DORA regulations in Romania and impact for all industries


Reviewed by: Nojus (Noah) Bendoraitis

Romania is quickly emerging as a tech hotspot, with a growing startup scene, a skilled IT workforce, and a robust outsourcing market. At the same time, the country’s financial sector has been modernizing, spurred on by the National Bank of Romania (NBR) and the Financial Supervisory Authority (ASF). Now, the European Union’s Digital Operational Resilience Act (DORA) is set to unify and elevate these efforts by providing clear, standardized rules for managing ICT risk, incident reporting, and third-party oversight.

In this post, we’ll look at Romania’s steps toward implementing DORA, how they compare to other EU countries, and the local regulations that already share many of DORA’s core objectives. 

Why DORA matters in Romania

Romania’s financial sector is modernizing quickly, with banks and insurance firms embracing cloud-based services, mobile apps, and digital payment platforms. DORA introduces uniform standards for ICT risk management, incident reporting, and third-party oversight—elements that resonate with this nationwide shift toward a more digitized economy. Although DORA primarily targets financial entities, it indirectly impacts any business that handles critical data or provides IT services to regulated institutions. Romanian companies well-versed in existing data protection rules will find DORA to be a natural extension of the country’s broader emphasis on cybersecurity.

Comparing Romania’s path to other EU countries

EU-wide directives often follow a similar adoption pattern: member states integrate core elements into local statutes and adjust them for national nuances. For Romania, the primary financial watchdogs include the National Bank of Romania (NBR) and the Financial Supervisory Authority (ASF). Both have issued guidelines on risk management and operational continuity in recent years, setting a relatively high bar for banking and insurance sectors. 

This existing culture of regulatory oversight means Romania’s path to implementing DORA may be smoother than in countries with less established frameworks. Still, as with any new regulation, local clarifications and sector-specific rules will likely emerge to harmonize DORA’s requirements with Romanian law.

Romania’s existing regulations and their alignment with DORA

Romania has already put in place regulations and measures that parallel DORA’s core objectives, particularly in the fields of cybersecurity and data protection. 

Here’s an overview of the key frameworks:

| Romanian regulation or measure | Focus area | Connection to DORA |
| --- | --- | --- |
| Law No. 362/2018 | Implements the EU NIS Directive for cybersecurity of essential services | Reinforces incident reporting and risk management, mirroring DORA’s standardized approach. |
| National Bank of Romania (NBR) regulations | Operational risk and internal control for credit institutions | Overlaps with DORA’s ICT governance requirements, especially in banking. |
| ASF rules for insurance entities | Risk management and prudential oversight for insurance carriers | Align with DORA’s drive for consistent third-party oversight and business continuity. |
| National Supervisory Authority for Personal Data Processing (ANSPDCP) guidelines | Data privacy and GDPR enforcement | Complements DORA’s emphasis on safeguarding sensitive financial data. |

Given this groundwork, many Romanian institutions may view DORA as an incremental step rather than a fundamental shift. Nonetheless, DORA’s EU-wide uniformity could require updated reporting formats and more transparent third-party governance—areas where some firms might need additional adjustments.

Impact beyond finance

Although DORA is primarily directed at financial entities (banks, insurers, investment firms), its obligations will extend to any organization that supports these institutions’ critical operations. That includes technology vendors, consultancy services, and even certain B2B suppliers. In practice, a breach or service outage in a non-financial company providing vital tech solutions to a bank could trigger a DORA-mandated incident report. 

As the Romanian economy becomes more connected—particularly through digital payment networks and shared cloud infrastructures—these responsibilities are likely to spread across industries, elevating baseline cybersecurity standards.

List of DORA auditors in Romania

Auditing is an important part of DORA. The regulation does not specify a universal register of auditors, but several reputable firms in Romania have a track record of helping organizations with IT audits, cybersecurity assessments, and regulatory compliance. 

Below is a brief overview:

| Firm | Primary expertise | Additional notes |
| --- | --- | --- |
| Deloitte Romania | Cyber risk, operational resilience, internal audits | Global network with strong local sector knowledge |
| KPMG Romania | IT governance, compliance reviews, regulatory strategy | Known for financial sector projects and consulting |
| PwC Romania | GRC solutions, cybersecurity, cloud risk assessments | Offers tailored approaches for larger enterprises |
| EY Romania | IT audits, data protection, digital transformation | Experience advising both local and multinational firms |
| BDO Romania | Risk management, operational continuity, internal audits | Specialized in mid-market organizations |
| Mazars Romania | Cybersecurity assessments, compliance consulting | Known for broad expertise in EU regulatory matters |

When choosing an auditor, Romanian businesses should ensure the firm has deep familiarity with local regulations and a proven track record in financial services. A solid understanding of both the NBR’s and ASF’s requirements can expedite the process of aligning operations with DORA’s mandates.

Looking ahead

Romania’s modernization efforts and existing cybersecurity foundations place it in a strong position to embed DORA into everyday business practices. For forward-thinking institutions, compliance is less about checking off regulatory boxes and more about building a resilient operation that can keep pace with digital demands. DORA, with its structured requirements on ICT risk and incident response, reinforces Romania’s drive toward safer, more transparent financial and technological services—ultimately benefiting the entire business community in an increasingly connected era.
