MiCA Transposition Underway

Romania is currently drafting national legislation to implement the EU’s Markets in Crypto-Assets Regulation (MiCA), which entered into force on 30 December 2024. The transposition process is ongoing and aims to integrate MiCA’s provisions into Romania’s legal and supervisory frameworks. However, even as the legislative process continues, the local market has already demonstrated early and meaningful steps toward alignment.

Grandfathering framework and market continuity

Based on European Securities and Markets Authority (ESMA) guidance, crypto-asset service providers (CASPs) active before MiCA’s entry into force may continue operating without a MiCA licence until July 2026, provided they comply with Romanian AML requirements. Multiple companies have already applied under this transitional regime.

Banking co-operation

Historically, CASPs faced challenges in securing basic banking relationships essential for fiat operations. However, in light of regulatory clarity introduced by MiCA and Romania’s AML framework, a shift toward more structured co-operation is emerging, laying the groundwork for improved access to financial infrastructure in the coming year.

Market integration for blockchain

The market is increasingly recognising blockchain’s potential as a settlement layer and digital value infrastructure, even though it is not legal tender. Beyond facilitating payments, blockchain is gaining acceptance as an innovative tool for financing companies through investment rounds and instruments such as Safe Agreements for Future Tokens (SAFTs).

Next 12 Months

Until national MiCA implementation documents are finalised, the transposition of the EU’s Funds Transfer Regulation (FTR) into national law through Government Emergency Ordinance (GEO) 10/2025 (effective 13 March 2025) has introduced significant new compliance requirements into Romania’s AML framework for crypto-assets.

New terminology

The term “virtual currency” has been replaced with “crypto-asset”, defined as a digital representation of a value or right transferred and stored electronically via distributed ledger or similar technology. GEO 10/2025 also introduces the term “crypto-asset service provider”.

Authorisation and registration

The Financial Surveillance Authority (ASF) is now the national competent authority overseeing all crypto-asset service providers, including crypto exchanges, with powers to request compliance information, conduct inspections, order audits, make regulatory decisions, and impose sanctions. The National Bank of Romania (BNR) supervises credit and electronic money institutions providing crypto-asset services.

Crypto-asset service providers’ obligations

Providers must manage risks associated with unhosted addresses by implementing risk assessments, verifying customer identities during transfers, collecting additional transfer details, and conducting enhanced monitoring for high-risk transactions. For international correspondent relationships, providers must confirm partner authorisation, ensure consistent customer identity verification, and maintain comprehensive records.

Obligations for CASPs authorised in other EU member states

CASPs must appoint a local Romanian contact, notify ASF or BNR within five days of commencing local operations, and promptly supply requested documents to supervisory authorities.

FTX Bankruptcy

In autumn 2022, Romanian authorities carried out multiple co-ordinated raids across Bucharest and nearby counties, targeting individuals suspected of involvement in crypto-related financial crimes. According to official sources, a significant number of individuals either formed or joined organised groups with the purpose of defrauding tax authorities or evading tax obligations by failing to declare income from virtual currency trading between 2019 and 2022. In parallel, the General Directorate for Tax Fraud within ANAF initiated extensive audits to verify income generated between 2016 and 2021 from trading on decentralised platforms such as Binance, KuCoin, Maiar, BitMart, and FTX. These actions marked a shift toward stricter enforcement and greater regulatory oversight in Romania’s crypto market.

While initially causing major concern among retail investors and service providers, the situation has since improved, with clearer compliance expectations, better user awareness, and an evolving regulatory framework that aims to integrate crypto-assets more formally into the financial system.

In Romania, blockchain technology is being embraced across both business and individual spheres. On the business side, enterprises are adopting blockchain-based marketing analytics platforms to integrate on-chain and off-chain data, which aids in strategic decision-making and customer engagement. Additionally, many companies are piloting tokenisation projects to convert traditional assets into digital tokens, thereby increasing liquidity and reducing settlement times. Moreover, companies are implementing hybrid blockchain solutions on permissioned networks to enhance data security, streamline supply chain management, and improve traceability

Individuals, meanwhile, are engaging with blockchain through digital wallets that securely manage cryptocurrencies and NFTs. Retail users participate in decentralised finance (DeFi) activities ‒ such as trading, yield farming, lending and staking ‒ leveraging permissionless networks to access innovative financial services and alternative payment methods.

