Romania does not yet have a standalone AI-specific legal framework. The legal landscape governing AI systems is therefore shaped by a combination of national laws of general application, EU regulations directly applicable at national level (eg, EU AI Act, Regulation (EU) 2024/1689), and sector-specific legislation.

Sector-Specific Legislation

• Contract law: Standard principles set by the Romanian Civil Code regarding legal capacity, valid will and lawful causa also apply to agreements involving AI systems. For agentic AI systems that autonomously enter transactions, the legal analysis centres on mandate (mandat) and agency principles under the same Romanian Civil Code. 
• Tort and product liability: Damage caused by AI systems may engage the liability of the developer, deployer, or operator under general tort principles under the Romanian Civil Code. Strict liability applies to damage caused by things under a person’s custody, which may encompass AI systems treated as “things”. Product liability in Romania is governed by Law No 240/2004 transposing the EU Product Liability Directive (85/374/EEC). AI embedded in products may trigger strict liability for the producer where the AI renders the product defective.
• Data protection: AI systems processing personal data must comply with all the GDPR principles. Additional obligations related to the processing of biometric data or employee monitoring are envisaged by Law No 190/2018 implementing the GDPR.   
• Copyright law: As per Law No 8/1996 on copyright and neighbouring rights (“Romanian Copyright Law”), a work must be the result of the author’s own intellectual creation, which entails a human author. AI-generated outputs may therefore lack copyright protection unless sufficient human creative input is demonstrated. Similarly, Law No 64/1991 on patents (“Romanian Patent Law”) requires a human inventor.
• Product safety: AI-enabled products must comply with the requirements of the EU General Product Safety Regulation (Regulation (EU) 2023/988) directly applicable in Romania. 
• Employment law: The use of AI in hiring, performance monitoring, and termination decisions must comply with anti-discrimination requirements under Government Ordinance No 137/2000 (preventing and sanctioning all forms of discrimination) and Law No 202/2002 (equal opportunities for women and men). Works council consultation requirements may also arise where AI-driven changes affect working conditions. 
• Consumer protection: Romanian consumer protection law (including Government Ordinance No 21/1992 and Law No 193/2000 on unfair terms in consumer contracts) applies to AI-powered products and services offered to consumers. The Unfair Commercial Practices Directive (transposed into Romanian law) may be engaged where AI is used in misleading or aggressive commercial practices, including personalised pricing or dark patterns. 
• Criminal law: The Romanian Criminal Code (Law No 286/2009) applies to AI-related conduct where it meets the elements of established offences, such as fraud, forgery, or offences against a person. Cybercrime offences under Law No 161/2003 (transposing the Budapest Convention) are relevant where AI is used as a tool for committing cyber-offences. The use of deepfakes for fraud or defamation may engage existing criminal provisions, though legislative provisions specifically addressing AI-generated synthetic media are not yet in force.

Romania has an established a growing technology sector, with Bucharest, Cluj-Napoca, Timișoara and Iași serving as major IT hubs. AI applications in Romania span several key industries, including the following.

Financial Services

• Romanian banks and fintech companies deploy traditional machine learning models for credit scoring, fraud detection, and AML compliance.
• Foundation models and large language models (LLMs) are increasingly being piloted for customer service automation, document processing, and regulatory reporting.

Healthcare

• AI is tested in diagnostic imaging, patient triage, and administrative efficiency in Romanian hospitals.
• Several Romanian start-ups have developed AI-powered diagnostic tools, particularly in radiology and pathology. 
• Romania’s National Health Insurance House (CNAS) has explored AI solutions for claims management.

Telecommunications and Technology

Major telecommunications operators in Romania currently test deployment of AI for network optimisation, predictive maintenance, and customer experience personalisation.

Manufacturing and Automotive

The use of AI is tested in robotics for quality control, predictive maintenance, and production line optimisation.

Retail and E-Commerce

• Romanian retailers and e-commerce platforms employ AI for recommendation engines, demand forecasting, dynamic pricing, and supply chain optimisation.
• Generative AI is increasingly used for marketing content creation and customer service chatbots.

Cross-Industry Initiatives

There are also various cross-industry initiatives. The Romanian AI Hub (RAHIM), academic institutions such as the Politehnica University (Bucharest) and Babeș-Bolyai University (Cluj-Napoca), and various public-private partnerships contribute to cross-industry AI research and development. Romania is also a participant in the European Digital Innovation Hubs (EDIHs) network, which supports SMEs in adopting AI technologies.

The Romanian Government has taken several steps to facilitate AI innovation, such as the following.

National Strategy

The National Strategy on Artificial Intelligence for 2024–2027 adopted by the government identifies priority sectors (healthcare, agriculture, public administration, manufacturing, and cybersecurity) and sets out objectives relating to research and development, education and skills, data infrastructure, and ethical use of AI.

Investment and Funding

Key funding streams include the National Recovery and Resilience Plan and funding programmes, such as Horizon Europe and Digital Europe. These instruments cover projects related to AI research, digital infrastructure, skills development and the adoption of advanced technologies by both public authorities and private entities (including start-ups).

Besides the above:

• The Romanian Innovation and Technology Transfer Hub (RIHUB) supports start-ups and SMEs in accessing funding for AI projects.
• Also, the “Efficient Public Administration through Advanced Technologies” (co-financed through the European Regional Development Fund and the national budget) supports public-sector digitalisation.
• The “RO AI Factory” project seeks to provide advanced computing infrastructure and services to support AI development across academia, industry and the public sector.
• Several Romanian universities have established dedicated AI and data science programmes. The government has supported initiatives to expand the IT talent pipeline through digital skills programmes and partnerships with the private sector. Romania’s strong mathematics and computer science tradition provides a favourable foundation for AI talent development. 

Romania follows a hybrid regulatory philosophy shaped primarily by the EU AI Act. Romania’s approach can be characterised as a risk-based, human-centric, and innovation-compatible hybrid model.

