Our Expert in Romania
No results available
DORA compliance in Romania entered a new phase in 2026 when the government adopted Emergency Ordinance No. 14/2026 (Ordonanța de Urgență nr. 14/2026), transposing the EU’s Digital Operational Resilience Act, Regulation (EU) 2022/2554, into national law. The Regulation itself has applied directly across every EU Member State since 17 January 2025, but the Romanian ordinance now fills the enforcement gap by designating competent authorities, setting administrative penalties and clarifying supervisory powers for banks, non-bank financial institutions (IFNs) and credit servicers alike. This guide translates the combined EU and Romanian framework into a single enforcement-ready checklist, covering ICT risk management, incident reporting timelines, third-party contract redlines and the evidence pack supervisors will expect to see during inspections.
The article is written for chief risk officers, compliance officers, general counsel and in-house legal teams operating in Romania’s financial sector. Whether your entity is a systemic bank, a smaller IFN or a credit servicer licensed under national legislation, the obligations below apply now, not at some future date.
Regulation (EU) 2022/2554 applies to more than 20 categories of financial entity. The table below isolates the three entity types most relevant to the Romanian lending and servicing market, maps each to its competent authority and highlights the practical DORA compliance Romania obligations triggered by Emergency Ordinance No. 14/2026.
| Entity type | DORA coverage | Romanian supervisory authority |
|---|---|---|
| Credit institutions (banks) | Full scope, all five DORA pillars including TLPT for significant institutions. Must maintain the Article 28 register of information and report major ICT incidents. | National Bank of Romania (BNR) as primary competent authority, coordinating with EBA. |
| Non-bank financial institutions (IFNs) | Full scope, ICT risk management framework, incident reporting, third-party risk management, register obligations. TLPT may apply depending on size and risk profile. | BNR (for IFNs entered in the Special Register) and, where applicable, ASF for certain categories. |
| Credit servicers | Covered where they qualify as a financial entity under DORA’s definitions or where the parent/contracting bank extends obligations by contract. Credit servicer obligations under DORA include ICT risk, incident reporting and maintaining contractual audit rights. | BNR oversight where the servicer operates under a bank’s outsourcing framework; ASF where applicable to capital-market-adjacent activities. |
Entities falling outside these categories, such as ICT third-party service providers designated as critical (CTPPs), are subject to direct oversight by the Lead Overseer designated among the European Supervisory Authorities (EBA, EIOPA or ESMA), a framework established under Articles 31–44 of the Regulation.
Regulation (EU) 2022/2554 organises digital operational resilience banks Romania obligations around five pillars. Each pillar below includes priority actions to complete within the first 90 days of your implementation programme.
Under DORA, incident reporting Romania obligations require every financial entity to classify ICT-related incidents and report major incidents to the competent authority within strict deadlines. The ESA joint RTS on incident classification and reporting set out the criteria for determining whether an incident is “major” (based on factors including number of clients affected, duration, geographical spread, data losses and criticality of services impacted).
| Incident classification | Reporting deadline | Supervisory recipient and required content |
|---|---|---|
| Major ICT-related incident | Initial notification: within 4 hours of classification (no later than 24 hours after detection). Intermediate report: within 72 hours. Final report: within one month of the incident’s resolution. | National competent authority (BNR or ASF as applicable). Reports must include classification rationale, impact assessment, recovery actions and root-cause analysis (final report). |
| Other (non-major) ICT-related incidents | No mandatory external notification, but must be logged in the entity’s internal incident register for supervisory access on request. | Internal register available to supervisors during on-site inspections. Entities should be ready to produce aggregated incident statistics. |
| Significant cyber threats (voluntary reporting) | Report voluntarily once the entity determines the threat is relevant to the financial system. | Competent authority and, where applicable, sectoral CSIRT. Information-sharing protocols apply. |
Third-party risk management Romania obligations under DORA are among the most operationally intensive requirements. Articles 28–30 of the Regulation require financial entities to manage the ICT risk arising from their reliance on third-party providers throughout the entire lifecycle of the contractual relationship, from due diligence and on-boarding through to exit.
An ICT third-party arrangement supports a critical or important function when it underpins a service the failure or degradation of which would materially impair the entity’s financial performance, the continuity of its services or its compliance with regulatory obligations. Industry observers expect Romanian supervisors to scrutinise core banking platforms, cloud-hosting providers, payment-processing gateways and loan-management systems as the highest-priority targets for classification.