A diverse range of blockchain applications is now prevalent in Romania. Tokenisation of real-world assets (RWA) ‒ including projects to digitise assets like real estate or bonds ‒ is growing in prominence as a means to unlock liquidity in traditionally illiquid investments. Moreover, decentralised physical infrastructure networks (DePIN) are being developed to link physical devices with blockchain-enabled verification. Companies are also exploring hybrid blockchain solutions to enhance data security and transparency, while specialised marketing analytics tools further support operational efficiency and decision-making.

The BNR has discussed tokenised bonds at a conceptual level, but no government-issued instruments have materialised. Similarly, tokenised deposits remain in the early stages of development at a select number of fintech companies.

Ownership of a Digital Asset

Under Romanian law, the concept of ownership of a digital asset is not explicitly defined in terms of private law; rather, it is assimilated to the notion of an intangible good. Unlike tangible goods ‒ where possession often implies ownership ‒ ownership of intangible goods is typically demonstrated through legal documents, registration or the exercise of control rights.

In practice, and based on existing legal principles, control of the private cryptographic key that enables a user to initiate transactions on a blockchain network is generally considered a proxy for factual control ‒ and, by extension, presumed ownership ‒ of the digital asset.

At the EU level, MiCA focuses on regulating the conduct of CASPs, including the custody and administration of assets on behalf of clients. In custodial arrangements, the legal title remains with the client, while the CASP exercises functional control, subject to strict regulatory obligations such as safekeeping and segregation of assets (Article 75, MiCA).

Last but not least, property rights and contractual obligations, may supersede the blockchain’s record. For instance, assets acquired through illicit means or subject to pre-existing legal claims might not be considered legally owned by the blockchain-identified controller. Furthermore, issues like lost or stolen private keys complicate the ownership determination.

Consequently, ownership is generally inferred from control, but in regulated contexts, legal and technical control may diverge. 

Finality of the Transfer

In blockchain networks, technical finality occurs when a transaction is validated, added to a block, and confirmed under the network’s consensus mechanism (eg, proof of stake or proof of work). At this point, the transaction becomes effectively immutable and irreversible.

However, legal finality is more nuanced and context-dependent. In private law systems such as Romania’s, a legal transfer is completed if the previous owner is authorised to transfer the digital asset, if there is a valid agreement between the parties on the transfer and if the digital asset has actually been transferred (Romanian Civil Code).

Furthermore, in regulated financial law, particularly under the EU’s Settlement Finality Directive (SFD), finality is associated with designated systems where settlement instructions become irrevocable and enforceable against third parties, including in insolvency situations.

In that sense, blockchain-based systems are not currently recognised as designated systems under the SFD, which creates a regulatory grey area and limits the legal certainty traditionally provided in conventional financial markets.

Under MiCA, legal finality in blockchain transactions is indirectly shaped by obligations CASPs. Article 76 requires CASPs to initiate settlement on the distributed ledger within 24 hours of execution, highlighting the distinction between trade execution and settlement. Finality is implied once the transaction is confirmed on-chain and, in custodial set-ups, reflected in the client’s register. Articles 77–78 further require CASPs to inform clients when their orders are final and ensure transparency and best execution.

Consequently, legal finality remains broader than technical finality. While blockchain confirmation is essential, true legal finality depends on contractual terms, the CASP’s internal rules, and national measures that are going to be implemented in Romania soon.

The classification of digital assets in Romania remains fragmented and transitional, pending full implementation of the MiCA Regulation, which introduces categories such as electronic money tokens (EMTs), asset-referenced tokens (ARTs) and utility tokens.

