With the exception of certain provisions within the legislation concerning insurance and financial services, at present there is no legislation in force specifically regulating cloud computing. However, there have been regulatory initiatives from industry associations (eg, the National Association for the Security of Information Systems) in the form of guides with respect to, for example, cloud security.
In addition, there are certain legislative initiatives concerning the government cloud. In this respect, the Authority for the Digitalisation of Romania has been working on a draft enactment regarding the development of cloud infrastructure to be used by public institutions. The same authority is in the process of organising public tenders in view of the development of such infrastructure.
Cloud Services in the Financial and Insurance Sector
Cloud services are currently defined only in Romanian insurance legislation as services provided via cloud computing technologies to allow universal, convenient, on-demand network access to a common set of configurable computing resources, which can be quickly made available and launched with minimal effort of management from, or interaction with, the service provider. The said legislation also defines the following types of cloud:
The legislation referred to above also imposes certain obligations that will be discussed below.
In addition, a guide on the externalisation to cloud services suppliers was released by the Financial Supervisory Authority in August 2021 for the attention of fund administrators and other entities that work with investment funds.
The guide applies from 31 July 2021 to all cloud outsourcing commitments concluded, renewed or modified on or after this date. The relevant entities are to review and amend existing cloud outsourcing commitments to ensure that they comply with this guide by 31 December 2022. In a nutshell, relevant companies must allocate clearly delineated responsibilities for managing outsourcing contracts. Furthermore, they must monitor the outsourcing contracts on a risk-approach basis.
In the insurance sector, specific norms implement the guidelines on outsourcing to cloud service providers of the European Insurance and Occupational Pensions Authority. Companies are subject to an obligation to evaluate their cloud outsourcing partners, in terms of risks posed by the cloud outsourcing activity. Insurance companies are also obliged to document their outsourcing relations in a separate registry where the information must be kept for two years after the contractual relationship with the outsourcing partner has ended.
The said norms on cloud outsourcing also provide minimum contractual provisions that must be included in the cloud outsourcing agreements. Insurance companies are obliged to ensure that cloud service providers comply with legal requirements and appropriate security standards.
All critical and significant outsourced cloud operations must be notified in writing to the Financial Supervisory Authority.
Data Privacy Aspects
Processing personal data in a cloud falls under the principles stated in the General Data Protection Regulation (GDPR).
Considering the Guidelines 07/2020 on the concepts of controller and processor in the GDPR issued by the European Data Protection Board (EDPB), the cloud providers mainly act as processors (ie, processing personal data under the instructions and on behalf of the controller), even where they offer standardised cloud services. In all cases where cloud providers act as processors, the parties must conclude a data processing agreement setting forth the conditions of the processing.
Following the invalidation of the EU-US Privacy Shield through the decision of the Court of Justice of the European Union in Schrems II, special attention should be paid to the transfers of personal data to third countries.
Whilst the first step is to ensure that the personal data is stored and processed entirely within the European Economic Area, due to the potential extraterritorial effect of surveillance laws governing third countries, the standard transfer tools provided by the GDPR might not be sufficient.
In this respect, the EDPB issued recommendations on supplementary measures to be used to ensure that the transferred data benefits from the same level of protection as that ensured in the EU.
The only Romanian enactment referring to blockchain consists of technical norms for the implementation of blockchain technology in the computing system for the monitoring of voting turnout and prevention of illegal voting, as well as in the computing system for the centralisation of data from the minutes on the recording of voting results. These were enacted in November 2020.
Thus, while there is no general legal framework on blockchain, Romania has showed interest in implementing the technology and it can only be expected that further legislation will be enacted in the future.
For instance, there are signs that the National Bank of Romania (NBR) will join other European central banks in regulating cryptocurrency. In this context, it can be expected that the NBR will issue financial regulations that touch on blockchain technology in the future.
Risk and Liability
When it comes to blockchain, particularly open-source blockchain, it may prove difficult to identify the liable party when issues occur.
Depending on the level where the underlying issue occurs and the specific nature of the issue, liability could be imposed, for example, against one or more nodes in the blockchain and against the developer or the supplier of the software granting access to the blockchain.
Depending on the same, the risks and liabilities can be:
In view of the above and the rather complex nature of blockchain technology, all the parties involved, whether it be nodes, software developers or suppliers or other entities providing various services based on blockchain technology, should assess their involvement and role in the blockchain and any potential issues that may occur at said levels so as to minimise risks and liability.
