The Romanian fintech sector has recently emerged as a key player in Eastern Europe, driven by digital transformation, the rise of mobile and internet banking, and growing demand for alternative financial services. Over the past year, the industry has seen significant advancements, including the adoption of blockchain technology, the growth of digital lending platforms, and the integration of AI-driven tools for risk assessment and fraud detection. However, challenges remain, particularly in bridging the gap between urban and rural areas where traditional banking still dominates.

Looking ahead, the sector faces both opportunities and regulatory hurdles, especially with the enforcement of the EU AI Act and MiCA. These regulations will require fintechs to adapt their AI-powered solutions and crypto-related services to meet new transparency, security and risk management standards. As AI continues to shape the industry – through personalised financial advice, automated lending, and fraud prevention – companies must balance innovation with compliance, ensuring their models are ethical, explainable and aligned with evolving legal frameworks. The ability of Romanian fintechs to navigate these changes while maintaining growth and efficiency will determine their future success.

The fintech ecosystem in Romania is rapidly evolving, with a diverse range of business models and verticals that reflect both global trends and local innovation. The following are the predominant fintech verticals currently shaping the Romanian market.

Artificial Intelligence (AI)

AI is driving transformative change across the fintech landscape in Romania, particularly in areas such as underwriting, credit scoring, fraud detection and customer service automation. Romanian fintechs are leveraging AI to enhance decision-making processes, improve operational efficiency and deliver personalised financial services.

Payment Service Providers (PSPs)

Payment service providers are a cornerstone of Romania’s fintech sector, offering innovative solutions for both consumers and businesses. These include mobile payment systems, digital wallets and peer-to-peer (P2P) payment platforms. Technologies such as QR codes, biometric authentication and tap-and-pay solutions are increasingly prevalent, enabling seamless and secure transactions.

Core Banking Systems

Modern core banking systems are being adopted by both new entrants and legacy players in Romania. These systems facilitate the digital transformation of traditional banking services, enabling faster processing, improved scalability and enhanced customer experiences.

Blockchain and Decentralised Finance (DeFi)

Romania is witnessing growing interest in blockchain technology and its applications, including Layer 1, 2 and 3 solutions, as well as blockchain infrastructure development. Decentralised finance (DeFi) is gaining traction, with platforms offering services such as decentralised exchanges (DEXs), lending protocols, staking and stablecoins. These innovations are reshaping the financial landscape by providing alternatives to traditional intermediaries.

Neo-Banking

Neo-banks, or digital-only banks, are emerging as key players in Romania’s fintech sector. These banks operate entirely online, offering user-friendly mobile apps, low fees and innovative features tailored to tech-savvy consumers and businesses.

Factoring and Invoice Financing

Fintechs in Romania are also active in the factoring and invoice financing space, providing SMEs with faster access to working capital through digital platforms that streamline the approval and funding processes.

Real Estate Tokenisation

Real estate tokenisation is an emerging trend in Romania, enabling the fractional ownership of property through blockchain-based digital tokens. This innovation democratises access to real estate investments and enhances liquidity in the market.

Open Banking

Open banking is gaining momentum in Romania, driven by regulatory initiatives such as the Revised Payment Services Directive (PSD2). Third-party providers are leveraging APIs to access bank customer data, enabling the development of innovative financial products and services.

Regulatory Technology (Regtech)

Regtech solutions are becoming increasingly important in Romania, helping financial institutions manage compliance with evolving regulations. These technologies include tools for anti-money laundering (AML), know-your-customer (KYC) processes, fraud detection and automated reporting.

Sustainable Finance

While still in its early stages, sustainable finance is beginning to take root in Romania. Fintechs are exploring ways to integrate environmental, social and governance (ESG) criteria into their offerings, promoting investments in renewable energy, social impact projects and other sustainable initiatives.

E-Commerce Platforms

E-commerce platforms in Romania are increasingly integrating fintech solutions to enhance transactional efficiency and customer engagement. These platforms leverage embedded finance models, such as instant payment gateways, buy-now-pay-later (BNPL) services and dynamic currency conversion tools for cross-border transactions. Partnerships between e-commerce providers and fintech firms enable seamless integration of digital wallets, AI-driven personalised credit offers, and blockchain-based supply chain financing. Additionally, compliance with PSD2 has facilitated secure open banking integrations, allowing direct bank-to-platform payments and reducing reliance on traditional card networks. This vertical is further bolstered by the adoption of AI for fraud prevention and big data analytics to optimise consumer financial behaviour insights.

The regulatory landscape for industry participants in emerging sectors such as AI, payments, e-commerce, regtech, neo-banking, tokenisation, cryptocurrencies, DeFi, open banking and factoring is evolving rapidly, especially within jurisdictions like the EU and specific national regulations, including Romania’s domestic law. These sectors are subject to an interplay between local, national and supranational frameworks, which influence the compliance requirements depending on the business model.

AI

The regulation of AI is guided primarily by the EU AI Act, which introduces a risk-based approach to the regulation of AI systems. The Act categorises AI systems based on their risk levels, with specific obligations for high-risk applications. Romania, as an EU member state, directly applies these EU regulations but also aligns with national strategies and initiatives, including fostering AI innovation. In Romania, compliance with the EU AI Act is mandatory, although additional national policies may apply to specific industries such as banking, insurance or medical law where automatic decisions based on AI are restricted.

PSPs

PSPs in the EU are primarily regulated by PSD2, which harmonises the regulation of payments across the EU, focusing on improving payment security, promoting innovation and enhancing consumer protection. Romania enforces PSD2 under national law, in line with EU directives, and may also impose additional local licensing requirements for specific service providers. PSPs operating cross-border within the EU can benefit from the EU’s passporting mechanism, which allows firms licensed in one member state to provide services across other member states without needing separate licences.

E-commerce

E-commerce businesses in the EU must comply with the E-Commerce Directive (2000/31/EC), which regulates online services and marketplaces. This directive provides a framework for establishing liability exceptions for intermediary platforms. National laws, including Romania’s E-commerce Law, align with the EU directive but may include additional consumer protection regulations or requirements specific to Romania.

Regtech

Regtech companies that provide technology-driven compliance solutions fall under the broader scope of financial services regulations, including AML and KYC regulations. In Romania, the Anti-Money Laundering Law aligns with the EU’s 5th Anti-Money Laundering Directive (5AMLD). Regtech firms targeting financial institutions must comply with both the EU regulations and local enforcement by Romania’s Financial Supervisory Authority (ASF). Depending on the solution provided, regulatory compliance may vary, including data protection laws such as the GDPR.

Neo-Banking

Neo-banks operate under the same legal framework as traditional banks in the EU, primarily governed by the Capital Requirements Directive (CRD V) and PSD2. However, neo-banks may benefit from the EU’s Digital Banking Licence initiative, which facilitates a regulatory pathway for non-traditional banking models. Romania’s national financial regulatory body, ASF, applies these EU regulations at the local level, alongside any additional requirements for digital financial service providers.

