Introduction
The NIS2 Directive (Network and Information Security Directive 2) is the new European framework that strengthens cybersecurity requirements for critical entities, including financial institutions. Its transposition into national legislation is essential to ensure a high level of protection against cyber threats. In this article, we will analyze the conditions for applying NIS2 in Romania for financial institutions and the measures they need to implement for compliance.
The NIS2 Directive must be transposed into Romanian law by October 17, 2024, and will become applicable from that date.
Conditions for Applying the NIS2 Directive to Financial Institutions
According to the NIS2 Directive, financial institutions, including banks, payment institutions, insurers, and other regulated entities, are considered essential operators and are subject to strict cybersecurity requirements. In Romania, the transposition of the directive will specify the exact entities covered, but it is clear that the following categories will be affected:
- Banks and credit institutions
- Payment institutions and electronic money service providers
- Insurers and reinsurers
- Providers of financial market infrastructures
To fall under the scope of NIS2, these institutions must meet criteria related to their size, economic impact, and the risks associated with their digital operations.
Mandatory Measures for Compliance
Financial institutions must implement a series of measures to comply with the NIS2 Directive. These include:
1. Technical and Organizational Measures
- Implementation of a cybersecurity risk management system, based on the assessment of vulnerabilities and specific threats.
  - Example: The adoption of the NIST Cybersecurity Framework, which includes risk assessment, risk mitigation strategies, and continuous monitoring to detect and respond to cyber threats proactively.
- Encryption of sensitive data to prevent unauthorized access.
- Continuous monitoring of IT infrastructure to detect and respond quickly to incidents.
- Use of multi-factor authentication (MFA) to protect access to critical systems.
2. Incident Reporting Obligations
- Notification of cybersecurity incidents to the national competent authority no later than 24 hours after discovery.
- Submission of a detailed report within 72 hours.
- Periodic updates on the remediation measures implemented.
3. Ensuring Operational Continuity
- Development and regular testing of incident response plans.
  - Responsibility: The Chief Information Security Officer (CISO) or a designated cybersecurity team should be responsible for drafting, maintaining, and testing the incident response plan.
  - Implementation: The plan should include clear roles and responsibilities, escalation procedures, and coordination with regulatory authorities.
  - Testing: Regular simulations and audits should be conducted to evaluate the effectiveness of the response plan.
- Implementation of backup and data recovery systems to ensure business continuity.
- Simulations of cyberattacks to test response capabilities and defense mechanisms.
4. Supply Chain Management
- Evaluation and monitoring of IT service providers to reduce risks associated with external partners.
- Implementation of strict contractual clauses on cybersecurity in relationships with third parties.
  - Example: Contracts with third-party service providers should include requirements such as regular security audits, compliance with ISO/IEC 27001 standards, real-time security monitoring, and mandatory reporting of cybersecurity incidents within a specified timeframe.
5. Training and Awareness
- Organization of periodic training sessions for employees on cybersecurity best practices.
- Creation of an organizational culture focused on preventing cyberattacks.
Sanctions for Non-Compliance
Failure to implement the NIS2 Directive can result in severe sanctions for financial institutions, including:
- Administrative fines of up to 10 million euros or 2% of the total global annual turnover, whichever is higher.
- Binding instructions issued by the competent national authority, requiring immediate remediation of security deficiencies.
- Temporary or permanent suspension of certain services or activities in cases of serious non-compliance.
- Personal liability for senior management, including potential disqualification from holding leadership positions in case of gross negligence.
Competent Authority in Romania
In Romania, the institution responsible for overseeing compliance and applying sanctions under the NIS2 Directive is expected to be the National Cybersecurity Directorate (DNSC). DNSC will ensure that financial institutions adhere to the directive’s requirements and will impose penalties for non-compliance. Additionally, the National Bank of Romania (BNR) may also have supervisory responsibilities regarding financial institutions' cybersecurity measures.
Conclusion
The transposition of the NIS2 Directive in Romania will bring new responsibilities for financial institutions, which will need to strengthen their cybersecurity infrastructure. Implementing the measures mentioned above is essential for compliance and protecting digital assets against cyberattacks. Through a proactive strategy and adherence to applicable regulations, financial institutions can significantly reduce risks and ensure operational continuity in an increasingly complex digital environment.