While not directly regulated under Romanian law, general norms under the Civil Code should enable any interested party residing in Romania to identify the competent court in which to claim compensation.
Nevertheless, specific legislation on blockchain would be welcome.
Blockchain is not expressly covered by Romanian legislation on intellectual/industrial property.
However, as blockchain essentially is a system that records information, it may potentially be argued that blockchain amounts to a database, which would make it subject to intellectual property rights.
At the same time, as blockchain technology can itself be used to record/register other assets to which intellectual property rights are attached, future enactments on blockchain may potentially encompass intellectual property aspects.
Due to the nature of blockchain technology, the following data privacy-related aspects are of particular interest:
In view of the above, specific guidelines on how such data protection rights may be exercised should ideally be developed at European level. To this end, the European Data Protection Board has included within its strategy for 2021–2023 the assessment of new technology, including blockchain, as one of the key actions to be implemented.
As blockchain technology is not regulated in Romania, service levels should normally follow general contractual principles imposed under the Romanian Civil Code. Thus, services should be provided within the timeframe, under the conditions and at the price provided in the relevant supply contract.
Due to its characteristics, blockchain technology is considered an essential service per Romanian Law No 362/2018 on ensuring a high common level of security network and IT systems. This encompasses services provided in the following essential areas: (i) energy; (ii) transport; (iii) the banking sector; (iv) financial market infrastructure; (v) the health sector; (vi) supply and distribution of water; and (vii) digital infrastructure.
If blockchain technology were to be used in one of the areas mentioned above, the supplier thereof would need to meet security and technical measures specific to essential services, as follows:
While blockchain technology is cross-border by nature, as the nodes thereof can be located in any country around the world and thus, at first glance, it may seem difficult to pinpoint the exact applicable jurisdiction, in the end this is achievable depending on the actual nature of the relevant dispute.
For example, when it comes to contractual relationships (eg, those between an entity providing blockchain-based software as a service and its end user, or between the licensor of such software and the licensee) between EU nationals/companies, where the parties have not established the applicable law, the same will in principle be the one of the country where the service provider/licensor has its habitual residence/registered office, in line with Regulation (EC) No 593/2008 of the European Parliament and of the Council of 17 June 2008 on the law applicable to contractual obligations (Rome I).
In case of tort resulting from the use of blockchain technology, the applicable law would normally be the one of the countries in which the damage occurs.
When it comes to compliance matters, the applicable law would be determined according to the jurisdiction of the enforcers of the legislation infringed. For example:
One other topic to be explored is whether and when blockchain users who are individuals could be considered consumers and hence, whether and when consumer protection authorities would have jurisdiction over potential complaints from such users.
For example, when purchasing and selling cryptocurrency, it is debatable whether an individual acts as a consumer or as a professional from a Romanian law perspective. Depending on the purpose of the activity concerned, either qualification may apply. For example, if such activity is performed for personal investment/savings purposes, in particular via a third party providing financial management/advisory services, it is more likely that the former qualification will apply. However, if the activity starts to be carried out directly and on a regular basis and/or on behalf of other persons who would be charged for the same, the individual may be deemed as a professional.
It is important to determine whether an individual acts as a professional or as a consumer, as in the second scenario the provider of the blockchain services/technology will need to consider the identity and comply with the rights of consumers applicable in their country of residence, for example:
Moreover, in such a scenario, according to EU and Romanian law, the agreement shall in principle be governed by the law where the consumer has its habitual residence, provided that the supplier pursues their commercial activities in such country or directs their activities to that country.
Big data, machine learning and artificial intelligence are currently not regulated in Romania. Nevertheless, there is increased interest from certain authorities in relation to these fields.
In 2021, the Romanian Competition Council published a document called a “Study on the effects on competition of the usage of Big Data platforms” (the “Study”).
The need for the Study arose both from the rapid evolution of digital markets and the impact of big data on the economy. The absence of sufficient information in that respect caused the Romanian Competition Council to start working on the Study in 2018.
The Study has identified not only the strengths and opportunities arising from the use of big data (ie, economy of time and resources, innovation, efficiency and productivity, real-time information) but also the threats posed by such usage (ie, in the area of data confidentiality, data protection, legitimacy of data usage and control over data quality).
