Romanian AI and Crypto Regulations Lag Behind Tech Deployment, Leaving Companies Liable

Romanian companies using artificial intelligence (AI) and digital assets like cryptocurrencies now confront direct legal accountability.

The European Union has established a comprehensive legal framework, with legislation such as the AI Act, the Markets in Crypto-Assets Regulation (MiCA), and the Digital Operational Resilience Act (DORA) applying directly across all member states, including Romania. This means a robust legal foundation is already in place.

Despite these foundational EU laws, the challenge arises from the rapid deployment of new technologies which often outpaces the development of local institutional guidance and company-level compliance practices. This gap shifts the burden of compliance directly onto businesses.

Companies integrating AI platforms are held fully liable for non-compliance with data protection rules. This liability stands even if the issue originates from a vendor’s default configuration, as demonstrated in a case involving an HR platform's automated candidate-scoring system.

This establishes a clear precedent: businesses cannot assume vendor compliance for integrated AI tools. The responsibility for ensuring compliant data processing and operational settings rests with the company utilizing the AI solution.

Non-compliance carries severe financial and operational risks. Breaches of digital resilience requirements under DORA, for instance, can lead to fines for entities up to 10 million lei, equivalent to about $2.2 million, or 5% of their annual turnover. Individuals face penalties up to 1 million lei.

Beyond monetary penalties, regulators can impose license suspensions or management bans, impacting operations directly. Romania has begun formalizing its supervisory architecture, designating the National Bank of Romania (BNR) and the Financial Supervisory Authority (ASF) as competent authorities for DORA.

This ongoing institutional build-out means that while the core legal framework exists at the EU level, local enforcement mechanisms are solidifying. Companies must therefore ensure their internal practices align with these established, and increasingly enforced, regulations.

Businesses in Romania must prioritize proactive compliance strategies for AI and crypto, as the regulatory landscape moves from framework establishment to active enforcement.