
Network and computer systems security. Implementation of the NIS directive in Romania, Volume 1 (Securitatea retelelor si a sistemelor informatice. Implementarea directivei NIS in Romania, Volumul 1)

Price: 100,00 Lei (93,00 Lei with the 7% discount)

ISBN: 978-606-28-1431-1

DOI: https://doi.org/10.5682/9786062814311

Publication year: 2022

Edition: I

Pages: 452

Publisher: Editura Universitara

Authors: Marius Dumitrescu, Daniela Simionovici

MARIUS DUMITRESCU has a degree in Political Science, a master's degree in Marketing and over 18 years of experience in the implementation and management of medical and pharmaceutical software solutions. Since 2018 he has been the founder and President of the Association of Specialists in Confidentiality and Data Protection from Romania (ASCPD), a member of IAPP and IAPP Romania Knowledge Chapter Co-Chair 2022/2023.
In 2018 he graduated from the long-term postgraduate studies on data protection at the Faculty of Economic Sciences, Law and Administration - Data Protection Center in Targu-Mures, Romania. Since 2018 he has been Managing Partner and Data Management and Compliance Solutions Specialist at NeoPrivacy Romania, holding a PECB DPO Certification. He is the editorial director of two online publications, one for professionals in the field of personal data protection and security (www.dpo-net.ro) and another addressed to the medical and pharmaceutical community in Romania (www.health.ro). He is the author and co-author of numerous articles published in the Romanian Magazine for Personal Data Security and Protection (Juridical Universe), Curierul Judiciar and juridice.ro. He is a trainer and PECB Certified Trainer, participating in several educational sessions on data protection, data security, ISO standards and organizational management. He is actively involved in the organization of national and international conferences on data protection, pharmacoeconomics and health management.


DANIELA SIMIONOVICI graduated from the Stefan cel Mare University in Suceava, majoring in Social Work, and holds a master's degree in counseling and human resources administration from the same university. She graduated from the "Personal Data Protection" postgraduate course organized by the Faculty of Law and Administrative Sciences of the same university in Suceava. She is the vice-president of the Association of Specialists in Confidentiality and Data Protection from Romania - ASCPD, is registered as a PECB Certified DPO and obtained the title of "Best DPO in Romania" together with the North East DPO Romania Team in Targu Mures, in June 2019. She offers consulting in the field of implementation of the General Data Protection Regulation (GDPR) and also offers the services of Outsourced Personal Data Protection Officer (DPO). She is a Senior Partner of Neoprivacy Romania and a member of the GDPR, ISO, SCIM and NIS consulting and implementation team. She constantly participates in seminars, debates and conferences dedicated to the protection of personal data and the NIS Directive and shares her experience by writing articles and books dedicated to the field of data protection and NIS from the practitioner's perspective.

About the authors / 5
A word before / 15
Thanks / 19
Introduction / 23

Chapter I. General considerations / 27
I.1. What is the NIS Directive and why is it important? / 29
I.1.1. Council Directive 2008/114/EC of December 8, 2008 regarding the identification and designation of critical European infrastructures and the assessment of the need to improve their protection / 30
I.1.1.1. Evaluation study of Council Directive 2008/114/EC of December 8, 2008 regarding the identification and designation of European critical infrastructures and the assessment of the need to improve their protection / 32
I.2. Why is Law no. 362/2018 transposing the NIS Directive in Romania? / 41
I.2.1. Transposition of the Directive in Romania / 42
I.3. Who is covered by Law no. 362/2018 transposing the NIS Directive in Romania? / 46