Following the Study, the Romanian Competition Council concluded that, despite the positive impact of big data on economic growth (mainly through increased productivity and efficiency), the same has the potential to affect competition through abuses of dominance, by restricting or refusing access to data, or through collusion.
In relation to intellectual property, one issue is whether algorithms used in big data can be protected through intellectual property rights. The answer so far seems to be that such algorithms are excluded from protection under European copyright laws, since “ideas, procedures, methods of operation or mathematical concepts” are not protected under EU copyright rules.
Patent protection of algorithms is also excluded. However, to the extent algorithms are used in the creation of computer-implemented inventions that are new, involve an inventive step and are susceptible to industrial application, the possibility of patentability, although still uncertain, is not excluded.
It is debatable whether algorithms can benefit from sui generis protection under database protection laws. In order for such protection to be granted, substantial investments must be made in either the obtaining, verification or presentation of the contents to prevent extraction and/or re-utilisation of the whole or of a substantial part, evaluated qualitatively and/or quantitatively, of the contents of that database. It is unclear whether protecting algorithms can be linked to their role in obtaining or evaluating data.
Algorithms may, however, be protected as trade secrets, as long as they remain secret. However, the lack of transparency in algorithms creates its own set of issues, especially in the context of automated decision-making.
Another issue raised by AI algorithms is that of authorship. In Europe, the European Patent Office has refused two patent applications on the grounds that a machine, instead of a human, was named as inventor. This line of reasoning is likely to be followed by countries such as Romania.
The GDPR is based on observing key principles, such as lawfulness, fairness, transparency, purpose limitation, data minimisation, storage limitation, integrity and confidentiality.
At the opposite end, big data implies:
Thus, ensuring that big data does not infringe GDPR principles can be a challenge.
Given the significant volume of information scattered across multiple systems, a company must have in place procedures and mechanisms enabling the swift location, extraction, rectification, restriction and/or erasure of the personal data concerned.
Artificial Intelligence and Machine Learning (as a Subset of AI)
National strategic framework
Romania has plans to develop a "national strategic framework in the field of artificial intelligence” through the project "strategic framework for the adoption and use of innovative technologies in public administration 2021–2027 – solutions for business efficiency".
In 2021, as a first step in the development of the national strategic framework, the Romanian Authority for the Digitalisation of Romania (ADR) in partnership with the Technical University of Cluj-Napoca launched a public consultation on AI. The public consultation was open to academia, businesses, consumers, professionals, and public sector entities that work with AI or for which AI represents a strategic element in the further development of Romania. The purpose of the public consultation has been to obtain qualitative data on the respondents’ view of AI.
This initiative is in line with the European vision on AI, especially in light of the Proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on AI (the "Artificial Intelligence Act") and amending certain union legislative acts.
The Romanian Competition Council’s Study referred to above concluded that, due to the ability of machine learning to learn constantly and adapt following the processing of real-time data, there is a risk of collusion between companies using such machine learning, for example, based on the rapid adaptation to a competitor’s prices. However, in order for a cartel to exist, the will of more than one undertaking in this regard must still exist.
Please see the section above regarding big data for potential intellectual property aspects, equally touching on AI.
In April 2021, the European Commission put forward a Proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on AI (the “AI Proposal”) with an aim to provide a co-ordinated European approach on the human and ethical implications of AI.
Given the substantial reach of the data protection rules when dealing with AI, the EDPB and the European Data Protection Superviser (EDPS) have already expressed their concerns with regard to the content of the AI Proposal.
In this respect, the two European authorities underlined the need for the AI Proposal to expressly state that the data protection legislation in force applies to all processing of personal data which falls under the scope of the AI Proposal.
At the same time, given the high risks posed by the identification of natural persons in public places by using remote biometric techniques, both the EDPB and EDPS called for a general ban on using AI, which allows for automated recognition of human features in public places. The same ban should apply where AI systems use biometrics to clusterise individuals on grounds such as ethnicity, gender, and political or sexual orientation.
The EDPB and EDPS also call for a prohibition against using AI:
As mentioned above, there are currently no specific rules with regard to AI. Thus, the general rules on civil contractual liability and tort law, as well as on administrative liability apply, the assessment being done on a case-by-case basis.
