Romania's national implementation of the EU's digital services legislation has moved from a transitional phase into full enforcement. International technology companies that operate digital services directed at Romanian users now face a concrete set of compliance obligations. Missing the applicable deadline triggers enforcement powers held by the Romanian national authority, including the capacity to impose significant financial penalties under EU-aligned digital services law.
Romania has fully activated its national enforcement regime for digital services regulation, placing obligations on intermediary service providers, online platforms, and technology companies offering digital services to users in Romania. Companies above defined user-volume thresholds must comply with content moderation, algorithmic accountability, and transparency reporting requirements. The primary compliance deadline for the national enforcement layer falls in the first half of 2025, with certain obligations applying on a rolling basis from the date a threshold is crossed.
This alert covers the specific regulatory change, which business categories it affects, the applicable threshold criteria, and the immediate actions that international companies should take now.
What changed – the regulatory development and its effective date
Romania has designated its national competent authority responsible for supervising digital services legislation compliance within the country. This designation completed the enforcement chain that the EU-level digital services body coordinates at the supranational level.
The operative change is twofold. First, the national authority now holds direct investigative and sanctioning powers over providers established in Romania or – in certain circumstances – those who have designated Romania as their EU point of contact. Second, Romania's technology licensing and software liability environment has been updated to align with EU-level expectations on platform accountability.
Providers of intermediary services – covering mere conduit, caching, and hosting services – became subject to the full enforcement regime from the date the EU's digital services rules entered general application across member states. That date was February 17, 2024 for very large online platforms and very large online search engines, and it applied to all other in-scope providers from the same date under the coordinated member-state enforcement model.
Romania's national authority began exercising its supervisory powers over non-very-large providers from early 2025. Companies that have not yet completed their compliance mapping should treat this as an immediate priority. Delay creates direct exposure, not a managed risk.
The regulatory system also intersects with the EU's AI Act compliance obligations. Providers deploying recommender systems or automated decision-making tools on their platforms must address algorithmic accountability requirements. These obligations sit alongside – and in some respects reinforce – the digital services rules on transparency and user redress.
Who is affected – threshold criteria and business categories
The digital services rules apply in layers. The layer that applies to a given company depends on its service type and its user volume in the EU.
Intermediary service providers of any size operating in Romania are subject to baseline obligations. These include maintaining a single point of contact, publishing terms of service, and cooperating with Romanian authorities on lawful orders to act against illegal content.
Hosting service providers – including cloud infrastructure companies and software-as-a-service providers that store user-generated content – face additional notice-and-action obligations. They must establish mechanisms for users to flag illegal content and must act on those notices within defined timeframes.
Online platforms with Romanian users are subject to the broadest set of obligations. These include transparency reporting on content moderation decisions, algorithmic accountability disclosures for recommender systems, and restrictions on targeting minors with personalised advertising. Platforms must also implement accessible internal complaint-handling systems.
The threshold that elevates a platform to "very large" status – and triggers direct EU-level supervision rather than national supervision – is an average of 45 million monthly active users in the EU. Below that threshold, Romania's national authority is the primary regulator.
Companies providing digital services from outside the EU but directing services at Romanian users must designate a legal representative in an EU member state. Failure to designate creates an independent compliance breach, separate from any failure to meet substantive obligations. For companies assessing their technology licensing arrangements in Romania, the intellectual property dimension of platform operations is addressed in our coverage of intellectual property law in Romania.
For a preliminary review of your platform's exposure under Romania's digital services enforcement regime, contact us at info@ferrazwhitmore.com.
What to do now – immediate actions and compliance timeline
The following actions are relevant for international technology companies with Romanian users or a Romanian establishment.
- Map your service type. Determine whether your offering constitutes a mere conduit, caching service, hosting service, or online platform. Each category carries a distinct set of obligations. Misclassifying your service is one of the most common errors practitioners observe at this stage.
- Assess your EU legal representative status. If your company is established outside the EU, verify whether a legal representative has been designated in a member state. If not, this must be remedied before any substantive compliance work can proceed.
- Review your content moderation and notice-and-action procedures. Hosting providers and platforms must have operational mechanisms in place. A policy document that has not been tested against actual notice workflows will not satisfy enforcement scrutiny.
- Address algorithmic accountability obligations. If your platform uses a recommender system, you must provide at least one content option that is not based on profiling of the user. Documenting the logic of automated systems is a prerequisite for demonstrating AI Act compliance as that regulation's obligations begin to apply in parallel.
- Prepare your first transparency report. Online platforms above a defined threshold must publish transparency reports at least annually. Companies that have not reported before should begin data collection now. The report must cover content moderation decisions, notices received, and actions taken.
The risk of inaction is not abstract. Romania's national authority can initiate proceedings, issue binding orders, and – in cases of persistent non-compliance – refer matters to the EU body for enhanced enforcement measures. For companies operating across multiple EU markets, a compliance gap in Romania can expose the broader EU establishment to scrutiny.
Companies that operate in comparable EU markets should also review our alert covering digital services regulation developments in Portugal, where the enforcement context presents similar considerations. For specialist guidance on AI & technology law obligations in Romania, our dedicated practice is described at AI and technology law services in Romania.
To receive an expert assessment of your company's digital services compliance position in Romania, contact us at info@ferrazwhitmore.com.
About Ferraz & Whitmore
Ferraz & Whitmore is an international law firm based in Lisbon, advising technology companies, institutional investors, and international businesses across 46 jurisdictions. Our AI and technology law practice covers digital services regulation, AI Act compliance, algorithmic accountability, and technology licensing across European and international markets. We combine Portuguese civil law expertise with English common law tradition to deliver cross-border regulatory counsel for companies operating across multiple EU member states. Our technology team has advised clients facing national enforcement actions under EU digital services legislation in several jurisdictions, including Romania. As an international law firm advising on technology law in Romania, Ferraz & Whitmore helps businesses build defensible compliance positions before enforcement begins. To discuss how Romania's digital services requirements apply to your company, contact us at info@ferrazwhitmore.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.
Published: March 01, 2026 | Author: Sophie Kellner, Partner, IP & Technology Law
Sophie Kellner is a Partner at Ferraz & Whitmore focusing on intellectual property protection, AI and technology regulation, and employment law across European and international markets. She advises technology companies, investors, and institutions on IP strategy, regulatory compliance, and workforce matters.