Romania
Data protection
1. Local data protection laws and scope
As an EU Member State, Romania is subject to the GDPR, which is directly applicable. To supplement the GDPR, Law no. 190/2018 ("Law 190") was issued to implement certain GDPR provisions at national level, such as: the processing of genetic, biometric or health data, the processing of a national identification number, the electronic monitoring of employees in the workplace, and the sanctions applicable to public authorities in case of a GDPR breach.
In addition, the Romanian National Supervisory Authority for Personal Data Processing, which is the Romanian data protection authority ("RDPA"), has issued secondary legislation regulating mainly:
- data breach notification (RDPA Decision no. 128/2018);
- handling data privacy complaints (RDPA Decision no. 133/2018);
- data privacy investigations (RDPA Decision no. 161/2018);
- data processing operations which require mandatory data privacy impact assessments (RDPA Decision no. 174/2018).
In the electronic communications sector, the ePrivacy Directive was transposed into Romanian law by Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector ("Law 506"). Processing by competent authorities for law enforcement purposes is governed by Law no. 363/2018 on the protection of natural persons with regard to the processing of personal data for the purposes of the prevention, detection, investigation, prosecution and combating of criminal offences or the execution of sanctions, educational and safety measures, and on the free movement of such data.
2. Data protection authority
Romanian National Supervisory Authority for Personal Data Processing: www.dataprotection.ro
3. Anticipated changes to local laws
There are no anticipated changes to local laws in the near future.
4. Sanctions & non-compliance
Administrative sanctions:
Breaches of the law are sanctioned in accordance with the GDPR. Romanian law sets specific penalties only for data controllers in the public sector (i.e. public authorities/institutions): for these, Law 190 provides a maximum fine of RON 200,000 (approx. EUR 40,000) for GDPR-related breaches. For breaches of Law 506, the RDPA may apply fines ranging from RON 5,000 to RON 100,000 (approx. EUR 1,000 to EUR 20,000) or, in the case of legal persons with a turnover above RON 5m (approx. EUR 1m), up to 2% of turnover. The RDPA may also apply periodic penalty payments of up to RON 5,000 (approx. EUR 1,000) per day of delay.
Criminal sanctions:
None.
Others:
RDPA may issue warnings and recommendations, and other corrective measures in accordance with GDPR provisions. Compensation can be sought for any material or non-material damage caused by GDPR breaches, based on the GDPR grounds and the Romanian tort liability rules.
5. Registration / notification / authorisation
Notification applies as per the GDPR (e.g. for notification of the DPO to the RDPA). Romanian law does not require a registration or authorisation for processing of personal data.
The template format of the DPO notification is provided on RDPA website.
6. Main obligations and processing requirements
The main obligations and processing requirements are aligned with the GDPR. However, Law 190 provides additional requirements in respect of:
- electronic monitoring of employees in the workplace;
- processing of a national identification number (e.g. personal numeric code, ID card series and number, passport number) on the basis of legitimate interest;
- processing of genetic data, biometric data or data concerning health for the purpose of automated decision-making or profiling.
RDPA Decision no. 174/2018 establishes specific data processing operations that require mandatory data privacy impact assessments.
7. Data subject rights
There are no derogations from the GDPR.
8. Processing by third parties
There are no derogations from the GDPR.
9. Transfers out of country
There are no derogations from the GDPR.
10. Data Protection Officer
There are no derogations from the GDPR.
11. Security
There are no derogations from the GDPR.
12. Breach notification
There are no derogations from the GDPR. The template format of the data breach notification is as set out in RDPA Decision no. 128/2018 and found on the RDPA website.
13. Direct marketing
Pursuant to Law 506, the rule is that e-marketing messages require the prior express consent of the recipient (i.e. opt-in), except for email communications that meet all of the following conditions:
- the recipient's email was originally collected "on occasion of a sale", directly from the respective person;
- the entity sending the marketing is the same legal entity as the one that collected the recipient's email initially;
- the marketing concerns "similar" products and/or services to the ones for which the recipient's email was originally obtained;
- the recipient is given the opportunity free of charge to object to e-marketing both at the time when their email address was collected and in each subsequent communication.
14. Cookies and adtech
No local rules beyond the GDPR and the ePrivacy Directive, as transposed by Law 506.
15. Risk scale
Moderate.
16. Useful links
- Website of the RDPA: http://dataprotection.ro/;
- Online data breach notification form: https://www.dataprotection.ro/formulare/formularBresaGdpr.do?action=view_action&newFormular=true;
- Online DPO notification form: https://www.dataprotection.ro/formulare/formularRpd.do?action=view_action&newFormular=true;
- Filing data privacy complaints: Plangeri_pagina_principala (dataprotection.ro).
Cybersecurity
1. Local cybersecurity laws and scope
Romania has transposed the EU Directive 2022/2555 (the "NIS2 Directive") by Government Emergency Ordinance No. 155/2024 establishing a framework for the cybersecurity of computer networks and systems in the national civil cyberspace (“GEO 155/2024”), which was approved by Law 124/2025.