For instance, under the Romanian Civil Code there is an obligation for one party to repair the damages incurred by another party as a result of the use of an object. The liability sits with the person who owns or has control over the object or who uses the object in their own interest. Such person would be held liable, whether or not there was any fault on their behalf.
It is thus not unlikely for a person owning or using AI tools to be held liable for any damages that might result from events caused independently by the AI program, even if the latter did not receive a direct instruction to that specific end.
At the moment, the internet of things (IoT) is not regulated in Romania.
Nevertheless, when implementing IoT projects, one must bear in mind various pieces of legislation, examples of which are given below.
As IoT products generally collect and process large quantities of personal data, every such product should be thoroughly assessed to ensure its compliance with GDPR requirements, including those referring to data processing impact assessment (DPIA).
The Romanian National Supervisory Authority for Personal Data Processing has put large-scale processing of personal data generated by sensor-based devices transmitting data through the internet or through other means (IoT applications, such as smart TVs, connected vehicles, smart metering, intelligent toys, intelligent cities or other such applications) on the list of data-processing operations for which conducting a DPIA is required prior to deployment.
As the IoT implies the use of new technology that may be subject to security vulnerabilities, IoT-based projects might also need to consider compliance with cybersecurity legislation, such as:
The Proposal for a Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the EU, repealing Directive (EU) 2016/1148 (the ”Proposal”) introduces the concept of “important entities” and adds new sectors where such important entities operate that would fall within the revised scope of the NIS Directive. One of such sectors is the manufacturing of certain critical products, such as:
To this end, upon adoption and entry into force of the Proposal, the manufacturers of IoT devices that fall under the scope of the same will need to take key risk-management measures to manage risks to the security of network and information systems.
In Romania, IT service agreements are not subject to specific laws, but rather to general contract law and various compliance requirements (data privacy, competition, cybersecurity, etc.)
The Romanian Civil Code regulates how contracts are concluded, executed and terminated. Due to the specificity of IT services agreements, the agreement should regulate in detail all relevant aspects which are not caught by general legislation or which need to be derogated from. One aspect that cannot be adjusted, however, refers to liability waivers, as Romanian legislation allows same only as regards monetary damages and only to the extent these were not caused by severe negligence.
One noteworthy aspect in relation to copyright is that, according to Romanian law, the legitimate user of a computer program is allowed to correct errors in the program. This means that the program can be corrected even by third parties without authorisation from the copyright holder.
The legitimate user of the computer program or a person acting on their behalf may also reverse-engineer the program for the purpose of making it interoperable with other programs, without requiring the permission of the copyright holder.
In public procurement procedures, the tender book usually has the contract template that will be signed attached to it. Therefore, negotiating such agreements or having the same amended is only possible to a minimal extent.
In the banking sector, to the extent that the IT services agreement is such that the IT services provider has access to confidential data regarding the clients or other data regarding the activities of the bank, the agreement is deemed as outsourcing, and is subject to specific regulations. The outsourcing contract with a credit institution must:
Core Rules regarding Data Protection
The core rules applicable in Romania as regards data protection are those under the GDPR, which is directly applicable in Romania.
In addition, Romania has adopted Law No 190/2018 on GDPR implementing measures (“Law 190/2018”), which regulates a series of measures regarding Article 6 paragraph (2), Article 9 paragraph (4) and Articles 37–39, 42, 43, 83 paragraph (7), 85 and 87–89 of the GDPR.
The implementation measures refer to, among others:
Distinction between Companies/Individuals
Romanian data protection legislation (ie, the GDPR and Law 190/2018) does not apply to the processing of data concerning companies. Nevertheless, data belonging to companies may be considered trade secrets.
Data may be considered a trade secret if it meets the following conditions:
Misappropriation of clientele of a company by a former or current employee/representative or by any other person by using trade secrets is considered unfair competition and is subject to fines of up to RON50,000 (approximately EUR10,000).
Moreover, the disclosure, use or sale of trade secrets by a third party as a result of an act of commercial or industrial espionage, leading to the interests or activity of an entity being affected, is a crime punishable by imprisonment between three months and two years, or by a criminal fine.
General Processing of Data
Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union, which ensures that organisations are able to store and process non-personal data anywhere in the EU, is directly applicable in Romania.
Moreover, Law No 109/2007 on the reuse of information from public institutions (“Law 109/2007”) regulates the conditions for publication and reuse of information existing in public institutions' databases.