Tokenisation and Cryptocurrencies

Tokenisation and cryptocurrency activities in the EU are regulated by the Markets in Crypto-Assets Regulation (MiCA), which aims to provide a comprehensive regulatory framework for digital assets. MiCA will apply uniformly across EU member states, including Romania. However, the legal treatment of crypto-assets may differ depending on whether they are classified as utility tokens, security tokens, or e-money. The classification determines the specific regulatory regime, which could involve MiCA for crypto-asset issuance, or the EU Electronic Money Directive (EMD) for digital assets treated as e-money.

Romania, like many EU countries, also applies AML/KYC regulations to cryptocurrency operators, requiring exchanges and wallet providers to register with the national authorities.

DeFi

DeFi, which aims to replicate traditional financial services using blockchain technology, faces uncertain regulatory treatment in both the EU and Romania. As of now, there is no specific DeFi regulation in the EU, but relevant laws, including MiCA and PSD2, may apply based on the specific services offered (eg, lending or exchange). National regulations, such as Romania’s Electronic Payments Law, may also apply, especially for entities offering services that intersect with traditional finance.

Open Banking

Open banking in the EU is governed by PSD2, which mandates that banks provide third-party providers with access to customer payment account information (with customer consent). Romania implements PSD2, which facilitates a regulatory environment for open banking. In addition, open banking can involve data protection and privacy laws (such as GDPR), which govern the processing of personal data, making compliance with both banking and data protection laws necessary.

Factoring

Factoring, or the purchase of receivables, falls under the broader umbrella of financial services regulation. In the EU, factoring services must comply with the Consumer Credit Directive (CCD) and the Directive on the Legal Framework for Electronic Payments. Romania enforces these EU regulations and may impose specific requirements for factoring companies, particularly regarding capital requirements and consumer protection in factoring agreements.

Digital Operational Resilience Act (DORA)

DORA, which came into effect in 2023, focuses on enhancing the operational resilience of financial institutions and their service providers in the face of ICT (Information and Communication Technology) risks. DORA applies to a wide range of financial entities, including banks, insurance companies and payment service providers, and extends to third-party providers, such as cloud services. The act outlines requirements for risk management, incident reporting and business continuity plans, with specific attention to ICT service providers that offer critical services.

In Romania, DORA is directly applicable due to its status as an EU regulation, and compliance will be monitored by the Romanian National Bank (BNR) and other relevant authorities, depending on the sector. Financial institutions must integrate operational resilience and ICT risk management into their day-to-day operations, ensuring they can withstand, respond to and recover from disruptions.

Key Issues Between Local and Supra-National Law

There are several points where local law may diverge from EU or international regulatory frameworks, particularly in the areas of enforcement and interpretation. While EU regulations, such as MiCA, PSD2, GDPR and DORA, provide harmonised rules across member states, individual countries like Romania may have nuances in their implementation and enforcement.

For example, Romania’s Electronic Payments Law may impose additional requirements or exemptions that are not found within EU law, especially concerning payment services and consumer protections. Similarly, the enforcement of AML and KYC regulations may be stricter at the national level, reflecting Romania’s commitment to compliance with international standards.

Additionally, while the EU strives for harmonisation, there may still be challenges for businesses operating cross-border, particularly in the crypto space, where some jurisdictions within the EU are more progressive in their treatment of digital assets than others.

The traveller rule, which applies to financial transfers involving virtual assets, is another key area of compliance. It is aimed at enhancing transparency and compliance with AML and Counter-Terrorism Financing (CTF) regulations. The rule is relevant for cross-border transfers of cryptocurrencies and must be adhered to by VASPs within the EU, including Romania. Non-compliance with the traveller rule and AML regulation may result in penalties or restrictions on operations.

Compensation Models and Disclosures in Romania’s Fintech Sector

Permitted compensation models

Fintech companies in Romania utilise diverse compensation models, shaped by EU directives and local regulations. Key models include the following.

• Subscription fees: Charging recurring fees for premium services (eg, advanced analytics, exclusive features). Common in neo-banking and regtech platforms.
• Transaction fees: Per-transaction charges for payments, cross-border transfers, or currency conversions. Widely used by PSPs and e-commerce platforms.
• Freemium models: Offering basic services free of charge while monetising premium upgrades (eg, enhanced credit scoring tools in AI-driven platforms).
• Interchange fees: Applied by payment processors in card-based transactions, governed by EU Interchange Fee Regulation (2015/751).
• Interest-based revenue: Charging interest on loans or BNPL (Buy-Now-Pay-Later) products, regulated under the BNR guidelines.
• Commission-based models: Earnings from facilitating third-party services (eg, insurance, investment products), often seen in open banking platforms.
• Performance-based fees: Common in investment and DeFi platforms, where fees correlate with returns or asset growth, subject to ASF (Financial Supervisory Authority) oversight.
• White-label partnerships: Licensing fintech infrastructure to third parties (eg, BaaS providers), with revenue sharing disclosed in partnership agreements.

Mandatory disclosures

Romanian law mandates transparency to protect consumers and ensure fair competition. Key requirements include the following.

Fee structure clarity

• All charges (subscription, transaction, interest) must be explicitly outlined in Romanian.
• PSD2 requires payment service providers to disclose total costs, including currency conversion fees, before transaction execution.

Total cost

• In general, for each product/service the total cost (including VAT) must be clearly displayed or presented in such a way that even a non-diligent customer can understand the implications of their purchase.
• Platforms must provide clear terms and conditions regarding pricing, delivery charges and refunds. These disclosures must be accessible and easy for the consumer to understand, ensuring no hidden fees.
• E-commerce platforms must clearly disclose the total price, including any service fees, delivery charges or commissions.
• For lending products, the Annual Percentage Rate (APR) must be disclosed, including ancillary fees.
• BNPL providers must highlight late payment penalties and debt collection terms.

Third-party involvement

• White-label partnerships and BaaS arrangements require clear identification of licensed entities (eg, banks) and their roles.

Data monetisation

• GDPR-compliant disclosures are mandatory if user data is used for personalised pricing or shared with third parties.

Risk disclosures

• Investment and DeFi platforms must warn customers about market risks, volatility and potential loss of capital, aligned with ASF’s MiFID II transposition.
• Crypto-asset providers must disclose regulatory uncertainties and risks associated with the provided services.

Cancellation rights

• Subscription-based services must inform users of free trial terms, renewal conditions, cancellation and refund procedures.

Regulatory oversight

Compliance is enforced by:

• BNR – oversees payment services, electronic money institution (EMI) holders, credit institutions;
• ASF – regulates investment, crowdfunding platforms, insurance and crypto-related activities; and
• ANPC – ensures adherence to consumer rights and fair commercial practices.

Conclusion

Romanian fintechs must balance innovation and marketing practices with rigorous transparency, ensuring disclosures are accessible, unambiguous and compliant with EU and local frameworks.

Regardless of the compensation model used, businesses operating in Romania are required to ensure that their pricing and fee structures are transparent, fair and clearly communicated to customers. The following general principles apply.

• Clarity: All charges, fees, and compensation models must be clearly communicated, with no hidden fees.
• Fairness: Compensation models must not mislead or disadvantage customers, and businesses must ensure that the cost structures are aligned with the services provided.
• Consumer rights: Disclosures must respect consumer protection laws, including the EU Consumer Rights Directive and GDPR, ensuring that consumers are informed about their rights and obligations.