Romanian legislation ‒ specifically the AML Law (Law No 129/2019) ‒ has already replaced “virtual currency” with the term “crypto-asset,” defined as a “digital representation of a value or right that can be transferred and stored electronically using distributed ledger or similar technology.”

Currently, crypto-assets are not legal tender and are not automatically treated as financial instruments.

However, some digital assets may qualify as electronic money under Law No 210/2019 (transposing the EU E-Money Directive), which defines it as a monetary value stored electronically, representing a claim on the issuer, issued in exchange for funds, and accepted by parties other than the issuer. Only authorised EMIs or credit institutions may issue e-money. The issuance of crypto-assets that resemble e-money (eg, stablecoins pegged to fiat) may fall within this regulatory perimeter, particularly under MiCA’s “e-money token” category.

Consequently, until MiCA is fully implemented, the classification and regulation of such instruments in Romania depend on their features and whether they meet the legal criteria for e-money under Law No 210/2019.

Furthermore, classifying crypto-assets in practice can be challenging. ESMA’s Guidelines clarify that tokens fall into distinct categories – utility tokens, ARTs and EMTs – and must not be conflated. A provider offering EMT services may market only EMTs (not ARTs or utility tokens), and EMTs tied to different currencies are treated as separate classes.

In Romania, tokenised securities are legally characterised based on their underlying economic function, rather than their digital form. While there is no dedicated definition under national law, Law No 126/2018 on markets in financial instruments, which transposes MiFID II, governs their classification and treatment.

According to Article 2 point 34 of Law No 126/2018, financial instruments include those issued using distributed ledger technology, provided they meet the substantive criteria of transferable securities, money market instruments, units in collective investment undertakings, or derivatives. Therefore, if a token confers rights similar to ownership (eg, shares), debt (eg, bonds), or entitlements to profits, it is deemed a security, irrespective of its tokenised nature.

Issuers or distributors of such instruments must comply with applicable capital markets legislation, including prospectus requirements, market abuse rules, and ASF authorisation where relevant. In particular, offering tokenised securities to the public or admitting them to trading requires either ASF approval or notification, depending on the structure and scope of the offering.

Moreover, if a platform facilitates trading in tokenised securities, it may need to register as a regulated market, multilateral trading facility (MTF), or organised trading facility (OTF), all of which require ASF licensing.

Under the MiCA, stablecoins fall into two regulated categories: EMTs and ARTs. EMTs are crypto-assets that purport to maintain a stable value by referencing a single fiat currency and function similarly to traditional e-money. ARTs, on the other hand, reference a basket of assets such as multiple fiat currencies, commodities or other crypto-assets. To be MiCA-compliant, both EMTs and ARTs must be issued by an authorised entity and comply with strict governance, reserve and disclosure requirements.

Importantly, algorithmic stablecoins ‒ which attempt to maintain price stability through automated mechanisms rather than asset backing ‒ are not recognised under MiCA. As such, they fall outside its regulatory scope and may be restricted at the national level due to their higher systemic risk and lack of user protection.

According to the ESMA Q&A of 17 January 2025, national competent authorities (NCAs) must ensure compliance with MiCA for ARTs and EMTs by the end of Q1 2025. Article 16(1) (ARTs) and Article 48(1) (EMTs) prohibit any offering to the public or seeking admission to trading unless the issuer is authorised under MiCA. Furthermore, even third parties (eg, crypto exchanges) may only engage in such activities if they have written consent from an authorised issuer.

Notably, offering or facilitating trading of non-compliant ARTs or EMTs constitutes a regulatory breach. CASPs, including exchange platforms, must delist or restrict such tokens if the issuer is not authorised. Operators listing unregulated tokens are deemed to be seeking admission to trading themselves. Other services ‒ such as advertising, exchange or execution of orders ‒ may also amount to public offerings and thus require careful assessment.

