​The government wants to pass a bill on Wednesday that would ban the use and purchase of anti-virus products and services from organizations originating from or controlled by Russia, on the grounds that in the context of a war between Ukraine and Russia, this software could be used for cyberattacks. The explanatory note cites the Russian companies Kaspersky and Group-IB as an example.

• VIEW THE DRAFT LAW AND THE FUND HERE

Why do they want to ban IT programs and products in Russia?

In the explanatory note to the draft law, it is stated that in the conditions of the war of aggression against Ukraine, more and more member states of the European Union are issuing recommendations or normative acts of an imperative nature, by which they oblige their authorities and the public. institutions to change their anti-virus solutions if they use those from Kaspersky Lab, as there is a risk that Russia could use this software for a cyberattack.

• “For example, the German BSI (Federal Office for Information Security) warns that the risk may be greater for companies in the field of basic infrastructures.
• BSI says that all German companies using AV solutions or other types of software from Kaspersky would do well to move away from them and use third-party software.
• BSI explains that anti-virus solutions maintain constant, encrypted and unverified communication with the vendor’s servers to continuously update virus definitions.
• There are fears that confidential files can be extracted from computers using the company’s solutions to be sent to the servers of Kaspersky and other Russian companies.
• In Italy, Franco Gabrielli, secretary of state to the president of the Council of Ministers, told the Senate that the government in Rome is working on a set of rules that would allow government agencies to remove software developed by the Russian company Kaspersky2. Meanwhile, the regulation was adopted.
• According to some public data published in the media, Bucharest City Hall organized a tender for the purchase of Kaspersky Endpoint Security For Business-Select antivirus for 1,200 devices with maintenance for 12 months.
• The press service of the mayor’s office reported that the city hall has been using Kaspersky antivirus since 2012.
• Many government agencies and local government agencies purchase Russian anti-virus programs because of the low prices and distribution through the Joint Information System for a Highly Effective Public Procurement Environment (SICAP).
• The presence of Russian anti-virus software is a vulnerability for the cybersecurity of Romanian authorities and institutions, as these programs take over important functions of networks and computer systems, creating relationships of interdependence.
• In the context in which the Russian Federation also uses cyber attacks against Western countries and uses its national companies and Russian citizens in various ways in the war against Ukraine, violating all norms of international law in this matter, Romania cannot consider that the presence of Russian IT products and services in the national cyber infrastructure,” the document states.

Which products, IT solutions and companies will be banned: the name list will be updated every six months

The draft law states in Art. 2 that “it is prohibited to purchase, install and use the following software products and services by state bodies and institutions:

• a) products for device security, endpoint security;
• b) anti-virus software and programs;
• c) anti-malware applications and software, web application firewall, firewall as a
• service;
• d) virtual private networks;
• (e) detection and response systems for endpoints.’

According to the draft law, a business entity that is under the direct or indirect control of a natural or legal person from the Russian Federation is considered to be one that is in at least one of the following situations:

• a) one or more individuals or legal entities from the Russian Federation own, individually or jointly, directly or indirectly, a qualified share of at least 25% of the voting rights of the relevant operator;
• b) one or more individuals or legal entities from the Russian Federation own, directly or indirectly, the majority of voting rights at the general meeting of the relevant operator;
• c) as an associate or shareholder of the relevant operator, a natural or legal person from the Russian Federation has the authority to appoint or recall the majority of members of administrative, management or supervisory bodies;
• d) one or more individuals or legal entities from the Russian Federation finance the operator in any way, directly or indirectly;
• e) one or more individuals or legal entities from the Russian Federation promise, offer or provide money or other benefits to the operator.

Within 15 days after the entry into force of this law, the Minister of Digitalization shall issue an order regarding the criteria for establishing and the nominal list of prohibited products, services and manufacturing and/or suppliers, which shall be updated every six months or as necessary, as the case may be.

Also in this term, the order of the Minister of Research, Innovation and Digitalization will establish the procedure, methods and tools for stopping the use of prohibited products and services.

Within 60 days from the moment of entry into force of the ministerial order, all prohibited products and services will be disconnected, respectively, removed from the networks and IT systems of state authorities and institutions.

Within 30 days from the date of entry into force of the above-mentioned ministerial order, state bodies and institutions will begin the procedure for purchasing compatible and legal software products and services.

What will be the sanctions and which institutions will be exempted from these obligations

Purchase, installation and use of prohibited products and services, as well as failure to remove or disconnect products and

prohibited services will be considered a violation and will be punished by a fine of 50,000 to 200,000 lei.

However, not all institutions will be obliged to comply with this law.

When they come into force, the provisions of the law will not apply to authorities and government agencies with their own national security, cyber security (not SRI, STS or DNSC), national defense and public order powers. .

After approval by the Government, the draft law will be sent to the Verkhovna Rada for discussion and approval.