[codicts-css-switcher id=”346″]

Global Law Experts Logo
dora compliance romania

DORA Compliance for Romanian Banks, Ifns and Credit Servicers: 2026 Checklist & Action Plan

By Global Law Experts
– posted 1 hour ago

DORA compliance in Romania entered a new phase in 2026 when the government adopted Emergency Ordinance No. 14/2026 (Ordonanța de Urgență nr. 14/2026), transposing the EU’s Digital Operational Resilience Act, Regulation (EU) 2022/2554, into national law. The Regulation itself has applied directly across every EU Member State since 17 January 2025, but the Romanian ordinance now fills the enforcement gap by designating competent authorities, setting administrative penalties and clarifying supervisory powers for banks, non-bank financial institutions (IFNs) and credit servicers alike. This guide translates the combined EU and Romanian framework into a single enforcement-ready checklist, covering ICT risk management, incident reporting timelines, third-party contract redlines and the evidence pack supervisors will expect to see during inspections.

The article is written for chief risk officers, compliance officers, general counsel and in-house legal teams operating in Romania’s financial sector. Whether your entity is a systemic bank, a smaller IFN or a credit servicer licensed under national legislation, the obligations below apply now, not at some future date.

Who Is in Scope? A Quick Applicability Matrix for DORA Romania

Regulation (EU) 2022/2554 applies to more than 20 categories of financial entity. The table below isolates the three entity types most relevant to the Romanian lending and servicing market, maps each to its competent authority and highlights the practical DORA compliance Romania obligations triggered by Emergency Ordinance No. 14/2026.

Entity type DORA coverage Romanian supervisory authority
Credit institutions (banks) Full scope, all five DORA pillars including TLPT for significant institutions. Must maintain the Article 28 register of information and report major ICT incidents. National Bank of Romania (BNR) as primary competent authority, coordinating with EBA.
Non-bank financial institutions (IFNs) Full scope, ICT risk management framework, incident reporting, third-party risk management, register obligations. TLPT may apply depending on size and risk profile. BNR (for IFNs entered in the Special Register) and, where applicable, ASF for certain categories.
Credit servicers Covered where they qualify as a financial entity under DORA’s definitions or where the parent/contracting bank extends obligations by contract. Credit servicer obligations under DORA include ICT risk, incident reporting and maintaining contractual audit rights. BNR oversight where the servicer operates under a bank’s outsourcing framework; ASF where applicable to capital-market-adjacent activities.

Entities falling outside these categories, such as ICT third-party service providers designated as critical (CTPPs), are subject to direct oversight by the Lead Overseer designated among the European Supervisory Authorities (EBA, EIOPA or ESMA), a framework established under Articles 31–44 of the Regulation.

The Five Pillars of DORA: Executive Checklist for Immediate Action

Regulation (EU) 2022/2554 organises digital operational resilience banks Romania obligations around five pillars. Each pillar below includes priority actions to complete within the first 90 days of your implementation programme.

Pillar 1, ICT Risk Management (Articles 5–16)

  • Establish or update an ICT risk management framework that is documented, board-approved and integrated into the entity’s overall risk governance.
  • Assign clear ownership, a senior management member or dedicated function must be accountable for ICT risk oversight.
  • Map all ICT assets, systems and dependencies including legacy platforms, SaaS tools and inter-entity connections.
  • Define risk appetite and tolerance levels specific to ICT, with board-level sign-off reviewed at least annually.
  • Implement detection, response and recovery procedures documented in a business continuity plan tested at least once per year.
  • Report ICT risk posture to the management body at least annually (more often for significant institutions).

Pillar 2, ICT Incident Reporting (Articles 17–23)

  • Classify all ICT-related incidents using the criteria set out in the ESA Regulatory Technical Standards (RTS), distinguishing major incidents from other incidents.
  • Build an internal incident register logging every ICT-related incident and significant cyber threat.
  • Prepare reporting templates for initial, intermediate and final notifications to the competent authority (detailed timelines in the next section).
  • Designate an incident reporting team with a named contact for BNR/ASF communications.
  • Rehearse incident escalation flows at least annually, including board notification within four hours of classification.