In response, several major platforms have started adjusting their offerings. Binance and Kraken have begun phasing out USDT, while Coinbase and OKX have already delisted it. Some platforms now allow only “sell-only” or custody functions for non-compliant stablecoins, ensuring a controlled wind-down.

Non-Fungible Tokens (NFTs)

Under Romanian law, NFTs generally fall under the classification of intangible movable property with unique characteristics. While not specifically defined in Romanian legislation, they are treated as digital representations of ownership rights.

MiCA explicitly excludes certain types of NFTs from its scope, particularly those that are truly unique and not fungible. NFTs are still subject to other areas of Romanian law, including the following.

Intellectual property and tax

Copyright of the underlying digital asset typically remains with the creator unless explicitly transferred. The NFT acts as a digital certificate of ownership of a specific digital item, not necessarily the intellectual property rights to it.

In that sense, individuals who obtain income from the sale of content in the form of digital files (NFT) on specialised platforms under the terms of Law No 8/1996 on copyright and related rights, are required to declare this income, regardless of whether this income is earned in Romania or abroad, in the single declaration on income tax and social contributions due by individuals, in compliance with the provisions of Articles 71 and 72 or Article 73, as appropriate. If the content creator obtains, after the initial sale, income from recurring/repeated sales (NFT royalties), they are also obliged to declare this income in the single declaration on income tax and social contributions due by individuals, in the same category of income

Consumer protection law

General Romanian consumer protection rules regarding digital goods and services apply to NFT transactions, ensuring rights to information, transparency, and remedies for faulty goods or misrepresentation. For instance, sellers must provide clear information about the NFT’s characteristics and the rights it confers.

Anti-money laundering regulations

If an NFT collection or marketplace exhibits characteristics of high-value transfers, AML regulations might still apply.

Governance Tokens

While not specifically defined in Romanian law, these would likely be characterised based on the rights they confer. If they provide voting rights only without economic returns, they may avoid being classified as securities.

For example, a token allowing holders to vote on development decisions for a blockchain project managed from Romania, without profit rights, would be characterised differently from investment instruments.

Digital Collectibles

Simple digital collectibles with no investment purpose are generally treated as personal property in Romania.

For example, digital trading cards or in-game items would typically fall outside financial regulations, being governed instead by standard contract and property laws.

In Romania, payments with cryptocurrencies are permissible based on mutual agreement between parties, yet they occur within an underregulated framework.

The use of cryptocurrencies is regulated by contract law rather than any particular legislative mandate, and since they are not accepted as legal tender, merchants are not required to accept them. Therefore, cryptocurrency payments are permissible provided that the parties to the transaction mutually agree. The sole requirement for the valid execution of such a payment is the consent of the parties, as the law imposes no explicit restrictions.

Practically, such payments may occur through:

• direct peer-to-peer transfers of crypto between wallets;
• utility token models embedded within specific ecosystems; and
• third-party intermediated platforms that convert crypto into Romanian leu (RON) at the point of sale.

Of these, the third method ‒ using payment platforms that convert crypto into Romanian RON ‒ is the most viable, offering legal and accounting clarity by ensuring merchants receive fiat equivalents at the point of sale.

Conversely, direct crypto-to-product exchanges suffer from significant consumer protection gaps, particularly due to the irreversible nature of such transactions and the absence of traditional dispute mechanisms.

Similarly, while utility tokens are not legally prohibited, they face constraints related to acceptance, liquidity and redemption conditions, making them unsuitable for general payments.

The BNR has historically taken a cautious approach toward cryptocurrencies but has recently signalled increased openness through its Digital RON pilot project, which forms part of a broader European Central Bank initiative. This signals a potential future convergence between crypto-payment practices and regulated financial infrastructure.

The current Romanian legal framework does not yet provide clear rules governing the use of digital assets as collateral. As an EU member state, Romania aligns with broader European frameworks, although, to date, no regulation has been transposed to directly address the secured transactions involving crypto-assets.