The regulation of fintech industry participants in Romania presents notable differences when compared to the regulation of traditional, legacy players such as banks and other financial institutions. These differences arise from the nature of the business models, the innovation-driven approach of fintechs, and the regulatory frameworks that are either specifically tailored to emerging technologies or based on established financial regulations.

Traditional financial institutions, such as banks and credit institutions, are subject to strict licensing and regulatory requirements that have evolved over many years. These institutions are primarily regulated by comprehensive national and EU-level frameworks.

Depending on their business models, fintech companies may not require a banking licence. For instance, PSPs can obtain an EMI licence or a payment institution licence from the BNR while other payment-related service providers may operate without or under a third party’s licence.

There are several key differences between fintech and legacy players.

• Flexibility: fintech companies benefit from more flexible regulatory frameworks, particularly when compared to the stringent requirements imposed on traditional financial institutions.
• Innovation: fintechs are more agile in adopting new technologies and innovations, supported by regulatory frameworks like PSD2, the EU AI Act, and MiCA. Banks, on the other hand, face a more conservative and heavily regulated environment when integrating new technologies.
• Capital requirements: traditional banks are required to maintain high capital buffers and comply with extensive liquidity and solvency requirements, while fintechs typically face lighter capital obligations.
• Consumer protection: both sectors are bound by consumer protection laws like GDPR, but fintech companies, particularly those involved with digital assets, face emerging regulatory frameworks (like MiCA) to safeguard consumer interests.

While fintechs benefit from lighter prudential rules and regulatory flexibility, they face evolving obligations in areas like crypto, AI transparency and AML. Legacy players remain burdened by stringent capital and governance frameworks but enjoy consumer trust through deposit guarantees and established compliance infrastructures.

At the time of writing, Romania does not have a formal, dedicated regulatory sandbox. However, Romania is in alignment with EU frameworks and is actively considering regulatory flexibility for fintech companies, including innovative technologies like blockchain, AI and other emerging technologies.

Nevertheless, the Romanian regulatory landscape does provide mechanisms that support innovation and testing of new financial services or technologies, which resemble aspects of a regulatory sandbox. This approach generally involves granting tax facilities and flexibility to businesses in certain industries, particularly financial services, within an established regulatory framework.

In Romania, regulatory oversight of fintech and financial services participants is activity-based, meaning regulators derive jurisdiction from the specific services or features offered by a company rather than its status as a “fintech” or “legacy player”. Each regulator has strict, legally defined competence over distinct activities, and a single entity may fall under multiple regulators if it engages in diverse services.

• The ASF regulates activities like crowdfunding and capital markets.
• The BNR oversees payment services, e-money institutions and other financial services such as card issuing and money transfers.
• ANCOM supervises telecommunications and broadcasting, relevant for fintechs with telecom-based services.
• ANSPDCP enforces GDPR compliance, regulating data protection for companies handling personal data.

For example, a fintech offering both crowdfunding and payment services would be regulated by the ASF for crowdfunding and by the BNR for payment services. This activity-based regulation ensures that each regulator supervises its specific area of expertise.

Romanian regulators do not formally issue “no-action” letters as seen in other jurisdictions. They are generally reluctant to provide legal advice on the qualification of specific activities or whether certain activities fall under particular regulations. Instead, their responses typically reference general terms within the applicable laws, often providing extracts from the relevant regulations.

However, during consultancy periods, it is possible to obtain clear guidance regarding the qualification of an activity or the applicable regulations and necessary licences. While not a formal “no-action” letter, these informal consultations can lead to more specific and actionable answers regarding a company’s regulatory obligations.

Vendors must comply with specific obligations according to relevant laws and regulations when functions become regulated for outsourcing, for example, security and confidentiality of data, compliance with industry standards or enabling audit requests or other information by regulatory authorities. Outsourcing agreements usually entail due diligence, written contract and periodic performance evaluation for compliance purposes. Outsourcing does not take away liability from the contracting party concerning regulatory compliance of the outsourced function even if subcontracted to a vendor. Outsourcing such functions to a vendor already subject to regulatory control offers another layer of assurance that the vendor could understand and satisfy the legal framework – an action that may lead to reduced risk and simple compliance management. Again, it will require due diligence and defined contractual terms detailing what the vendor should do and be held accountable for regardless of this qualifying status.

Fintech providers are increasingly recognised as “gatekeepers” under EU regulations, depending on their role, market influence and services offered. Under the Digital Markets Act (DMA), large platforms with significant market power (eg, dominant payment systems or crypto exchanges) may be designated as gatekeepers, requiring them to ensure fair competition, interoperability and transparency. While the DMA primarily targets tech giants, fintechs controlling critical financial infrastructure (eg, major payment gateways) could fall under its scope.

For crypto-asset services, the MiCA imposes gatekeeper-like obligations on platforms, mandating transparency, custody safeguards and accountability for activities on their platforms. Similarly, under the Digital Services Act (DSA), fintechs hosting third-party financial services (eg, P2P lending platforms) must monitor illegal content and comply with due diligence requirements.

In Romania, fintech providers must align with these EU rules. While smaller firms may avoid “gatekeeper” status, larger platforms face heightened responsibilities, including anti-money laundering compliance, data protection and operational resilience.

Romanian regulators have taken significant enforcement actions in several key sectors. These include in respect of market manipulation and price regulation, for which large fines have been imposed in the energy sector; non-compliance with consumer protection legislation and transparency requirements in banking practices leading to sanctions in the financial sector; violations of data protection principles and the practice of unfair competition in telecommunications and IT; and misleading advertising far in excess of accepted standards and other unfair commercial practices by the retail sector. These actions reflect the active efforts of the regulators, aimed at maintaining a solid regulatory framework and safeguarding integrity in the markets and safeguarding consumer interests in the top business sectors in Romania.

The implementation of additional non-financial services regulations related to privacy, cybersecurity, social media content, and software development has significant implications for industry participants. Companies will need to adapt to stricter data protection laws and comply with enhanced cybersecurity requirements, imposing an additional burden on newer tech-driven companies to ensure robust security measures. Outdated firms with existing systems may find it quite complicated to update to the changing standards, while new-age players often have the upper hand by designing their systems in compliance with such requirements. Added to this, increased scrutiny from legislation regarding social media content has resulted in many more compliance obligations for digital services in preventing the spread of harmful material. This makes the entire regulatory landscape for compliance more complex, especially for those businesses that either have to modernise their operations, or realign their practices with the increasing number of compliance laws.       

Besides regulators, the industry is also reviewed by accounting and auditing firms, vendors and industry bodies. Such firms make certain that a set of financial reporting standards is followed, and independent audits are carried out to ascertain the truthfulness and integrity of financial statements. In particular, tech and supply chain vendors perform assessments to determine compliance with contractual obligations and industry standards. Various industry bodies and trade associations monitor actions as well, setting ethical standards and ensuring sector members adhere to sector-specific guidelines. Such requirements – while usually complementary to legal and regulatory frameworks – vary in practice within each industry, with a few companies, such as those dealing in cybersecurity, data protection and corporate governance, adopting higher standards than those of the minimum requirements.