Pillar 3, Operational Resilience Testing, Including TLPT (Articles 24–27)

  • Develop a testing programme proportionate to the entity’s size and ICT risk profile, covering vulnerability assessments, network security tests and penetration testing.
  • Conduct basic testing at least annually on all critical ICT systems.
  • Prepare for Threat-Led Penetration Testing (TLPT) if your entity is designated by the competent authority, significant banks and systemic IFNs are the most likely candidates.
  • Engage only qualified, independent testers (internal or external) and retain testing evidence for supervisory review.

Pillar 4, Third-Party Risk Management and the Register of Information (Articles 28–30)

  • Inventory all ICT third-party service providers and classify arrangements as critical or important in line with Article 28.
  • Populate the register of information documenting every contractual arrangement with ICT providers, the EBA has published templates for this mandatory register.
  • Review and redline existing contracts to incorporate DORA-mandated clauses on audit, sub-outsourcing, exit and data portability (detailed redlines below).
  • Assess concentration risk, identify dependencies on single providers or closely linked providers.

Pillar 5, Information Sharing (Article 45)

  • Establish or join an information-sharing arrangement with other financial entities or sectoral bodies for cyber-threat intelligence exchange.
  • Define internal protocols for what information may be shared, data-protection safeguards and recipient verification.

Incident Reporting in Romania: Categories, Timelines and Escalation Flow

Under DORA, incident reporting Romania obligations require every financial entity to classify ICT-related incidents and report major incidents to the competent authority within strict deadlines. The ESA joint RTS on incident classification and reporting set out the criteria for determining whether an incident is “major” (based on factors including number of clients affected, duration, geographical spread, data losses and criticality of services impacted).

Incident classification Reporting deadline Supervisory recipient and required content
Major ICT-related incident Initial notification: within 4 hours of classification (no later than 24 hours after detection). Intermediate report: within 72 hours. Final report: within one month of the incident’s resolution. National competent authority (BNR or ASF as applicable). Reports must include classification rationale, impact assessment, recovery actions and root-cause analysis (final report).
Other (non-major) ICT-related incidents No mandatory external notification, but must be logged in the entity’s internal incident register for supervisory access on request. Internal register available to supervisors during on-site inspections. Entities should be ready to produce aggregated incident statistics.
Significant cyber threats (voluntary reporting) Report voluntarily once the entity determines the threat is relevant to the financial system. Competent authority and, where applicable, sectoral CSIRT. Information-sharing protocols apply.

Sample Incident Notification Checklist, Fields to Complete

  • Incident reference number and internal classification (major / non-major).
  • Date and time of detection, date and time of classification.
  • Description of the incident, systems affected, services disrupted, root cause (if known).
  • Impact assessment, number of clients affected, financial losses, data compromised.
  • Geographical scope, Romanian operations only or cross-border.
  • Actions taken, containment, recovery measures, communication to affected parties.
  • Expected resolution timeline and name of the designated incident contact.

Third-Party Risk and DORA Contractual Clauses: Practical Redlines for Banks, IFNs and Servicers

Third-party risk management Romania obligations under DORA are among the most operationally intensive requirements. Articles 28–30 of the Regulation require financial entities to manage the ICT risk arising from their reliance on third-party providers throughout the entire lifecycle of the contractual relationship, from due diligence and on-boarding through to exit.

When to Treat a Provider as “Critical or Important”

An ICT third-party arrangement supports a critical or important function when it underpins a service the failure or degradation of which would materially impair the entity’s financial performance, the continuity of its services or its compliance with regulatory obligations. Industry observers expect Romanian supervisors to scrutinise core banking platforms, cloud-hosting providers, payment-processing gateways and loan-management systems as the highest-priority targets for classification.

