At the European level, Regulation (EU) 2022/2065 (the “Digital Services Act” – DSA) aims to ensure the proper functioning of the internal market for intermediary services by establishing harmonised rules for a safe, predictable and trustworthy online environment that fosters innovation while effectively protecting fundamental rights, including consumer protection. At national level, the DSA is implemented through Law No 50/2024, which establishes measures for the application of Regulation (EU) 2022/2065. The law applies to online marketplaces, social networks and hosting service providers. Under this act, ANCOM (the National Authority for Management and Regulation in Communications) is designated as the supervisory authority and may impose strict obligations on platforms regarding the removal of illegal content and the maintenance of user protection, under the threat of significant fines.

The Digital Markets Act (DMA), Regulation (EU) 2022/1925, applies directly in Romania without requiring transposition. It imposes interoperability obligations on designated “gatekeepers” (eg, messaging services must allow communication with other apps) and prohibits self-preferencing in rankings. The DMA applies to companies with an EU annual turnover exceeding EUR7.5 billion or a market capitalisation of at least EUR75 billion, controlling a critical access point with over 45 million monthly active users in the EU. Its objective is to ensure fair digital markets and greater consumer choice.

Romania has a complex and dense legislative framework. The main challenges do not stem from a lack of regulation, but from overlapping rules and limited technical implementation capacity. Although ANCOM co-ordinates the national enforcement of the DSA, several authorities oversee the digital economy: the National Supervisory Authority for Personal Data Processing (data protection), the National Authority for Consumer Protection (consumer rights and accessibility), the Competition Council (marketing and DMA issues), and the National Directorate for Cyber Security (cyber-resilience). A single incident, such as a data breach, may simultaneously trigger General Data Protection Regulation (GDPR) liability, DSA obligations and cybersecurity concerns under Law No 58/2023.

Platforms must remove illegal content, yet the absence of clear and updated definitions for certain forms of online content (eg, subtle disinformation or algorithmic manipulation) creates legal uncertainty. Platforms face a difficult balance between avoiding fines and respecting freedom of expression.

Although Romania does not have a legal framework dedicated exclusively to digital services, the tax regime is outlined in general terms by the Fiscal Code (Law No 227/2015), which imposes strict VAT rules and differentiates the treatment of income depending on the entity: legal entities are subject to corporate income tax or micro-enterprise income tax, while individuals (such as influencers) are required to organise themselves legally and declare their income through the Single Declaration (Form 212).

In relation to this fiscal framework, the most common difficulty for digital service providers in Romania is compliance with the RO e-Invoice, which requires real-time reporting of transactions to the National Agency for Fiscal Administration (ANAF), coupled with the administrative burden of collecting evidence of customer location (such as IP addresses or the location of the issuing bank) to justify the correct application of the VAT regime through the One-Stop Shop system (Article 278 alin. (5) lit. h) Fiscal Code). However, it is important to note that these challenges are strictly administrative and do not arise from any specific or additional taxes targeting digital services per se, as they are subject to the same general tax rates as traditional commercial activities.

As previously mentioned, Romania does not have a specific tax regime dedicated exclusively to digital advertising revenues. From a tax perspective, online advertising is treated similarly to any other service provision, without benefiting from special rules determined by its digital nature. Taxation is not influenced by the medium through which the advertisement is disseminated, but by the taxpayer’s form of organisation and the tax regime applicable to it.

Consumer protection in TMT is mainly governed by OUG No 141/2021 and OUG No 34/2014. Providers must ensure continuous functionality of digital products (eg, games or streaming subscriptions), deliver security updates, and comply with strict withdrawal rules. The right to withdraw is generally lost once digital content download begins, provided the consumer was properly informed and gave express consent. Companies must ensure transparency by clearly presenting technical features, interoperability requirements and limitations before purchase. They must also obtain the consumer’s express consent to begin performance during the withdrawal period.

Complaint handling is regulated by Law No 365/2002 and the DSA, which requires platforms to implement accessible, free and transparent internal complaint-handling systems (Article 20). Additionally, many operators use alternative dispute resolution mechanisms under Government Ordinance No 38/2015, ensuring independent, impartial and efficient resolution of consumer disputes while maintaining a high level of consumer protection and supporting the proper functioning of the internal market.

Regulation (EU) 2023/1114 (MiCA) regulates the issuance and trading of crypto-assets, imposing authorisation, transparency, and consumer protection obligations on crypto-asset service providers (CASPs) and issuers of tokens. TMT companies offering digital wallets, exchange services, or issuing their own tokens no longer operate in a legislative vacuum. They are now considered CASPs and must obtain authorisations from the Financial Supervisory Authority (ASF) or the National Bank of Romania (BNR).

Among the major challenges facing Romanian legislation is the need to adapt existing regulations to keep pace with the rapid rate of innovation in this field. On the other hand, blockchain technology offers significant opportunities for modernising and streamlining European financial legislation. Utilising blockchain for the management and verification of financial data could enhance the transparency and integrity of financial markets, thereby contributing to increased investor confidence and a reduction in the risk of fraud.

Romania does not have a single “Cloud Act”. Cloud usage is governed by a patchwork of laws that are highly restrictive in the banking and finance, and the gambling sectors.

Banking and Finance

The key regulatory body is the National Bank (BNR) and the cloud restriction level is extreme. There are strict “outsourcing” rules, while critical data requires BNR prior approval and must often stay in the EU/EEA.

Gambling

Cloud restriction level is high under the National Gambling Office, the ONJN. The main restriction is data residency, which means that all game logs and financial transactions must be mirrored on physical servers in Romania.

Insurance

There is moderate cloud restriction level under the ASF. The industry follows Solvency II standards, and robust business continuity plans are required in case of cloud failures.

General Retail

The key regulatory bodies, the National Authority for Consumer Protection (ANPC) and the GDPR, maintain a low cloud restriction level. General compliance with the GDPR is required, as well as consumer protection. There are no specific “location” mandates.

Laws and Regulations

Since Romania is a member of the EU, the current legislation applicable to AI primarily consists of the EU Regulation 1689/2024 (the “AI Act”) which is directly applicable and can therefore be invoked in all claims based on AI liability. When discussing AI liability, given the current withdrawal of the Directive for AI Liability (AILD), the Romanian Civil Code sets out the general civil liability rules.

Tort and Contractual Liability

The Civil Code states the norms both for tort and contractual liability and, as a general rule, there is a fault-based liability system. This means that anyone who claims for damage caused by AI must prove the faulty behaviour, the damage and the causal link between them. Obviously, proof of fault is extremely difficult where AI is concerned.

There are some exceptions where an objective liability is sufficient in order to claim damage, such as the case where the AI is embedded in a material product such as a medical device. However, in order to be able to claim damage based on objective or fault-free liability it is necessary to be able to build a claim based on the liability for goods that are under the control of the entity, as stated in Section 5, Article 1376 of the Civil Code. In addition to the objective liability in the Civil Code, one can claim liability for defective products on the basis of Law No 240/2004 interpreted in conjunction with Directive EU 2024/2853 (the “PLD”) which includes software in the “product” category. The challenge is to prove that software incorporating AI is “defective” both according to Law No 240/2004 as well as the PLD, which is quite difficult in a court case.