Domestically, the Romanian Civil Code outlines traditional forms of collateral, such as pledges and mortgages, which are based on identifiable and enforceable assets. Applying these concepts to digital assets will raise questions about how possession, control and enforceability are to be interpreted in a decentralised, digital environment. Moreover, registration of such collateral presents technical and legal difficulties given the anonymity and volatility of crypto-assets.

In conclusion, the authors’ research indicates that this hypothesis has not yet been examined in national jurisprudence or in doctrinal literature.

To the best of the authors’ knowledge, the concept of smart contracts (which are private agreements executed wholly or partly via blockchain-based computer code) has not yet been expressly addressed by any legal provision or binding national case law. However, once smart contracts are legally contextualised and their legal nature established, several “traditional” norms with applicability in this situation can be identified.

It is worth noting that Romania’s legal landscape in this area is still developing. However, the existing legislation on civil contracts, data protection and electronic signatures may already apply to various elements of smart contracts, depending on the nature and content of the agreement. For instance, a smart contract that meets the formal legal requirements of validity, such as the existence of consent, capacity, a lawful purpose, and consideration, can be considered legally binding under Romanian law, provided the parties involved intended to be bound.

In this respect, the essential legal elements that govern traditional contracts are equally relevant to smart contracts.

• Agreement: a mutual understanding between the parties is required, and consent must be freely given.
• Competence and capacity: the parties must be legally competent and capable of understanding and entering into a binding contract.
• Legal object: the contract must have a lawful purpose and cannot contravene public order or morality.
• Purpose: the objective of the agreement must be clear and achievable through the operation of smart contract code.

In the absence of specific regulations, courts analyse disputes involving smart contracts on a case-by-case basis, with the aim of identifying elements that trigger the application of certain civil law provisions. In recent years, an increasing number of disputes involving smart contracts have been brought before the courts. In most cases, the courts have ordered specialised technical expertise to explain both the functioning of the smart contract and its role in the legal relationship between the parties involved.

Thus, in the cases the authors have examined, the courts have been receptive to understanding how the civil relationship between parties is impacted by the use of smart contracts and blockchain technology in general.

In conclusion, this positive trend creates the necessary certainty for Romanian businesses to integrate smart contracts into their usual operations. Courts have shown they will treat smart contracts like any other contractual tool, applying existing civil-law principles to reach a binding decision. Romania has a modern and flexible legal framework which is able to accommodate blockchain-based agreements, which can be upheld through a final judicial ruling. As a direct benefit, businesses gain enforceability certainty and reduced legal risk, making it straightforward to deploy smart contracts and accelerate innovation.

In Romania, there are no additional legal restrictions or prohibitions on the exposure of regulated firms or investment funds to digital assets. This relatively open approach offers firms flexibility to integrate digital assets into their portfolios, which can be seen as an advantage.

As of now, the authors are not aware of any regulated sandbox dedicated to blockchain-based projects in Romania. However, there are relevant initiatives in place. For example, the ASF has launched FinTech Hub, which supports the development of new business models, products that directly impact the delivery of financial services through innovative information and communication technologies, including blockchain-based solutions, but it shall not be considered as a sandbox in the classic sense, as it does not provide a regulated testing framework, where certain regulatory requirements are disapplied. Consequently, firms operating in the digital asset space must comply with existing regulatory frameworks without the opportunity to test innovative solutions in a controlled environment under temporary regulatory relaxations.

Nevertheless, Romania is participating in the European Blockchain Regulatory Sandbox, launched by the European Commission in 2023, which allows the testing of blockchain solutions in a regulated framework, together with regulatory authorities from all member states.

Romania has not adopted a “VASP law” or directly transposed FATF or BIS recommendations or standards into national legislation. Instead, it implements them by relying on the EU’s binding rulebook, which applies directly or through national transposition. EU regulations, such as MiCA, the Funds Transfer Regulation or DORA are directly effective from their entry into force. By contrast, EU Directives, such as AMLD 5 and 6, require national implementation and have been transposed through Law No 129/2019 (see 4.1.4 Anti-Money Laundering and Counter-Terrorism (AML/CTF) Requirements).

