13.02.2025

Cybersecurity. Vertical and horizontal effects of Emergency Ordinance No 155/2024

In the last days of 2024, the Romanian Government adopted Emergency Ordinance No. 155/2024 on the establishment of a framework for the cybersecurity of networks and information systems in the national civil cyberspace (GEO No. 155/2024). This Emergency Ordinance transposes, belatedly, Directive (EU) 2022/2555 of the European Parliament and of the Council of December 14, 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148, a directive known as NIS 2.

The NIS 2 Directive was adopted relatively shortly after the previous cybersecurity directive, Directive (EU) 2016/1148 or NIS 1. Rapid digital transformation, however, outpaced the security requirements of the NIS 1 Directive, and a reassessment of that legislative framework became necessary. The NIS 2 Directive proposes a new approach to the level of cybersecurity and an extension of its scope.

With regard to its scope of application, unlike the NIS 1 Directive, which applied only to operators of essential services and digital service providers, the NIS 2 Directive as transposed by GEO No. 155/2024 extends its reach and becomes applicable to both essential entities and important entities, i.e. large and medium-sized enterprises operating in certain sectors. A register of these entities is kept by the National Cyber Security Directorate ("DNSC").

GEO No. 155/2024 aims at a proactive, preventive approach to cybersecurity risks, as opposed to the old legislation, which took a rather reactive approach. One of the principles that will govern the application of GEO No. 155/2024 is that of empowerment and awareness, understood as a continuous effort by public and private entities to raise awareness of their individual role and responsibility in achieving a high common level of cybersecurity at national level. Art. 11 of the same Ordinance requires the entities it covers to take proportionate and appropriate technical, operational and organizational measures to identify, assess and manage the security risks related to the networks and information systems they use in the performance of their activities or the provision of their services, and to eliminate or, where appropriate, reduce the effects of incidents on the recipients of their services and on other services. Risk awareness thus becomes an essential component of cybersecurity: mere passivity is not permissible, and entities must adopt risk management measures. We will see in the remainder of this article that this obligation also has significant horizontal effects on business relationships.

Direct obligations on governing bodies. Essential and important entities are legal persons, i.e. legal fictions, which is why a number of obligations have been imposed directly on the management bodies of these entities, such as:

- the obligation to adopt cybersecurity risk management measures, to implement the orders adopted by the competent authorities, to supervise their implementation and to answer for their breach;

- the obligation to undergo accredited training to ensure sufficient knowledge and skills to identify risks and assess cybersecurity risk management practices and their impact on the services provided by the entity. The legal rule is not a model of clarity, as it does not stipulate whether those training courses must be successfully completed or merely attended;

- the obligation to establish permanent means of contact, to ensure the allocation of the resources necessary for implementing cybersecurity risk management measures and, where appropriate, to designate persons responsible for the security of networks and information systems, who are in charge of implementing and supervising cybersecurity risk management measures within the entity.

The general assembly is not considered a management body within the meaning of GEO No. 155/2024, so associates or shareholders, although they should be interested in preserving the cyber integrity of their business, are not subject to the above obligations.

Measures that can be taken against governing bodies. Where the management bodies fail to comply with the obligations incumbent on them under GEO No. 155/2024 and the deficiencies identified are not remedied, the DNSC may refer the matter to the competent authorities with a view to imposing a temporary ban on exercising a management function at the level of executive director or legal representative. We note that cyber resilience is becoming an important objective for the legislator, who claims intrusive mechanisms in the life of companies, going as far as imposing temporary bans on exercising a function that involves legal representation.

GEO No. 155/2024, however, has consequences not only vertically, i.e. in relation to the state authorities that may apply sanctions for infringements, but also horizontally, i.e. in the business relations conducted by essential and important entities. Horizontally, the pecuniary consequence could be that these entities are ordered to pay damages.

Contractually. The contracts that essential and important entities enter into bind them not only to what is expressly stipulated but, as Article 1272 of the Civil Code indicates, also to all the consequences that established practices between the parties, custom, law or equity attach to the contract. GEO No. 155/2024 obliges essential and important entities to identify, assess and manage risks and to take proportionate measures to achieve a level of cybersecurity. During the performance of the contract, cybersecurity incidents may occur that compromise the authenticity of e-mail communications, lead to failure to perform contractual obligations accurately, and so on.

Whether such an incident qualifies as a fortuitous event, for the purpose of obtaining exemption from contractual liability, will have to be assessed in the light of compliance with the requirements laid down in GEO No. 155/2024. To the extent that the risk was not identified, although it was identifiable, or the measures were not taken or were taken inadequately, the conclusion will most likely be that the incident is not a fortuitous event capable of exempting the entity from contractual liability, and the party affected by the cybersecurity incident, in addition to bearing the harmful consequences of that incident, will have to pay damages to its contractual partner.

In tort. Where a cybersecurity incident causes damage to third parties, the question of the entity's liability arises. GEO No. 155/2024 has effects on the analysis of the conditions of the wrongful act and of culpability. Art. 1349 of the Civil Code obliges every person to comply with the rules of conduct imposed by law or by local custom. In the case of essential and important entities, GEO No. 155/2024 imposes certain rules of conduct, among which the identification of cyber risks and the taking of appropriate measures. Failure to comply with these rules of conduct may lead to the omission being characterized as an unlawful act, and this passive attitude towards cybersecurity requirements may be characterized as culpable.

In conclusion, beyond the fines that may be imposed by state authorities, failure to comply with cybersecurity rules can expose essential and important entities to claims from injured parties.

Article signed by Daniel-Alexandru Aragea, Partner.