Thus, the reuse of documents (and non-personal information reflected therein) held by public institutions is generally allowed.
To reuse such documents, the interested party must make a request reflecting the following:
Such request may be:
i) fully accepted by the relevant public institution;
ii) partially accepted by the relevant public institution; in such a scenario, the public institution will need to motivate why the requested information was only partially disclosed and will need to provide the applicant with the possibility to challenge such partial refusal of disclosure; or
iii) refused, where the same principles mentioned in point (ii) above apply.
Processing of Personal Data
Processing of Personal Data is regulated under the GDPR and Law 190/2018 mentioned above.
Other provisions applicable to processing of personal data are provided from time to time in specific legal enactments (eg, in legislation on the prevention and combating of money laundering and terrorism financing). Nevertheless, such provisions are secondary norms and follow the general principles and requirements under the GDPR.
Law 190/2018 lays down specific conditions that apply where electronic monitoring and/or video surveillance systems are used in the workplace for the processing of employees’ personal data, in order to achieve the employer’s legitimate interests.
Such processing activities are subject to the following specific conditions:
Thus, there are no restrictions per se in terms of monitoring and limiting the employees’ use of computer resources, but it is mandatory before engaging in such activities to observe the provisions of both the GDPR and Law 190/2018.
Government Emergency Ordinance No 111/2011 on electronic communications (“GEO 111/2011”) transposes the main EU legal provisions in the field of electronic communications and covers all activities in the field of electronic communications networks and services.
According to GEO 111/2011, an electronic communications service is a service normally provided for remuneration which consists wholly or mainly in the conveyance of signals on electronic communications networks, including telecommunications services and transmission services in networks used for broadcasting, but excluding services providing, or exercising editorial control over, content transmitted using electronic communications networks and services.
The provision of electronic communications networks and services is subject to (i) a general authorisation regime and, where applicable, (ii) licences for the use of limited resources for the provision of electronic communications networks and services (such as radio frequencies, numbering resources and other associated technical resources).
The procedure to become an electronic communications network and/or services provider under the general authorisation regime is free of charge and consists of a notification to the National Authority for Management and Regulation in Communications (ANCOM).
Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (“European Electronic Communications Code”), which came into force on 21 December 2018, extended the scope of electronic communication services. According to this European enactment, electronic communication services encompass the following types of services:
The concept of interpersonal communications services is new and refers to services normally provided for remuneration that enable direct interpersonal and interactive exchange of information via electronic communications networks between a finite number of persons, whereby the persons initiating or participating in the communication determine its recipient(s). This concept does not include services which enable interpersonal and interactive communication merely as a minor ancillary feature that is intrinsically linked to another service.
There are two types of interpersonal communications services, namely:
The number-independent interpersonal communications services include instant messaging services such as WhatsApp and Facebook Messenger. According to the European Electronic Communication Code, the National Regulatory Authorities (NRAs) have powers with regard to instant messaging services consisting of, among others, submitting requests for information, settling dispute resolutions (including potential cross-border disputes), monitoring the market and protecting end-user rights with regard to non-discrimination, providing information in contracts, ensuring transparency and the quality of service.
The European Electronic Communication Code should have been transposed into the national legislation by 21 December 2020. However, at the date of publication this had not been transposed into Romanian law.
Voice over Internet Protocol
In Romania, Voice over Internet Protocol (VoIP) services using numbering resources are electronic communication services similar to fixed telephony services provided over public switched telephone networks (PSTNs). VoIP services are subject to GEO 111/2011 in terms of numbering resources, number portability, interconnection, quality of service and access to emergency services.
In accordance with the telecoms framework, RFIDs are radio-frequency identification devices. The National Authority for Management and Regulation in Communications Decision No 311/2016 on radio frequencies and frequency bands, exempted from the licences regime, sets the technical specifications applicable to RFIDs.
The main pieces of legislation regulating audio-visual media services in Romania are Law No 504/2002 on audio-visual content (“Audio-visual Law”) and Decision No 220/2011 on the Code of regulation of audio-visual content (“Audio-visual Code”).
Analogue programme services may only be provided by a broadcaster under Romanian jurisdiction on the basis of the analogue audio-visual licence and, as the case may be, of a broadcasting licence.
Digital terrestrial programming services through a broadcasting/television multiplex operator under Romanian jurisdiction may only be provided on the basis of a licence for the use of radio frequencies in a digital terrestrial system, for the benefit of digital audio-visual licence holders.