Chapter II. National Cyber Security Directorate - DNSC / 49
II.1. Responsibilities and principles of the National Cyber Security Directorate / 52
II.1.1. Responsibilities of DNSC / 52
II.1.2. DNSC Principles / 53
II.2. The objectives of the National Cyber Security Directorate / 54
II.3. The functions and attributions of the National Cyber Security Directorate / 55
II.3.a. Strategy and planning / 55
II.3.b. The function of competent authority at national level for regulation, supervision and control / 56
II.3.c. The function of national CSIRT / 56
II.3.d. The function of governmental CSIRT / 57
II.3.e. The function of coordination, implementation, guidance and support of the sectorial CSIRTs / 58
II.3.f. The function of the cyber security incident response team for IT products and services used in the government sector / 58
II.3.g. The alerting, prevention, awareness and training function / 58
II.3.h. Cooperation and collaboration function / 59
II.3.i. The function of national certification authority regarding cyber security / 60
II.3.j. The function of ensuring compliance and a unified approach to cyber security within cyber infrastructures / 60
II.3.k. Representation function / 61
II.3.l. Research-development function / 61
II.3.m. Analysis and forecast function / 61
II.3.n. The function of identifying, evaluating, monitoring and mitigating cyber risks at the national level / 61
II.3.o. The function of the national center for the management of crises of a cyber nature during peacetime / 62
II.3.p. The cyber security evaluation function of new technologies / 62
II.3.q. Evaluation and certification function / 62
II.3.r. Education and training function in the field of cyber security / 63
II.3.s. Project and service management function / 63
II.4. Attributions of the leadership of the National Cyber Security Directorate / 63
II.4.1. Attributions of DNSC leadership / 64
II.4.1.1. The responsibilities of the DNSC director / 64
II.4.2. DNSC Steering Committee / 64
II.4.2.1. Attributions and competences of the DNSC Steering Committee / 65
II.4.3. Regulatory Committee / 65
II.4.4. Financing / 66
II.4.5. Authorization of civil laboratories / 67
II.4.5.1. Verification activity of civil laboratories / 67
II.5. Organization of the Register of essential service operators / 69
II.5.1. Creation of the register / 69
II.5.2. Use of the registry / 69
II.5.2.1. General rules regarding registration in ROSE, modification, deletion and protection of registered information / 70


Chapter III. Essential service operators and digital service providers / 71
III.1. Operators of essential services / 73
III.1.1. Registration in the Register of essential service operators / 74
III.1.2. Deletion from the Register of essential service operators / 75
III.1.3. Attributions of the NIS - OSE Manager / 75
III.1.4. Obligations of operators of essential services / 76
III.2. Digital service providers / 77
III.2.1. Obligations of digital service providers / 77
III.2.2. Duties of the NIS - FSD Manager / 79
III.3. Intervention teams in case of computer security incidents / 79
III.3.1. Obligations of intervention teams in case of computer security incidents / 79

Chapter IV. The stages of implementation of the provisions of Law no. 362/2018 / 81
IV.1. The principles of Law no. 362/2018 / 83
IV.2. The identification process of essential service operators (OSE) / 83
IV.2.1. Stage 1. Identification of essential services / 85
IV.2.1.1. Step 1 - Cataloging the importance of the service / 86
IV.2.1.2. Step 2 - Identifying the service delivery method / 87
IV.2.1.3. Step 3 - Establishing the effect of service disruption in the event of an incident / 88
Phase 1. Evaluation according to the cross-sectoral criteria / 90
Conclusions regarding the assessment of the degree of disruption according to the intersectoral criteria / 96
Phase 2. Evaluation according to sectoral criteria and threshold values / 96
Conclusions regarding the assessment of the degree of disruption according to the specific sectoral criteria / 107
IV.2.2. Stage 2. DNSC notification by operators of essential services / 107
IV.2.3. Stage 3. Evaluation and registration of operators of essential services / 108
IV.3. The process of identification of digital service providers (FSD) / 109
IV.3.1. Stage 1. Identification of the digital services provided / 111
IV.3.1.1. Step 1 - Establishing the organizational category / 111
IV.3.1.2. Step 2 - Identification of the digital service provided / 112
IV.3.1.3. Step 3 - Establishing the category of the digital service provided / 113
IV.3.2. Stage 2. Communication of digital service provider data to DNSC / 114
IV.3.3. Stage 3. Registration of digital service providers / 114
IV.3.3.1. Changes and additions regarding the record of digital service providers/ 115
IV.3.3.2. Deletion of digital service providers from the record / 115

Chapter V. Technical and organizational security measures / 117
V.1. The minimum security requirements for ensuring the security of networks and IT systems / 199
V.1.1. Notification of security incidents / 119
V.1.1.1. Notification terms / 120
V.1.2. Security incident management / 120
V.1.3. Security audit of networks and IT systems belonging to essential service operators or digital service providers / 121
V.1.4. Authorization of CSIRT teams serving networks and IT systems in the category of essential services and digital services / 122
V.2. Preparation and management of documented procedures / 123
V.2.1. Management of documented procedures / 123
V.2.2. Why do we need documented procedures? / 126
V.2.3. How is a documented procedure carried out? / 126
V.2.4. Establishment of procedural activities / 127
V.2.5. Development of documented procedures / 128
V.2.5.1. The actual content of the procedure / 128
V.2.5.2. Description of the procedure / 129
V.2.5.2.1. Recommendations regarding the correct description of the procedure / 129

Chapter VI. Control of the fulfillment of security obligations and the application of sanctions / 133
VI.1. The minimum requirements for ensuring the security of networks and IT systems / 135
VI.1.1. Governance / 135
VI.1.2. Protection / 139
VI.1.3. Cyber defense / 143
VI.1.4. Resilience / 145
VI.2. Application of sanctions / 148

