Digital #6 Legislative focus

Shortly before the government’s dismissal, an emergency ordinance amended GEO No. 89/2022 on cloud infrastructure, allowing STS to procure operating system and database licenses for the government cloud before intergovernmental agreements are concluded. The change addresses delays in cloud implementation caused by restrictive procurement sequencing and is intended to ensure faster rollout of cloud services and better use of EU funds under Romania’s PNRR targets for migrating public applications to IaaS/PaaS. The bill is now in the Senate for the start of the debates and approval process.

For companies and operators involved in government infrastructure, the measure accelerates procurement flows and reduces dependency on lengthy intergovernmental approval processes. It enables earlier acquisition of core cloud software components while maintaining centralized control through STS.

Companies should align with STS procurement processes, prepare for faster purchasing cycles, and ensure readiness to support government cloud migration projects under PNRR timelines.

Despite an approval in the committees, the Romanian Senate rejected a legislative initiative that clarifies the legal status of vulnerability research and reporting, stipulating that good-faith security testing does not constitute a criminal offence. It also established an interinstitutional cybersecurity committee coordinated by the National Cyber Security Directorate (DNSC), to ensure structured information exchange under the national cybersecurity framework (GEO 155/2024). Additionally, it introduces a 48-hour reporting requirement for discovered vulnerabilities, alongside strict rules on confidentiality and system protection during disclosure. Now the bill awaits the final decision in the Chamber of Deputies.

Digital and telecom operators would have benefited from clearer legal protections for ethical security testing and more structured engagement with authorities. At the same time, they would have faced stricter timelines and procedural expectations for vulnerability reporting and incident coordination. But now the approval of this bill doesn’t seem likely.

If the bill gets approved, companies should review internal security testing and disclosure policies to ensure alignment with “good-faith” standards and 48-hour reporting obligations.

The Senate (first chamber) has rejected two legislative proposals that would have introduced a minimum age of 16 for access to social media platforms, after the committees issued rejection reports. One proposal focused on mandatory age verification mechanisms, transparency obligations, and enforcement measures for platforms operating in Romania, while also defining narrow exemptions for non-social or educational digital services. The second proposal added stricter bans on profiling children for commercial purposes and reinforced content restrictions, while involving coordination between regulators, platforms, and civil society, alongside parental responsibility measures. Both proposals reached the Chamber of Deputies for a final debate, despite low adoption chances.

If adopted, digital platforms would face significant compliance pressure around age verification, data processing limits, and content controls, while increasing regulatory fragmentation risk.

Companies should continue aligning with EU-level child protection and GDPR standards and monitor for potential revised drafts focusing on platform accountability and age assurance mechanisms.