-
Who are the primary regulators overseeing fintechs in your jurisdiction, and how are regulatory boundaries evolving as innovation crosses traditional lines between payments, lending, wealth, and digital assets?
In Romania, fintech companies operate under the supervision of several regulatory authorities, depending on the nature of their business activities. As of March 2026, the primary regulators are:
– National Bank of Romania (BNR) – the central bank and primary regulator for financial institutions, including fintech companies engaged in banking activities, electronic money issuance, and payment services. Entities wishing to provide such services must obtain authorisation from the BNR and comply with applicable banking and financial legislation, including capital adequacy, risk management, and consumer protection requirements.
– Financial Supervisory Authority (ASF) – oversees non-banking financial markets, including insurance, crowdfunding, private pensions, and capital markets. Fintech firms involved in investment services, crowdfunding, digital insurance solutions, or other financial instruments fall under ASF’s jurisdiction. Following Government Emergency Ordinance (GEO) 10/2025, the ASF was also designated as the national competent authority responsible for overseeing all crypto-asset service providers (CASPs), including crypto exchanges, under the Markets in Crypto-Assets Regulation (MiCAR).
– Romanian Authority for Digitalization (RAD) – while not a financial regulator as such, RAD plays a role in shaping the digital financial landscape by overseeing aspects relevant to fintech including digital identity, cybersecurity, and open data initiatives.
Regulatory boundaries in Romania are actively evolving. The full applicability of MiCAR since December 2024 has drawn digital asset activities firmly within the regulatory perimeter. DORA (applicable since January 2025) has imposed operational resilience obligations on all regulated financial entities including fintechs. The PSD3 and Payment Services Regulation – for which a provisional political agreement was reached on 27 November 2025, with formal adoption and Official Journal publication expected in the first half of 2026 – will further redefine the boundary between banking and non-banking payment service providers. An 18-month transitional period is expected following entry into force, meaning enforcement is not anticipated before late 2027. Embedded finance models are also emerging as an area requiring novel supervisory approaches.
-
As regulators adopt different rules for digital assets, AI, and consumer protection, what key regulatory and operational challenges could slow fintech innovation and growth in your jurisdiction over the next 12 months?
We do not foresee risks to fintech growth that are unique to Romania, but several regulatory and operational challenges at the EU and national level require attention:
– MiCAR implementation fragmentation: While MiCAR has been fully applicable since 30 December 2024 and Romania transposed the Funds Transfer Regulation via GEO 10/2025 (effective March 2025), Romania’s full national CASP authorisation framework – the main implementing GEO, published in draft in May 2025 – has not yet been formally enacted. Until it is, there is no operational ASF licensing procedure for CASPs. Under Article 143(3) of MiCAR, CASPs that were providing services lawfully under applicable national law before 30 December 2024 may continue to do so until 1 July 2026 or until they are granted or refused MiCA authorisation, whichever is sooner. Romania opted for the full 18-month grandfathering period. This uncertainty around the national licensing procedure creates significant operational friction for market participants.
– EU AI Act compliance pressure: With the ban on prohibited AI practices in force since February 2025, GPAI model obligations applicable since August 2025, and the comprehensive high-risk AI obligations (covering credit scoring, AML decisioning, fraud detection) set to apply in full from August 2026, fintechs must make significant investments in AI governance, documentation, and audit infrastructure within tight timelines.
– DORA operational resilience obligations: In force since 17 January 2025, DORA imposes mandatory ICT risk management frameworks, incident reporting regimes, and third-party risk management obligations on all in-scope financial entities, including fintechs. Ensuring full supply-chain compliance (including with ICT service providers) remains an ongoing challenge.
– Consumer vulnerability and financial literacy: Romania’s financial market maturity gap means that consumer protection continues to be a primary regulatory focus. Authorities are actively collaborating with EU agencies to enhance financial education. Regulators are expected to intensify supervisory scrutiny in this area.
