Romania: legislative developments with immediate digital and telecom relevance

Romania has taken a major step toward digital modernization as the Ministry of Economy and Digitalization published the implementing norms for the Electronic Signature Law (Law 214/2024) in the Official Gazette. The rules now allow both companies and citizens to use advanced electronic signatures with full legal validity for a wider range of documents. The regulations set strict standards for trust service providers, covering authorization, audits, cybersecurity, insurance, and compliance with EU norms, creating a safer and more predictable environment for digital transactions.  However, the order will enter into force on April 3, 2026.

Companies using electronic signatures will benefit from a more secure and regulated system, with reduced risk of fraud and clearer standards for providers. Stricter audits, liability insurance, and cybersecurity requirements may increase costs for providers, potentially affecting pricing for end users, but overall reliability and trust in digital transactions will improve.

Trust service providers must submit updated documentation to the Authority for Digitalization of Romania within 270 days of the ordinance taking effect or before their current accreditation expires, whichever comes first. They must also comply with the new operational, audit, cybersecurity, and insurance requirements. Companies purchasing electronic signatures should verify that their providers meet these standards and ensure contracts and internal procedures reflect the updated legal obligations.

This week, Romania’s Ministry of Interior issued a draft government decision approving the National Strategy on Critical Entities Resilience. The strategy aims to protect essential services, including digital infrastructure, against physical, cyber, natural, or hybrid threats, ensuring continuity of critical services. Digital and telecom operators identified as critical entities will be required to implement resilience measures, assess risks, prepare detailed continuity plans, and report incidents and progress to authorities. Cybersecurity agencies will coordinate monitoring and information sharing, while the National Committee for Critical Entities Protection (CNCPIC) and Sectoral Competent Authorities oversee compliance and alignment with EU resilience standards.

The strategy introduces stricter obligations for critical operators, including enhanced risk management, mandatory incident reporting, and reinforced business continuity planning. Companies may face additional operational and compliance costs to meet EU-aligned resilience standards, while failure to comply could increase scrutiny and operational risk.

As a strategic framework, the decision and the strategy will only take effect once they are implemented through subsequent regulations, orders, or sector-specific projects. Until those implementing acts are issued, digital and telecom operators cannot yet take concrete action but should closely monitor the legislative process and updates to the draft decision to prepare for future obligations.

This week, two independent Romanian MPs proposed separate legislative (this and this) initiatives aiming to ban users under 16 from accessing social media platforms. The moves follow similar actions in France, Spain, Portugal, Denmark, the UK, and Norway, amid growing concerns over content on platforms like TikTok linked to harm, risky behaviours, or even fatalities among minors. The proposals require social media providers operating in Romania to implement effective, proportional, and non-discriminatory age verification mechanisms, protect minors’ personal data, and prevent the profiling or targeting of children with harmful or commercial content. Platforms must also inform users clearly about the rules and restrict access to minors under 16. Certain services, such as private messaging, educational platforms, and non-social video sharing, are excluded from these obligations.

Social media companies will need to implement robust age verification and content restriction measures, update data processing practices, and ensure transparency for users. While these requirements may increase operational complexity and compliance costs, they strengthen child protection, reduce legal risk, and enhance user trust in platforms accessible in Romania.

If adopted, providers shall prepare to comply with the laws six months after their publication, implement age verification and access restriction mechanisms, and ensure personal data handling aligns with Romanian and EU regulations. However, both proposals have almost no chance of becoming laws. Even so, we recommend close monitoring of the legislative evolution of these initiatives.

USR Senator Vasile-Ciprian Rus is proposing, through a new legislative initiative, to create the Single Digital Design System (SUDD), a national framework for standardizing the design and implementation of public digital service interfaces. The proposal ensures that citizens enjoy accessible, user-friendly, and consistent digital interactions with government services. New services and major updates will need to comply with SUDD, while existing digital services must adapt within two years. The system also introduces user rights, including access to standardized digital channels and visible mechanisms to report non-compliance.

Public digital services will become more accessible, consistent, and user-friendly, improving citizen experience and trust in online government platforms. Compliance with SUDD may require redesigns of existing services, updates to procurement processes, and training for developers, which could increase operational costs in the short term but ultimately enhance efficiency and usability.

While the law primarily affects public authorities, private companies involved in providing, developing, or operating digital public services must prepare to align with SUDD standards if the law is adopted.