Still, Romania currently lacks a comprehensive domestic AI law, with few domestic legal AI initiatives under discussion. National efforts focus on institutional implementation, rather than substantive divergence.

Hence, overall, Romania remains EU-driven rather than nationally proactive, with relatively limited domestic regulatory detail.

Romania is a member of the OECD and has endorsed the OECD Principles on Artificial Intelligence. Romania is also a signatory to the Council of Europe Framework Convention on Artificial Intelligence and Human Rights, Democracy, and the Rule of Law (adopted in 2024), the first binding international treaty on AI. These international commitments inform Romania’s approach to AI governance. 

Romania does not currently have a standalone, comprehensive AI statute; instead, it applies the EU AI Act, which is directly applicable and forms the core of AI regulation.

Romania has issued several non-binding policy documents and guidelines relevant to AI. Details are included in 5.2 Regulatory Directives.

Timeline for Application

Romania follows the direct applicability timeline of the EU AI Act.

Romania does not set a separate national timeline, but is currently lagging in institutional readiness, with some implementation milestones (eg, designation of authorities) delayed beyond EU deadlines.

Designation of Competent Authorities and Notified Bodies

On 12 March 2026, the Romanian government adopted a memorandum on the designation of competent national authorities and the establishment of the single national contact point for the application of the EU AI Act. Details are included in 5.1 Regulatory Agencies.

National Complementary Measures

Draft legislation is under discussion to operationalise the EU AI Act and formalise institutional roles.

However, Romania has not adopted significant substantive deviations from the EU AI Act.

Regulatory Sandboxes

Romania is currently in an early/planning phase, and no fully operational national sandbox has been confirmed as yet.

Implementation is expected through national authorities and integration with EU-level initiatives. 

This is not applicable in Romania.

Copyright

Romania has transposed the Directive on Copyright and Related Rights in the Digital Single Market (Directive (EU) 2019/790) through amendments to the Romanian Copyright Law. The transposition includes the text and data mining (TDM) exceptions set out in Articles 3 and 4 of the Directive. Article 3 provides a mandatory exception for TDM carried out by research organisations and cultural heritage institutions for scientific research purposes. Article 4 provides a broader exception for TDM, subject to the right of right holders to reserve their rights (opt-out). These exceptions are directly relevant to AI training, as the ingestion of large datasets of copyrighted works for the purpose of training machine-learning models may constitute TDM.

Data Protection

General GDPR principles and existing guidance on automated decision-making apply. Romania’snational implementing legislation (Law No 190/2018) supplements the GDPR.

Web Scraping

Web scraping is not addressed specifically in Romanian legislation. The legality of web scraping in Romania is assessed under general principles of contract law (terms of service), data protection law, copyright law, and potentially the Computer Fraud Directive provisions transposed into Romanian law. The TDM exceptions under the DSM Directive may provide a defence for certain scraping activities conducted for training purposes, subject to the opt-out mechanism.

Synthetic Data

Synthetic data is not specifically addressed by Romanian legislation. The use of synthetic data in AI training is assessed under general GDPR principles.

Romania does not currently have standalone national proposals, including specifically targeting agentic AI or autonomous agents.

Romania does not yet have a meaningful body of published judicial decisions specifically addressing AI-related legal issues, as the Romanian court system has not, to date, produced landmark rulings on topics such as AI inventorship, copyright in AI-generated works, or liability for autonomous AI systems.

Still, the legal framework relies heavily on the jurisprudence of the Court of Justice of the European Union (CJEU), such as CJEU decisions on data protection, automated decision-making, copyright, and product liability.

The overall market surveillance authority and single point of contact for the EU AI Act is the National Authority for Management and Regulation in Communications (ANCOM).

The following sectoral authorities have been also designated:

• the Financial Supervisory Authority (ASF) and the National Bank of Romania (BNR) – for high-risk AI systems placed on the market, put into service or used by financial institutions;
• the National Supervisory Authority for Personal Data Processing (ANSPDCP) – for high-risk AI systems in the field of biometrics, law enforcement, migration, asylum or border control management, and in the administration of justice and democratic processes;
• the Authority for the Digitalization of Romania (ADR) – assessment, designation and notification and monitoring of conformity assessment bodies;
• the National Cyber Security Directorate (DNSC) – for aspects relating to the security, confidentiality, integrity, availability and resilience of elements within the national civil cyberspace;
• the Labor Inspectorate – for high-risk AI systems connected to technical equipment, and equipment and protective systems intended for use in potentially explosive atmospheres;
• the National Authority for Consumer Protection – for high-risk AI systems connected to toy safety;
• the Romanian Naval Authority – for high-risk AI systems connected to recreational craft and personal watercraft;
• the State Inspectorate for the Control of Boilers, Pressure Vessels and Lifting Installations – for high-risk AI systems connected to lifts and safety components for lifts, cableway installations and appliances burning gaseous fuels;
• the National Authority for Management and Regulation in Communications and the National Authority for Consumer Protection – for high-risk AI systems connected to the radio equipment market; and
• the National Agency for Medicines and Medical Devices of Romania – for high-risk AI systems connected to medical devices and in-vitro diagnostic medical devices.

At a general level, the Romanian government’s AI Strategy includes non-binding recommendations for ethical AI development and deployment, drawing on the EU’s Ethics Guidelines for Trustworthy AI developed by the High-Level Expert Group on Artificial Intelligence. 

Besides this, there are also several industry-specific guidelines which incidentally touch AI-related matters, such as: the guidelines on automated decision-making and profiling – which provides practical direction for organisations deploying AI systems that process personal data (data protection);  recommendations regarding operational resilience; and technology risk management in the banking sector; which have implications for AI deployment by credit institutions (Banling), etc. 

In any case, once the EU AI Act enters its application phases it is expected that the Romanian regulatory agencies will issue more detailed sectoral guidance on AI compliance, particularly in relation to high-risk AI systems in specific/sensitive areas (eg, financial services, healthcare and public administration).

