Cyber attacks are no longer an abstract threat, but an everyday reality that more and more companies are facing. From phishing emails to the complete lockdown of IT systems through ransomware or malware, the consequences can be extremely serious: financial losses, exposure of the personal data of customers and employees, business interruption, or damage to the company's reputation.
Most of the time, cybersecurity is perceived exclusively as the responsibility of IT departments. But in reality, it is part of a broader responsibility that belongs to the employer under labor law and data protection regulations. In Romania, Law No. 319/2006 on Occupational Health and Safety requires employers to ensure the health and safety of workers "in all aspects related to work."
With the rapid growth of technology, the approach to occupational safety and health has changed significantly. New ways of organizing work, such as teleworking, the introduction of artificial intelligence, or the use of virtual reality solutions, are fundamentally changing how employees relate to their jobs. In this context, occupational risk assessment must also include threats associated with the use of digital technology and equipment.
Employers have an obligation to provide adequate equipment, establish clear policies for its use, and ensure that employees receive appropriate training, both upon hiring and when equipment or work procedures change.
The protection of personal data is another essential component. Law No. 190/2018, which transposes the General Data Protection Regulation (GDPR) into Romanian law, adds clear requirements on how employers must manage their employees' personal data. Any security incident can result in significant administrative penalties, as well as damage to reputation or contractual liability towards employees or partners.
From a practical perspective, the employer's responsibilities include not only ensuring a secure IT infrastructure (through cryptography, strong passwords, protected networks, or data traffic monitoring), but also creating clear internal policies on the use of personal devices, access to information, and incident reporting. It is crucial that employees are trained regularly to recognize threats such as fraudulent emails, unsafe applications, or phishing attempts.
For essential or critical entities, regulated by Law No. 58/2023 and the NIS2 Directive and described in detail in this article, the inclusion of cyber risks in the overall risk assessment is a legal obligation. For other employers, even if there is no express regulation requiring this, including cyber risks in occupational health and safety analysis is a recommended good practice and appropriate to the current context.
One of the most effective prevention methods remains the ongoing training of employees, who must know how to recognize fake emails and websites, use strong passwords, avoid unsecured Wi-Fi networks, and comply with company security policies. At the same time, it is essential for organizations to implement software update policies, apply security patches in a timely manner, and adopt protection solutions such as multi-factor authentication, firewalls, and VPNs.
In conclusion, cybersecurity is no longer a luxury or an option—it is a legal obligation and an essential condition for the modern functioning of organizations. Protecting data, employees, and business depends on the collaboration of all stakeholders: employers, IT specialists, legal departments, and each individual employee.
A responsible employer does not limit itself to complying with legal provisions, but is actively involved in creating a safe working environment, adapted to current digital challenges. In this context, cybersecurity becomes an essential component. Implementing clear policies and providing adequate training to employees are not only preventive measures, but also essential tools for avoiding legal risks.
Our team is available to answer any questions you may have regarding the implementation of cybersecurity measures in relation to the legal obligations applicable to employers.
***
For further information on the technological aspects of cybersecurity or for specialized legal consulting in the digital field, we invite you to follow us on the Hațegan Attorneys Digital platform by checking out our website: www.hategandigital.com, where you'll find resources focused on the intersection between law and technology.