In Romania, industry participants – particularly fintech firms and crypto platforms – frequently offer both regulated and unregulated products or services. For example, a single entity might provide regulated payment services (under Law 209/2019, transposing PSD2) alongside unregulated crypto-asset activities. These offerings are often structured through the same legal entity, with internal operational safeguards to segregate regulated and unregulated activities. However, some firms establish separate subsidiaries for regulated services (eg, payment institutions or investment firms) to isolate risks and comply with sector-specific rules under Law 126/2018 (capital markets) or Law 129/2019 (anti-money laundering).

Romanian regulators, including the BNR and the ASF, scrutinise this practice to prevent consumer confusion, regulatory arbitrage and systemic risks. They emphasise strict governance, transparency and clear disclosure to ensure unregulated activities (eg, non-custodial crypto trading) do not undermine compliance in regulated areas. Recent guidance from the ASF aligns with EU expectations, warning against bundling products in ways that obscure risks or evade oversight.

The application of anti-money laundering (AML) and sanctions rules is presently a massive influence on both regulated and unregulated fintechs in Romania. To comply with national and EU-level regulations, regulated fintechs must develop full-scale AML systems for customer due diligence (CDD) and reporting on suspicious activities. Such regimes are precursors to the laundering of money and terrorist financing, and violations of sanctions, and have caused considerable increases in operation costs for the kind of fintechs that need to invest in systems for compliance and for the training of personnel. Unregulated fintechs do not have to comply directly with AML requirements, but there is still reduced pressure from regulators and financial institutions on these companies, since if they did come up short on AML performance, this could well hamper their access to payment services or healthy banking relationships. Due to the character and tightening nature of regulation, both types of companies must seek a balance between innovation and compliance, with the further premise that their operations would not unwittingly allow illicit activities, nor violate international sanctions.

AML rules and sanctions in Romania are in line with FATF standards. As a member of the EU, Romania is covered by the EU AML directives, which are mainly based on FATF recommendations. The measures include CDD, suspicious transaction reports, and preventive measures on freezing the assets of persons subject to sanctions. The risk-based approaches prescribed by the FATF in a regulatory framework are to bind all financial institutions, including fintechs, in assessing and mitigating money laundering and terrorist financing risks for these institutions, to which Romania commits under the FATF’s Mutual Evaluation Process for AML and sanctions standards set by the country in line with best international standards.       

Reverse solicitation is recognised in Romania in the context of financial services and other regulated products, but there are specific conditions attached to it. According to this mechanism, a service provider from abroad can offer certain regulated products or services to Romanian clients without bringing forth domestic regulations, provided however that this is initiated by the client and not actually solicited or marketed actively by the provider within Romania. For the mechanism to apply, the client must approach the provider entirely on their own, without the provider ever having made any direct solicitation, advertisement or promotional efforts in Romania. However, this exemption is narrow, and regulators will pay strict attention to arrangements of this kind to ensure that no indirect solicitation or marketing efforts are occurring within the jurisdiction. Further, the foreign provider must still follow any regulations from their home jurisdiction and may have to assess if they are subject to any EU or Romanian regulations depending on the nature of the services provided.       

The core distinctions between security tokens and cryptocurrencies would surely lead to using different types of business models due to their respective regulatory and economic environments. Because security tokens are considered securities, full compliance comes with the caveats of having to engage expensive specialists, compliance with the financing sample’s disclosure requirements, and the assumption of vector transfer restrictions by the appropriately supervised financial authority. Consequently, the business models in this division revolve around controlled issuance stages, custodial administrations and exchange frameworks operating under the supervision of monetary specialists, joining KYC/AML strategies to ensure compliance with administrative rules.

On the other hand, cryptocurrencies, typically used as a means of trading or store of value, are essentially represented by money-related services and AML directives instead of securities laws. Business models in this space emphasise exchange productivity, liquidity and decentralised back-end (DeFi), frequently leveraging decentralised transactions, rate preparation agreements and algorithmic governance structures. These models prioritise customer accessibility, automation and minimal reliance on intermediaries, aligning with the decentralised nature of cryptocurrencies.

These qualifications require businesses to have tailored procedures that adapt to the regulatory requirements and market dynamics of each asset class. Advertising compliance, securities and positioning play a crucial role in shaping sustainable and legitimately viable business operations in the evolving digital asset environment.

In Romania, traditional banks and financial institutions are cautiously integrating robo-advisory solutions, primarily by partnering with fintech firms or developing in-house digital tools to automate investment advice and portfolio management. These hybrid models blend robo-algorithms with human oversight to maintain compliance with EU regulations like MiFID II, which require suitability checks and transparency. While adoption is still modest, legacy players leverage their existing customer trust to offer low-cost, user-friendly platforms – often via mobile apps – that appeal to younger, tech-passionate investors.

In Romania, ensuring best execution for customer trades under the EU’s MiFID II rules remains a challenge, especially with market fragmentation and varying liquidity across trading venues. Firms must prioritise factors like price, speed and costs, but conflicts of interest arise when routing orders to affiliated brokers or favouring venues offering rebates. While banks and brokers use automated tools to monitor execution quality, smaller players often lack resources to analyse data effectively. Regulators, like the ASF, push for transparent execution policies and regular audits, but gaps persist – particularly in crypto markets, where price volatility and opaque platforms complicate compliance. Balancing client trust with operational costs keeps this a tightrope walk for local institutions.

There are significant differences in how fiat currency loans are regulated in Romania, depending on whether the borrower is an individual, an SME or a large business. These differences stem from consumer protection laws, banking regulations and commercial contract principles.

For individuals (consumers), loans are strictly regulated under OUG 50/2010 for general consumer credit and OUG 52/2016 for mortgage loans. These laws ensure transparency, interest rate caps, the right to early repayment, and protection against abusive clauses. Consumer loans must disclose the APR, and individuals have a 14-day withdrawal right.

For small businesses (SMEs), loans are governed by general contract law and banking regulations but lack the strict protections applicable to consumer credit. Interest rates and fees are negotiable, and banks assess credit risk based on financial viability. SMEs often rely on collateral and personal guarantees, and government-backed programs like “IMM Invest” or “Start-Up Nation” offer financial support. Unlike consumers, SMEs cannot challenge unfair contract terms under consumer protection laws.

For large businesses and corporations, loan agreements are highly flexible, governed primarily by contract law and banking regulations. There are no caps on interest rates, and financing options include loans, structured credit and capital market instruments.

In Romania, underwriting processes vary based on the type of borrower, with consumer loans being the most regulated, while SME and corporate loans allow for more flexibility.

For individuals, regulations like OUG 50/2010 and OUG 52/2016 mandate a creditworthiness assessment, checking income (via ANAF), credit history and debt-to-income ratios (capped by BNR). Mortgages require collateral evaluation, and interest rates are risk-based, but within regulatory limits.

For SMEs, underwriting is less standardised, but includes financial statement analysis, credit history (CRC), collateral evaluation and business viability checks. Government-backed programmes like IMM Invest ease collateral requirements.

For corporates, underwriting is more complex and involves financial due diligence, industry risk analysis, credit ratings, and structured financing. Loans are highly customised, often including syndicated financing and flexible repayment structures.

While consumer loans follow strict rules, SME and corporate loans depend largely on bank risk policies, but all lenders must comply with BNR credit risk regulations.