There do not appear to have been any AI-specific enforcement actions by Romanian regulatory authorities. This reflects the early stage of AI regulation in Romania and the fact that the EU AI Act’s enforcement provisions are not yet fully applicable. 

Basically, AI enforcement in Romania currently occurs indirectly, based on GDPR, consumer and sectoral rules.

No national standards on this matter have been issued as yet.

The ISO/IEC 42001 (AI management system), ISO/IEC 23894 (AI risk management), and ISO/IEC 22989 (AI concepts and terminology) are also recognised in Romania. Compliance with ISO/IEC 42001 is increasingly seen as a benchmark for AI governance in organisations operating in Romania.

While IEEE standards are not formally adopted as Romanian or European standards, they serve as reference points for enterprises developing AI systems.

The Romanian government has repeatedly expressed ambitions to deploy AI in public administration, though implementation remains at an early stage.

The known use cases of AI systems by government agencies include:

• ION – AI Government Adviser –
1. it was deployed by the Romanian government in 2023; and
2. it collects citizen input from social media and online submissions in order to aggregate opinions and detect trends for policymakers.
• ANA – AI chatbot of the National Agency for Fiscal Administration (ANAF) –
1. deployed by the ANAF in 2025/2026 (still in pilot phase); and
2. AI-powered virtual assistant for taxpayers providing information on tax obligations and guidance for individuals.
• AI/RPA system for processing EU funding application –
1. deployed by the Agency for Financing Rural Investments (AFIR);
2. it uses AI-driven robotic process automation (RPA) to retrieve documents from state databases and process applications for EU funding; and
3. it automates land registry checks and judicial record retrieval.
• Cross-government automation (multiple ministries) –
1. it provides RPA/AI automation across 18 central institutions, implemented by the government via national digitalisation programs (PNRR); and
2. it automates administrative processes such as document handling, data entry and internal workflows.
• Municipal/local government AI (pilot use cases) –
1. it provides AI for citizen petitions and image analysis used by Romanian municipalities (pilot/research-backed deployments); and
2. it helps authorities to prioritise responses and speed up administrative (re)action.

There do not presently appear to be any Romanian judicial decisions specifically addressing the use of AI by government agencies.

Romania does not currently have a standalone, comprehensive law specifically regulating AI in national security and defence.

Three national strategies collectively establish a policy framework which, while not constituting binding AI-specific regulation, defines the institutional priorities, action plans, and governance directions for AI in the defence and security domain.

National Strategies Adopted in Romania

Romania has taken steps to develop a national AI strategy and governance framework, as follows:

Romania’snational AI strategy

In 2024, Romania adopted the National Strategy in the Field of Artificial Intelligence for 2024–2027. The Strategy’s action plan includes a specific program entitled “Adoption and exploitation of AI in the defence, public order, and national security system” providing for the following key measures:

• accelerating the implementation of AI, by funding AI research and development within institutions in the defence, public order and national security sectors, as well as encouraging investment in AI research and development relevant to defence, public order and national security, and developing and implementing solutions in collaboration with the relevant industry;
• continued participation in existing projects and accession to new projects within NATO (eg, NAEW&C, ACCS, AGS, ballistic missile defence capabilities) and consolidating Romania’s participation in PESCO and all European defence programmes;
• continuous adaptation of the national legislative framework to attract European funding through European defence industry instruments/programmes; and
• developing capabilities for preventing, detecting, and countering threats and risk factors generated by AI against national security, both in the digital security and critical cyber-infrastructure dimension, and in countering hostile information interference.

The Strategy’s inter-institutional commission responsible for monitoring and evaluating implementation includes the Romanian Intelligence Service (“SRI”), the Foreign Intelligence Service (“SIE”), the Special Telecommunications Service (“STS”), and the National Directorate for Cybersecurity (“DNSC”), alongside core ministries and agencies.

Romania’s National Defence Strategy

In 2025, Romania adopted the National Defence Strategy for 2025–2030 (approved by Government Decision No 48/2025). The Strategy:

• calls for the development of national capabilities for responding to cyber-attacks, including through the integration of new technologies, in particular artificial intelligence, and for increased co-operation between public, private and academic sectors in this domain; and
• states the following, among its national security objectives: “creating new technologies and accelerating scientific research and innovation, in particular in strategically important domains, developing and managing artificial intelligence, including through the exploitation of EU programs, as well as ensuring the security of scientific research as a measure to protect the knowledge ecosystem”.

Romania’s National Strategy for the Defence Industry

In 2024, Romania adopted the National Strategy for the Defence Industry for 2024–2030. It focuses on the modernisation, re-technologisation and development of Romania’s national defence industrial base. The Strategy states, among other things, that:

• the integration of emerging technologies, such as artificial intelligence and automation, requires new protection standards and counter-measures within the defence industry context; and
• in the section on strategic directions for re-technologisation and modernisation of defence production capacities, the Strategy lists among its specific objectives: “conducting research in related subfields: nanomaterials, smart materials, robotics, and artificial intelligence”.

NATO and International Commitments

Romania is a NATO member, and as such, its defence AI initiatives are also shaped by:

• NATO’s AI Strategy and Responsible AI Principles, adopted in 2021, which set out principles of lawfulness, responsibility, explainability, traceability, reliability and governability for AI in defence.
• Romania’s participation in NATO co-operative programmes, which may impose additional interoperability and standards compliance requirements on AI systems used in a defence context.

Romania does not yet have AI-specific national legislation targeting generative AI. The legal framework is composed of the EU AI Act, GDPR and national laws in the intellectual property sector.

Accordingly, legal challenges posed by generative AI are addressed through a hybrid framework combining EU rules and national IP/data protection law. For aspects pertaining to IP, see 16. Intellectual Property, while for aspects pertaining to data protection, see 17. Data Protection.

Additionally, liability for harmful outputs of generative AI systems (including defamatory content, misinformation and IP-infringing material) is assessed under Romanian tort law, product liability law, and sector-specific legislation. The allocation of liability between the provider of the foundation model, the deployer and the end-user is a developing area of law.