Essential DORA Contractual Clauses, Sample Redlines

Every contract with an ICT third-party provider that supports a critical or important function must include, at minimum, the following clauses. These redlines reflect the mandatory requirements set out in Article 30 of the Regulation:

  • Right to audit and access. The financial entity and its competent authority shall have full rights of access, inspection and audit of the ICT provider, including on-site access to premises, data and documentation.
  • Sub-outsourcing controls. The provider may not sub-outsource a critical or important function without the prior written consent of the financial entity. Any authorised sub-outsourcing must not undermine the entity’s supervisory obligations.
  • Exit and termination provisions. The contract must include a detailed exit strategy with adequate transition periods, data migration support and post-termination data return/deletion obligations.
  • Data portability and return. Upon termination or disruption, the provider must return or make available all data in a format that allows the financial entity to migrate to an alternative provider or bring the function in-house.
  • Security SLAs and incident notification. The provider must meet defined security standards and notify the financial entity without undue delay of any ICT-related incident affecting the services provided.
  • Termination for regulatory reasons. The financial entity retains the right to terminate the agreement where the competent authority requires termination on supervisory grounds or where the provider can no longer meet DORA requirements.
  • Location of data processing and storage. The contract must specify the location(s) where data is processed and stored, and any transfer to third countries must comply with applicable data-protection rules.
  • Business continuity guarantees. The provider must maintain and test its own business continuity and disaster recovery arrangements and make testing results available to the financial entity.

The Register of Information, What It Must Contain

Under Article 28(3) of Regulation (EU) 2022/2554, every financial entity must maintain a comprehensive register of information documenting all contractual arrangements with ICT third-party service providers. The EBA has published standardised reporting templates that entities must use when submitting the register to their competent authority. Key data fields include provider identification, description of the function supported, contract start and end dates, sub-outsourcing chains, data-processing locations and the assessment of criticality. IFN compliance with DORA requires the same register discipline as banks, there is no proportionality exemption for this obligation.

Operational Resilience Testing and TLPT: What to Prepare

TLPT testing is the most technically demanding obligation under DORA. Articles 26–27 of the Regulation require entities identified by their competent authority to conduct advanced threat-led penetration testing at least every three years, using the TIBER-EU framework as the methodological baseline. This testing simulates realistic cyber-attack scenarios against live production systems.

  • Scope. TLPT must cover critical functions and the ICT systems supporting them, including relevant ICT third-party providers (with provider consent).
  • Testers. External testers must be qualified, reputable and independent. Internal testers may be used only if the competent authority approves and there is no conflict of interest.
  • Board sign-off. The management body must approve the TLPT scope, methodology and remediation plan before and after each test cycle.
  • Evidence pack. Retain the full test report, findings summary, remediation action plan and board approval documentation, supervisors will request these during inspections.
  • Smaller entities. Entities not designated for TLPT must still conduct proportionate resilience testing (vulnerability assessments, scenario-based tests, open-source analysis) at least annually.

Enforcement, Penalties and Supervisory Expectations in Romania

Emergency Ordinance No. 14/2026 equips Romanian competent authorities with a robust enforcement toolkit. Non-compliance with DORA obligations may result in administrative fines of up to 10% of annual turnover or RON 23,000,000 (whichever is higher), alongside individual liability for board members and senior management who fail to discharge their ICT governance duties. In the most serious cases, supervisors retain the power to withdraw the entity’s operating authorisation.

Industry observers expect Romanian supervisors to prioritise the following areas during the first wave of inspections:

  • ICT risk management framework documentation, is it board-approved, up to date and actually implemented?
  • Incident register completeness, were all incidents logged, classified and (where major) reported within the prescribed timelines?
  • Register of information, does it cover all ICT third-party arrangements, and has it been submitted in the EBA’s standardised template?
  • Contractual compliance, do existing outsourcing agreements contain the mandatory DORA clauses, or are they still operating under pre-DORA terms?
  • Testing evidence, can the entity produce testing reports, remediation plans and board sign-off records?