Criminal Liability

Romania has not yet adopted specific criminal legislation for AI. Therefore, criminal liability must be established through existing criminal offences in the Romanian Criminal Code (Law No 286/2009), interpreted considering AI Act requirements.

According to the rules currently in force, criminal liability, even in cases where AI acts autonomously, can only be imposed on natural persons who have programmed or who use AI, or legal persons whose representatives or employees’ program or use AI on their behalf.

Deepfake technology

Romanian criminal law addresses deepfake-related conduct through several existing offences under the Romanian Criminal Code:

• Computer fraud (Article 249) – applies when deepfakes are used to generate fake accounts using real persons’ data or to manipulate digital transactions.
• Violation of privacy (Article 226) – covers the unauthorised generation and dissemination of private images of identified or identifiable persons.
• Fraud (Article 244) – applicable when deepfakes are used as fraudulent means or false qualities to obtain unjust benefits.

Additional protective measures are available under cyber-violence legislation (Law No 217/2003, as amended, and Law No 26/2024).

AI bots

Where an AI bot functions as an instrument of crime, criminal liability falls on the natural or legal person who designs, operates, configures, or benefits from its illicit activity. Depending on the specific conduct, the following offences under the Romanian Criminal Code may apply:

• Computer fraud (Article 249) – relevant when bots engage in algorithmic manipulation or generate fraudulent transactions.
• Unauthorised access to computer systems (Article 360) – applicable when bots penetrate digital platforms without authorisation.
• Unauthorised transfer of computer data (Article 361) – covers cases where bots extract or transmit data from protected systems.
• Fraud (Article 244) – applies when bots employ false qualities or fraudulent means to obtain benefits.
• Threats, blackmail or harassment (Articles 206, 207 or 208) – prosecutable when bots are used to commit these offences, with Law No 217/2003 and Law 26/2024 providing additional means of protection.

Autonomous vehicles

Romania does not yet have specific criminal legislation for autonomous vehicles. However, designers and users may be held criminally liable under general provisions for offences against life or bodily integrity (the relevant offences being those of negligence provided for in Articles 191 or 196 of the Criminal Code), if culpability can be established.

Under Romanian criminal law, culpability requires: (i) breach of a duty of care or diligence (eg, failure to implement necessary safety measures or the creation of excessive risk); and (ii) foreseeability, ie, the harmful result must have been reasonably foreseeable given the system’s intended use and known limitations.

Even in the absence of specific traffic regulations for autonomous vehicles, criminal liability may be established where the designer failed to implement adequate safety protocols or where the user deployed the vehicle in conditions exceeding its designed operational parameters. The application of Emergency Ordinance No 195/2002 on traffic safety may provide additional legal grounds as autonomous vehicle technology develops.

Industrial, commercial or medical robots

Programmers and users of industrial, commercial or medical robots may face criminal liability under two main legal frameworks:

• offences against life or bodily integrity (Articles 191 or 196) – applicable when robot malfunction or misuse causes death or injury; and
• failure to implement or respect safety and security measures at work (Article 349–350).

Law No 319/2006 on health and safety at work establishes general obligations to ensure workplace safety. Although specific regulations for robotic systems are not yet codified in primary legislation, Law No 319/2006 empowers employers and sector-specific authorities to adopt secondary regulations tailored to technological developments and industry-specific risks.

The absence of detailed AI-specific safety standards creates legal uncertainty regarding the precise standard of care required. Until such regulations are adopted, liability will be assessed based on general principles of foreseeability and the duty to prevent reasonably anticipated risks. Liability requires demonstrating that the designer or operator breached applicable safety standards or failed to implement risk mitigation measures that were reasonably available given the state of technology.

Intellectual Property in the Context of AI

The national legislation on intellectual property is unfortunately three decades old and the national landscape from 1996 when Law No 8/1996 was adopted does not fit the current challenges that have emerged when using AI.

The law recognises as author only the natural person who created a work and only this natural person may claim moral rights. Property rights, however, may be claimed by either natural persons or legal entities that have been granted such rights either by a contract or by law, such as the case of a company that may claim the rights for all works created by its employees in the execution of their labour agreement. In addition to the problems that may arise as to who may claim authorship for works created using AI, there is of course the problem, in the current outdated legislative framework, of proving the originality of the work as well as the fact that it is the authors’ intellectual creation.

In Romania, the legal framework for the Internet of Things (IoT) and Machine-to-Machine (M2M) communications is not consolidated into a single “IoT Act”. Instead, it is governed by a combination of telecommunications laws, cybersecurity mandates, and strict data protection rules, which become even more rigid when applied to regulated industries like gambling (eg, GPS tracking on slot machines).

Legislation

The primary legal pillars for IoT and M2M in Romania are:

• The Electronic Communications Law (Law No 197/2022) – This is the local transposition of the European Electronic Communications Code (EECC). It defines the regulatory status of M2M services, emphasising that providers of M2M connectivity are considered electronic communication service providers and must notify ANCOM.
• The Cyber Security Law (Law No 58/2023) – This law is crucial for IoT as it mandates that any “entities of public interest” or providers of essential services using IoT devices must implement specific security standards to prevent botnets and unauthorised access.
• Law No 141/2025 (the “Gambling GPS” Mandate) – This is a sector-specific IoT regulation that requires all land-based slot machines to be equipped with M2M devices (standalone GPS and data transmission modules) that communicate real-time location and status to the ONJN servers.

M2M Communications

In the context of regulated industries, M2M is primarily used for telemetry and fiscal monitoring. M2M devices in Romania must use specific numbering resources (eg, non-geographic numbers) regulated by ANCOM. The law distinguishes between “human-initiated” and “machine-initiated” data. For gambling, the M2M modules must be “tamper-resistant”, meaning any interruption in machine-to-server communication triggers an automatic “out of order” status for the gaming terminal.

Companies deploying IoT solutions in 2026 – particularly within the gambling industry – face a regulatory landscape that prioritises traceability, real-time accountability, and cybersecurity resilience.

Companies face several “systemic” challenges when integrating the IoT into their operations:

• Real-Time Geolocation Integrity (Law 141/2025) – The primary challenge for land-based operators is the mandatory integration of standalone GPS and M2M modules. Compliance requires ensuring these devices are tamper-resistant and maintain constant connectivity. Any signal loss or “GPS spoofing” can lead to immediate administrative fines or licence suspension.
• The “Mirroring” Latency Trap – IoT devices generate massive streams of data. Romanian law requires this data to be replicated on a local safe server in real time. The challenge is ensuring that IoT edge-processing does not create a delay that puts the operator out of sync with the ONJN’s monitoring systems.
• Supply Chain Liability (Law 58/2023) – Under the National Cybersecurity Law, companies are now responsible for the cyber-hygiene of their IoT vendors. If a hardware provider’s firmware has a vulnerability that leads to a data breach, the Romanian company (the “operator of essential services”) is held primarily liable for the lack of due diligence.

