Digital #5 Legislative focus

After an approval in the committees, the Romanian Senate is expected adopt a legislative initiative establishing an interinstitutional cybersecurity committee coordinated by the National Cyber Security Directorate (DNSC). The committee is designed to improve cooperation between public authorities, facilitate the analysis of reported ICT vulnerabilities, and ensure structured information exchange under the national cybersecurity framework (GEO 155/2024). The proposal also clarifies the legal status of vulnerability research and reporting, stipulating that good-faith security testing (conducted without intent to cause harm or unauthorized access) does not constitute a criminal offence. Additionally, it introduces a 48-hour reporting requirement for discovered vulnerabilities, alongside strict rules on confidentiality and system protection during disclosure.

Digital and telecom operators would benefit from clearer legal protections for ethical security testing and more structured engagement with authorities. At the same time, they may face stricter timelines and procedural expectations for vulnerability reporting and incident coordination.

If the bill will be approved, companies should review internal security testing and disclosure policies to ensure alignment with “good-faith” standards and 48-hour reporting obligations.

USR is proposing, through a new initiative, a unified national digital governance framework for public institutions, built around mandatory central registers, role-based access control, and a single authorization mechanism. Public IT systems would be required to integrate with national registers and eliminate locally managed access rights, while ensuring full interoperability through standardized APIs. In addition, all digital operations must be logged with time-stamped audit trails, and non-compliance may trigger fines and contractual penalties.

IT vendors, system integrators, and digital service providers for the public sector would face significant redesign requirements, including mandatory integration with national registers, role-based access systems, and standardized interoperability layers.

While monitoring the legislative updates, companies should assess current public-sector systems for compatibility with centralized registers and plan API and access-control upgrades. Early alignment with interoperability and audit standards will be critical to avoid implementation bottlenecks if the proposal becomes law.

Instead, the Senate (first chamber) is set to reject two legislative proposals that would have introduced a minimum age of 16 for access to social media platforms, after the committees issued rejection reports. One proposal focused on mandatory age verification mechanisms, transparency obligations, and enforcement measures for platforms operating in Romania, while also defining narrow exemptions for non-social or educational digital services. The second proposal added stricter bans on profiling children for commercial purposes and reinforced content restrictions, while involving coordination between regulators, platforms, and civil society, alongside parental responsibility measures.

Digital platforms would face significant compliance pressure around age verification, data processing limits, and content controls, while increasing regulatory fragmentation risk.

Companies should continue aligning with EU-level child protection and GDPR standards and monitor for potential revised drafts focusing on platform accountability and age assurance mechanisms.