In general, loans in Romania are funded through bank deposits, lender-raised capital, securitisation and P2P lending, each with different regulatory implications.

Bank deposits are the main source for banks, strictly regulated under BNR rules, including reserve requirements and deposit guarantees. Banks must hold a portion of deposits as reserves with BNR, ensuring liquidity and financial stability. Depositors are protected through the Bank Deposit Guarantee Fund, which guarantees deposits up to EUR100,000 per depositor in case of a bank failure.

Lender-raised capital, including bonds, equity and interbank loans, follows capital markets laws and BNR prudential regulations. The issuance of bonds and raising of capital through equity is regulated by Law No 297/2004, ensuring transparency and fairness in the capital markets. Interbank lending is governed by regulations that ensure liquidity and the solvency of financial institutions, with BNR overseeing capital adequacy and risk management.

Securitisation allows banks to sell loan portfolios to investors, freeing up capital for new loans. This process is regulated by Law No 31/2006, which sets the rules for structuring and issuing asset-backed securities.

P2P lending is emerging and is governed by the EU Crowdfunding Regulation (Regulation (EU) 2020/1503), providing a framework for platforms that match borrowers with lenders. While the regulation is relatively lighter in oversight compared to traditional banking, it includes increasing consumer protection measures, requiring platforms to adhere to transparency and risk-management standards.

Syndicated loans are seen in Romania, especially for large-scale financing. The process involves lead arrangers or bookrunners who negotiate loan terms with the borrower and invite other financial institutions to join the syndicate. Each lender contributes a portion of the loan and shares in the risks and rewards.

The loan’s terms are documented in a syndicated loan agreement. Syndicated loans in Romania are governed by the Romanian Civil Code, Banking Law, and EU regulations, with oversight from the BNR to ensure financial stability and compliance with Basel III requirements.

Generally, payment processors in Romania or anywhere within the EU must use existing payment rails, generally compliant with the EU’s PSD2 and SEPA framework.

However, payment processors could create new payment rails or conduct on top of those already existing, with strict adherence to standard set regulations. This might include, but not be limited to, a seal of approval by regulatory authorities from national banks, for example in Romania, and licences. Any new payment infrastructure should also comply with many strict requirements related to security, consumer protection and AML measures. This content within a new rail is required to provide for interoperability, on replicating the older payments facilities in a way that would not disrupt any existing payment ecosystem and maintain EU compliance.

The overall regulations cover cross-border payments and remittances in Romania, in line with EU regulations, including the PSD2 and the AML Directive, which are in place to ensure security, transparency and consumer protection. In line with these general guidelines, the main aspects of regulation include compliance with the various standards on AML and CFT, customer due diligence, transaction alert and suspicious transaction reporting by payment service providers. Similarly, in other respects, it is also important for cross-border payment providers to ensure that their services comply with international sanctions and data protection legislation (such as GDPR) and consumer protection rules, ensuring that the consumer is fully aware of the actual fees, exchange rates and duration of transactions through the services they provide. Regulators are also paying urgent attention to the efficiency and competitiveness of the cross-border payments market while ensuring financial stability and sufficient fraud risk mitigation.

In Romania, marketplaces and trading platforms are regulated under national laws that transpose EU directives, with distinctions based on asset type.

Securities Trading Platforms

These are governed by Law 126/2018 (Romania’s capital markets law), which implements the EU’s MiFID II framework. Platforms must obtain authorisation from the ASF and comply with strict rules on transparency, investor protection and market abuse.

Cryptocurrency Trading Platforms

Romania has not enacted specific crypto laws, but platforms must adhere to Law 129/2019 (anti-money laundering), aligning with EU AML directives. Following the EU’s MiCA, applicable since December 2024, crypto platforms fall under a harmonised EU regime requiring licensing as Crypto-Asset Service Providers (CASPs). While MiCA is EU-level, it is directly enforceable in Romania, effectively integrating into the national framework.

P2P Lending Platforms

The EU Crowdfunding Regulation (Regulation 2020/1503) applies directly in Romania, requiring platforms facilitating crowdfunding or P2P lending to obtain authorisation as EU Crowdfunding Service Providers (ECSPs).

Under the EU MiCA, applicable in Romania since December 2024, crypto-assets are regulated based on their token type. Asset-referenced tokens (eg, stablecoins) and e-money tokens (used for payments) face strict requirements, including issuer authorisation, reserve asset rules and transparency obligations. Utility tokens, which provide access to specific services or products, are subject to lighter rules, primarily focusing on White Paper disclosures and consumer protection, unless they exhibit investment-like features.

In contrast, security tokens, which qualify as financial instruments (eg, representing shares or bonds), fall under Romania’s capital markets law (Law 126/2018), implementing the EU’s MiFID II framework. These tokens require authorisation from the ASF, compliance with prospectus rules and adherence to investor protection and market abuse standards.

The rise of cryptocurrency exchanges has driven Romania to align with the EU’s MiCA since December 2024. Centralised exchanges (CEXs) now require licensing as CASPs, complying with transparency, custody and AML rules under Law 129/2019. DEXs remain a regulatory challenge due to their non-custodial nature, though MiCA may apply if they involve identifiable operators. While CEXs face strict oversight (eg, transaction monitoring, investor disclosures), DEXs operate in a grey area unless offering regulated services like staking. Romania’s regulators, guided by EU standards, are exploring updates to address DeFi risks, but current rules focus on centralised platforms.

In Romania, listing standards for regulated markets (eg, Bucharest Stock Exchange) follow EU directives like MiFID II and the Prospectus Regulation, requiring issuers to publish approved prospectuses, ensure financial transparency, and meet corporate governance criteria. For SME growth markets, lighter standards apply under MiFID II, balancing investor protection with SME access. Crypto-assets, governed by the EU’s MiCA Regulation, require issuers to publish White Papers with technical, financial and risk disclosures.

Industry standards often exceed legal minimums: voluntary ESG reporting, enhanced cybersecurity protocols, and real-time trade surveillance are common. For crypto exchanges, even DEXs increasingly adopt KYC/AML practices, despite limited regulatory mandates.

For traditional financial instruments, Romanian investment firms are subject to MiFID II obligations, transposed through Law No 126/2018 on financial instrument markets and ASF Regulation No. 5/2019. These require firms to:

• promptly and fairly execute client orders;
• record, allocate and transmit client orders accurately and without undue delay;
• prevent misuse of confidential information and manage conflicts of interest; and
• apply best execution principles to ensure optimal outcomes for clients.

Under MiCA (Regulation (EU) 2023/1114), which becomes fully applicable in Romania from 30 December 2024, order handling rules will also apply to CASPs that execute orders on behalf of clients. CASPs must:

• handle and execute client orders promptly, fairly and professionally;
• prevent the misuse of client information;
• establish transparent, objective and non-discriminatory rules for order execution; and
• ensure fair treatment of client orders, especially when dealing on own account.

The rise of peer-to-peer (P2P) trading platforms challenges both traditional and fintech players in Romania. Traditional institutions face disintermediation and pressure to modernise, while fintechs must balance innovation with compliance.

Regulatorily, P2P platforms dealing in financial instruments may fall under MiFID II and Law No  126/2018, requiring authorisation. For crypto-assets, MiCA introduces mandatory licensing and conduct rules for CASPs from 30 December 2024.

