— de Mihai Pisică, Associate, ONV LAW —
As Romania’s fintech and blockchain ecosystem continues to grow, regulators are moving to align the country’s financial infrastructure with European Union standards for digital operational resilience and cybersecurity.
The ordinance establishes a mandatory digital resilience framework for the financial sector, effectively turning cybersecurity and operational resilience into core licensing conditions for regulated entities.
Our colleague @Mihai Pisica, Associate, has prepared a brief overview for our community highlighting the key aspects of the new regulation.
Entities covered by the ordinance
The regulatory framework applies to credit institutions, payment institutions, insurance companies, fund managers, and, explicitly, crypto-asset service providers (CASPs).
Supervisory authorities
Supervisory responsibilities are shared between the National Bank of Romania (BNR) and the Financial Supervisory Authority (ASF).
BNR oversees banks and payment institutions and coordinates penetration testing exercises, while ASF supervises the capital markets, insurance and pension sectors.
Technical obligations
Covered entities are required to implement strict ICT risk management frameworks, maintain robust digital infrastructure and may be subject to mandatory internal audits and resilience testing coordinated by the supervisory authorities.
Applicable sanctions
Non-compliance may result in administrative fines of up to 10% of annual turnover or RON 23,000,000, alongside individual liability for management and the potential withdrawal of operating authorization.
Impact on Digital Asset Sector Entities
A major legislative development is the explicit inclusion of crypto-asset service providers (CASPs) and asset-referenced token issuers within this digital resilience regime.
Emergency Ordinance No. 14/2026 on the implementation of the EU Digital Operational Resilience Act (DORA) has been published in the Romanian Official Gazette.
Under this ordinance, crypto entities are effectively aligned with traditional financial institutions regarding the obligation to maintain secure and resilient IT infrastructure. They fall directly under the supervision of ASF or BNR (for electronic money issuers) and may be subject to mandatory technical audits and resilience assessments.
As of 11 March 2026, digital resilience and cybersecurity will become fundamental compliance pillars for any blockchain or digital asset project seeking to operate legally in Romania.
Emergency Ordinance No. 14/2026 on the implementation of the EU Digital Operational Resilience Act (DORA) has been published in the Romanian Official Gazette.