Abstract
While the proposal for a Network and Information Security Directive (NIS Directive) was still entangled in the legislative process, EU member states started adopting cybersecurity laws. These laws largely follow the philosophy of the NIS Directive and aim at establishing a culture of security across operators of essential services and digital service providers, including providers of banking, energy, transport, financial infrastructure, health and drinking water. These laws are often based on key legal principles, such as non-discrimination and proportionality. However, the compatibility of the newly adopted laws with the human rights framework enshrined in EU treaties as well as in the Council of Europe conventions is subject to discussion. Following this observation, this chapter reflects on the legislative processes and substantive provisions of cybersecurity laws in Lithuania and Romania. An in-depth analysis of the recent developments in the two countries and of the interaction between national and European Union legal frameworks unveils several inconsistencies in the application of EU data protection principles. In analysing regulatory and legal issues concerning cybersecurity policy, the chapter employs two different approaches to examine Lithuanian and Romanian cybersecurity laws. The first approach entails an analysis of these laws as “good regulation”, drawing on the concept of the regulatory scholars Robert Baldwin and Martin Cave. The second approach considers the scope of potential limitations which the two cybersecurity laws can impose on human rights. These findings will be complemented by questions which require further research from a social science point of view.