To manage these challenges, companies in Romania should implement the following governance frameworks:

• The “Zero Trust” IoT Architecture – Given that modern gaming terminals are distributed systems, companies are moving away from traditional firewalls towards Zero Trust models. Implementation – Every IoT device (slot machine, biometric sensor, or GPS module) must be re-authenticated for every data packet sent. No device is trusted by default, simply because it is on the internal network.
• Integrated Compliance Management (ICM) – Governance should not be siloed between the IT and legal departments. Large operators are establishing inter-disciplinary boards to oversee the life cycle of IoT devices – from procurement (vetting the vendor’s Class II licence) to disposal (ensuring data wiping). Under Law 58/2023, companies should implement a framework for annual technical audits performed by ONJN-accredited laboratories to verify that IoT firmware has not been modified or compromised.

In 2026, data sharing for IoT and M2M companies in Romania has shifted from a voluntary “business-to-business” (B2B) agreement model to a mandatory statutory framework. This is driven by the full application of the EU Data Act (as of September 2025) and local sector-specific mandates like Law 141/2025 for the gambling industry.

The legal requirements are now centred on the concept of data portability and access by design:

• User Access Right (EU Data Act) – As of September 2025, IoT providers must ensure that users (both individuals and businesses) have a right to access and use the data generated by their connected products.
• Design for accessibility – By 12 September 2026, all new IoT products placed on the Romanian market must be designed so that data is, by default, easily and securely accessible to the user without additional cost.
• Third-party sharing – Upon a user’s request, the “data holder” (manufacturer or service provider) is legally obliged to share the generated data with a third party (eg, a maintenance provider or a competitor) under fair and non-discriminatory terms.
• B2G (business-to-government) sharing – In cases of “public necessity” (eg, public emergencies or specific fiscal audits), companies can be compelled to share non-personal data with Romanian public sector bodies.

The data-sharing obligations apply differently based on a company’s role and size:

• Directly subject companies –
1. manufacturers of “connected products”: any company producing hardware that generates data about its environment or use (eg, smart meters, connected slot machines, industrial sensors); and
2. providers of “related services”: digital service providers whose software is necessary for the product to function (eg, cloud platforms for IoT).
• Indirectly subject companies – third-party companies that receive data at the user’s request are subject to strict “purpose limitation” rules and cannot use the shared data to develop a competing product.
• SME exemptions – small and micro-enterprises (under 50 employees and

Law No 504/2002

The regulation of the audiovisual sector in Romania is governed by a relatively complex legal framework, the primary legislative act being Audiovisual Law No 504/2002, implemented in practice through secondary legislation consisting of the rules adopted by the National Audiovisual Council, as the main supervisory and regulatory authority in the field of audiovisual media services. The national legal provisions have been progressively amended in order to transpose into domestic law the provisions of Directive 2010/13/EU (Audiovisual Media Services Directive), as subsequently amended by Directive (EU) 2018/1808. This regulatory framework ensures alignment with European standards regarding freedom of expression, the protection of minors, media pluralism and diversity, and it establishes specific rules applicable to streaming services and video-sharing platforms.

Under Law No 504/2002, audiovisual media services are divided into two main categories: linear audiovisual media services (television or radio broadcasting), characterised by the simultaneous transmission of programmes according to a predetermined schedule, and non-linear (on-demand) audiovisual media services, where the user selects the time of viewing a programme from a catalogue made available by the provider or from content generated by other users.

Linear and Non-Linear Services

Licensing and compliance

For the provision of television or radio services (linear services), operators must obtain an audiovisual licence granted by the National Audiovisual Council. In addition, such services are required to comply with rules concerning media pluralism and providing accurate information to the public, the protection of minors, media advertising, as well as the diversity of media content offered to consumers.

Streaming and video-sharing services (non-linear services) are subject to a more flexible legal regime, as they are not required to obtain a licence. However, platforms are obliged to notify the National Audiovisual Council prior to commencing their activity in Romania. They must also implement mechanisms for removing harmful content, and reporting age-verification systems, parental control tools, and clear terms and conditions governing the use of the platform.

As with the applicable requirements, the authorisation procedure differs depending on the type of service provided.

For the provision of linear television and radio services, obtaining an audiovisual licence from the National Audiovisual Council is mandatory. The procedure entails the preparation of documentation concerning the structure and organisation of the entity applying for the licence, as well as project proposals and plans regarding the content to be delivered. The documentation and editorial material are subject to an assessment from the perspective of content diversity and public interest. Moreover, in the case of limited terrestrial frequencies, a competitive selection procedure is organised in which applicants participate. In certain situations, after obtaining the audiovisual licence, the licence holder must also apply for a technical licence from the National Authority for Management and Regulation in Communications. The audiovisual licence is granted for a fixed term, generally nine years for television and seven years for radio, and may be renewed. Administrative fees and charges apply at the various stages of the licensing procedure.

For streaming and video-sharing services, no prior licence is required. However, operators of such services are obliged to notify the National Audiovisual Council before commencing their activity. Upon notification, the provider must submit information regarding the name of the service, the identification details of the operator and the state under whose jurisdiction it falls, as well as a description of the service and the content delivered to consumers. The authorities may request additional information and verify the platform’s compliance with all applicable legal requirements. There is no competitive procedure or numerical limitation applicable to such services, and the fee regime is lighter compared to that applicable to traditional linear services.

Sanctions

The legal provisions establish a graduated system of sanctions in the event of non-compliance with the applicable rules. Breaches are ascertained and sanctions are imposed by the National Audiovisual Council. Sanctions may include a public warning, an administrative fine, the obligation to broadcast the sanctioning decision, the reduction of the duration of the licence or, in serious cases, the withdrawal of the audiovisual licence. In the case of streaming and video-sharing platforms, sanctions may consist of fines and measures aimed at remedying the infringements.

European Electronic Communications Code (EECC)

The telecommunications sector in Romania is mainly governed by a layered regulatory framework, consisting of both EU legislation and national transposition measures. At European level, the fundamental instrument is the European Electronic Communications Code (EECC). The EECC was transposed into Romanian law by Law No 198/2022. The scope of Romanian telecommunications regulations extends to all electronic communications networks and services, including publicly available telephone services, internet access services, data transmission, and number-independent interpersonal communications services. Equipment used in connection with these services, including radio equipment and terminal equipment, falls under Directive 2014/53/EU (the “Radio Equipment Directive”), transposed into Romanian law, which sets out the requirements for placing these products on the market.

ANCOM Decision No 70/2023

Romania operates a general authorisation regime for electronic communications, in accordance with the EECC. The detailed requirements are set out in ANCOM Decision No 70/2023 on the general authorisation regime for the provision of electronic communications networks and services. Under this regime, any person intending to provide public electronic communications networks or electronic communications services to the public in Romania (with the exception of non number-based interpersonal communications services) must submit a notification to ANCOM no later than the day on which the activity commences. The notification procedure is free of charge and does not require the prior procurement of an individual licence or administrative authorisation.