As a result, all FATF- and BIS-inspired requirements are incorporated into Romania’s legislation and practice via the EU framework. For example, FATF Recommendation 16 (or the “Travel Rule”), requiring VASPs to collect and transmit originator and beneficiary information, was first given legal effect in the EU through the Funds Transfer Regulation. It was later explicitly extended to crypto-assets transfers by Regulation (EU) 2023/1113. In Romania, these EU regulations apply directly, and the ONPCSB’s travel-rule guideline implements the detailed requirements for crypto-asset service providers in accordance with FATF standards.

With regard to businesses and individuals using blockchain technology or digital assets in Romania, several institutions play a key role in overseeing and guiding related activities. These authorities establish the rules for operation, ensure compliance with applicable standards, and contribute to mitigating associated risks.

As a general rule, blockchain-based projects fall under the supervision of the ONPCSB when they involve compliance with AML regulations, and under the ASF and BNR in relation to the authorisation and operation of market participants. Each of these authorities has clearly defined responsibilities covering specific areas of blockchain technology use (see 1.1 Evolution of the Blockchain Market and 4.1.1 Regulatory Overview). However, these institutions should not be considered as the only regulatory bodies relevant to businesses or individuals utilising blockchain.

In this regard, existing regulations in the advertising sector (see 4.1.3 Marketing) or  consumer protection laws also apply to businesses operating in the blockchain field. Supervision is provided by the National Audiovisual Council (CNA) or the National Authority for Consumer Protection (ANPC) which ensure compliance with the rules on advertising and misleading content.

Blockchain-based projects are also influenced, to an equal extent, by areas such as intellectual property, corporate law and tax. Compliance with the rules in these sectors is ensured by regulatory bodies such as the State Office for Inventions and Trademarks (OSIM), the Trade Registry, and the National Agency for Tax Administration (ANAF).

Last but not least, the ONJN) is also considered a relevant regulatory body. It is responsible for granting licences in situations where market participants intend to run promotions, competitions, or similar activities that qualify as gambling.

Thus, a classification into relevant or non-relevant regulatory bodies is not entirely appropriate, as blockchain-based projects are not governed by a unified legal framework. Consequently, the involvement of specific regulatory bodies varies depending on the nature and context of each project.

In Romania, there is currently no official self-regulatory organisation with formal authority over blockchain or cryptocurrency-related activities. Still, certain professional associations and industry groups play quasi-regulatory roles by promoting standards, encouraging best practices, and engaging in dialogue with public authorities.

One such example is the Blockchain Romania Association, a non-governmental organisation whose main objectives include supporting the development of a legislative framework for blockchain-based activities, educating the public, and identifying as well as addressing bottlenecks and challenges in interactions between the private and public sectors.

Further, the Blockchain Intelligence Professionals Association (BIPA), together with the National Institute for Research and Development in Informatics (ICI), launched the Blockchain Intelligence Forum in April 2025. This event highlighted directions for blockchain transaction transparency, tools for financial and banking compliance, and how to use blockchain intelligence procedures in the investigation of illegal activities.

Both in Romania and across Europe, the blockchain sector is continuously evolving. Given Romania’s willingness to explore blockchain technology, it has implemented blockchain technology in select areas to discover the long-term benefits of its application, without formally establishing working groups or bodies.

As an example, Romania was the first EU country to use a blockchain-based vote reporting tool in national elections. The implementation of this system was intended to monitor and analyse the effectiveness of the technology in terms of detecting and preventing fraud, illegal voting or multiple voting, given that the technology does not allow any modification or change of data recorded up to a certain point in time, not even by the administrators themselves.

Another relevant example is the National Institute for Research and Development in Informatics – ICI Bucharest. Its primary mission is to support the emerging blockchain ecosystem by developing and utilising innovative products that foster the advancement of blockchain-based services in Romania. The ICI has held a government mandate since 2018, conducting research, development and innovation activities in the areas of blockchain technology, asset tokenisation and trading ecosystems.