Chapter VII. The proposal for the NIS 2.0 Directive and its major implications / 169
VII.1. The obligation of institutional independence of DNSC vis-à-vis the entities established by Directive NIS 2.0 / 171
VII.2. The changes brought by the NIS Directive 2.0 / 172
VII.2.1. NIS 2.0 Directive and Law no. 362/2018 will also apply to the public administration / 173

Chapter VIII. Security incident response plan / 177
VIII.1. General considerations / 179
VIII.2. Stages of a security incident response plan / 179
VIII.2.1. How do we recognize a security incident? / 180
VIII.2.2. Security incident management team / 180
VIII.2.3. Chronology of events in case of a security incident / 181
VIII.2.4. Discovery and reporting of a security incident / 182
VIII.2.4.1. When is it considered that the operator "took notice" of the occurrence of a security incident? / 182
VIII.2.5. Types of incidents that should be reported / 183
VIII.2.6. Identification of security incidents / 185
VIII.2.7. Involvement of management and IT departments / compliance / 185
VIII.2.8. Emergency notifications / 188
VIII.2.9. Initial activities / 188
VIII.2.9.1. Isolation of the security incident / 189
VIII.2.9.2. Cyber insurance and the outsourcing of security incident response services / 190
VIII.2.9.3. Documentation and opening of security incident reports / 190
VIII.2.9.4. Establishment of the incident management team and analysis of alternative plans / 190
VIII.2.10. Post incident activities / 191
VIII.2.10.1. Analysis and planning / 191
VIII.2.10.2. Investigation / 192
VIII.2.10.3. Risk reduction and adoption of corrective measures / 193
VIII.2.10.4. Notification / 194
VIII.2.10.5. Closing the open file for the security incident / 194
VIII.2.10.6. Reporting / 195

Chapter IX. Case study - Identification as OSE and SE according to Law NIS / 197
IX.1. General considerations / 199
IX.1.1. Does the entity operate in one or more of the sectors/subsectors provided in the Annex to the NIS Law? / 199
The list of sectors and subsectors that fall under the incidence of Law NIS / 199
Primary assessment sheet / 200
The list of types of entities falling under the scope of the NIS Law / 200
IX.1.2. Is a special law (lex specialis) applicable? / 207
Legislative inventory / 207
Special legislative inventory / 207
IX.1.3. Does the operator provide an "essential service" within the meaning of the NIS Directive? / 208
Internal analysis of the importance of the service provided / 210
IX.1.4. Does the service depend on a network and computer systems? / 212
Internal analysis of the dependence of services on a network and IT systems / 212
IX.1.5. Would a security incident have a significant disruptive effect? / 214
IX.1.5.1. Evaluation of the degree of disruption of SENIS provision according to the intersectoral criteria / 214
Number of users relying on services / 215
Dependence of other sectors on the service provided / 217
The impact the incidents could have on economic and societal activities or public safety / 222
Market share / 224
Geographical distribution regarding the area that could be affected by an incident / 226
The importance of the entity for maintaining a sufficient level of service, taking into account the availability of alternative means for providing the service / 228
IX.1.5.2. Evaluation of the degree of disruption of SENIS provision according to the sectoral criteria and threshold values / 229
Energy Sector – A÷C / 230
In the table below, we have included only the sector codes for which explicit threshold values are provided: / 230
Transport Sector – D÷G / 232
Banking Sector – H / 236
Financial Market Infrastructures Sector – I / 237
Health Sector – J / 238
Drinking water supply and distribution sector - K / 238
Digital Infrastructure Sector – L / 240