GEO 155/2024

Under GEO 155/2024, providers of electronic communications networks and services must take appropriate and proportionate technical and organisational measures to manage risks to the security of their networks and services. These obligations include measures to prevent and minimise the impact of security incidents on users and interconnected networks. The measures must cover, among other things, risk analysis and IT system security policies, incident management, business continuity and crisis management, supply chain security, security in the procurement and development of networks and IT systems, policies for assessing the effectiveness of cybersecurity measures, and the use of cryptography. Incident reporting obligations are set out in Articles 15 and 16 of GEO 155/2024.

Net neutrality in Romania is governed directly by Regulation (EU) 2015/2120 laying down measures concerning open internet access, which is directly applicable in all EU member states without the need for national transposition. Under the Regulation, internet access service providers are prohibited from blocking, slowing down, modifying, restricting, degrading or discriminating against specific content, applications or services, except where necessary to comply with legal obligations, maintain network integrity and security, or prevent imminent network congestion. Any traffic management measures must be transparent, non-discriminatory, proportionate, and not maintained for longer than necessary.

ANCOM is the national regulatory authority designated to monitor and enforce compliance with the Open Internet Regulation in Romania. In this capacity, ANCOM monitors the internet access market, including internet access speeds, quality of service, and compliance with transparency requirements. Providers are required to include clear and understandable information in their contracts regarding the impact of traffic management measures, volume limitations, and actual available speeds.

The implementation of 5G networks in Romania is subject to a specific legal framework that goes beyond the general telecommunications regulatory regime. Law No 163/2021 on security measures for networks and information systems used in the electronic communications sector establishes a comprehensive security screening mechanism for 5G infrastructure. The law requires manufacturers of equipment used in 5G networks to obtain authorisation, granted by decision of the prime minister, based on the approval of the Supreme Council of National Defence (CSAT). Telecommunications operators may not use equipment from unauthorised manufacturers.

Romania does not currently have dedicated national legislation regulating the IoT. The integration of AI technologies in the telecommunications sector is becoming increasingly common, including for network optimisation, predictive maintenance, customer service automation, and fraud detection. The European AI Regulation (Regulation (EU) 2024/1689) introduces a risk-based classification system that has a direct impact on how AI systems are implemented in telecommunications networks and services.

General Data Protection Regulation

A primary source of complexity is the direct applicability of the General Data Protection Regulation (GDPR), supplemented by Law No 190/2018. Any technology agreement involving personal data – whether cloud services, outsourcing, managed IT or telecommunications – must incorporate the GDPR’s mandatory requirements. Particular attention must be paid to the qualification of the parties as controller, processor or joint controller, since this determines the allocation of responsibilities and liability. Article 28 of the GDPR requires detailed contractual clauses in processor agreements, including security guarantees, confidentiality, restrictions on sub-processing and audit rights. International transfers outside the European Economic Area are permissible only under the safeguards established by Articles 44–49 of the GDPR. These provisions are mandatory and cannot be derogated from by contract. Although Romania does not impose general data localisation obligations, regulated sectors may require that data remain within the EU or be accessible to supervisory authorities.

Cybersecurity Regulation

Cybersecurity regulation further conditions contractual practice. Romania has aligned its legislation with the NIS2 Directive, which strengthens risk management and incident notification duties for essential and important entities. Technology agreements involving digital infrastructure or telecommunications networks must therefore allocate responsibilities for security measures, incident reporting and co-operation with competent authorities. The absence of clear allocation may expose parties to regulatory sanctions.

Public Procurement Law

Public procurement law imposes additional constraints where the counterparty is a contracting authority. Under Law No 98/2016 on Public Procurement, substantial post-award modifications are restricted and price revision mechanisms must comply with statutory conditions. This significantly limits flexibility in long-term technology projects involving public bodies, particularly where technological evolution requires contractual adaptation.

Copyright Law

Intellectual property issues must also be addressed with precision. Software is protected under Law No 8/1996 on copyright. Economic rights may be transferred only by express written agreement, and moral rights remain inalienable. In development or customisation projects, the absence of clear ownership and licensing clauses may generate uncertainty regarding exploitation rights.

Competition Law

Competition law, aligned with EU principles, constitutes a further mandatory framework. Exclusivity provisions, restrictive licensing arrangements or market allocation clauses may attract scrutiny, especially in network industries. Such rules are of public order and cannot be excluded contractually.

Other Industry Regulations

Certain regulated industries are subject to enhanced supervision. Credit institutions supervised by the National Bank of Romania must comply with European Banking Authority outsourcing guidelines and the Digital Operational Resilience Act (DORA), which impose detailed requirements on ICT risk management, audit rights and supervisory access. Insurance undertakings supervised by the ASF are bound by Solvency II–based governance rules that condition outsourcing on the preservation of effective control. Telecommunications operators regulated by ANCOM may be subject to access, transparency and non-discrimination obligations, particularly where significant market power has been established.

Telecommunications service agreements in Romania reflect the interaction between civil law principles and sector-specific regulation under ANCOM’s supervision. Their drafting must reconcile commercial objectives with technical and regulatory requirements.

Specifications

Such agreements should clearly define the scope of services, including network access, transmission capacity, maintenance and support obligations. Technical specifications are essential to delimit performance standards. Service level provisions play a central role, establishing availability thresholds, response times and restoration commitments. These clauses allocate operational risk and may carry regulatory implications where services support essential infrastructure.

Regulatory Compliance

Regulatory compliance must be expressly addressed. Agreements should allocate responsibility for compliance with the GDPR, cybersecurity obligations and, where relevant, lawful interception requirements under electronic communications legislation. Liability clauses must be carefully calibrated. While limitation of liability is generally permissible in commercial contracts, exclusions for wilful misconduct or gross negligence are not enforceable under Romanian law. Liability caps should therefore reflect realistic exposure, particularly in cases involving personal data breaches or prolonged service interruption.

Negotiation of Terms

Negotiating favourable terms requires regulatory awareness and technical preparation. Companies should assess the counterparty’s regulatory status and determine whether sector-specific rules restrict contractual flexibility. Benchmarking service levels against market practice, securing audit rights where subcontracting is involved, and including change-in-law clauses are prudent strategies. Where public procurement legislation applies, negotiation scope may be limited by statutory constraints.

Interconnection Agreements

Interconnection agreements between telecommunications operators present distinct considerations. These agreements determine the technical and financial conditions under which networks interconnect and exchange traffic. Operators designated as having significant market power may be required by ANCOM to provide access on transparent and non-discriminatory terms. Accordingly, interconnection agreements must define interconnection points, technical standards, traffic routing and quality parameters consistently with regulatory obligations.

Pricing Mechanisms

Pricing mechanisms may in certain circumstances be subject to regulatory oversight or cost-orientation principles. Parties must therefore consider whether tariff flexibility is constrained by regulatory determinations. Dispute resolution clauses should also reflect the possibility of regulatory intervention, as ANCOM has competence to resolve specific inter-operator disputes alongside the jurisdiction of civil courts.

