situations.
Moreover, the guarantee of cybersecurity is foreseen to be provided through the regulation of cybersecurity certification in accordance with the certification schemes of the European Union and related procedures.
Furthermore, the Draft Law presents clear provisions related to the administration of cybersecurity including the strengthening of cybersecurity measures, the increase of supervision with regard to the implementation of the provisions of this Draft Law, risk management measures, as well as incident reports and voluntary reports.
The Authority verifies the cases that constitute an infringement of the provisions and applies the relevant sanctions. Failure to fulfill the obligations according to the provisions of this Draft Law shall be subject to a fine up to ALL 10 million, or the Authority may suspend the activity of the operator for an undetermined period.
Finally, the Draft Law brings into focus the increase of national and international cooperation for the strengthening of cybersecurity as well as the fulfillment of international obligations related to this field.
Comments are closed.