APPENDICES / 243
Annex 1. Sectors of activity and types of entities / 245
Annex 2. Diagram of the process of identification of operators of essential services / 249
Appendix 3. List of Essential Services approved by Decision no. 963 of November 5, 2020 / 251
Annex 4. Criteria and threshold values, intersectoral and sectoral. / 259
Threshold values corresponding to intersectoral criteria / 260
Sectoral criteria and threshold values / 261
Sector: Energy. Subsector: Electricity. Sectoral/subsectoral code: A / 261
Sector: Energy. Subsector: Petroleum. Sector/sub-sector code: B / 262
Sector: Energy. Subsector: Natural gas. Sector/sub-sector code: C / 263
Sector: Transport. Subsector: Air transport. Sector/sub-sector code: D / 265
Sector: Transport. Subsector: Rail transport. Sector/subsector code: E / 266
Sector: Transport. Subsector: Water transport. Sector/sub-sector code: F / 267
Sector: Transport. Subsector: Road transport. Sector/sub-sector code: G / 269
Sector: Banking. Subsector: -. Sectoral/subsectoral code: H / 270
Sector: Financial market infrastructures. Subsector: -. Sectoral/subsectoral code: I / 271
Sector: Health. Subsector: Medical assistance institutions (including hospitals and private clinics). Sector/subsector code: J / 271
Sector: Supply and distribution of drinking water. Subsector: -. Sector/sub-sector code: K / 272
Sector: Digital infrastructure. Subsector: -. Sectoral/subsectoral code: L / 273
Appendix 5. OSE / SE indicative list for threshold values "0" / 275
Appendix 6. List of the most frequent cyber security threats / 319
Annex 7. List of types of entities that fall under the incidence of Law NIS / 322
Appendix 8. Forms used in relation to DNSC / 329
APPENDIX no. 2 to the rules: Assistance form for the identification of operators of essential services / 330
APPENDIX no. 3 to the rules: Assistance form for the deletion process of the operator of essential services / 332
APPENDIX no. 4 to the rules: Notification regarding registration in the Register of essential service operators / 333
APPENDIX no. 5 to the rules: Notification regarding the modification/completion of data from the Register of essential services operators / 335
APPENDIX no. 6 to the rules: Notification regarding deletion from the Register of essential service operators / 337
APPENDIX no. 7 to the rules: Declaration on one's own responsibility regarding the fulfillment of the minimum security requirements for registration in the Register of operators of essential services / 339
APPENDIX no. 11 to the rules: Communication regarding the data of the digital service provider and the list of responsible persons NIS / 340
APPENDIX no. 12 of the rules: Communication regarding the modification/completion of data of digital service providers / 342
APPENDIX no. 13 to the rules: Communication regarding the deletion of the digital service provider / 344
DAICMS (Self-assessment documentation of the fulfillment of minimum security requirements) / 346
Appendix 9. Indicative list of procedures regarding IT security / 350
Annex 10. Model of "Response procedure in case of a security incident" / 354
Appendix 11. The most frequent risks regarding cyber security / 368
Appendix 12. Indications regarding a possible infection of the computer / laptop / 374
Annex 13. Model - Risk analysis for the self-assessment of meeting the minimum security requirements / 376
Annex 14. Model - Decision appointing the Responsible NIS / 384
Appendix 15. Initial self-assessment checklist of entities under the NIS aspect / 385
Glossary of terms and abbreviations / 405
Bibliography / 441

More than four years after the entry into force of EU Directive no. 2016/1148 (NIS Directive) and over three years after its transposition by Law no. 362/2018 on ensuring a common high level of security of networks and IT systems, Romania has made tangible progress in the implementation process.
However, the success of the implementation does not only depend on the new legislative regulations, but also on the effective ability of essential service operators, digital service providers and those responsible for the implementation of NIS at the level of the targeted entities to understand, interpret and apply the legal provisions, technical norms and related methodologies. Moreover, it is important that the specialists can correctly appreciate the implications of the application of these provisions, through the lens of other relevant normative acts.
For this, an in-depth analysis is needed, the acquisition of new skills and specific knowledge regarding the way of implementing the NIS Directive in Romania and a deep cultural change on the part of everyone. Practically, we need to study again, to have access to detailed case studies and to the in-depth knowledge of recognized experts in the field.
Written in the form of a detailed and pragmatic guide, this superb material for the implementation of the NIS Directive elaborates on hundreds of very well written pages the concrete experience in the field of the two authors.
In a clear and very well presented form, the work provides a variety of explanations, guidelines, recommendations, but also supporting materials, being one of the extremely necessary publications today for all those involved in the implementation of the NIS Directive.
I am pleasantly surprised by the technical level, the pragmatism of the ideas and recommendations expressed in the published material. The material explains in detail and with practical examples key elements of the responsibilities of essential service operators and digital service providers, as well as details regarding the stages of implementation of Law no. 362/2018 by them or the technical and organizational security measures that must be applied. Effectively, each chapter gives us the opportunity to apply and implement in practice the provisions of the directive.
Moreover, the paper also covers a series of elements regarding the NIS 2.0 Directive, with the objective of anticipating and preparing the reader for the new obligations deriving from the natural evolution of the directive.
I believe that "Security of networks and computer systems - Implementation of the NIS Directive in Romania" is one of the essential tools for specialists in the field, which I warmly recommend to be used starting today.

Dan Cimpean
Director General of
National Cyber Security Directorate - DNSC
Bucharest, 2021
