Romania is quickly emerging as a tech hotspot, with a growing startup scene, skilled IT workforce, and robust outsourcing market. At the same time, the country’s financial sector has been modernizing, spurred on by the National Bank of Romania (NBR) and the Financial Supervisory Authority (ASF). Now, the European Union’s Digital Operational Resilience Act (DORA) is set to unify and elevate these efforts by providing clear, standardized rules for managing ICT risk, incident reporting, and third-party oversight.
In this post, we’ll look at Romania’s steps toward implementing DORA, how they compare to other EU countries, and the local regulations that already share many of DORA’s core objectives.
Why DORA matters in Romania
Romania’s financial sector is modernizing quickly, with banks and insurance firms embracing cloud-based services, mobile apps, and digital payment platforms. DORA introduces uniform standards for ICT risk management, incident reporting, and third-party oversight—elements that resonate with this nationwide shift toward a more digitized economy. Although DORA primarily targets financial entities, it indirectly impacts any business that handles critical data or provides IT services to regulated institutions. Romanian companies well-versed in existing data protection rules will find DORA to be a natural extension of the country’s broader emphasis on cybersecurity.
Comparing Romania’s path to other EU countries
EU-wide directives often follow a similar adoption pattern: member states integrate core elements into local statutes and adjust them for national nuances. For Romania, the primary financial watchdogs include the National Bank of Romania (NBR) and the Financial Supervisory Authority (ASF). Both have issued guidelines on risk management and operational continuity in recent years, setting a relatively high bar for the banking and insurance sectors.
This existing culture of regulatory oversight means Romania’s path to implementing DORA may be smoother than in countries with less established frameworks. Still, as with any new regulation, local clarifications and sector-specific rules will likely emerge to harmonize DORA’s requirements with Romanian law.
Romania’s existing regulations and their alignment with DORA
Romania has already put in place regulations and measures that parallel DORA’s core objectives, particularly in the fields of cybersecurity and data protection.
Here’s an overview of the key frameworks:
| Romanian regulation or measure | Focus area | Connection to DORA |
| --- | --- | --- |
| Law No. 362/2018 | Implements the EU NIS Directive for cybersecurity of essential services | Reinforces incident reporting and risk management, mirroring DORA’s standardized approach. |
| National Bank of Romania (NBR) regulations | Operational risk and internal control for credit institutions | Overlaps with DORA’s ICT governance requirements, especially in banking. |
| ASF rules for insurance entities | Risk management and prudential oversight for insurance carriers | Align with DORA’s drive for consistent third-party oversight and business continuity. |
| National Supervisory Authority for Personal Data Processing (ANSPDCP) guidelines | Data privacy and GDPR enforcement | Complements DORA’s emphasis on safeguarding sensitive financial data. |
Given this groundwork, many Romanian institutions may view DORA as an incremental step rather than a fundamental shift. Nonetheless, DORA’s EU-wide uniformity could require updated reporting formats and more transparent third-party governance—areas where some firms might need additional adjustments.
Impact beyond finance
Although DORA is primarily directed at financial entities (banks, insurers, investment firms), its obligations will extend to any organization that supports these institutions’ critical operations. That includes technology vendors, consultancy services, and even certain B2B suppliers. In practice, a breach or service outage in a non-financial company providing vital tech solutions to a bank could trigger a DORA-mandated incident report.
As the Romanian economy becomes more connected—particularly through digital payment networks and shared cloud infrastructures—these responsibilities are likely to spread across industries, elevating baseline cybersecurity standards.
List of DORA auditors in Romania
Auditing is an important part of DORA. The regulation does not specify a universal register of auditors, but several reputable firms in Romania have a track record of helping organizations with IT audits, cybersecurity assessments, and regulatory compliance.
Below is a brief overview:
| Firm | Primary expertise | Additional notes |
| --- | --- | --- |
| Deloitte Romania | Cyber risk, operational resilience, internal audits | Global network with strong local sector knowledge |
| KPMG Romania | IT governance, compliance reviews, regulatory strategy | Known for financial sector projects and consulting |
| PwC Romania | GRC solutions, cybersecurity, cloud risk assessments | Offers tailored approaches for larger enterprises |
| EY Romania | IT audits, data protection, digital transformation | Experience advising both local and multinational firms |
| BDO Romania | Risk management, operational continuity, internal audits | Specialized in mid-market organizations |
| Mazars Romania | Cybersecurity assessments, compliance consulting | Known for broad expertise in EU regulatory matters |
When choosing an auditor, Romanian businesses should ensure the firm has deep familiarity with local regulations and a proven track record in financial services. A solid understanding of both the NBR’s and ASF’s requirements can expedite the process of aligning operations with DORA’s mandates.
Looking ahead
Romania’s modernization efforts and existing cybersecurity foundations place it in a strong position to embed DORA into everyday business practices. For forward-thinking institutions, compliance is less about checking off regulatory boxes and more about building a resilient operation that can keep pace with digital demands. DORA, with its structured requirements on ICT risk and incident response, reinforces Romania’s drive toward safer, more transparent financial and technological services—ultimately benefiting the entire business community in an increasingly connected era.