Key initiatives led by ICI include the following.

• The “National Blockchain Network (NBN)” project – this initiative aims to create a multi-institutional infrastructure to support the research, development and implementation of blockchain solutions at a national level, in collaboration with state authorities and the Romanian industry.
• ICI D|SERVICES – launched in April 2023, this is the first European institutional platform for digital asset trading. The platform seeks to integrate state institutions into the blockchain and Web3 ecosystem. It manages NFTs and operates using decentralised blockchain technologies.
• The partnership with ChainArgos – initiated in the spring of 2024, this collaboration with the blockchain intelligence firm aims to provide specialised training in blockchain intelligence and to establish both the Blockchain Intelligence Academy (BIA) and the Cryptoactive Investigation and Compliance Center (CICC).

To date, Romania has no ongoing litigation directly impacting the blockchain sector. However, it is important to closely monitor this emerging field, given the continued growth of blockchain-based projects and activities that are likely to lead to future legal disputes.

Given that the legal framework in Romania is still evolving, primarily through the implementation of EU-level regulatory measures, there is currently no well-defined or fully operational enforcement mechanism.

Nevertheless, it is worth mentioning some events that, although not considered as formal enforcement actions, have played an important role in helping market participants better understand the legal boundaries governing blockchain activity in Romania.

• In March 2023, Romanian and Moldovan authorities, co-ordinated by Eurojust, took down a fraudulent cryptocurrency scheme that deceived investors through fictitious platforms and influencer-backed promotions. This co-ordinated action clarified that unlicensed investment operations and misleading marketing practices involving blockchain are outside the regulatory perimeter. It signalled that all blockchain-based investment services must adhere to consumer protection and anti-fraud requirements.
• Through the adoption of the Fifth Anti-Money Laundering Directive, Romania imposed AML and KYC obligations on virtual asset service providers. This made it clear that offering crypto exchange or wallet services without prior registration and a formal risk assessment filed with the ONPCSB is not permitted, even for fully digital operations.
• Additionally, recent enforcement actions in Romania have underscored the importance of data protection and cybersecurity compliance. For instance, in August 2023, a technology company was fined approximately EUR70,000 by the Romanian Data Protection Authority for failing to implement adequate technical and organisational measures, resulting in a data breach that exposed personal information of around 600,000 users of its online platform. The sanctions were issued under Articles 25 (Data protection by design and by default), and 32 (Security of processing) of the GDPR and under Law No 102/2005.
• Furthermore, in November 2023, an energy sector company faced a fine of EUR110,000 for insufficient data protection measures that led to unauthorised internal access and illegal disclosure of customer data, which was subsequently used to obtain loans fraudulently. The Romanian Data Protection Authority found violations of Regulation (EU) 2016/679.

These developments are complemented by Romania’s recent legislative efforts to implement the EU’s NIS2 Directive. In late 2024, the Romanian government adopted GEO No 155/2024, transposing NIS2 into national law and assigning supervisory responsibilities to the National Cybersecurity Directorate (DNSC).Thus, while further enforcement measures are expected as activity in the blockchain technology sector continues to emerge, these actions are also likely to provide market participants with clearer guidance on key aspects such as registration, regulatory reporting, and the active monitoring of suspicious activities under the oversight of national authorities.

Romania has recently taken steps to update its tax regime for digital assets. In November 2024, the Romanian Parliament approved a temporary exemption from income tax on capital gains based on cryptocurrency transactions. The exemption will apply until 31 July 2025, promoting a more favourable tax environment for crypto investors. This measure highlights the growing recognition of blockchain technology and digital assets in Romania’s legal framework.

The exemption shall apply exclusively to income tax. Individuals whose total annual income exceeds thresholds equivalent to 6, 12, or 24 times the gross minimum wage will still be required to pay health insurance contributions.

