Romania and the EU AI Act: Ready or Just Warming Up?

04.12.2025

Artificial Intelligence is reshaping industries and societies worldwide. As the European Union rolls out the AI Act, Romania is at the boiling point: Is it prepared to navigate this complex regulatory landscape? While the country boasts a vibrant tech ecosystem, aligning its legislative and institutional structures with EU standards still remains a challenge. This article explores the country’s current stance, challenges, and opportunities in aligning with Europe’s landmark AI regulation.

I. Romania’s First Steps Toward AI Regulation

While the EU AI Act is directly applicable, Romania has been working on its own legislative and strategic framework to complement it.

National AI Strategy (2024-2027):

In July 2024, the Romanian government approved its National Artificial Intelligence Strategy for 2024-2027, which serves as a strategic and governance blueprint. A central element of the strategy is the creation of a dedicated authority to oversee AI implementation at the national level.

Draft Law on AI:

Romania’s current legislative landscape on AI consists of two legislative proposals:

i. Draft law Pl-x nr. 336/2024 on Artificial Intelligence.

This brief and general proposal (only two pages long) sought to broadly regulate artificial intelligence. It was rejected by both the Senate (May 2024) and the Chamber of Deputies (May 2025), signaling the need for a more detailed and robust legal framework.

ii. Draft law Pl-x nr. 184/2025 on the responsible use of artificial intelligence.

Currently under review in the Chamber of Deputies, this draft law introduces a more comprehensive set of provisions:

  1. AI systems used in public administration must be transparent and subject to regular audits; the use of AI without human oversight for administrative decisions is prohibited.
  2. In the judiciary and law enforcement sectors, AI cannot be used to make judicial decisions.
  3. AI used in medical diagnostics and treatment must be scientifically validated and approved by competent authorities; medical decisions based on AI must be confirmed by a specialist doctor.
  4. AI developers are responsible for the impact of their algorithms on end users.
  5. Any AI system used in decision-making must be audited annually by an independent entity.
  6. Individuals must be informed when interacting with AI and must have the option to request human interaction.
  7. AI systems must comply with the GDPR. Political profiling using AI without explicit consent is prohibited.
  8. Deepfakes intended to manipulate public opinion or undermine democratic processes are banned.
  9. Digital platforms must label AI-generated content.
  10. Sanctions for abusive or illegal use of AI include prison terms (2–5 years) and fines ranging from RON 500,000 to RON 100 million (approximately EUR 100,000 to EUR 20 million), with criminal liability for individuals.


Needless to say, the current form of the draft law has raised concerns among legal professionals and the business community, due to:

  1. Potential Conflicts: The draft law contains definitions and provisions that may overlap with or contradict the AI Act, including its sanctions regime.
  2. Vague Provisions: Some provisions lack clarity, such as the criteria for assessing the impact of algorithms and the certification process for AI systems.

    II. Designated National Authorities

    Under the AI Act, Member States are required to designate or establish three types of authorities:

    i. a market surveillance authority

    ii. a notifying authority

    iii. a national public authority for the protection of fundamental rights

    In accordance with Article 77(2) of the AI Act, Romania has notified the European Commission of the following public authorities responsible for monitoring or enforcing compliance with EU legislation that protects fundamental rights, including the right to non-discrimination - particularly in relation to the use of high-risk AI systems:

    1. Ombudsman (Avocatul Poporului)
    2. National Authority for Consumer Protection
    3. National Council for Combating Discrimination
    4. National Agency for Equal Opportunities between Women and Men
    5. National Supervisory Authority for Personal Data Processing
    6. National Authority for the Protection of the Rights of the Child and Adoption
    7. Ministry of Labour and Social Solidarity / Labour Inspectorate
    8. National Audiovisual Council
    9. Permanent Electoral Authority


    The National Strategy on Artificial Intelligence (2024–2027) proposes establishing a dedicated authority under the coordination of the Authority for Digitalisation of Romania and the Ministry of Research, Innovation, and Digitalisation. However, as of November 2025, Romania has not officially designated a competent national authority for enforcing the AI Act, despite the EU deadline of August 2, 2025.

    The lack of official designation remains a key area that Romania needs to address to ensure full compliance.

    III. Conclusion

    As artificial intelligence continues to evolve, so must Romania’s regulatory and institutional readiness. The country’s vibrant tech ecosystem and strategic intent offer a strong foundation, but timely and coordinated action is essential to ensure legal certainty, protect fundamental rights, and foster innovation responsibly.

    Whether Romania is truly ready or still warming up, one thing is clear: the next phase will require not just vision, but execution.

     

    Article provided by INPLP members: Adelina Iftime-Blagean and Nina Lazar (Wolf Theiss, Romania)

     

     

    Discover more about the INPLP and the INPLP-Members

    Dr. Tobias Höllwarth (Managing Director INPLP)

    What is the INPLP?

    INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.