Laws and Regulations

Electronic signatures and trust services in Romania are governed by Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market (the “eIDAS Regulation”). The Regulation became applicable in Romania on 1 July 2016, except for certain provisions.

One of the objectives stated in the eIDAS Regulation is that it aims to enhance trust in electronic transactions in the internal market by providing a common basis for secure electronic communication between people, businesses and public authorities.

Article 25(1) of the eIDAS Regulation specifies that an electronic document will not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in electronic form. The Regulation also provides that a qualified electronic signature represents the equivalent of a wet signature when it comes to legal effect and that an electronic signature will not be denied legal effect just because it does not meet the requirements for qualified electronic signatures.

Types of electronic signatures

The eIDAS Regulation provides for three types of electronic signature:

• the simple electronic signature (SES) – this is not defined in the eIDAS Regulation, only in national laws;
• the advanced electronic signature (AdES) – this is defined as an electronic signature that meets the following criteria:
1. it is uniquely linked to the signatory;
2. it is capable of identifying the signatory;
3. it is created using data that the signatory can use under its own control; and
4. it is linked to the data to which it relates so that any subsequent changes in the data are detectable; and
• the qualified electronic signature (QES) – this is defined as an advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures.

Besides the eIDAS Regulation, electronic signatures in Romania are also governed by National Law No 214/2024 on the use of electronic signatures, timestamps, and the provision of trust services.

Law No 214/2024 marks the alignment of national legislation with the eIDAS Regulation and aims to establish a clearer and more predictable internal legal framework, facilitating the use of electronic signatures, electronic seals, and electronic timestamps in official documents and electronic transactions.

It regulates the conditions for using electronic signatures and recognises three types of electronic signatures: the simple signature, the advanced signature, and the qualified signature.

Law No 214/2024 equates documents signed with a qualified electronic signature issued by a qualified trust services provider to handwritten signatures, except in cases requiring notarisation.

The novelty of Law No 214/2024 is that it also equates other types of electronic signatures to handwritten signatures, as long as they satisfy certain conditions.

Under current legislation in Romania, if the law requires the written form of a document for its validity, then the electronic signature used can be a qualified signature or an advanced one if it holds the same legal validity as a document signed with a handwritten signature, which, according to Law No 214/2024, occurs in any of the following situations:

• the document is signed with an AdES created with a certificate for electronic signatures issued by a public authority or public institution in Romania or by a qualified trust service provider;
• the electronic document is recognised by the party to whom it is opposed – recognition may arise from the party challenging the AdES fully or partially executing the obligations arising from the electronic document;
• the parties have expressly agreed, in a separate document signed with either a handwritten signature or a QES, to grant the AdES the same legal effects as a handwritten signature.

If the written form of a document is required only for probatory purposes, then the electronic signature used can be a QES, an AdES or even an SES.

A simple electronic signature will have the same legal effect as a document signed by a handwritten signature, in any of the following cases, according to Law No 214/2024:

• in the case of pecuniary acts, with a value of less than half of the gross minimum wage at the date of signing the act;
• where the electronic document is recognised by the opposing party, recognised explicitly, or recognition can be inferred from the unequivocal actions of the opposing party such as fully or partially executing the obligations arising from the electronic document;
• if both parties are professionals and have explicitly agreed in a separate document, signed with either a handwritten signature or a QES, to grant the SES the legal effects of a handwritten signature.

According to Law No 214/2024, an AdES has the same legal effect as a handwritten signature in the following cases:

• if the signature is created with a certificate for electronic signatures issued by a public authority, institution, or a qualified trust service provider;
• if the signature is recognised explicitly or if recognition can be inferred from the unequivocal actions of the opposing party; or
• if the parties have explicitly agreed to recognise the signature in a separate written document, signed with a handwritten signature or with a QES.

The validity of an electronic signature is determined based on the conditions at the time of signing. The expiration of the certificate used for the signature does not affect the document’s validity. If the validity of a qualified electronic signature or seal is contested, the court will verify its validity. The burden of proof rests with the party contesting or claiming the validity of the signature.

Trust Service Providers

The European Union Trusted Lists is a public list of trust service providers that are specifically accredited to offer qualified certificates for qualified electronic signatures in compliance with the eIDAS Regulation. In Romania, the active qualified trust service providers for qualified electronic signatures are: CertSIGN SA, DigiSign SA, AlfaTrust Certification SA, Trans Sped SA, “Centrul de calcul SA” and the Special Telecommunications Service.

Standards Governing Trust Services

The primary industry standards governing trust services are published by the European Telecommunications Standards Institute (ETSI) through the technical committee for Electronic Signatures and Infrastructures. Compliance with these standards is used to demonstrate that trust services meet industry-recognised good practice. Although the eIDAS Regulation does not specify any particular standards which a trust service should meet, the ETSI standards are the primary mechanism by which most trust service providers demonstrate their eIDAS compliance.

Co-Operation Between Member States on Electronic Identification

The Commission Implementing Decision (CID) EU 2015/296 establishes procedural arrangements for co-operation between member states on electronic identification pursuant to Article 12(7) of the eIDAS Regulation.

For the purposes of co-operation between the member states, Article 3 of the CID 2015/296, requires each member state to designate a point of single contact through which its relevant authorities can be reached. In Romania, that point of contact is represented by the Authority for the Digitalization of Romania.

The foundational laws regulating the industry include:

• GEO No 77/2009 – the core piece of legislation on the organisation and operation of gambling; and
• GD No 111/2016, which provides the methodological norms for the application of the primary law.

Several “pioneer” laws were recently enacted to increase state revenue and enhance social protection:

• Law No 107/2024 – this prohibits physical slot-machine venues in towns and villages with a population of fewer than 15,000 inhabitants, and substantially increases annual licence fees (eg, slot machines rose from EUR75,000 to EUR150,000 annually).
• Law No 141/2025 – this entered into force in mid-to-late 2025 and introduced the most stringent requirements to date:
1. B2B Responsibility – software providers (Class II) must now actively block unlicensed B2C operators from accessing the Romanian market or face criminal charges:
1. GPS tracking – All physical slot machines and Video Lottery Terminals (VLTs) must be equipped with standalone GPS devices for real-time traceability.
2. QR codes – Every gaming device must display a unique QR code issued by the ONJN to allow players and inspectors to verify the legality of the machine instantly.
3. Higher taxation on gross gaming revenue (GGR) – Remote gambling licence fees are now roughly 30% of GGR (up from 21%).
4. Player taxation – Winning taxes have been revised to a tiered system starting at 4% for amounts up to about EUR2,000.