GEO 155/2024 repeals the previous local law on cybersecurity, Law no. 362/2018 on ensuring a high common level of security of network and information systems, which transposed the original NIS Directive ("Law 362/2018"). However, certain chapters of Law 362/2018 remain in force until secondary legislation is adopted to replace them completely. At present, only the following chapters remain in force, until the National Cyber Security Directorate (the "DNSC") adopts further implementing acts: (a) the provisions on technical standards for the minimum security requirements for networks and information systems, (b) the notification and management of security incidents, (c) the rules on security audits and (d) the authorisation of CSIRT teams. The norms to which these chapters refer are also still in force, for instance:
- Government Decision no. 1003/2020 approving the Technical Norms for determining the impact of security incidents;
- Order no. 1323/2020 approving the Technical Norms regarding the minimum requirements for ensuring the security of networks and IT systems applicable to operators of essential services.
For the implementation of GEO 155/2024, the DNSC has also issued secondary legislation:
- Order No. 1/2025 approving the requirements for the notification process for registration and the method of transmitting information;
- Order No. 2/2025 approving the Criteria and thresholds for determining the degree of disruption of a service and the Methodology for assessing the risk level of entities.
Other relevant laws for cybersecurity are:
- Government Decision no. 1321/2021 approving Romania's Cybersecurity Strategy for the period 2022-2027 and the Action Plan for the implementation of the National Cybersecurity System for the period 2022-2027;
- Law no. 58/2023 on the cybersecurity and cyber defence of Romania ("Law 58/2023"), which establishes the legal and institutional framework for organising and conducting cybersecurity and cyber defence activities in Romania and imposes obligations on authorities, public institutions and private companies that own or provide public networks and computer systems. It aims to ensure the resilience, protection and defence of the networks and information systems supporting public and private services, including those of public interest, and covers private entities providing electronic communications to public authorities as well as those delivering public or public-interest services (e.g. healthcare, utilities, infrastructure).
2. Anticipated changes to local laws
Additional secondary legislation for the implementation of GEO 155/2024 is expected to be adopted.
3. Application
Similar to the NIS2 Directive, Romanian cybersecurity legislation applies to essential and important entities.
The following entities are considered essential, regardless of their size:
- central public administration entities in accordance with Annex 1;
- entities in Annex 1 or 2 of GEO 155/2024 identified in accordance with art. 9 of GEO 155/2024;
- entities identified as critical entities according to the legal provisions regarding the resilience of critical entities;
- DNS service providers;
- qualified trust service providers;
- TLD name registries;
- large enterprises falling within the sectors provided for in Annex 1;
- medium-sized enterprises which are providers of public electronic communications networks or providers of electronic communications services intended for the public;
- medium-sized enterprises which are providers of managed security services.
Entities in the categories of large and medium-sized enterprises which fall under Annexes 1 and 2 and which are not identified as essential entities are considered important entities.
The following entities are considered important if they have not been identified as essential entities, regardless of their size:
- entities in Annexes 1 and 2 of GEO 155/2024 identified in accordance with art. 9 of GEO 155/2024;
- providers of public electronic communications networks and providers of publicly available electronic communications services;
- trust service providers.
Article 9 of GEO 155/2024 refers to those entities which are considered essential or important if:
- the entity is the only provider of a service that is essential for supporting critical societal and economic activities;
- the disruption of the service provided by the entity could have a significant impact on public safety, public security or public health;
- the disruption of the service provided by the entity could generate a significant systemic risk, in particular for sectors where such a disruption could have a cross-border impact;
- the entity is critical due to its specific importance at national or regional level for the sector or type of services concerned or for other interdependent sectors.
We note that Annexes 1 and 2 of GEO 155/2024 differ to some extent from those of the NIS2 Directive, bringing more entities into the scope of the local law.
Special rules are provided in the Law 58/2023 in relation to ensuring the cybersecurity of Romania (i.e., security of the public networks and computer systems).
4. Authority
DNSC
5. Key obligations
Under the cybersecurity legislation, the main obligations for essential and important entities are:
- register with the DNSC;
- implement appropriate and proportionate technical and organisational measures (“TOMs”) to identify, assess and manage the risks posed to the security of network and information systems they use in carrying out their activities or providing their services, as well as to eliminate or, where appropriate, reduce the effects of incidents on the recipients of their services and other services;
- provide regular professional training to all staff in order to ensure a sufficient level of knowledge and skills;
- ensure that members of the management bodies undergo accredited professional training in order to ensure a sufficient level of knowledge and skills to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity;
- undergo periodic audits proving compliance with the legal security requirements;
- notify DNSC of any cybersecurity incidents with significant impact on provision of their services.
Specific obligations are provided in relation to ICT products and services.