The use of AI in the Romanian legal profession is expanding but cautious, with a focus on legal research, contract review and analysis, due diligence, and document automation. Romanian law firms adopted a “human-in-the-loop” approach, where AI is a support tool, and lawyers retain full legal and ethical responsibility for their work.

The use of generative AI in legal practice raises concerns as it introduces significant risks, such as:

• hallucinations and reliability issues;
• confidentiality breaches; and
• unauthorised legal practice concerns.

Nevertheless, the general existing ethical obligations of Romanian lawyers, including duties of competence, diligence, confidentiality and independence, apply to the use of AI tools. Lawyers remain personally responsible for the accuracy and quality of the advice provided, regardless of whether AI tools were used in its preparation.

Romania does not yet have a dedicated AI liability regime. Liability for AI-caused harm is governed by:

• the Romanian Civil Code; and
• EU-derived regimes (applicable in Romania) on –
1. product liability rules; and
2. e-commerce/intermediary liability.

Adaptation of Traditional Legal Doctrines to AI Systems

As a result, liability is currently addressed through the adaptation of traditional legal doctrines to AI systems.

Product liability for defective AI systems

• Law No 240/2004 on producer liability for defective products establishes the strict liability of producers.
• Applicability to AI: AI systems may qualify as: (i) products (software increasingly recognised as such under EU reforms) or (ii) components integrated into products (eg, medical devices, vehicles).
• A product is defective if it does not provide the safety a person is entitled to expect. As for AI systems, aspects that may qualify as defects include incorrect outputs, unpredictable behaviour and bias leading to harm.
• Challenges: given that AI systems evolve (machine learning updates), it is difficult to define concepts such as “expected safety” or ”normal behaviour”.

Negligence (fault-based liability)

• Under the Romanian Civil Code, liability arises where a person commits a wrongful act that causes damage with fault (intent or negligence).
• Application to AI: developers may be liable for design flaws while deployers, for misuse of AI systems.
• Challenges: determining fault in complex AI systems as there are multiple actors involved in their life cycle.

Strict liability regimes

• Strict liability exists in limited cases, such as liability for defective products and/or liability for dangerous activities (in certain contexts).
• Applicability to AI: currently, there is no general strict liability for AI. However, high-risk AI (eg, medical, infrastructure) may indirectly fall under sector-specific strict regimes.

Vicarious liability

• Under the Romanian Civil Code, employers are liable for the acts of employees performed in the course of employment.
• Application to AI: given that the AI system is not a legal person and it cannot bear liability itself, liability remains with employers using AI systems and organisations deploying AI systems.

Liability for AI-generated content

• AI-generated content may produce false statements about individuals.
• Since Romanian law protects honour, dignity and reputation, liability may arise for (i) the publisher (person/entity disseminating content), and/or (ii) the platform (in limited cases, depending on knowledge/control).
• Online platforms may benefit from limited liability if they lack knowledge of illegal content and they act promptly upon notice.

Intellectual property infringement

• Under the Copyright Law, AI outputs may infringe copyright and related rights.
• Liability may fall on the user generating the content or the developer (in some cases, depending on design).

Key Evidentiary Challenges

• Opacity (“Black Box” problem): AI systems often lack explainability. This complicates proof of fault and/or proof of defect.
• Access to evidence: Affected persons may not have access to training data or model architecture, thus creating difficulties in gathering evidence.
• Burden of proof: Under Romanian law, the claimant must prove the damage, the defect and the causation link. This may prove difficult in AI system cases given the involvement of multiple actors (eg, causation becomes fragmented – no single actor is clearly responsible). Additionally, AI systems produce non-deterministic outcomes, which makes it harder to prove direct causal link.

The liability provisions of the Civil Code (liability for things under custody) and the product liability regime offer the most direct routes for AI liability claims, but their application to complex AI systems is yet to be tested before courts of law. In the absence of specific Romanian AI-oriented legislation, the most significant regulatory developments on AI liability still originate at EU level. Thus, the revised Product Liability Directive (Directive (EU) 2024/2853), adopted in 2024, expressly extends strict product liability to software and AI systems. Romania is required to transpose this Directive by 9 December 2026. Once transposed, this will hopefully provide a clear strict liability regime for damage caused by defective AI systems, including provisions on the burden of proof and a rebuttable presumption of defectiveness in certain circumstances. 

Romanian law does not yet contain specific provisions addressing agentic AI, and the legal analysis must therefore proceed from existing general principles and the EU AI Act framework.

The Civil Code provisions on mandate and agency may be applied by analogy, though they were designed for human agents not AI tools, so the applicability of these principles is yet to be tested before a court of law.

Allocation of Liability Among Developers, Deployers and Users

• General aspects: Romania currently relies on general legal frameworks, as there is no AI-specific liability regime. Thus, under Romanian law, liability for harm caused by autonomous AI systems could be allocated based on general tort principles, product liability, and the specific circumstances of each case.
• A developer may be liable under product liability if the AI system is defective.
• A deployer may be liable in tort for negligent deployment, failure to conduct adequate risk assessments, or failure to implement appropriate human oversight.
• A user may bear responsibility where the harm results from misuse or failure to follow instructions.

Adequacy of Existing Liability Regimes

Existing Romanian liability regimes were not designed for autonomous AI systems and therefore may not be entirely applicable, with many topics requiring extensive interpretation and remodelling to fit within the existing framework.

Existing Romanian frameworks are capable of covering defective AI (product liability) and/or misuse (negligence).

However, there are certain limitations, such as:

• it is hard to prove negligence in complex AI systems;
• the product liability legislation was originally designed for physical products, thus creating uncertainty regarding standalone software and self-learning systems;
• product liability requires proof of defectiveness, which may be difficult to establish for AI systems that function probabilistically; and
• there are no rules for autonomy as the current law assumes human control and predictable behaviour.

Contractual Liability Allocation

The allocation of liability for AI systems in Romania is often addressed traditionally via contracts and instruments such as indemnification clauses, liability caps, insurance requirements, and representations and warranties in AI procurement and licensing.