Procedure for Granting Audio-visual Licences
The procedure for granting audio-visual licences is provided in Decision 277/2013 of the National Audio-visual Council (CNA) on the procedure for granting, amending, extending the validity and assignment of the licence and the audio-visual authorisation decision, except for those for digital terrestrial broadcasting, as well as the conditions for the broadcasting of local programmes, retransmissions, or takeover programmes of other broadcasters.
For terrestrial frequencies, the licence is granted based on competition among providers. If the service is provided via electronic communication networks, the licence is granted by decision of the CNA.
Both analogue or digital audio-visual licences are granted for a period of nine years, for both radio and television. They can be renewed every nine years.
The holder of the broadcasting licence or the licence for the use of radio frequencies in the digital terrestrial system has an obligation to pay, annually in advance, a tariff for the use of the spectrum.
Video-on-demand services are governed by CNA Decision No 320/2012 regarding the provision of video-on-demand services. The decision does not apply to websites that provide user-generated audio-visual content for sharing, or sharing within a community of interest, such as YouTube.
The provision of on-demand audio-visual media services through electronic communications networks using digital terrestrial television systems is possible only on the basis of a digital terrestrial audio-visual licence granted by the CNA in accordance with the law.
Other than that, any person intending to provide on-demand audio-visual media services has an obligation to notify the CNA of this intention at least seven days before the start of the activity.
The provisions of the Audio-visual Law and the Audio-visual Code apply accordingly to the audio-visual programmes broadcast on demand, considering their specificity to be viewed on request and at the time chosen by the user.
EU Directives Regulating Audio-visual Services
Romania is currently in the process of adopting legislation transposing the following EU directives:
The directives regulate, among others, the regime of content-sharing platforms. Once transposed, Romania will have a regulatory regime for video-sharing platforms.
The main legislative acts related to encryption in Romania are in the field of protection of classified information. They include the so-called INFOSEC Directives, national acts issued by the Office of the National Register of State Secret Information (ORNISS).
Order 16/2014 for the approval of the Main Directive on INFOSEC, INFOSEC 2 (”INFOSEC Directive – INFOSEC 2”) is the act which lays down guidelines for the security of information and communication systems (“SIC”) in order to protect classified information stored, processed, or transmitted through it, with a view to ensuring confidentiality, integrity, availability, authenticity and non-repudiation.
The INFOSEC Directive – INFOSEC 2 applies to SIC which store, process or transmit classified information. It may also be applied to the protection of national classified information deemed as trade secrets, as well as of NATO or EU information which is not classified but which has administrative or dissemination limitation markings.
For cryptographic products, an evaluation methodology was adopted in 2012 by order of ORNISS (Order 21/2012 on the approval of the Methodology for evaluation and certification of packages, products and protection profiles INFOSEC-INFOSEC 14). ORNISS is responsible for co-ordinating the certification processes of all INFOSEC-regulated products intended for use at the national level, for which inclusion in the National Catalogue of INFOSEC protection packages, products and protection profiles is requested.
The evaluation and certification of cryptographic products are performed by two evaluating entities belonging to two of the following institutions: the Foreign Intelligence Service, the Romanian Intelligence Service, or the Ministry of National Defence.
Romanian legislation also requires entities acting in certain fields to use encryption. These include:
Currently, there are no specific enactments in connection with the COVID-19 pandemic that are relevant for the TMT sector.
However, in the National Recovery and Resilience Plan, Romania has allocated close to EUR2.8 billion for reforms and investments to support digital objectives. This is, among others, to help the transition to EU 2025 connectivity targets and to help stimulate private investment in the deployment of very high-capacity networks, as well as to implement a scheme to support the use of communication services through different types of instruments for beneficiaries, with a focus on white areas (areas where no telecoms infrastructure exists).
The acceleration of the digitisation and digitalisation trends during the COVID-19 pandemic has led not only to a more stringent need for access to public and private services via digital means, but also to more pressing concerns regarding cybersecurity and potential threats from third-party state actors.
While the new technologies and the rapid development of the interoperability and interconnectivity of essential fields of activity are a driver for economic growth and social development, the ensuing challenges are not easy. These include fragmentation, interoperability, red tape around permits for network constructions, low digital skills, and exposure to cyber-risks.