P2P models raise supervisory concerns around AML, investor protection and platform accountability, especially when decentralised or operating across borders. Romanian authorities are expected to apply a functional, substance-over-form approach in assessing compliance.

Payment for Order Flow (PFOF) is generally restricted within the EU, including in Romania, due to its potential to create conflicts of interest and impair best execution.

Under MiFID II, as implemented in Romania through Law No 126/2018, investment firms must act in the best interest of clients when executing orders. PFOF arrangements – where brokers receive fees from third parties (typically market makers) for routing client orders – are viewed as incompatible with this duty unless strict transparency and conflict management rules are met. In practice, EU regulators, including the Romanian ASF, follow ESMA’s guidance discouraging PFOF. Several member states, such as Germany and the Netherlands, have introduced national bans, and the EU Retail Investment Strategy proposes an outright prohibition across the EU.

Impact on Financial Markets

These restrictions limit the development of US-style commission-free trading models in Romania. Brokers must rely on alternative monetisation models (eg, spread markups, explicit fees), ensuring greater transparency and alignment with client interests.

Under MiCA (Regulation (EU) 2023/1114), which applies from 30 December 2024, CASPs executing orders on behalf of clients are subject to rules analogous to MiFID II, including the obligation to act honestly, fairly and professionally in the client’s best interest. While MiCA does not explicitly reference PFOF, any arrangement that could impair best execution or create unmitigated conflicts of interest may be scrutinised or prohibited by competent authorities.

Impact Under MiCA

CASPs facilitating order execution will need to disclose any inducements or third-party arrangements and ensure that such relationships do not compromise execution quality. In effect, MiCA creates a regulatory environment that is hostile to PFOF practices, reinforcing investor protection and market integrity principles.

Trading activity in Romania is governed by fundamental principles of market integrity and the prohibition of market abuse, as set out under EU law and implemented in national legislation.

The key legal framework is Regulation (EU) No 596/2014 on Market Abuse (MAR), directly applicable in Romania, and supplemented by Law No 24/2017 on issuers of financial instruments and market operations.

The core principles include the following.

• Prohibition of insider dealing – trading based on material non-public information is strictly forbidden. This includes using such information for one’s own account or disclosing it unlawfully.
• Prohibition of market manipulation – practices that give false or misleading signals about the supply, demand, or price of financial instruments – such as spoofing, wash trades or spreading false information – are prohibited.
• Obligation to disclose inside information – issuers must promptly disclose inside information to the public in a manner that ensures equal and non-discriminatory access.
• Fair and transparent trading – market participants must act honestly and professionally, ensuring fair access to information and avoiding manipulative or deceptive conduct.
• Surveillance and reporting – investment firms and trading venues must monitor trading activity and report suspicious transactions to the ASF via Suspicious Transaction and Order Reports (STORs).

These rules are designed to maintain investor confidence, ensure efficient price formation and protect market integrity. Similar principles are expected to apply under MiCA, particularly in relation to the trading of crypto-assets on regulated platforms.

In the Romanian legal landscape, high-frequency trading (HFT) and algorithmic trading are mainly regulated by a set of Romanian and EU laws and overseen by the ASF and the Bucharest Stock Exchange (BVB).

This key regulatory framework includes the following.

• MiFID II (Markets in Financial Instruments Directive): This EU directive, implemented in Romania through Law No 126/2018, regulates trading activities, including HFT and algorithmic trading. It requires firms to implement risk controls, ensure market fairness, and monitor pre- and post-trade activities.
• Market Abuse Regulation (MAR): This applies to all asset classes and focuses on preventing market manipulation and insider trading in algorithmic and high-frequency trading.
• ESMA Guidelines: These guidelines focus on transparency, fairness and risk management in algorithmic trading systems.

While MiFID II applies broadly across asset classes, there are differences based on the type of asset. For example, in case of (i) equities and derivatives, there are more stringent reporting and risk management requirements, (ii) commodities, there are additional rules like position limits to curb speculation and (iii) cryptocurrencies, lighter regulation, mainly focused on AML and CTF compliance, with less emphasis on HFT or algorithmic trading.

In Romania, firms operating in a principal capacity must be licensed under Law No 126/2018 on Markets in Financial Instruments. However, not all principal traders are required to register as market makers – this depends on their trading activity.

If a firm trades solely for its own account but does not provide continuous liquidity, it must still obtain authorisation from the ASF as an investment firm or credit institution, depending on its structure.

If a firm actively provides liquidity by continuously quoting bid and ask prices, it qualifies as a market maker and must:

• register with the BVB and sign a market-maker agreement, committing to maintain minimum quoting obligations, spread limits and trading volumes;
• comply with ASF and BVB oversight, ensuring fair trading practices and market stability; and
• follow MiFID II transparency and risk control rules, preventing market manipulation and ensuring orderly trading.

Romanian regulations distinguish between investment funds and dealers (investment firms or credit institutions) engaged in proprietary trading, although both operate under Law No 126/2018 on Markets in Financial Instruments (which implements MiFID II).

Key Differences

Investment funds (such as hedge funds or alternative investment funds) typically trade financial instruments for portfolio management and investor returns, not for direct market making or client execution. They fall under ASF supervision and are regulated by the AIFMD (Alternative Investment Fund Managers Directive) or UCITS Directive, depending on the fund type.

Dealers (investment firms or banks trading on their own account) can act as market makers or proprietary traders, providing liquidity or executing trades for themselves. They require ASF licensing under MiFID II rules and, if they take deposits, BNR supervision.

Key Similarities

Both must comply with ASF regulations on transparency, reporting and risk management.

If they engage in HFT, they face additional ASF oversight and stricter risk controls under MiFID II.

In Romania, programmers who develop trading algorithms are not directly regulated, but the firms that use these algorithms are strictly supervised under Law No 126/2018.

While programmers don’t need a licence, firms using algorithmic trading must follow risk control rules, including pre-trade limits, testing and market abuse prevention under MiFID II and the Market Abuse Regulation (MAR). If an algorithm manipulates the market, the firm is responsible, though a programmer could face legal action if misconduct is intentional.

In Romania, insurance underwriting involves assessing and pricing risks before issuing policies, using data collection, historical claims analysis and financial risk evaluation. The industry leverages insurtech solutions like AI, machine learning and big data analytics to enhance accuracy, speed and risk forecasting. Underwriting is regulated by Law No 237/2015 and must comply with EU Solvency II, ensuring insurers maintain adequate capital. Consumer protection rules require transparency in risk assessment and fair treatment of policyholders, while GDPR mandates secure personal data processing. As insurtech transforms underwriting, regulators focus on market stability, policyholder protection and ethical data use.

In Romania, insurance regulations and practices vary by segment. Life insurance and annuities, involving long-term obligations, are strictly regulated under Law 237/2015 and Solvency II, ensuring capital adequacy, risk assessment and consumer protection. Insurers use conservative investments, actuarial models and advanced analytics, distributing products via financial advisers and digital platforms.