However, the enforceability of this tax regime remains unclear and, therefore, may be subject to changes, as the legislative package has not yet entered into force pending a challenge submitted by the President of Romania to the Constitutional Court. The objection does not pertain to the crypto-related provisions, but to unrelated tax clauses included in the same regulation. As a result, the enactment of the tax exemption is currently pending the Court’s decision, with a preliminary ruling expected by the end of April 2025.

Romania has made a significant legislative stride towards aligning its sustainability disclosure regime with the EU’s broader ESG policy framework through the enactment of the Ministry of Finance Order No 85/2024 (OMF 85/2024). This enactment implements the provisions of the EU’s Corporate Sustainability Reporting Directive (CSRD), establishing phased reporting obligations predicated on the size and status of the reporting entity. As of 1 January 2024, public interest entities (PIEs) with a workforce exceeding 500 employees are mandated to incorporate sustainability-related disclosures within their annual directors’ reports. These disclosures are expected to adhere to the prescribed standards under the CSRD, encompassing ESG dimensions. However, Romania’s current transposition of the directive does not introduce ESG-specific reporting requirements directly addressing digital assets or crypto-assets, leaving a regulatory lacuna for market participants engaged in blockchain-based financial instruments and operations.

At the supranational level, Romania is also involved in ongoing EU partnerships aimed at reducing environmental impact by imposing reporting and transparency standards, including those related to the use of digital assets. In this regard, the European Green Deal, which aims to achieve climate neutrality by 2050, is expected to influence digital asset regulations and ESG requirements, particularly through directives such as CSRD and MiCA. In addition, the Green Digital Coalition promotes the use of digital assets, including blockchain, to support sustainability goals, encouraging companies to measure and reduce their digital footprint on the environment.

For the same purpose, the EESMA has begun articulating sustainability-related obligations for CASPs under the MiCA. ESMA’s proposed indicators focus explicitly on the environmental externalities of crypto activities, particularly the carbon and energy profiles of various consensus mechanisms. CASPs may soon be required to disclose quantitative data such as total energy consumption and greenhouse gas emissions on a per-transaction basis ‒ disclosures that will vary based on whether the underlying blockchain employs energy-intensive Proof-of-Work (PoW) or more sustainable Proof-of-Stake (PoS) systems.

Complementing these regulatory initiatives, Romanian academia has also contributed to the discourse. Research undertaken by the University Politehnica of Bucharest has explored the energy efficiency of cryptocurrency mining operations, offering performance benchmarks and strategic recommendations aimed at reducing environmental harm while preserving operational viability.

In view of the evolving European regulatory landscape and the nascent local framework, market actors operating in the digital asset space would be well advised to proactively monitor legislative developments at both national and EU levels.

From a regulatory perspective, there are currently no specific Romanian laws or regulations addressing data privacy concerns ‒ such as the right to be forgotten ‒ in the context of blockchain-based products or services, beyond the general implementation of the General Data Protection Regulation (GDPR) and existing electronic communications privacy laws. Romania mainly follows the EU regulatory framework, with no distinct local provisions that address the challenges posed by the immutability of blockchain technology.

Although blockchain technology is still in the early stages of adoption, its gradual expansion is already beginning to create, in certain cases, inconsistencies between the inherent characteristics of the technology and the requirements of the GDPR. Applying GDPR in the blockchain context is complex, as blockchain is, by nature, immutable as once data is recorded, it cannot be modified or deleted. For this reason, in April 2025, the European Data Protection Board (EDPB) adopted new guidelines clarifying how GDPR applies to blockchain technologies. These guidelines emphasise the importance of early implementation of technical and organisational safeguards, clear allocation of roles among blockchain participants, and the need for a Data Protection Impact Assessment (DPIA) when blockchain processing is likely to pose high risks.

The EDPB advises avoiding the storage of personal data directly on the blockchain when it contradicts core data protection principles and stresses the importance of upholding individual rights, particularly with respect to data transparency, rectification and erasure. These developments indicate that EU-level regulatory guidance is evolving, and Romania is expected to align with these emerging standards as blockchain adoption increases domestically.