Nevertheless, the reforms and investments provided in its National Recovery and Resilience Plan under the Digital Transformation component aim to ensure that Romania will have a coherent and integrated digital infrastructure which will help the transition to a more digitalised economy and society.
The importance of the topic is reflected in the budget allocated in Romania’s National Recovery and Resilience Plan (endorsed by the European Commission in September 2021) to digital transformation-related investments, which represent a fifth of the total amount allocated under the plan.
In addition, Romania has continued to make headlines with its ever-flourishing technology sector, which has among other things seen a multibillion-dollar IPO, and Bucharest being designated as the venue of the EU Cybersecurity Competence Centre.
Technologies such as IoT, artificial intelligence, machine learning and 5G are expected to play an important role in Romania’s economic growth, offering numerous opportunities for investments.
Digital Transformation in the Public Sector
The digitalisation of public administration plays a key role in Romania’s National Recovery and Resilience Plan, with an emphasis on areas such as justice, employment and social protection, environment, civil service management and skills development, public procurement, cybersecurity, tax and customs. That adds up to a plan to build a secure government cloud infrastructure and to support the deployment of electronic IDs.
Romania also plans to invest in both:
The digital transformation is mainly focused on:
The process to ensure the digital transformation is to go hand in hand with the amendment of the Occupations Classification Code for the same to include the definition of new digital occupations.
The Government Cloud is contemplated under two envisaged reforms.
The National Recovery and Resilience Plan provides two legal enactments which are needed in order to develop a unitary framework for defining the architecture of a government cloud, namely:
With regard to the Government Cloud Infrastructure, the National Recovery and Resilience Plan sets out four measures, namely:
High-capacity networks and the necessary measures to ensure the transition to EU 2025 connectivity targets are both required in view of the digital transformation.
Stimulating private investment for the deployment of high-capacity networks, including through the acceleration of the national roll-out of 5G networks and through the provision of broadband coverage for white areas (where no telecoms infrastructure exists) has therefore become crucial.
In this respect, Romania is expected to take the necessary steps so that the auction for granting 5G licences may take place in the foreseeable future. This includes the transposition into national legislation of Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (“European Electronic Communications Code”).
Broadband coverage and speeds
With a view to ensuring the provision of broadband coverage for white areas, the National Recovery and Resilience Plan envisages the implementation of a scheme to support the use of communication services through different types of instruments for beneficiaries, with a focus on white areas. This scheme is meant to help with the provision of coverage for very high-speed internet access, namely at least 100 Mbps delivered through FTTB/H and/or 5G networks to those areas where the market cannot deliver these services on its own, ie, disadvantaged rural areas.
In order to address (i) the areas not covered with fixed networks, but which have a demand for services; and (ii) the fixed networks which do not provide for the necessary speeds to offer proper electronic communication services, investments are to be made in passive infrastructure and active network elements, backhaul and access segment, as well as in deploying new networks and upgrading the existing ones.
eHealth and telemedicine system
The pandemic increased the demand for telemedicine solutions. Although changes in the legal framework have been made to accommodate telemedicine, investments are needed in order to increase the access of rural and small urban areas, as well as of vulnerable groups, to specialised consultations via telemedicine.
The digitalisation of the National Health Insurance House and putting in place measures designed to ensure the cybersecurity of the Health Insurance IT Platform are two further important tasks for the Romanian authorities. In this respect, investments are planned to allow the integration of health institutions through digital infrastructure which will help to reduce fragmentation and increase the quality of health data.
eID and digital signature
The efforts towards the adoption of the eID are to continue, with the aim of facilitating digital interaction between citizens and public and private entities. Further to the investments set out in the National Recovery and Resilience Plan, Romania plans to deliver over eight million eIDs.
The eID will enable the authentication process when using public administration online services and will offer the possibility of holding a qualified electronic signature issued by qualified certification service providers.
All reforms and investments mentioned above are envisaged to be carried out using non-reimbursable grants.
Bucharest is the host of the European Cybersecurity Industrial, Technology and Research Competence Centre (the “EU Cybersecurity Centre”), which should play an important role in connecting public stakeholders with the relevant researchers and private sector.
The aim of the EU Cybersecurity Centre is, among other things:
Having the EU Cybersecurity Centre in Bucharest will undoubtedly consolidate Romania’s position as a significant actor in the field.