P&C insurance focuses on operational efficiency, fraud detection and claims management, with regulators like ASF emphasizing fair practices and transparency. Insurers leverage real-time data, telematics, and IoT for accurate underwriting and fraud prevention, adopting dynamic pricing and diverse distribution channels. While all sectors follow solvency and consumer protection rules, their regulatory and operational approaches differ based on risk, policy duration and capital strategies.

Under Romanian law, regtech providers do not fall under any specific regulatory framework or licensing structure. However, the current regime with respect to data protection, digital identity verification, financial services (including insurance), electronic communications, consumer protection, AML and cybersecurity might be potentially applicable to such institutions based on their service offerings. Regtech companies thus have to overcome a convoluted and fragmented legal landscape, ensuring compliance across industry-specific laws that were not originally conceived with their business models in mind. They are also subject to the same general accounting, tax, employment and corporate conditions that apply to other businesses operating in Romania.

Even for key functions like regtech, cloud computing, payment processing and other outsourced parts of a financial firm’s operations, contractual safeguards are imposed on technology providers in terms of performance, accuracy and compliance, especially concerning the regulatory aspects.

A service level agreement (SLA) generally governs such contracts covering specific performance metrics like uptime guarantees, transaction processing speed and error rates.

More often than not, firms expect audit rights to facilitate period assessments of such service providers’ compliance with data security, risk management and operational resilience standards.

Romania’s traditional financial sector is cautiously integrating blockchain technology to improve efficiency and security, balancing innovation with regulatory compliance. Cross-border payments are a key focus, with institutions piloting blockchain solutions to reduce costs and processing times for international transactions – particularly remittances, a critical market given Romania’s EUR5 billion annual inflow from overseas workers.

Interest in blockchain also extends to digital identity management, where financial firms aim to streamline customer onboarding and securely share KYC data. However, GDPR requirements, such as the “right to be forgotten”, complicate the use of immutable ledgers, prompting exploration of hybrid models. Trade finance is another priority, with institutions testing smart contracts to automate agreements like letters of credit, reducing delays and fraud risks through partnerships with enterprise-grade blockchain platforms.

Romanian regulators, including the BNR and the ASF, are taking a cautious yet proactive approach to blockchain technology. While no comprehensive local regulations specific to blockchain have been introduced, authorities are closely aligning with EU frameworks and exploring ways to balance innovation with financial stability and consumer protection.

The EU’s MiCA, effective since 2024, is a key driver of regulatory developments in Romania. MiCA will establish a unified framework for crypto-assets and blockchain-based services across the EU, and Romanian regulators are preparing to implement these rules locally. This includes creating guidelines for licensing, transparency and operational requirements for crypto-asset service providers.

In the meantime, Romanian authorities have issued warnings about the risks associated with cryptocurrencies, such as volatility, fraud and money laundering. They emphasise the need for compliance with existing AML and CFT regulations, which apply to blockchain-based transactions. The BNR has also expressed interest in exploring central bank digital currencies (CBDCs), in line with the European Central Bank’s digital euro project, though no concrete plans have been announced.

In summary, Romanian regulators are adopting a wait-and-see approach, prioritising alignment with EU regulations like MiCA while monitoring blockchain developments. Their focus remains on mitigating risks, ensuring compliance, and preparing for the broader integration of blockchain technology into the financial system.

Not all blockchain assets are considered regulated financial instruments in Romania. While some tokens may fall under existing financial regulations, many – particularly utility tokens – do not qualify as financial instruments and remain outside the scope of financial markets oversight. This distinction creates challenges in classifying and regulating blockchain assets, especially as the technology evolves and new use cases emerge.

As of March 2025, Romania does not have a distinct national classification system for blockchain assets. Instead, it relies on the regulatory framework established at the EU level, particularly the provisions of the MiCA and other relevant EU directives. Under MiCA, crypto-assets are categorised into asset-referenced tokens (ARTs), e-money tokens (EMTs), and other crypto-assets, with tailored regulatory requirements for each. Additionally, existing financial regulations apply where a token qualifies as a financial instrument under Law No 126/2018 on financial instruments or falls within the scope of payment services regulations.

For example, if a token exhibits characteristics of a security (eg, representing ownership or offering investment returns), it may be subject to Law No 126/2018. Similarly, payment tokens used for transactions could fall under PSD2 regulations. Romania has also transposed the EU’s Fifth Anti-Money Laundering Directive (5AMLD) into national law (Law No 129/2019), which defines virtual currencies for AML purposes. However, this definition does not establish a broader classification of blockchain assets beyond anti-money laundering obligations.

In summary, while some blockchain assets may be regulated as financial instruments under EU law, most – particularly utility tokens – are not. Romania does not have an independent classification framework for blockchain assets, relying instead on the provisions of MiCA and above-mentioned national laws.

In Romania, the regulation of issuers of blockchain assets and the initial sale of such assets follows the framework established at the EU level, as there are no specific national laws that independently govern these activities.

Instead, issuers must comply mainly with MiCA and other applicable provisions from Romanian laws that implement European regulations, particularly Law No 129/2019 on anti-money laundering, Law No 126/2018 on financial instruments and Law No 209/2019 on payment services.

Issuers of blockchain assets are subject to different regulatory requirements depending on the type of asset they issue. Under MiCA, the issuers of asset-referenced tokens and e-money tokens will need to obtain authorisation from the relevant national authority – the authorities most likely to be assigned with regulatory oversight being BNR and the ASF, and comply with transparency, governance and reserve requirements. Issuers of other crypto-assets, including utility tokens, will be required to publish a White Paper with key information about the asset but will not need specific authorisation unless the asset qualifies as a financial instrument under Law No 126/2018.

The initial sale of blockchain assets, including token sales and ICOs, is regulated based on the asset’s classification. If a token is considered a security under Law No 126/2018, the issuer must comply with prospectus obligations and investor protection rules. If the asset is used for payment purposes, it may fall under the scope of Law No 209/2019, which regulates payment services and electronic money issuance.

Law No 129/2019 also imposes AML obligations on crypto-asset issuers and service providers, including registration, KYC requirements and reporting duties.

In Romania, the regulatory environment for blockchain asset trading platforms is currently undergoing a transition, especially with the introduction of the MiCA Regulation. Platforms offering exchange services for blockchain assets could continue operating under a “grandfathering” provision until 30 December 2024. This means that these platforms did not need to comply with the new licensing requirements set by MiCA until after this date. Following this deadline, platforms will be required to meet the new regulatory standards within an 18-month adjustment period, giving them time to align with the updated framework and national legislation set to come into force during this period.

Importantly, even though there are no specific licensing requirements at this stage, these platforms must still comply with AML regulations as they must implement measures to prevent money laundering and terrorist financing, aligning with Romania’s broader obligations under EU law.

For exchange platforms, this grandfathering provision is a key opportunity to continue operations without immediate regulatory disruption. However, they must be aware that MiCA, once fully enforced along with relevant Romanian laws, will bring more stringent requirements, particularly around asset classification, investor protection and platform oversight.

Secondary market trading, whether facilitated by intermediaries or conducted peer-to-peer, also operates under a somewhat unclear regulatory environment. While there are no specific national regulations for peer-to-peer trading, participants must still adhere to AML standards. As the MiCA regulation rolls out, further clarification on these activities is expected.