Evidentiary Challenges

In the absence of specific legislation, claimants in AI liability cases in Romania would face the standard burden of proving damage, causation, and (in fault-based claims) negligence. Details are included in 10.1 General Theories of Liability.

Cascading Failures in Multi-Agent Systems

Where autonomous AI agents interact in multi-agent systems and cascading failures occur, the allocation of liability would be very difficult to prove under the current legal framework and principles, as Romanian law has no specific provisions in this respect. Consequently, general principles of joint and several liability (solidaritate) under the Civil Code may apply where multiple parties contribute to the damage, but proving the contribution of each party in a multi-agent failure scenario presents significant practical difficulties.

Romania has no standalone legislation on algorithmic bias, hence the EU AI Act applies.

Additionally, Romania has a robust anti-discrimination legal framework that should also apply to algorithmic decision-making:

• Government Ordinance No 137/2000 on preventing and sanctioning all forms of discrimination prohibits discrimination on grounds including race, nationality, ethnicity, language, religion, social category, sex, sexual orientation, age, disability and other criteria. This legislation also applies to decisions made with the assistance of AI systems.
• Law No 202/2002 on equal opportunities between women and men similarly applies to algorithmic decisions in employment and service provision.

Romania does not have a standalone statute on biometric AI, thus the EU AI Act applies. Additionally, given the fact that such systems involve the processing of personal data, GDPR obligations (such as the need for a proper legal basis, measures implemented to protect the data, transparency, etc) apply. Law No 190/2018 complements GDPR obligations as it reinforces (i) strict necessity and proportionality requirements for public authorities, and (ii) additional safeguards for processing sensitive data (the focus is on necessity, proportionality and minimisation principles).

Romania does not yet have a dedicated “deepfake law”, therefore synthetic media is regulated through a combination of national laws and EU instruments.

Disclosure and Labelling Requirements and Authentication Technologies

These fall under the scope of the EU AI Act.

Platform Liability

Platform liability is governed primarily by the Digital Services Act, which imposes obligations on online platforms regarding illegal content, including deepfakes used for harmful purposes. Details are included in 15.1 Digital Platform Companies.

Civil Remedies

The creation and dissemination of deepfakes for the purpose of fraud may constitute fraud. Deepfakes used for defamation, harassment or extortion may engage provisions on defamation, threats and blackmail. The dissemination of non-consensual intimate images (including deepfake pornography) may be prosecuted under the Criminal Code (violation of private life). 

Victims of deepfakes may pursue civil remedies under Romanian law, including claims for non-pecuniary damages (moral damages) under the Civil Code, injunctive relief to require removal of content, and claims under personality rights provisions.

The EU AI Act transparency obligations apply. Additionally, when processing personal data, the GDPR transparency obligations apply. Details are included in 17. Data Protection.

Romania does not yet have a standalone AI-specific legal framework, therefore such aspects fall under the scope of the EU AI Act.

There are no specific Romanian legal provisions addressing these topics, therefore such aspects fall under the scope of the EU AI Act.

General contracting laws and industry best practices and principles usually apply depending on the relevant topic under review (representations, liability, indemnifications, etc). 

In addition to the EU AI Act, the use of AI in hiring and termination decisions in Romania is governed by the Labour Code (Law No 53/2003), anti-discrimination legislation (Government Ordinance No 137/2000, Law No 202/2002) and the GDPR.

Key Aspects

• Employers using AI tools for recruitment screening, CV analysis, video interview assessment, or automated shortlisting must ensure that these tools do not discriminate on prohibited grounds. The National Council for Combating Discrimination (“CNCD”) has the power to investigate and sanction such practices.
• Where decisions are based solely on automated processing and produce legal effects or similarly significant effects on the candidate, the data subject has the right not to be subject to such decisions, the right to obtain human intervention, and the right to contest the decision. Employers must provide meaningful information about the logic involved in automated processing.
• The Romanian Labour Code requires just cause for dismissal and procedural safeguards. AI-generated performance evaluations or misconduct assessments used as the basis for termination must be accurate, fair and subject to human review.

Romanian employers are increasingly deploying AI-enabled tools for employee monitoring and evaluation, including productivity-tracking software, keystroke and screen monitoring, email and communications monitoring, attendance tracking, and AI-driven performance analytics.

Key Aspects

• As per the Labour Code and GDPR, employers must inform employees about the conditions and methods of monitoring. Details regarding data processing are included in 17. Data Protection.
• Additionally, Law 190/2018 introduces specific conditions for employee monitoring, such as the mandatory prior consultation of employees’ representatives, prior informing of employees, proof that other less intrusive measures were not effective, and a retention period of 30 days.
• As per the anti-discrimination legislation, employers must ensure that AI-driven evaluations are fair and non-discriminatory.

Digital platform companies operating in Romania are subject to the Digital Services Act (DSA, Regulation (EU) 2022/2065) and the Digital Markets Act (DMA, Regulation (EU) 2022/1925).

These Regulations impose obligations on platforms regarding content moderation, algorithmic transparency, recommender systems, and targeted advertising.

The DSA requires platforms to be transparent about the use of automated tools for content moderation and to provide information about the main parameters used in recommender systems. Users must be able to modify or influence the parameters.

Additionally, platforms may benefit from limited liability (hosting safe harbour), if they lack knowledge of illegal content and act promptly upon notice.

The use of AI in financial services in Romania is governed by a dual-layer framework: directly applicable EU legislation and EU-derived national law, supervised at the domestic level by the BNR and the ASF. Apart from the EU AI Act, Romanian financial institutions deploying AI must comply with the core applicable instruments, such as the Capital Requirements Regulation (CRR) and Directive (CRD), the Markets in Financial Instruments Directive (MiFID II), the Insurance Distribution Directive (IDD), and the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554). In its most recent report, the BNR noted that the financial sector is among the fields with the greatest opportunities and risks arising from AI, due to the significant proportion of complex cognitive tasks and its highly data-dependent nature.