While the legal framework is mandatory, the industry relies on self-regulatory codes developed by major associations to promote “responsible gambling”:

• The Ethical Code of Responsible Communication (ONJN and Associations) – this code sets standards for advertising and commercial messages;
• Minors’ Protection – this prohibits adverts targeting minors or using influencers/celebrities popular with children:
1. advertising restrictions – limits gambling adverts on TV to specific nighttime hours (typically 23h00 – 6h00), except for live sports broadcasts; and
2. content standards – adverts must not present gambling as a way to solve financial problems or as a substitute for employment.
• Association-Specific Codes (eg, ROMSLOT and AOJND) –
1. staff training: mandatory training for casino staff to recognise signs of problem gambling; and
2. self-exclusion: co-operation with the national “responsible gambling” programme, which offers psychological counselling and a self-exclusion registry for players.

The treatment of in-game purchases, loot boxes, and gambling-like elements in video games is currently characterised by a “regulatory gap” that is gradually being bridged by consumer protection laws and upcoming European mandates, rather than the gambling law (GEO 77/2009).

Under current Romanian gambling legislation, a game is classified as “gambling” only if it meets three simultaneous criteria:

• a stake – the player pays money to participate;
• an element of chance – the outcome is random; and
• a material prize – the reward must have a real-world monetary value or be convertible back into cash.

Most loot boxes provide virtual items (skins, characters) that operators claim have no real-world value and cannot be legally withdrawn as cash. Because they lack a “monetary prize”, the ONJN generally does not classify them as traditional gambling. Since these elements often fall outside the ONJN’s jurisdiction, the ANPC has become the primary regulator. Developers are increasingly required to disclose drop rates (odds) for loot boxes. Failure to provide clear information on the probability of receiving specific items is now treated as a violation of consumer transparency rights.

In Romania, the oversight of the gambling and gaming industry is handled by several specialised state authorities. While the ONJN is the central figure, the increasing complexity of digital gaming (loot boxes, esports, and digital services) has brought other regulators like ANCOM and the ANPC into the fold.

National Gambling Office (ONJN)

The ONJN remains the primary and most powerful regulator. It operates under the Ministry of Finance and has “quasi-judicial” powers to issue immediate orders. It is the only body that issues Class I (B2C) and Class II (B2B) licences. Since the 2025 reforms, the ONJN can issue orders to block unlicensed sites that must be executed by internet service providers (ISPs) and social media platforms within five hours. It monitors all financial flows and requires operators to use “mirror and safe servers” on Romanian territory for real-time data access.

The ONJN has the following enforcement powers:

• Licence revocation and suspension – In the first half of 2025 alone, the ONJN revoked 28 licences and suspended three online platforms for serious irregularities.
• Blacklisting and ISP blocking – The ONJN maintains a “blacklist” of unlicensed sites. Under current law, orders issued by the ONJN to ISPs and search engines to block access or remove content are legally enforceable within five hours of notification.
• Seizure of equipment – Inspectors can seize non-compliant physical gaming machines. In 2025, over 200 machines were confiscated during unannounced “cross-check” inspections.
• Criminal referrals – The ONJN does not just issue fines; it frequently files criminal complaints (over 48 cases initiated in 2025) for financial crimes and unlicensed operations.
• Financial penalties – Fines for operational breaches (like allowing an auto-excluded player to gamble) are capped at RON100,000 (approximately EUR20,000) per incident.

National Authority for Management and Regulation in Communications (ANCOM)

With the implementation of the EU Digital Services Act (DSA), ANCOM has taken a leading role in the “gaming” (video game) sector, as opposed to just the “gambling” sector.

National Authority for Consumer Protection (ANPC)

The National Authority for Consumer Protection (ANPC) is the “watchdog” for fair play and transparency, particularly in video games. The ANPC regulates in-game purchases and loot boxes. If a game uses “dark patterns” (manipulative design) or hides the odds of a random reward, the ANPC can issue fines. It reviews the end user licence agreements (EULAs) of gaming companies to ensure they do not contain abusive clauses that strip Romanian players of their legal rights.

The protection of intellectual property in the gambling industry is governed by a combination of General IP Laws (copyright and trade marks) and Specific Regulatory Mandates established by the ONJN under GEO 77/2009. In the absence of a specific "Gaming IP Law", Romania relies on the General Norm (Law 8/1996). While the core legal protection of a game’s code or art remains within the general IP framework (which is very old), gambling regulations elevate IP documentation into a mandatory administrative requirement for market entry.

Unlike most industries where IP registration is a defensive choice, in Romanian gambling, proving IP rights is a regulatory necessity. Under the methodological norms of GEO 77/2009, an applicant for a Class I (Operator) or Class II (B2B Provider) licence must submit formal documentation attesting to the ownership or the legal right to use the software, trade marks, and game designs. Any gambling software (slots, random number generation algorithms (RNGs), platforms) must be certified by an ONJN-accredited laboratory. The certification process effectively “locks” the IP version. The laboratory issues a certificate for a specific version of the software.

Romania is one of the few jurisdictions that requires software developers themselves to be licensed. To supply games to a Romanian operator, a developer must hold a Class II Licence. Economic operators carrying out ancillary activities in the field of remote gambling in Romania, namely: operators offering management and hosting facilities on their gaming platform, producers and distributors of gambling-specific software, payment processors, affiliates, certifiers and auditors, are required to obtain a licence from the Supervisory Committee of the NGO (National Gambling Office) to carry out such activities.

In the context of the accelerated development of the digital environment, the EU has adopted a complex regulatory framework aimed at ensuring the protection of rights, transparency, and the accountability of online service providers.

Romanian legislation in this domain is largely inspired by EU legislation and is subject to a constant process of updating and harmonisation with European norms, with a view to ensuring uniform and coherent application of the standards established at the European level.

Audiovisual Content Regulation

An essential aspect of social media is the content displayed by social networks, whether professionally produced or user generated.

At European level, such content is regulated by Directive 2010/13/EU (Audiovisual Media Services Directive), as amended by Directive (EU) 2018/1808, as well as by Regulation (EU) 2022/2065 (Digital Services Act). Under Romanian law, multimedia content provided to users is regulated by Law No 504/2002 on audiovisual services.

National and European regulations promote cultural diversity by encouraging access to a wide variety of content reflecting society, with the purpose of exposing the public to as many diverse cultures as possible. Platforms are liable both for the content they generate and provide and for user-generated content that they merely host and make available to the public.

At the same time, a distinction is made between professionally generated content and user-generated content, each being subject to a different legal regime and to more or less stringent protective measures.

Personal Data Protection

Platforms collect personal data for content personalisation, targeted advertising, or profiling, which raises major legal issues concerning consent, transparency, and data security.

These matters are regulated in detail at the European level by Regulation (EU) 2016/679 (General Data Protection Regulation). In Romania, Law No 190/2018 on personal data protection transposes the Regulation and its principles into Romanian legislation. In addition, Law No 506/2004 establishes complementary data protection obligations specifically applicable in the electronic communications sector.

Online platforms operating in Romania must comply with the harmonised principles set out in national and European regulations, ensuring transparency regarding the manner in which they collect, store and use users’ data, including for targeted advertising or algorithm-based recommendations.

