What is AI regulation in Romania?
AI regulation: countries and regions
AI regulation in Romania is mainly the EU AI Act, which applies directly, plus Romanian authority designations and existing rules on data protection, digital public administration and sector supervision. Romania is not replacing the EU regime with a separate national AI code. Instead, it is allocating oversight among ANCOM, ANSPDCP, BNR, ASF, ADR and existing product regulators, while its 2024-2027 AI strategy sets policy direction for public-sector use and governance.
What this means
If you build, buy, import or use AI in Romania, the first legal question is usually not "is there a Romanian AI law?" but "what does the EU AI Act say about this use, and what role do we play in the chain?" The answer depends on whether your system is prohibited, high-risk, subject to transparency duties or largely outside the stricter parts of the regime.
The Romanian layer matters because it tells you which authority is likely to supervise which kind of AI use. It also matters because GDPR, Romania's GDPR implementation law, workplace monitoring rules and sector supervision still apply alongside the AI Act, especially where personal data, biometrics, financial services or public services are involved.
Romania's National AI Strategy 2024-2027 and ADR's wider digital-government role give important context, especially for public administration and future testing environments. But they are not a substitute for the binding duties that already flow from EU law.
Why it matters
This matters because Romanian organisations cannot safely wait for a future domestic AI statute before acting. The AI Act is already applying in stages, and Romania now has a clearer authority map for supervision. That affects procurement, vendor due diligence, HR tools, biometric access control, financial services models and public-sector deployments.
For leaders, the practical issue is governance. You need to know which uses are banned, which are high-risk, which require human oversight and documentation, and where privacy, workplace and fundamental-rights checks still bite. In Romania, a compliance failure can mean AI Act intervention, data-protection scrutiny, procurement delays, blocked deployment or costly rework after launch.
How it works
The binding legal core is EU law
In Romania, the main binding AI rulebook is Regulation (EU) 2024/1689, the EU AI Act. It applies directly, so Romanian organisations do not need a separate national law before beginning compliance work. As at June 2026, the staged timetable is important: prohibited AI practices and AI literacy duties already apply; governance rules and obligations for general-purpose AI models already apply; and the broader regime is due to bite from August 2026. European Commission materials also reflect a politically agreed simplification package from May 2026 affecting some later dates for certain categories, so organisations should track the final amending text carefully.
Romania has chosen a distributed supervisory map
Romania's March 2026 government implementation package does not create one all-purpose AI regulator. It uses a distributed model. ANCOM is the national market surveillance authority and the single point of contact for the AI Act. In financial services, the National Bank of Romania, BNR, and the Financial Supervisory Authority, ASF, are the sector authorities for high-risk AI directly linked to those services. For certain high-risk AI in biometrics, law enforcement, border management, migration, asylum, justice and democratic processes, the National Supervisory Authority for Personal Data Processing, ANSPDCP, is the relevant market surveillance authority. Where AI is part of a regulated product, existing sector authorities under Annex I product legislation continue to matter. Romania has also publicly indicated that ADR, the Authority for the Digitalization of Romania, will handle notification of conformity-assessment bodies.
Data protection still runs in parallel
For many Romanian deployments, the hardest legal question is not naming the AI system but working out whether personal data, special-category data or automated decision-making rules are also triggered. The AI Act does not replace GDPR and does not, by itself, create the legal basis needed for solely automated decisions under GDPR. Romania's Law No. 190/2018 adds national safeguards. It says automated decision-making or profiling using biometric, genetic or health data needs explicit consent or an explicit legal basis with safeguards. It also restricts workplace monitoring, requiring justified employer interests, prior information, consultation with employee representatives and proof that less intrusive means did not work first.
Romania's digital-government context explains why ADR matters
ADR sits near the centre of Romania's digital state architecture. Under Government Decision No. 89/2020, it has roles in digital transformation, interoperability, government cloud implementation, trust services under eIDAS, electronic signatures and related public-service infrastructure. That institutional base helps explain why ADR appears in the AI Act implementation map even though it is not the front-line market surveillance authority for most AI systems.
Romania's National AI Strategy 2024-2027 is the policy backdrop, not the main source of binding duties. It frames AI as part of wider digital transformation and public-sector modernisation, supports standardisation and regulatory preparation, and points to ethics guidance, a public-sector AI catalogue, better use of public data and sandbox-type testing environments. Those measures matter for readiness, but they are not a compliance safe harbour.
What organisations usually need to do first
This depends on role. Providers, importers, distributors and deployers are treated differently, and the same Romanian business can sit in more than one role. In practice, most teams should start with an AI register, record the provider and deployer chain, and classify each use by risk and sector.
For employment, credit scoring, insurance pricing, public services, biometrics and public-authority uses, assume heightened scrutiny until proven otherwise. Check prohibited practices first, such as workplace emotion inference. If the system is high-risk, obtain the technical documentation and instructions for use, confirm the conformity route and registration position, set human oversight and logging arrangements, and embed incident escalation into contracts and internal controls. Public bodies, private entities providing public services, and deployers in creditworthiness and life or health insurance pricing should also prepare for a fundamental rights impact assessment before use.