Key Aspects

• MiFID II imposes obligations on investment firms with respect to algorithmic trading, covering systems’ resilience, surveillance, risk and compliance controls, market-making continuity, abuse prevention, and record-keeping – proper compliance with which may be difficult to enforce at modern market speeds without AI-assisted tools.
• Romanian banks and fintech companies increasingly use AI and machine-learning models for credit scoring, and the processing and monitoring of payments. AI enables large volumes of transaction data, fraud detection and compliance with AML regulations to be processed.
• The BNR expects credit institutions to maintain robust model risk-management frameworks for AI and machine-learning models to be used in risk assessment, in line with the EBA Guidelines on internal governance (EBA/GL/2021/05). This includes model validation, ongoing performance monitoring, and documented governance arrangements. However, the BNR has not issued specific rules to address AI model risk for financial institutions. AI systems are increasingly used for AML transaction monitoring and suspicious activity detection in Romania. These systems must comply with Law No 129/2019 on preventing and combating money laundering, which transposes the EU Anti-Money Laundering Directives and BNR Regulation No 2/2019.

AI-powered medical devices (including diagnostic software, clinical decision support systems, and medical imaging analysis tools) are regulated under the EU Medical Devices Regulation (MDR Regulation (EU) 2017/745, as amended) and by local legislation implementing the MDR.

Key Aspects

• AI as a medical device software intended for medical purposes, including AI-based diagnostic tools, may qualify as a medical device under the MDR and must undergo conformity assessment before being placed on the market. The classification of AI medical devices depends on their intended purpose and risk level.
• The Romanian National Agency for Medicines and Medical Devices (ANMDMR) is the competent authority for medical device regulation. 
• AI systems used for clinical decisions must be designed to assist, not replace, clinical judgement. The responsibility for patient care remains with the healthcare professional.

Romania does not yet have specific legislation on autonomous vehicles. Road traffic is governed by Government Emergency Ordinance No 195/2002 (“Road Code”), which implies a human driver. The deployment of fully autonomous vehicles on public roads in Romania is therefore not currently permitted under existing legislation. 

AI-powered retail practices are subject to consumer protection legislation, including Government Ordinance No 21/1992 on consumer protection, Law No 193/2000 on unfair terms in consumer contracts, and the Unfair Commercial Practices Directive (transposed into Romanian law).

The Omnibus Directive (Directive (EU) 2019/2161), transposed into Romanian law, requires traders to inform consumers of personalised pricing based on automated profiling. The price indicated before any personalisation must be clear, and misleading price reduction claims are prohibited. AI-enabled consumer products sold in Romania must comply with the General Product Safety Regulation (Regulation (EU) 2023/988).

The National Agency for Consumer Protection (ANPC) is responsible for market surveillance and enforcement. 

In the absence of Romanian-specific AI legislation, industrial AI and robotics are subject to the EU Machinery Regulation (Regulation (EU) 2023/1230). The deployment of AI and robotic systems in Romanian workplaces must comply with occupational health and safety legislation (Law No 319/2006 on occupational health and safety), including requirements for risk assessment, worker training, and safe working conditions in environments where humans and robots collaborate.

Patent Protection

• Romanian Patent Law provides patent protection for inventions that are new, involve an inventive step, and are susceptible to industrial application.
• AI algorithms per se may face challenges in obtaining patent protection, as mathematical methods and computer programs as such are excluded from patentability. However, concrete AI applications that meet the requisite conditions, AI-implemented inventions of a technical nature, and providing a technical solution to a technical problem may be patentable, consistent with the approach of the European Patent Office.
• A patent will be refused if the invention is contrary to public order or morality (eg, AI exhibiting discriminatory behaviour).

Copyright Protection

• Under Romanian Copyright Law, copyright protects original works that are the result of the author’s own intellectual creation. Copyright subsists only in works created by human authors. 
• Databases constitute a distinct entity that may be protected by a sui generis right for databases in which a substantial investment has been made in their obtainment.
• The EU Database Directive (Directive 96/9/EC), transposed into Romanian law through Law No 8/1996, provides sui generis database rights to the maker of a database that has made a substantial investment in obtaining, verifying or presenting the contents. Extraction and re-utilisation of non-substantial parts are permitted under certain conditions, including for research and education purposes. Training datasets may qualify for database protection where the requisite investment threshold is met.

Trade Secret Protection

• Trade secrets are protected under Law No 11/1991 on combating unfair competition and the Trade Secrets Directive (transposed through amendments to national legislation).
• Model weights, training methodologies, proprietary datasets, and hyperparameter configurations may qualify as trade secrets if they are secret, have commercial value because of their secrecy, and are subject to reasonable steps to keep them secret.
• Unauthorised disclosure constitutes an unfair competition practice and may be sanctioned under the law.

IP Allocation

• The allocation of IP rights in AI systems is heavily dependent on contractual arrangements. AI development, licensing, and procurement agreements must clearly address ownership of pre-existing IP, developed IP, model customisations, fine-tuned weights, and output IP. Romanian contract law allows broad freedom in IP allocation between commercial parties.
• The economic rights over programs created by employees in the course of their employment duties vest in the employer in the absence of contrary contractual clauses.
• The creation of content (output) generated exclusively by AI raises IP protection roadblocks under current legislation, given that the protected subject must be a natural person.
• Inputs may contain protected works, the use of which for training must be authorised or covered by exceptions (text and data mining).

AI Provider Terms

• The terms and conditions of AI providers may include limitations on IP in outputs or limitations of liability.
• The use of copyrighted works for AI training, the generation of outputs that resemble existing protected works, and the incorporation of third-party patented technology in AI systems create potential IP infringement risks.

The Romanian Patent Law requires that an inventor be a natural person. Romania’s State Office for Inventions and Trademarks (OSIM) has not, to the firm’s knowledge, been presented with an application naming an AI as inventor, but it is expected that such an application would be refused, consistent with the approach of the European Patent Office. 

