Authors: Adrian Cristea (senior associate), Adrian Zamfir (associate)
Given the current period and the risks that society as a whole is facing, not only in terms of health but also from an economic perspective, it is a good time to consider: (i) the concept of critical national infrastructure, (ii) the conditions under which a company might qualify as such, (iii) the process whereby a company could gain that status, and (iv) the obligations incumbent upon it once it is designated as such.
1. Relevant Definitions
What does critical national infrastructure actually mean? Pursuant to the law[1], there are several conditions that must be met in order for an element, system or component thereof to be identified as potential critical national infrastructure (“CNI”):
- It must be an element, system or component thereof. If we were to analyse the definition from a grammatical perspective, we would notice that the law considers a rather wide range of items that might qualify as CNIs which can include various targets of interest such as: hypermarkets, banks, certain specific networks necessary for activities, farms etc.
- It must be located on the territory of Romania.
- The element, system or component thereof is essential for maintaining vital functions of society and the health, safety, security, social or economic wellbeing of people.
- The disturbance or destruction of that element, system or component thereof must have a material impact at national level.
A similar definition is also given to the critical European infrastructure (“CEI”) – a critical national infrastructure whose disturbance or destruction might have a material impact on at least two member states of the European Union, hereinafter referred to as member states. The impact’s importance is assessed relative to cross-sector criteria. This includes the effects of cross-sector dependency on other types of infrastructures.
This article mainly considers CNIs, but where the impact is at EU level the infrastructure in question is a CEI. The rules presented below for CNIs also apply to CEIs, but the latter carry a series of additional obligations given their Union-level impact.
Another relevant definition is that of essential services. Pursuant to the law[2], essential services represent those services, facilities or activities that are or might be necessary to ensure a minimal life and wellbeing standard for society and whose degradation or interruption following a disturbance or destruction of the base physical system could materially affect the safety or security of the population and the operation of state institutions.
The definition of the PSO is also relevant (the name given under GEO no. 98/2010 to what is essentially a document, a security plan). The PSO is defined as the strategic planning document, operative in nature owing to its associated procedures, prepared for each designated CNI/CEI and intended for risk management at CNI/CEI level, which defines the CNI’s/CEI’s purpose, objectives, requirements and security measures. All CNIs must hold such a PSO.
2. Grouping Critical National Infrastructures into Sectors and Subsectors
The lawmaker has created a list of sectors and subsectors, given the wide range of areas where a critical national infrastructure can be encountered. For example, there are sectors such as “Food and agriculture”, under which hypermarkets and farms could be subsumed, or the “Information Technology and Communications” sector, which could include postal services, radio-TV broadcasting or Internet access infrastructures.
These sectors are further divided into subsectors. For example, the Financial-Banking sector is divided into five subsectors: Taxes and Levies, Insurance, Banks, Stock Exchange, Treasury and Payment Systems. All these sectors and subsectors can be found in Annex no. 1 to GEO no. 98/2010.
Depending on the relevant sector and subsector, there is an associated responsible public authority, which will have certain duties to fulfil as indicated in GEO no. 98/2010 in relation to its sector and subsector. For example, at the level of the “Food and agriculture” activity sector, the designated responsible public authorities are the Ministry of Agriculture and Rural Development and the National Sanitary – Veterinary and Food Safety Authority (“ANSVSA”).
The responsible public authorities have numerous duties concerning the application of the CNI legislation, among which: they establish the sectorial/cross-sector criteria and the related critical thresholds as of which an element can be deemed a CNI/CEI; coordinate the activities specific to the CNI/CEI identification process; approve the PSOs for the CNIs/CEIs under their responsibility; submit proposals to the Government for the designation of a certain infrastructure as CNI/CEI; and verify that the CNIs/CEIs comply with their obligations, among other duties.
The Identification of CNI/CEI:
- The responsible public authorities identify potential CNIs/CEIs that meet the sectorial and cross-sector criteria (please see the section on sectorial and cross-sector criteria below). Legal or private persons that conduct activities and provide essential services of national interest in relevant sectors and subsectors have the obligation to participate, at the request of the responsible public authorities or of the Ministry of Internal Affairs, in the identification and designation of CNIs/CEIs.
- Following the identification of potential CNIs/CEIs, the responsible public authorities propose to the Ministry of Internal Affairs, through the National Centre for the Coordination of the Protection of Critical Infrastructure, the designation of the respective infrastructure as being a CNI/CEI.