Entities that identify gaps should consider implementing a documented remediation plan with milestones and board reporting. Early indications suggest that supervisors are more likely to use enforcement powers against entities that show no evidence of having started compliance work than against those with an in-progress plan.

Practical 90/180/365-Day Action Plan by Function

The following table provides a phased DORA compliance Romania action plan, organised by function, to help entities prioritise implementation work across legal, IT, procurement, risk and operations teams.

Function 0–90 days 90–180 days 180–365 days
Legal / Compliance Gap analysis against DORA Articles and EO 14/2026. Identify all ICT third-party contracts requiring redline. Redline and renegotiate priority contracts (critical providers first). Draft incident reporting procedures. Submit register of information in EBA template. Complete all contract amendments. Conduct internal compliance audit. Prepare supervisor evidence pack.
IT / Information Security Map all ICT assets, systems and dependencies. Establish or update the incident detection and classification process. Implement automated incident logging. Conduct vulnerability assessments on critical systems. Test business continuity plan. Complete first annual resilience testing cycle. Prepare for TLPT if designated. Remediate findings and document evidence.
Procurement / Vendor Management Inventory all ICT third-party providers. Classify each as critical/important or non-critical. Populate Article 28 register. Assess concentration risk. Initiate contract renegotiation with critical providers. Finalise exit strategies for critical providers. Integrate ongoing due diligence into procurement processes.
Risk / Board Board briefing on DORA obligations and enforcement risks. Designate ICT risk ownership at senior management level. Approve ICT risk management framework and risk appetite statement. Review and approve incident escalation policy. Annual ICT risk posture report to the board. Approve TLPT scope and remediation plan. Review KPIs for DORA compliance.
Operations / Credit Servicing Identify credit servicer obligations under DORA, map which systems touch client data and critical functions. Align servicer operational procedures with the contracting bank’s ICT risk framework. Train operational staff on incident classification. Conduct joint incident simulation with contracting bank. Document evidence of compliance for supervisor inspection.

Supervisor-Ready Checklist and Evidence Pack

When Romanian supervisors conduct an on-site inspection or request documentation under DORA, entities should be prepared to produce the following evidence pack without delay:

  • Board-approved ICT risk management framework, current version with revision history.
  • ICT risk appetite statement, signed by the management body, with annual review evidence.
  • Internal incident register, complete log of all ICT-related incidents and significant cyber threats, with classification rationale.
  • Major incident notification records, copies of all initial, intermediate and final reports submitted to the competent authority, with timestamps.
  • Register of information (Article 28), exported in the EBA standardised template, covering all ICT third-party arrangements.
  • Contractual file for critical providers, executed agreements incorporating all mandatory DORA clauses (audit, exit, sub-outsourcing, data portability, SLAs).
  • Concentration risk assessment, documented analysis of dependencies on single or closely linked providers.
  • Testing reports and evidence, vulnerability assessments, penetration test results, TLPT reports (if applicable), remediation plans and board sign-off.
  • Business continuity and disaster recovery plans, with evidence of annual testing.
  • Staff training records, evidence that personnel involved in ICT risk management, incident handling and third-party oversight have received appropriate training.
  • Information-sharing arrangement documentation, membership details and protocols (where the entity participates in a sharing arrangement).

DORA Compliance Romania: Conclusion and Next Steps

The combined effect of Regulation (EU) 2022/2554 and Emergency Ordinance No. 14/2026 is that DORA compliance in Romania is no longer a future obligation, it is an immediate enforcement reality. Banks must treat their ICT risk management framework, incident reporting procedures, third-party contracts and testing evidence as top-priority deliverables. IFNs and credit servicers face the same substantive obligations and should not assume that smaller size grants exemption from supervisory scrutiny. The phased action plan and evidence checklist set out above provide a practical roadmap for meeting both the letter and spirit of the EU DORA transposition as applied in Romania.