Romanian Copyright Law requires that a work be the result of a human author’s intellectual creation. Works generated entirely by AI without meaningful human creative input are very unlikely to qualify for copyright protection under current Romanian law. Where a human author uses AI as a tool in the creative process, the resulting work may be protected by copyright if the human contribution is sufficiently original. This will always be evaluated on a case-by-case basis by the appropriate authority or court of law. Ownership would vest in the human author or, where applicable, in the employer under work-for-hire provisions.

Romanian copyright laws provide for moral rights protection, including the right of attribution and the right of integrity. These rights are personal to the human author and cannot be assigned. 

The use of copyrighted works as training data for AI models involves reproduction and potentially other acts restricted by copyright.

Key Aspects

• Under Romanian Copyright Law, reproduction of a work requires the authorisation of the rightsholder. 
• The DSM Directive (EU Directive 2019/790) introduces mandatory TDM exceptions, transposed into Romanian Copyright Law.
• There is a mandatory exception for TDM by research organisations and cultural heritage institutions for scientific research purposes, which cannot be overridden by contract.
• Where a generative AI system produces outputs that are substantially similar to copyrighted works in its training data, the user or provider may face infringement claims. Romanian Copyright Law assesses infringement based on substantial similarity and reproduction of original elements. The question of who bears liability (provider, deployer or user) depends on the circumstances and will be assessed by a court of law where a dispute occurs. 

The Romanian Copyright Law requires that a work be the result of a human author’s intellectual creation. Purely AI-generated works of art, literature, music, or other creative outputs are highly unlikely to attract copyright protection under current Romanian law.

Key Aspects

• Where a human artist or author uses AI as a creative tool, the resulting work may be protected by copyright to the extent that the human contribution is sufficiently original and significant.
• For works that do qualify for copyright protection, ownership vests in the human author. Where the work is created in the context of employment, the employer may acquire certain rights under the work-for-hire provisions of the Copyrights Law. For commissioned works, ownership depends on the contractual arrangements between the parties. 
• Moral rights under Romanian law are inalienable and remain with the human author.
• In the absence of copyright protection, AI-generated works may be freely copied by third parties. Businesses may seek alternative forms of protection through trade secret law, unfair competition provisions, or contractual restrictions.

Enterprises in Romania must assess whether their models comply with the upstream licence, including any restrictions on commercial use, attribution requirements, or copyleft obligations. Commercial use of foundation models and open-source AI carries the usual IP risks including potential copyright infringement, patent infringement, and violation of licence terms. These issues are assessed under general copyright and contract law principles.

Romania has not, to date, introduced any AI-specific data protection legislation – general data protection obligations are therefore applicable.

Legal Basis

The GDPR requires a lawful basis for processing personal data used in AI training datasets, the most common being:

• consent;
• legitimate interests; and
• for research organisations, the research exception.

GDPR Principles

• Purpose limitation: Personal data may be collected for specified, explicit and legitimate purposes, and may not be further processed in a manner incompatible with those purposes.
• Data minimisation: Personal data processed must be adequate, relevant and limited to what is necessary.
• Accountability: Organisations must document their data protection compliance.

Data Subjects’ Rights

Data subjects whose personal data is used in AI training retain their GDPR rights. The exercise of these rights in the AI training context presents practical challenges, particularly where personal data has been integrated into a trained model and cannot easily be isolated or removed.

Special Categories of Data

The processing of special category data (including health data, biometric data, data revealing racial or ethnic origin, political opinions, and religious beliefs) for AI training requires an explicit legal basis under the GDPR.

In Romania, Law No 190/2018 provides additional safeguards for the processing of certain categories of special data.

Measures

For AI training, this includes maintaining records of processing activities, conducting data protection impact assessments (DPIAs) where required, and documenting the lawful basis, data sources, and safeguards applied.

While Romania has not introduced AI-specific data protection legislation, a deployer of an AI system must take into account a number of requirements arising from national data protection laws in order to ensure compliance, particularly in areas such as automated decision-making, profiling and the use of sensitive data.

Transparency Obligations

Organisations deploying AI systems that process personal data must provide clear and accessible information to data subjects about the processing, including the purposes, the lawful basis, the categories of data processed, and the logic involved in any automated decision-making. Hence, privacy notices should be updated to reflect the use of AI.

Automated Decision-Making and Profiling

Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significant effects. Exceptions apply where the decision is (i) necessary for a contract, (ii) authorised by law, or (iii) based on explicit consent. Where exceptions apply, the data controller must implement suitable safeguards, including the right to obtain human intervention, to express a view, and to contest the decision.

Romanian data protection law also imposes stricter conditions in relation to the use of special categories of data in automated processing contexts. Details are included in 17.1 AI Training and Data Protection.

In parallel, sector-specific rules reinforce this approach. Under Law No 506/2004, the use of automated communication systems for direct marketing purposes, in particular those not involving human intervention, is prohibited unless the user has provided prior explicit consent.

Data Retention and Deletion

Personal data may not be kept for longer than necessary to fulfil the envisaged scope. AI systems that retain personal data in trained models or for ongoing processing must comply with data retention requirements, and mechanisms must be in place to honour erasure requests.

Children’s Data

AI applications targeting or processing the data of children are subject to enhanced protections under the GDPR and Romanian law. Romania has set the age of digital consent at 16 years. AI systems interacting with children or processing their data must implement appropriate safeguards.

The DPIA

The GDPR requires DPIAs for processing that is likely to result in a high risk to the rights and freedoms of natural persons. AI systems frequently trigger the DPIA requirement, particularly where they involve systematic and extensive evaluation of personal aspects (profiling), large-scale processing of special category data, or innovative use of new technologies.