In Romania, the provision of staking services related to cryptocurrencies is not expressly regulated under any specific national laws.

However, under MiCA Regulation, the situation is expected to change as staking service providers may be required to obtain a CASP licence. This is particularly relevant if the staking service involves any form of custody or control over the staked assets.

At the time of writing, lending services related to cryptocurrencies are not expressly regulated under specific Romanian laws.

Under the MiCA Regulation, crypto lending activities may, in certain circumstances, fall under the requirement to obtain a CASP licence. Specifically, if a lending service involves custody, control over client assets or even portfolio management services, it will likely need to comply with MiCA’s stringent transparency, operational and consumer protection standards, including obtaining the appropriate licence.

Romania’s current laws lack explicit rules for cryptocurrency derivatives (eg, futures, options). While Law 129/2019 (aligned with EU AML rules) requires crypto exchanges and wallets to register and comply with AML standards, it does not regulate derivatives.

The EU’s MiCA Regulation, effective since December 2024, introduces comprehensive rules for crypto-assets, including derivatives, mandating transparency, risk disclosures and investor safeguards.

Until fully implemented, providers must adhere to general financial regulations and AML obligations. The ASF has not issued specific guidance, so firms should seek legal counsel to ensure compliance with MiCA’s stricter governance and operational requirements.

Currently, there is no specific regulation on DeFi in the European Union, but the sector is impacted by cryptocurrency provisions and other general financial regulations, such as AML and CFT legislation. As regards the new MiCA Regulation, fully decentralised DeFi services that do not have an intermediary are not directly covered. MiCA only covers partially decentralised services – ie, those that have components or intermediary entities managing the platforms. However, if a party facilitates the trading of securities tokens or cryptocurrencies, it must comply with local securities regulations, financial instruments and AML/CFT obligations, regardless of whether the service is decentralised. Therefore, the statement that such services are unregulated due to the lack of intermediaries could be challenged by Romanian regulators, who could interpret the activity as falling under the existing legal frameworks regulating financial markets and cryptocurrency transactions.

In Romania, funds investing in blockchain assets are regulated under Law 126/2018 (for traditional investment vehicles like UCITS/AIFs) if they hold security tokens or crypto-assets classified as financial instruments. For non-security tokens (eg, utility tokens), the EU’s MiCA Regulation, applicable since 30 December 2024, now governs crypto-asset services, requiring funds to comply with transparency, custody and investor protection rules. MiCA mandates that issuers and platforms (including funds) meet strict operational standards for crypto-assets like stablecoins or utility tokens. All funds must also adhere to AML obligations under Law 129/2019

Romania’s regulation of blockchain and cryptocurrencies aligns closely with EU frameworks to ensure coherence with broader European digital market standards. Under GEO 111/2020, virtual currencies are defined as digital representations of value not issued by central authorities, usable as a medium of exchange but not legally recognised as traditional money. This mirrors the EU’s approach, treating them as exchangeable digital assets rather than currency.

Blockchain assets – including virtual currencies, security tokens and utility tokens – are set for enhanced oversight under the EU MiCA.

NFTs currently fall outside Romania’s fintech regulatory scope but may face oversight if they function like regulated crypto-assets (eg, facilitating financial transactions). While not explicitly covered by the EU’s MiCA Regulation, NFTs could be included if they mirror regulated crypto-asset traits. Stakeholders must monitor evolving rules and prioritise compliance, particularly tax obligations.

Romania, like other nations, is adapting tax frameworks to address digital assets. Even non-fiat transactions (eg, buying NFTs with crypto) are taxable based on their RON value. Selling crypto to acquire NFTs triggers taxable events for both transactions. Authorities aim to balance fair taxation with innovation, requiring individuals to report all digital asset activities, regardless of fiat conversion. Compliance remains critical as regulations evolve.       

Romania’s approach to open banking is largely shaped by the EU’s PSD2, which was brought into Romanian law through Law 209/2019. This rule requires banks to let third-party apps securely access customer accounts (with permission), paving the way for services like budgeting apps, instant payments and better financial tools. The idea is to boost competition and give consumers more control over their money. The BNR oversees this system, making sure banks and fintechs follow strict security rules and protect user data under the GDPR.

However, the rollout has not been smooth. While PSD2 set the stage, many Romanian banks have been slow to adopt the tech needed for seamless integration, leaving smaller fintechs stuck in limbo.

On the upside, PSD2 has pushed Romania into the EU’s open banking ecosystem, and recent tweaks – like clearer tech standards and sandbox programmes – hint at better days ahead. The BNR is now pushing for smoother collaboration between banks and fintechs, which could finally turn the promise of open banking into an everyday reality for Romanians.

In Romania and Europe, banks and technology providers are looking into data privacy and security issues raised by open banking through a mixture of regulatory compliance, advanced security measures and transparent data handling practices. Under GDPR and PSD2, banks need to obtain express customer consent when accessing the data of users, apply state-of-the-art encryption protocols and create a process for strong user authentication via a two-factor process. Technology providers integrate secure APIs that allow third-party services access to data without revealing sensitive information, allowing tokenisation, thus reducing the risk to users. Such measures include regular audits, compliance with cybersecurity standards and co-operation with the relevant regulators that help ensure banks and technology providers reduce the various risks in relation to data breaches and unauthorised access. Even with these measures, however, challenges remain in terms of the balancing act between innovation and the need to protect consumer privacy, which must still respond in real-time to evolving threats in the digital landscape.

In Romania, fraud in financial services and fintech is analysed through the “fraud triangle” framework (opportunity, justification, pressure), per Emergency Ordinance 66/2011. Opportunity arises from weak internal controls or cybersecurity gaps (eg, flawed authentication, unsecured APIs). Justification involves rationalising actions (eg, “borrowing” funds, exploiting system loopholes). Pressure stems from financial instability (personal debt, corporate losses) or greed.

For fintech, digital risks like identity theft, payment fraud or smart contract manipulation amplify these elements.

Romanian regulators, including the BNR and ASF, prioritise combating authorised push-payment (APP) fraud, where victims are tricked into sending payments to fraudsters via social engineering. This is amplified by rising digital banking and instant payment adoption. Identity theft and account takeover fraud are also key concerns, exploiting weak authentication or data breaches in fintech platforms.

Under PSD2 (transposed via Law 209/2019), banks and payment providers must implement strong customer authentication (SCA) and transaction monitoring to detect anomalies. Regulators also target investment scams (eg, fake crypto or high-yield schemes) and money laundering via fintech services, enforcing AML rules under Law 129/2019. With the EU’s MiCA Regulation now applicable, crypto-related fraud (eg, fake ICOs, “rug pulls”) faces stricter oversight.

In Romania, fintech providers’ liability for customer losses hinges on service type, compliance, and fault. Under PSD2 (payment services), they must reimburse unauthorised transactions unless the customer was negligent (eg, shared credentials). For crypto-assets, MiCA imposes liability for custody failures or inadequate risk disclosures. Investment platforms face liability under MiFID II for flawed advice or misrepresented risks. GDPR holds providers accountable for data breaches due to poor cybersecurity. Contractual breaches (eg, platform outages) are actionable under the Romanian Civil Code. Customer negligence or force majeure (eg, unpreventable cyberattacks) may limit liability.