Entities that act now, completing gap analyses, redlining contracts and building their register of information, will be best positioned to demonstrate compliance during the expected first wave of supervisory inspections.

Need Legal Advice?

This article was produced by Global Law Experts. For specialist advice on this topic, contact Cristiana Petropoulos at Tiller Legal, a member of the Global Law Experts network.

Sources

  1. EUR-Lex, Regulation (EU) 2022/2554 (DORA)
  2. Romanian Legislative Portal, Ordonanța de Urgență nr. 14/2026
  3. EBA, Digital Operational Resilience Act (DORA)
  4. EIOPA, Digital Operational Resilience Act (DORA)
  5. ESMA, Digital Operational Resilience Act (DORA)
  6. European Commission, Digital Finance: Cyber Resilience

FAQs

What is DORA and does it apply to banks and IFNs in Romania?
DORA is Regulation (EU) 2022/2554, the Digital Operational Resilience Act. It applies directly to all EU financial entities, including Romanian banks and IFNs. Emergency Ordinance No. 14/2026 designates Romanian competent authorities and enforcement penalties for non-compliance.
Major ICT-related incidents must be reported to the competent authority with an initial notification within four hours of classification (and no later than 24 hours after detection), an intermediate report within 72 hours and a final report within one month of resolution.
Credit servicers operating as or on behalf of financial entities must maintain an ICT risk management framework proportionate to their operations. In practice, this is often integrated with the contracting bank’s framework, but the servicer must document its own controls and procedures.
The register must document all contractual arrangements with ICT third-party providers, including provider identification, function supported, contract dates, sub-outsourcing chains, data-processing locations and criticality assessments. The EBA has published standardised reporting templates for this register.
Under Emergency Ordinance No. 14/2026, non-compliance may result in administrative fines of up to 10% of annual turnover or RON 23,000,000, individual liability for management, and potential withdrawal of operating authorisation.
Contracts with ICT providers supporting critical functions must include clauses on audit and access rights, sub-outsourcing controls, exit and data portability, security SLAs, incident notification, termination for regulatory reasons and data-processing locations, as required by Article 30 of the Regulation.
Supervisors will typically request the board-approved ICT risk framework, the incident register, major incident notification records, the Article 28 register of information, contractual files for critical providers, resilience testing reports and business continuity plan testing evidence.
citizenship by investment st lucia
By Jonathon Richards

posted 23 hours ago

Find the right Legal Expert for your business

The premier guide to leading legal professionals throughout the world

Specialism
Country
Practice Area
LAWYERS RECOGNIZED
0
EVALUATIONS OF LAWYERS BY THEIR PEERS
0 m+
PRACTICE AREAS
0
COUNTRIES AROUND THE WORLD
0
Join
who are already getting the benefits
0

Sign up for the latest legal briefings and news within Global Law Experts’ community, as well as a whole host of features, editorial and conference updates direct to your email inbox.

Naturally you can unsubscribe at any time.

About Us

Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.

Global Law Experts App

Now Available on the App & Google Play Stores.

Social Posts
[wp_social_ninja id="50714" platform="instagram"]
[codicts-social-feeds platform="instagram" url="https://www.instagram.com/globallawexperts/" template="carousel" results_limit="10" header="false" column_count="1"]

See More:

Contact Us

Stay Informed

Join Mailing List
About Us

Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.

Social Posts
[wp_social_ninja id="50714" platform="instagram"]
[codicts-social-feeds platform="instagram" url="https://www.instagram.com/globallawexperts/" template="carousel" results_limit="10" header="false" column_count="1"]

See More:

Global Law Experts App

Now Available on the App & Google Play Stores.

Contact Us

Stay Informed

GLE

Lawyer Profile Page - Lead Capture
GLE-Logo-White
Lawyer Profile Page - Lead Capture

DORA Compliance for Romanian Banks, Ifns and Credit Servicers: 2026 Checklist & Action Plan

Send welcome message

Custom Message