The ANSPDCP has published a list of processing operations subject to the DPIA, which includes:

• systematic and comprehensive evaluation of personal aspects relating to natural persons, based on automated processing and/or profiling, resulting in legal or significant effects on the data subjects;
• the processing on a large scale of special categories of data, or data relating to criminal convictions and offences;
• the processing on a large scale of personal data relating to vulnerable persons, by means of automated monitoring and/or systematic recording of behaviour;
• the large-scale processing of personal data through innovative use or implementation of new technologies, in particular where such operations limit the ability of data subjects to exercise their rights;
• the large-scale processing of data generated by sensor devices that transmit data via the internet or by other means (Internet of Things applications); and
• the large-scale and/or systematic processing of traffic and/or location data of natural persons (such as Wi-Fi monitoring, processing of the geographical location data of passengers on public transport or in other such situations) where the processing is not necessary for the provision of the service requested by the data subject.

Data Protection by Design and by Default

Data controllers have to implement data protection by design and by default. For AI systems, this means integrating data protection principles into the design and development process, including minimising personal data processing, using pseudonymisation and encryption, and building in mechanisms for the exercise of data subject rights. 

Processor/Controller Relationships

AI supply chains typically involve multiple parties acting as controllers and processors.

Where an organisation deploys an AI system provided by a third-party vendor, the relationship is typically governed by a data processing agreement. The parties must clearly define their respective obligations, including security measures, sub-processing arrangements, and data breach notification procedures. 

Cross-Border Data Transfers

The GDPR restricts transfers of personal data to countries outside the EEA unless an adequate level of protection is ensured. Standard contractual clauses (SCCs), adequacy decisions, and binding corporate rules are the principal mechanisms for lawful transfers.

The Romanian Competition Council reviews mergers and acquisitions that meet materiality turnover thresholds provided under Competition Law No 21/1996 (“Competition Law”). Apart from this, all transactions are subject to the same review criteria related to post-transaction market impact. This could also refer to reviewing the impact of AI or big data in the context of a certain transaction, but there are no specific rules directly related to AI markets.

Price Fixing

From the perspective of pricing algorithms, abuse of dominance or vertical agreements, the use of AI algorithms (eg, in dynamic pricing, market alignment, market monitoring or similar processes) raises concerns about collusion.

The key question when reviewing the risk of collusion is related to how AI could help support or ensure a transfer of commercially sensitive information. Conversely, if there were to be a case of the use of public information, or unilateral decisions taken based on public information, the issue of collusion would probably not be applicable.

Abuse of Dominance

In terms of dominance, AI-driven data advantages or control over essential AI infrastructure may face abuse-of-dominance claims. Among other things, concerns include self-preferencing by platforms using AI algorithms, discriminatory access to AI-related infrastructure, or tying of AI services.

Vertical Integration

Vertical integration may be relevant from a Competition Law perspective, both in the case of merger control and potential abuse of dominance.

Nonetheless, the EU norms on AI or the DMA would be directly applicable in Romania and the Competition Council would have an interest in aligning its practices with those of the European Commission.

National Cybersecurity Framework

Romania has a well-developed cybersecurity framework. Emergency Ordinance No 155/2024, on the establishment of a framework for the cybersecurity of networks and information systems in the national civil cyberspace, transposed the NIS2 Directive (Directive (EU) 2022/2555).

AI systems deployed by entities within the scope of NIS2 are subject to its cybersecurity requirements. The National Cyber Security Directorate (DNSC) is the national competent authority for cybersecurity.

Cybersecurity Requirements for AI Systems

The general cybersecurity obligations under NIS2 and the Cyber Resilience Act (Regulation (EU) 2024/2847) impose cybersecurity requirements on products with digital elements. 

Secure AI Development

Organisations developing AI systems in Romania are expected to follow secure development practices, including secure coding, vulnerability management, testing against adversarial attacks, and incident response planning. The ENISA (EU Agency for Cybersecurity) guidelines on securing AI systems provide practical reference points.

Incident Reporting

Under NIS2, significant cybersecurity incidents must be reported to the DNSC within the prescribed timeframes.

AI for Cybersecurity Defence

Romanian organisations, including the DNSC and private sector companies, increasingly deploy AI for cybersecurity defence purposes, including threat detection, anomaly identification, and automated response. The use of AI for defensive cybersecurity is generally encouraged but must comply with data protection and privacy requirements, particularly where personal data is processed. 

Supply Chain Security

The Cyber Resilience Act, GEO No 155/2024 and the EU AI Act address supply chain security for digital products and AI systems. Romanian organisations procuring AI systems must assess the cybersecurity posture of their suppliers and ensure appropriate contractual protections.

ESG Dimensions of AI Environmental Impact

While Romania benefits from a diverse energy mix (including significant hydroelectric and nuclear capacity), the carbon footprint of AI operations is subject to increasing scrutiny.

EU sustainability reporting requirements, including the Corporate Sustainability Reporting Directive (CSRD), may require large Romanian companies to disclose AI-related energy consumption and environmental impacts as part of their sustainability reports. The social dimensions of AI in Romania include algorithmic fairness, workforce displacement and transformation, and digital inclusion. 

Governance Dimensions

AI governance structures, including AI ethics committees, responsible AI frameworks, and risk oversight mechanisms, are becoming standard practice for large organisations operating in Romania, particularly multinational companies applying group-level governance frameworks. 

ESG Due Diligence for AI Investments

Investors and procurement functions in Romania are beginning to incorporate AI-related ESG considerations into their due diligence processes. This includes assessing the environmental impact of AI infrastructure, the fairness and bias risks of AI systems, and the governance frameworks of AI providers. The Corporate Sustainability Due Diligence Directive (CSDDD), once transposed, will impose due diligence obligations on large companies regarding adverse human rights and environmental impacts in their value chains, which may extend to AI supply chains. 

Regulatory Requirements for AI-Related ESG Disclosure

The CSRD, applicable to large Romanian companies and listed SMEs, requires sustainability reporting that may encompass AI-related environmental impacts, social risks, and governance arrangements. The European Sustainability Reporting Standards (ESRS) provide the framework for these disclosures.

Romania does not yet have a standalone AI-specific legal framework. The legal landscape governing AI systems therefore falls under the EU AI Act.