Romanian government adopted the strengthening of Romania’s cyber security and defense legislation, initiated by MCID

Romanian Government adopted the consolidation of Law 58/2023, initiated by the Ministry of Research, Innovation and Digitalization (MCID).

More precisely, the Government approved the Decision for the approval of the Methodological Norms regarding the request and communication of data and information provided for in art. 25 para. (1) from Law no. 58/2023 regarding the security and cyber defense of Romania, as well as for the modification and completion of some normative acts.

“A consolidated legislation in the field of cyber security is an imperative for the digital systems of public institutions. We need a clear legislative framework, with short deadlines, which will underpin a quick and efficient action by the empowered institutions. This was also evident in the recent situation of the computer attack that targeted the computer system of the Chamber of Deputies. The normative update adopted today by the Government of Romania provides that cyber security technical service providers will have quick deadlines to respond to requests for data and information regarding cyber security incidents, threats, risks or vulnerabilities. The provisions are aimed at ensuring the resilience and protection of networks and IT systems that support the functions of defense, national security, public order and governance”, stated the Minister of Digitization, Bogdan Ivan.

Combating the effects of cyber attacks is achieved through the rapid communication of the following elements:

• a. data that can help identify the threat vector or cyber attack;
• b. the purpose and/or motivation of the cyber threat or attack vector;
• c. data that can help contextualize and describe the incident targeted by the threat or attack vector;
• d. techniques, tactics and procedures used for illegitimate activities;
• e. technical indicators of illegitimate activities carried out by cyber threat or attack vectors or related to the development of the incident, identified in networks and computer systems;
• f. data and information that can help in evaluating and quantifying the impact of the incident in question or the potential impact of the risk;
• g. hardware and software solutions that may be affected; h. identified vulnerabilities, data and information regarding categories of victims and targeted or potentially affected entities.

MCID will intervene to strengthen the legislation in force whenever technological advances could make institutions’ IT systems vulnerable to cyber attacks.