Romania: legislative developments with immediate financial relevance

The newly adopted law amends and supplements Law no. 236/2022 on the prudential supervision of investment firms in order to align the national framework with the new European requirements introduced by Directive (EU) 2024/2994, particularly regarding concentration risk arising from exposures to central counterparties (CCPs). 

The law updates the reference to the relevant EU legislation and formally incorporates the provisions of Directive (EU) 2024/2994 into the national framework governing prudential supervision. It also introduces explicit definitions of “central counterparty” (CCP) and “qualifying central counterparty” (QCCP), aligning Romanian terminology with that used in Regulation (EU) No. 648/2012 (EMIR) and Regulation (EU) No. 575/2013 (CRR). 

Clarifying the legal status and treatment of CCPs and qualifying CCPs contributes to the alignment of the national framework with EU prudential standards related to counterparty risk and concentration risk. Financial institutions active in derivatives trading or capital markets may need to reassess internal risk management frameworks governing exposures to clearing infrastructures. From a systemic perspective, the amendment improves legal consistency between national legislation and EU financial market infrastructure regulations. 

Following its adoption by the Chamber of Deputies, the law will be sent to the President of Romania for promulgation and subsequently published in the Official Gazette. Financial institutions should monitor potential secondary regulations or supervisory guidance clarifying the practical implementation of the updated framework.

The newly adopted GEO no. 5/2026 amends several legislative acts governing credit institutions, payment services and payment systems in order to implement Regulation (EU) 2024/886, which introduces a regulatory framework for instant credit transfers in euro across the European Union. NBR becomes the competent authority responsible for overseeing the application of international sanctions in euro payments and receives extended monitoring powers over payment service providers offering instant credit transfers. The ordinance also introduces the possibility of temporary exemptions for payment service providers that are not immediately able to offer instant euro payments, and clarifies circumstances where sanctions-related obligations may not apply, such as during planned system maintenance periods. 

For banks, the impact is primarily operational and technological, as instant euro payments become a standard market feature requiring adjustments to payment infrastructure and transaction monitoring processes. The extension of NBR’s supervisory powers and the strengthening of the sanctioning framework increase compliance expectations for payment service providers. At the same time, the explicit inclusion of payment institutions and e-money institutions in payment system participation may intensify competition in the payments market, potentially affecting banks’ positioning in retail and corporate payment services. 

The ordinance is already in force following its publication in the Official Gazette. Banks and payment service providers should assess the operational and compliance implications, particularly regarding instant payment infrastructure, sanctions screening and payment system participation requirements.

The Government has adopted a new emergency ordinance (not yet published in the Official Gazette) establishing the national framework necessary for the implementation of Regulation (EU) 2022/2554 – the Digital Operational Resilience Act (DORA). The ordinance designates the National Bank of Romania and the Financial Supervisory Authority (FSA) as competent authorities responsible for supervising the application of the regulation. It introduces a national sanctioning regime for breaches of digital operational resilience requirements, with fines of up to 10% of annual turnover.  

NBR is designated as the single authority coordinating Threat-Led Penetration Testing (TLPT) exercises, which are a key element of the DORA testing framework. Entities processing payment operations will also be required to notify NBR within 30 days from the start of their activity. The ordinance further establishes procedures for cooperation between NBR and FSA and coordination with European supervisory authorities, including EBA, ESMA, EIOPA and the European Central Bank. It also regulates the procedure for challenging sanctions before the Bucharest Court of Appeal, while clarifying that appeals do not automatically suspend enforcement. 

For banks and other financial institutions, the implementation of DORA significantly strengthens requirements related to ICT risk management, cybersecurity resilience and operational continuity. Institutions will need to ensure robust frameworks for digital risk management, incident reporting, third-party ICT risk oversight and operational resilience testing. The introduction of TLPT coordination by NBR is likely to lead to more structured and rigorous testing of critical IT systems within the banking sector. 

The sanctioning framework and the enhanced supervisory cooperation mechanisms increase the compliance pressure on financial institutions to demonstrate effective governance of digital risks. 

Find more about DORA’s impact here!

The ordinance is expected to be published in the Official Gazette, after which it will formally enter into force. Secondary regulations and supervisory guidance from NBR and ASF are likely to follow, particularly regarding TLPT testing procedures and incident reporting requirements.

Financial institutions should continue their internal alignment with DORA requirements, including updates to ICT risk governance, operational resilience frameworks and third-party risk management policies.