Enforcement is becoming clearer, but the Romanian layer is still maturing
As of June 2026, Romania has moved from strategy and discussion to a recognisable authority map, but it is still early in institutional practice. The core AI Act deadlines are only now taking effect, public complaint and guidance channels are still maturing, and businesses should expect further Romanian detail on procedure, coordination and potentially penalties. The safest approach is to treat the AI Act itself, plus Romanian data-protection law and sector rules, as the live baseline rather than waiting for a single Romanian handbook.
Examples
In March 2026, ANSPDCP investigated Arrise Live SRL after reports that it planned to introduce facial-recognition access control for staff. The authority noted that card-based access already existed and warned that the proposed biometric processing would fail legality, necessity and proportionality tests, recommending less intrusive means. For Romanian employers, this is a strong signal that biometric AI for convenience can be hard to justify.
If a Romanian employer buys CV-filtering or candidate-scoring software, it is not just buying office automation. Under the AI Act, recruitment and candidate evaluation fall within the high-risk employment category. The buyer should therefore ask for the provider's documentation, define who keeps human control over shortlisting and hiring, train staff, and avoid add-on features that drift into prohibited or privacy-heavy uses, such as workplace emotion inference.
If a Romanian bank or insurer uses AI to assess a person's creditworthiness or to price life or health insurance, that goes beyond ordinary analytics. These uses sit in the AI Act's high-risk list, and Romania's supervisory map points to BNR or ASF in the relevant financial sector. Before go-live, the institution should verify documentation and oversight, and assess whether a fundamental rights impact assessment and a data-protection assessment are required.
Common misunderstandings
Myth: Romania has no AI rules until Parliament passes a special AI law. Correction: The EU AI Act already applies directly in Romania, in stages.
Myth: Only AI developers are covered. Correction: Buyers, deployers, importers and distributors can all have duties, depending on their role.
Myth: The AI Act replaces GDPR. Correction: In Romania, GDPR and Law No. 190/2018 still apply in parallel, especially for biometrics, workplace monitoring and automated decision-making.
Myth: ANCOM will supervise every AI use case by itself. Correction: Romania uses a shared model, with ANCOM central, but BNR, ASF, ANSPDCP and product-sector regulators also matter.
Myth: The national AI strategy gives you a compliance safe harbour. Correction: The strategy sets direction and capacity-building priorities, but it does not remove the need for the statutory checks.
Risks and boundaries
This page is about Romania's layer, not a full restatement of the whole EU AI Act, the entire conformity-assessment process or the complete rulebook for general-purpose AI models. Those are adjacent topics.
Romania's National AI Strategy is not itself the main enforcement instrument. The March 2026 government implementation step is important because it identifies the institutional map, but some domestic detail on procedure, coordination, complaint handling, sandbox operation and penalties is still evolving. That uncertainty is real and should be treated as a live compliance risk, not ignored.
As of June 2026, European Commission materials also reflect a politically agreed EU simplification package, but some revised dates will only become fully settled once the amending legislation is final and published. Until then, organisations should distinguish clearly between the AI Act as currently in force and changes that are agreed in principle but not yet final in text.
Also note that the AI Act does not cover every digital system. Many low-risk uses face few AI-specific duties, while defence and national-security uses sit outside the AI Act's scope and remain governed by other legal regimes.
What to do next
Build one Romania-facing inventory of every AI system you develop, buy, embed or let staff use. Tag each item by business function, vendor, personal-data use, sector and likely AI Act risk.
Assign joint ownership between legal, compliance, procurement, security and the business team. For any use touching recruitment, biometrics, public services, credit scoring, insurance pricing or regulated products, require documentation before procurement, define human oversight, train staff for AI literacy and decide whether a data-protection impact assessment or a fundamental rights impact assessment is needed.
Finally, watch the right Romanian authorities. For most issues that means ANCOM, but finance teams should monitor BNR or ASF, and any project involving biometrics or sensitive public-authority uses should track ANSPDCP as well. Do not wait for a future Romanian handbook before doing the basic classification and control work.
FAQs
Does the EU AI Act apply directly in Romania?
Yes. Romania does not need to copy the AI Act into a separate national statute for the main EU duties to apply.
Is there a separate Romanian AI code that replaces the AI Act?
No. Romania's main task is to designate authorities, provide procedure and align existing national laws and institutions around the EU regime.
Which Romanian authority is the main front door for AI Act supervision?
In general, ANCOM is the central market surveillance authority and single point of contact, but finance, biometrics and regulated products can shift the picture to other authorities.
Does GDPR still matter if my system is covered by the AI Act?
Yes. The AI Act and GDPR run in parallel. In Romania, Law No. 190/2018 adds extra safeguards for special-category data and workplace monitoring.
If I only buy an off-the-shelf AI tool, do I still have duties?
Often yes. A deployer or buyer can still have duties around use, human oversight, staff training, impact assessment and cooperation with authorities.
Are all HR AI tools high-risk?
Not all software used in HR is automatically high-risk, but tools that analyse or filter applications, evaluate candidates, monitor workers or influence work terms are exactly the kind of uses the AI Act treats very seriously.
Does Romania already have an operational AI sandbox?
The AI Act requires at least one national sandbox to be operational by 2 August 2026, and Romania's strategy refers to sandbox-type testing environments. Note that the European Commission has proposed a digital Omnibus package that could defer some high-risk obligations, so the 2 August 2026 dates should be read as the current legal position rather than a settled certainty. But organisations should verify the actual operational scheme and entry conditions before relying on one.