6. Sanctions & non-compliance
Administrative sanctions:
Breaches of Romanian cybersecurity legislation are sanctioned by fine. Each non-compliance with the obligations provided by GEO 155/2024 is considered a contravention.
The DNSC may issue a warning or a fine.
GEO 155/2024 provides ranges for the fines applicable depending on the breach. Contraventions considered more serious (such as failure to implement appropriate TOMs) are sanctioned as follows:
- for important entities, a fine ranging from 5,000 lei up to a maximum of EUR 7,000,000 (in lei equivalent) or a maximum of 1.4% of net turnover, whichever is higher;
- for essential entities, a fine ranging from 10,000 lei up to a maximum of EUR 10,000,000 (in lei equivalent) or a maximum of 2% of net turnover, whichever is higher.
Other contraventions (such as not observing the obligation to register with the DNSC while in scope of the law) are sanctioned as follows:
- for important entities, a fine ranging from 1,000 lei to 300,000 lei;
- for essential entities, a fine ranging from 1,500 lei to 500,000 lei.
There is an exception to the above sanctions in case of newly established legal entities and legal entities that did not record any turnover in the financial year preceding the sanction: fine ranging between one and 50 times the gross minimum wage.
Other specific obligations, such as the obligation of TLD name registries to collect data, carry their own fines in case of non-compliance.
Sanctioned entities may pay half of the amount if the fine is paid within 15 days of communication of the sanctioning report (minutes).
In case of repeated violations, the limits of the fine are increased by half.
In addition to warnings or fines, the DNSC may also order, as appropriate, the following:
- the adoption of measures when necessary to prevent or remedy an incident, as well as deadlines for the implementation of these measures, including an ad hoc audit;
- the remedy of identified deficiencies;
- the cessation of infringing conduct;
- the implementation of recommendations made following a security audit;
- the designation of a member of the control staff with well-defined tasks for a specified period of time, responsible for supervising the compliance of the essential entity concerned with the provisions of Articles 11-14 of GEO 155/2024;
- compliance with the cybersecurity risk management measures provided for in Articles 11-14 of GEO 155/2024 and the reporting obligations provided for in Article 15 of GEO 155/2024, in a specific manner and within a specific time frame;
- the publication by the entity of the breach of GEO 155/2024.
The DNSC may also:
- notify the competent authorities, institutions, or entities in the sector to temporarily suspend the certification or authorization issued to the entity in question, for some or all of the relevant services provided or activities carried out by that entity;
- notify the competent authorities, institutions, or entities to impose a temporary ban on exercising the function of executive director or legal representative in the entity concerned.
Obstructing audits, providing false information, restricting the access of DNSC-designated personnel to the premises subject to inspection and to the data and information necessary for the inspection, or failing to comply with DNSC orders are also sanctioned under GEO 155/2024 with fines ranging from 3,000 lei to 600,000 lei.
Criminal sanctions:
Breaches of cybersecurity law do not trigger criminal liability. Criminal sanctions are only applied to cybercrimes, for instance:
- Hacking (i.e. illegal access to a computer system);
- Disruption of computer systems;
- Computer fraud (e.g. deleting computer data);
- Unauthorised transfer of computer data.
The above criminal offences are punishable by roughly one to seven years' imprisonment for natural persons; for legal persons, the penalty is converted into a corresponding fine.
Others:
Compensation can be sought for any material or non-material damage caused by violations of cybersecurity legislation under the Romanian tort liability rules.
7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?
Yes, the DNSC is the national CSIRT.
Essential entities, important entities, and sectoral competent authorities may also establish their own or sectoral CSIRTs or may purchase specialized services from CSIRT-specific service providers authorized by the DNSC.
8. National cybersecurity incident management structure
The management of cybersecurity incidents and crises at the national level is carried out in accordance with the National Cybersecurity Crisis Management Plan in peacetime, as drafted by the DNSC.
The National Cybersecurity Crisis Management Plan in peacetime aims to manage large-scale cybersecurity incidents and cyber crises and provides for at least:
- the objectives of preparedness measures and activities;
- the tasks and responsibilities of cyber crisis management authorities;
- cyber crisis management procedures, including their integration into the overall national crisis management framework and information exchange channels;
- preparedness measures, including exercises and training activities;
- relevant public and private sector stakeholders and infrastructure involved;
- national procedures and agreements between relevant national authorities and bodies to ensure Romania's effective participation in the coordinated management of large-scale cybersecurity incidents and crises at European Union level and the support provided by the EU.
There is currently no public information confirming the adoption of the plan by DNSC.
9. Other cybersecurity initiatives
The DNSC is continuously involved in projects aimed at enhancing cybersecurity in Romania. The most recent is SIEMBIOT, an open collaboration platform for cybersecurity research intended to facilitate the creation and effective dissemination of new vulnerability detection methods, advanced threat hunting queries and response runbooks. More information can be found at the following link: https://www.dnsc.ro/pagini/proiect-siembiot