- The designation of the CNI/CEI is approved under a Government decision. The responsible public authorities inform the owner/operator/director (hereinafter referred to as the “Holders”) of the CNI/CEI of its designation as CNI/CEI within 10 days as of the coming into force of the designating legal act.
- Within 9 months as of the designation of an infrastructure as CNI/CEI, the Holders draw up the security plan (PSO), in which they identify the critical infrastructure elements of the CNI/CEI and the security solutions that exist or are to be applied for their protection. The plan is sent for approval to the responsible public authorities.
- The responsible public authorities carry out, together with the Holders of the CNI/CEI, an evaluation of the risks and threats to which the CNIs/CEIs are exposed, within a one-year term as of the designation of the critical infrastructure as CNI/CEI. The evaluation also contains proposals with respect to the need to improve the protection of the CNIs/CEIs designated within the subsectors and is submitted for approval to the prime minister. Subsequently, the evaluation is made on an annual basis.
It must be said that the current terms could be shortened under legislative amendments (GEO/law), especially if urgent circumstances require it.
3. Sectorial and cross-sector criteria based on which the CNIs/CEIs are identified as such:
The CNIs/CEIs are identified based on sectorial criteria that are applicable only to one particular sector, but also based on cross-sector criteria applicable to all sectors.
As concerns the sectorial criteria, they are established under orders of the responsible public authorities and are customized for each particular sector. For example, in the “Food and agriculture” sector, the sectorial criteria are established under the ANSVSA Order no. 117/519/2019 establishing the sectorial criteria and the critical thresholds corresponding to the CNI critical national infrastructure – “Food and agriculture”.
The aforementioned ANSVSA Order considers several aspects. For example, the following criteria would be relevant for hypermarkets: (i) they are critical points or elements belonging to economic operators or governmental bodies which, once affected or destroyed, may cause dysfunctions, vulnerabilities, risk factors, threats, states of danger or aggression that would have a major impact on the proper operation of society in its entirety; (ii) they are vital structures and, if the economic operator is prevented from operating them, this can prevent the population’s access to vital resources: agricultural and food processing and storage systems.
On the other hand, there are cross-sector criteria that are applicable to all sectors. These are: (i) the number of victims – evaluated by reference to the possible number of deaths and injuries; (ii) the impact on the economy – evaluated by reference to the importance of economic losses and/or to the degradation of products or services, including by reference to the possible effects on the environment; (iii) the effects on the population – evaluated depending on the impact on its trust, physical suffering and disturbance of everyday life, including the loss of essential services. The cross-sector criteria are not cumulative for the identification of the CNI/CEI.
4. The Obligations and Duties of Owners, Operators or Directors of the CNIs/CEIs
The Holders of CNIs/CEIs will have several obligations once the designation is in place, among which: they will have to nominate an officer to liaise with the responsible public authorities for the security of the critical infrastructure. Within a year of the designation of the CNI/CEI, the responsible public authorities and the CNI/CEI Holders will ensure the training of the liaison officers in charge of the CNI/CEI’s security and of the personnel in charge of certain duties regarding the protection of the critical infrastructures, in competent training and professional development educational institutions, pursuant to the law.
Furthermore, the Holders must prepare, for each CNI/CEI they are liable for, a security plan (PSO) that has an operative nature and in which they will define the purpose, material objectives, a risk analysis, and the security requirements and measures of the critical infrastructure.
Another important aspect is that they ensure the security of the infrastructure, implement vulnerability mitigation actions in relation to the critical infrastructure and ensure the financial resources required to organize and carry out the protective activities in relation thereto. Moreover, they inform the responsible public authorities with respect to any change that might impact the infrastructure.
All these obligations will become applicable only if a Government Decision is passed whereby the Government designates the respective target as being a CNI/CEI, and the breaching of such obligations may be sanctioned with fines varying from RON 2,000 to RON 30,000 depending on the actual breach.
To conclude, the concept of critical national infrastructure intuitively covers any element that is critical for the Romanian state and its population, and in whose absence the population could be faced with a crisis of any kind – energy, health, food supply, economic etc. It must be kept in mind that such regulation aims to ensure the continuity and safety of the respective target by its designation as CNI/CEI and by imposing the said obligations upon it, and does not intend to burden the potential CNIs/CEIs with pointless bureaucracy.
[1] Pursuant to art. 3 letter a) of GEO no. 98/2010 on the identification, designation and protection of critical infrastructures (“GEO no. 98/2010”)
[2] Art. 3 letter j) of GEO no. 98/2010