Users have the right to access their data, erase it or withdraw their consent to processing, and platforms must facilitate the exercise of these rights.

Marketing and Consumer Protection

Social media has transformed marketing by providing precise targeting tools, personalised recommendations, and influencer-based campaigns.

Social media marketing is regulated through a European framework established by Directive 2005/29/EC and Directive 2011/83/EU on consumer rights. At the national level, social media marketing is interpreted considering the provisions of Law No 363/2007 on combating unfair commercial practices, which transposes the European legal framework on unfair commercial practices into Romanian law.

Legal regulations require that any commercial communication be clearly identifiable, so that users are aware when a message is a form of advertising and are not misled.

In this regard, any sponsored material or product placement must be clearly indicated, in compliance with transparency and fairness towards consumers, with accurate information regarding product characteristics, prices, and terms and conditions of purchase. Aggressive or misleading practices capable of influencing consumers’ purchasing decisions are prohibited.

Intellectual Property Protection

Social media platforms facilitate the rapid distribution of copyright-protected content, which raises legal issues related to the unauthorised use of works, the rights of affected individuals and platforms’ liability for user-generated content.

In order to harmonise copyright protection in the digital environment, the EU adopted Directive (EU) 2019/790, establishing general rules in the field of copyright. Romanian legislation regulates intellectual property through Law No 8/1996 on copyright, a law adopted long before Romania’s accession to the EU but constantly updated to ensure alignment with European legislation.

According to the applicable legislation, platforms must respect creators’ copyright when allowing users to upload and distribute content and must implement measures to identify and prevent copyright infringements and to ensure proper licensing of protected content.

Users may not use protected materials without the consent of the rights holder or without a valid legal licence, and platforms are responsible for managing infringements by blocking or monetising content in accordance with authors’ rights. The law also ensures creators’ rights to remuneration when their works are used online, either through direct distribution or through advertising or sponsored posts.

Under Romanian law, social media platforms are considered intermediaries and may benefit from liability exemptions for user-uploaded content, provided that they do not initially have actual knowledge of the illegal nature of the content and act promptly to remove it when they do.

Cybersecurity

Social media has become an essential environment for communication and information exchange, but it also represents a major target for cyberattacks and security incidents.

The European cybersecurity framework is strengthened by Directive (EU) 2022/2555 (NIS2) and Regulation (EU) 2022/2065 (Digital Services Act), which establish the EU-level framework for cybersecurity. In Romania, cybersecurity is regulated by Law No 362/2018 on cybersecurity and by Law No 190/2018 on personal data protection, which introduce measures aimed at enhancing the security of social media platforms.

In the context of social media, platforms must implement robust cybersecurity measures to protect users’ data and to prevent cyberattacks, data breaches, or unauthorised access to accounts and private messages. The law states the responsibility of operators to monitor risks, report significant incidents to the competent authorities, and implement appropriate technical measures, so as to avoid or minimise the impact on users.

Personal data protection legislation is also relevant in the field of cybersecurity, by imposing obligations on social media platforms to ensure the security of users’ personal data, protecting it against loss, unauthorised access, or disclosure.

Protection of Minors

Minors represent a vulnerable category on social media, who need to be protected from exposure to inappropriate content, aggressive or misleading advertising, and risks related to data security and online profiling.

Given the specific nature of regulations on the protection of minors on social media, the relevant European regulations include Directive 2010/13/EU, as amended by Directive (EU) 2018/1808, Regulation (EU) 2022/2065, and Regulation (EU) 2016/679. At the national level, provisions on the protection of minors are also included in Law No 504/2002 on audiovisual services, which regulates multimedia content found on virtual platforms.

The rules establish platforms’ obligation to moderate content, filter and notify users regarding potentially harmful, violent, or age-inappropriate materials, in order to limit children’s access to such content.

Platforms are required to implement parental control tools and default privacy settings for minors, as well as restrictions on advertising that may negatively influence children’s decisions or behaviour. Furthermore, in certain cases, they must obtain parents’ or guardians’ consent for the collection and processing of personal data, and implement additional security and confidentiality measures.

In 2025, Romania took an important legislative step in the field of child protection in the digital environment by proposing a draft law, currently under parliamentary debate, known as the “Online Full Age Law”.

This introduces the concept of “digital full age” at the age of 16, below which minors may not access or create accounts on online platforms without the express and verifiable consent of their parents or guardians. Parents will also have the right to suspend, restrict, or even request the deletion of a minor’s account if they consider that the minor is exposed to harmful content.

Civil Liability and Compensation for Damages

Apart from administrative, contravention, or criminal sanctions, Romanian legislation does not provide for a specific legal framework governing compensation for damages caused by the improper and harmful use of social media.

Nevertheless, the Romanian Civil Code offers specific protection for intrinsic human values. The Civil Code displays mechanisms for remedying moral damages, combining measures aimed at restoring infringed rights with the possibility of awarding financial compensation.

Thus, a person whose moral rights have been infringed or threatened has access to several alternative and independent legal remedies, and the court may order the prohibition of the unlawful act, cessation of the infringement and its prohibition in the future, as well as a declaration of the unlawful nature of the act, if the disturbance caused persists.

The injured person is also entitled to damages, and additionally, domestic legislation provides the possibility for courts to order the author of the act to publish the conviction decision or any other measures necessary to cease the unlawful act or repair the damage caused.

Accordingly, the protection is based on the fact that the viral spread of information in the online environment produces an irreversible impact on an individual’s image, which requires the prompt and urgent intervention of the courts, establishing specific mechanisms in this regard.

With the updating of national legislation in line with EU requirements and standards, Romania has created an administrative apparatus to manage key areas. Thus, there are currently several governing bodies that intervene in various aspects of interest regarding social media.

The Romanian authority responsible for multimedia content, the National Audiovisual Council, has repeatedly developed guidelines specifically tailored to social media and directly addressed to users.

The authority responsible for personal data protection is the National Supervisory Authority for Personal Data Processing, which carries out information campaigns and issues guidance on personal data protection.

Also, the National Directorate for Cyber Security develops guidelines and awareness campaigns aimed at users, with a view to increasing cybersecurity awareness and promoting concrete protective measures.

The authorities ensure the proper implementation of social media legislation in all its aspects and take measures in cases where regulations are violated.

To this end, the authorities make ordinary users aware of the relevant regulations, issue their own rules and guidelines for users, identify violations, and impose significant fines in cases of non-compliance.

Regulatory Framework

The fundamental framework is Regulation (EU) 2016/679 (GDPR), which applies directly in Romania and is the main basis for the protection of personal data. It establishes processing principles such as lawfulness, transparency, minimisation, storage limitation, integrity, and confidentiality; and defines the rights of data subjects in terms of access, rectification, erasure, objection, and portability; as well as imposing responsibilities on controllers and processors. Internally, Law No 190/2018 is currently in force, implementing the GDPR (among other things) in Romania and, more specifically, Law No 506/2004 that transposes the e-Privacy Directive in Romania and regulates data processing in the electronic communications sector.