Every contract with an ICT third-party provider that supports a critical or important function must include, at minimum, the following clauses. These redlines reflect the mandatory requirements set out in Article 30 of the Regulation:
Under Article 28(3) of Regulation (EU) 2022/2554, every financial entity must maintain a comprehensive register of information documenting all contractual arrangements with ICT third-party service providers. The EBA has published standardised reporting templates that entities must use when submitting the register to their competent authority. Key data fields include provider identification, description of the function supported, contract start and end dates, sub-outsourcing chains, data-processing locations and the assessment of criticality. IFN compliance with DORA requires the same register discipline as banks, there is no proportionality exemption for this obligation.
TLPT testing is the most technically demanding obligation under DORA. Articles 26–27 of the Regulation require entities identified by their competent authority to conduct advanced threat-led penetration testing at least every three years, using the TIBER-EU framework as the methodological baseline. This testing simulates realistic cyber-attack scenarios against live production systems.
Emergency Ordinance No. 14/2026 equips Romanian competent authorities with a robust enforcement toolkit. Non-compliance with DORA obligations may result in administrative fines of up to 10% of annual turnover or RON 23,000,000 (whichever is higher), alongside individual liability for board members and senior management who fail to discharge their ICT governance duties. In the most serious cases, supervisors retain the power to withdraw the entity’s operating authorisation.
Industry observers expect Romanian supervisors to prioritise the following areas during the first wave of inspections:
Entities that identify gaps should consider implementing a documented remediation plan with milestones and board reporting. Early indications suggest that supervisors are more likely to use enforcement powers against entities that show no evidence of having started compliance work than against those with an in-progress plan.
The following table provides a phased DORA compliance Romania action plan, organised by function, to help entities prioritise implementation work across legal, IT, procurement, risk and operations teams.
| Function | 0–90 days | 90–180 days | 180–365 days |
|---|---|---|---|
| Legal / Compliance | Gap analysis against DORA Articles and EO 14/2026. Identify all ICT third-party contracts requiring redline. | Redline and renegotiate priority contracts (critical providers first). Draft incident reporting procedures. Submit register of information in EBA template. | Complete all contract amendments. Conduct internal compliance audit. Prepare supervisor evidence pack. |
| IT / Information Security | Map all ICT assets, systems and dependencies. Establish or update the incident detection and classification process. | Implement automated incident logging. Conduct vulnerability assessments on critical systems. Test business continuity plan. | Complete first annual resilience testing cycle. Prepare for TLPT if designated. Remediate findings and document evidence. |
| Procurement / Vendor Management | Inventory all ICT third-party providers. Classify each as critical/important or non-critical. | Populate Article 28 register. Assess concentration risk. Initiate contract renegotiation with critical providers. | Finalise exit strategies for critical providers. Integrate ongoing due diligence into procurement processes. |
| Risk / Board | Board briefing on DORA obligations and enforcement risks. Designate ICT risk ownership at senior management level. | Approve ICT risk management framework and risk appetite statement. Review and approve incident escalation policy. | Annual ICT risk posture report to the board. Approve TLPT scope and remediation plan. Review KPIs for DORA compliance. |
| Operations / Credit Servicing | Identify credit servicer obligations under DORA, map which systems touch client data and critical functions. | Align servicer operational procedures with the contracting bank’s ICT risk framework. Train operational staff on incident classification. | Conduct joint incident simulation with contracting bank. Document evidence of compliance for supervisor inspection. |
When Romanian supervisors conduct an on-site inspection or request documentation under DORA, entities should be prepared to produce the following evidence pack without delay:
The combined effect of Regulation (EU) 2022/2554 and Emergency Ordinance No. 14/2026 is that DORA compliance in Romania is no longer a future obligation, it is an immediate enforcement reality. Banks must treat their ICT risk management framework, incident reporting procedures, third-party contracts and testing evidence as top-priority deliverables. IFNs and credit servicers face the same substantive obligations and should not assume that smaller size grants exemption from supervisory scrutiny. The phased action plan and evidence checklist set out above provide a practical roadmap for meeting both the letter and spirit of the EU DORA transposition as applied in Romania.
Entities that act now, completing gap analyses, redlining contracts and building their register of information, will be best positioned to demonstrate compliance during the expected first wave of supervisory inspections.
This article was produced by Global Law Experts. For specialist advice on this topic, contact Cristiana Petropoulos at Tiller Legal, a member of the Global Law Experts network.
posted 14 minutes ago
posted 38 minutes ago
posted 2 hours ago
posted 2 hours ago
posted 3 hours ago
posted 7 hours ago
posted 11 hours ago
posted 15 hours ago
posted 19 hours ago
posted 23 hours ago
posted 24 hours ago
posted 1 day ago
No results available
Find the right Legal Expert for your business
Sign up for the latest legal briefings and news within Global Law Experts’ community, as well as a whole host of features, editorial and conference updates direct to your email inbox.
Naturally you can unsubscribe at any time.
Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.
Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.
Send welcome message