Breaches of Romanian cybersecurity legislation are sanctioned by a fine ranging from RON 3,000 to RON 50,000 (EUR 600 to EUR 10,000) or up to RON 100,000 (EUR 20,000) for repeated breaches.
For companies with a turnover exceeding RON 2m, the fine ranges from 0.5% to 2% of turnover, or even up to 5% of the turnover in case of repeated breaches.
For newly set up entities (without a reference turnover in the last approved/published financial statements) the fine ranges from one to 25 times the minimum wage.
Sanctions apply, inter alia, for:
- failure to self-notify for the purposes of registration in the Registry of operators of essential services;
- failure to respond to requests for information from CERT-RO;
- failure to implement measures imposed by CERT-RO to remedy deficiencies in cybersecurity;
- failure to implement measures for ensuring minimal security requirements;
- failure to implement adequate measures to prevent and mitigate the impact of cybersecurity incidents;
- failure to notify cybersecurity incidents or delayed notification;
- refusal to submit to a CERT-RO audit.
Before applying sanctions, the authorities will first serve a notice on the OES/DSP setting out the alleged breaches, the remedies to be taken within the related deadline, and the applicable sanction.
Breaches of telecom legislation (i.e. non-compliance with security requirements and incident reporting) are sanctioned by fines ranging from RON 5,000 to RON 60,000 (EUR 1,000 to EUR 12,000) or up to RON 100,000 (EUR 20,000) for repeated breaches.
For companies with a turnover exceeding RON 3m, such breaches are sanctioned by a fine amounting to 5% of the turnover, or even up to 10% of the turnover in case of repeated breaches.
Breaches of cybersecurity law do not trigger criminal liability (e.g. liability of OES/DSP).
Criminal sanctions are only applied to cybercrimes, for instance:
- Hacking (i.e. illegal access to a computer system);
- Disruption of computer systems;
- Computer fraud (e.g. deleting computer data);
- Unauthorised transfer of computer data.
The above criminal offences are punished by around one to seven years’ imprisonment for natural persons, a sanction that is commuted to an equivalent fine for legal persons.
Compensation can be sought for any material or non-material damage caused by violations of cyberlaw under the Romanian tort liability rules.