This law is the sector-specific regulation for telecommunications that complements the GDPR and applies to providers of public electronic communications networks, electronic communications services, and value-added service providers and subscriber directories. The main requirements of this law relate to the confidentiality of communications and traffic data, which must be guaranteed, and interception is prohibited without consent or a legal warrant. It also stipulates that traffic data and other categories (eg, location data) may only be stored for legitimate purposes and for limited periods (up to three years for billing or specific contractual obligations), and that user consent is required in all cases for marketing, in accordance with ePrivacy rules (transposition of Directive 2002/58/EC). As a protective measure – for example, in the case of SMS/email marketing – personal data may only be processed with prior opt-in which must in all cases be documented, with an unsubscribe function in each communication.

Other laws and regulations on data privacy at national level include Law No 363/2018 on data processing by public authorities for law enforcement purposes and various methodological norms and decisions of the supervisory authority, the ANSPDCP.

Responsible Authorities

The authorities with responsibilities for data privacy in the telecommunications sector are ANCOM, which monitors the sector and promotes ethical and security rules, including the GDPR in communications, and the ANSPDCP, which authorises and monitors compliance with codes of conduct that have been submitted and approved (in accordance with Section 5 of the GDPR).

Regarding codes of conduct, both the GDPR (Article 40) and Romanian legislation encourage the development of sectoral codes of conduct, including for telecommunications. The EECC expands the definition of communications services to include OTT (over-the-top) services. In addition, there are draft codes of conduct specific to the electronic communications sector that address traffic and location data management. Some companies, such as Telekom Romania, have even implemented the Code of Conduct for the Protection of the Right to Privacy in the Handling of Personal Data.

Challenges

The main challenges for telecoms companies are managing large volumes of sensitive data (identification data, traffic data, location data, and even communication metadata are processed simultaneously), for which the major challenge is clearly separating purposes and complying with the principle of minimisation; managing consent – there are frequent problems with obtaining overly general consent (“bundle consent”); promotional SMS messages to former customers; the inability to demonstrate a timestamp; and the difficulty of quickly withdrawing consent. In practice, many systems are unable to accurately track the status of consent for each purpose.

Another challenge is the implementation of the right to erasure, which conflicts with tax obligations, the retention of billing data, and/or legal requirements in the field of telecommunications. Furthermore, traffic and location data are considered high-risk data, with multiple issues regarding reuse for analytics without consent and the lack of true anonymisation.

Challenges also arise in terms of security and data breaches, as telecoms are frequent targets for attacks.

Regarding the cross-border data transfers, GDPR rules apply, meaning that data can circulate freely within the EU and outside the EU only with adequate safeguards (Chapter V of the GDPR). For intra-EU transfers, most operators use regional data centres and European cloud providers, and for extra-EU transfers (eg, to the US, Philippines – IT/cloud support), operators must use SCC – standard contractual clauses – in some situations.

As for data localisation, Romania does not impose strict localisation, but there is indirect localisation for data requested by authorities (eg, legal interceptions, warrants), while large operators maintain local nodes and avoid complete outsourcing of the core network.

Real issues found in practice are non-EU cloud providers without SCCs, lack of transfer impact assessments (TIAs), offshore tech support with direct access to live databases, encryption keys controlled by the provider (not the controller), and privacy notices that do not mention transfers.

Telecommunications providers balance lawful interception obligations with data protection requirements by implementing dedicated interception infrastructures, strict access controls and comprehensive audit mechanisms. In theory, interception activities are carried out exclusively based on valid legal authorisations and are limited in scope, duration and target. Controllers apply data minimisation principles, segregate intercepted data from commercial systems and ensure prompt deletion following transmission to competent authorities. Organisational safeguards, including role-based access and dual control, combined with technical measures such as encryption and logging, ensure compliance with the GDPR while fulfilling statutory surveillance obligations.

In practice, however, the ANSPDCP has identified problematic situations such as: uncontrolled staff access, lack of access logs, incomplete warrants accepted, accidental retention, and/or misconfigurations that capture additional traffic.

Third-party vendors and cloud service providers operate primarily as data processors under Article 28 of the GDPR, supporting telecommunications functions such as hosting, billing, customer relationship management and network operations. Their engagement is governed by data processing agreements, SCCs where applicable, and documented TIAs. Telecommunications operators retain overall controller responsibility and implement contractual, technical and organisational safeguards to ensure GDPR compliance, including access restrictions, audit rights and EU-based data hosting for sensitive network information.

The progressive tightening of data protection regulations has materially influenced telecoms network architecture and service development, requiring privacy-by-design implementation, enhanced encryption, access segmentation and increased localisation of sensitive data within the EU. These regulatory obligations impose additional compliance costs but simultaneously drive innovation in secure cloud deployments, consent management frameworks and privacy-enhancing technologies, shaping both infrastructure modernisation and the evolution of data-driven telecommunications services.

In late 2025 and early 2026, the ANSPDCP has been particularly active in the gambling and service sectors, which often rely on telecoms infrastructure:

• Crowd Entertainment Limited (Princess Casino/Cashpot) – In December 2025, this operator was fined EUR15,000 for failing to properly handle a data access request. The investigation revealed that the operator could not prove they provided complete information regarding self-exclusion requests and account data within the legal timeframe.
• Roumasport SRL (Decathlon Romania) – In late December 2025, the operator was fined EUR10,000 following a series of cyberattacks. The ANSPDCP found that the company failed to implement adequate technical measures (Article 32 of the GDPR) to ensure the confidentiality and integrity of systems, leading to unauthorised access to names, emails, and loyalty points.
• Premier Restaurants Romania (McDonald’s) – In January 2026, a fine of EUR8,000 was issued after an attack on a local IT application compromised employee data. The investigation highlighted a failure in vendor management (Article 28 of the GDPR), as the controller did not ensure the processor provided sufficient security guarantees.

Telecoms and highly regulated companies (like gambling venues) face specific hurdles:

• “Bundle consent” and marketing – The ANSPDCP continues to identify issues where consent for marketing is “bundled” with the service contract. Under 2026 standards, consent must be granular; a user must be able to agree to “billing via email” without being forced to agree to “promotional SMSes”.
• Anonymisation v pseudonymisation – With the rise of AI-driven analytics, companies often use location data for “heat maps”. The challenge is that without true anonymisation, these datasets can often be re-identified, leading to violations of Law 506/2004.
• The right to erasure v fiscal retention – Companies struggle to reconcile the “right to be forgotten” with the mandatory ten-year fiscal retention for billing records and the six-month to three-year traffic data retention for law enforcement access.

Romania follows the standard Chapter V of the GDPR rules:

• TIAs – Since 2024, the ANSPDCP has increased audits on whether companies have performed TIAs when using US-based cloud providers (even under the Data Privacy Framework).
• The “encryption key” conflict – A major audit point in 2026 is whether the encryption keys for cloud-hosted player/subscriber data are held by the Romanian controller or the foreign cloud provider. If the provider holds the keys, the ANSPDCP increasingly views this as an “unsecured transfer”.