– PSD3/PSR readiness: The provisional political agreement on PSD3 and the Payment Services Regulation was reached on 27 November 2025. Formal adoption and publication in the Official Journal are expected in the first half of 2026, with an 18-month transitional period meaning enforcement is not expected before late 2027. However, fintechs should begin impact analysis and preparation now to avoid last-minute compliance costs.
-
Are fintechs generally required to obtain licenses or registrations to operate in your jurisdiction, and if so, which activities typically trigger those requirements (e.g., lending, payments, digital assets custody)?
Fintech companies operating in Romania may be required to obtain a licence or register with the relevant authorities, depending on the nature of their business. The following activities typically trigger licensing or registration requirements:
– Payment services and electronic money issuance: Entities must obtain a licence from the BNR in accordance with Law No. 209/2019 on payment services (transposing PSD2), which remains operative in Romania. Following the provisional political agreement on PSD3 and the PSR of 27 November 2025, formal adoption and publication in the Official Journal is expected in the first half of 2026, with a transitional period of approximately 18 months thereafter. PSD2 rules continue to apply until PSD3 transposition is completed by member states.
– Investment-related services: Entities fall under ASF regulatory scope per Law No. 126/2018 on markets in financial instruments (implementing MiFID II).
– Digital insurance products: Subject to licensing under Law No. 236/2018 on insurance distribution (implementing IDD).
– Crypto-asset services: Since MiCAR became fully applicable on 30 December 2024, providers of crypto-asset services (CASPs) are subject to an authorisation requirement. In Romania, the ASF has been designated as the national competent authority under GEO 10/2025, and the BNR is competent for EMT issuers that are credit institutions or e-money institutions. However, Romania’s national CASP licensing procedure is still pending formal enactment in the main implementing GEO (published in draft May 2025). Before MiCAR, the only legal requirement for CASPs to operate in Romania was ONPCSB notification/registration. Under Article 143(3) of MiCAR, CASPs that were operating lawfully under national law before 30 December 2024 may continue to do so until 1 July 2026 or until authorisation is granted or refused, whichever is sooner. Romania opted for the full 18-month grandfathering period without any additional application-by-deadline condition.
– Lending activities: Depending on the model, lending activities may require authorisation from the BNR or registration with the relevant authorities under the applicable credit institution framework.
Companies not directly engaged in regulated financial services must still comply with Law No. 129/2019 on anti-money laundering and counter-terrorism financing (as amended by GEO 10/2025 integrating CASPs). Given the evolving legal framework, fintech companies are advised to conduct thorough regulatory assessments of their business model.
-
Are there emerging cross-functional or omnibus licensing regimes, such as those inspired by the U.S. GENIUS Act, the EU MiCA/DORA frameworks, or similar integrated models, that allow a single license to cover multiple fintech activities?
Romania does not yet have a standalone omnibus fintech licence equivalent to a single-licence model. However, the EU regulatory framework is moving in this direction. Key developments include:
– MiCAR passporting: Under MiCAR, a fully authorised CASP may passport its services across the EU. It is important to note that CASPs operating under the Article 143(3) grandfathering transitional regime are explicitly not considered authorised CASPs under MiCAR and therefore cannot use MiCA passporting rights during the transitional period (confirmed by ESMA Q&A 2086). Only CASPs that obtain full MiCA authorisation from the ASF will benefit from EU-wide passporting. Romania’s ASF will issue MiCAR licences once the national authorisation framework is formally enacted.
– DORA as an operational layer: DORA functions as a cross-sectoral resilience standard applicable to all regulated financial entities, effectively creating a harmonised operational floor across payments, investment services, insurance, and crypto activities.
– EU regulatory convergence trends: The European Commission’s Digital Omnibus proposal (introduced November 2025) seeks to consolidate and simplify AI, data, privacy, and cybersecurity rules across the AI Act, GDPR, NIS2, DORA, and the Data Act. If adopted, this would reduce duplication for fintechs operating across multiple regulatory frameworks.
– PSD3/PSR: The political agreement of November 2025 on PSD3 and the PSR will, once formally adopted, allow certain entities already licensed under MiCAR to benefit from a simplified authorisation pathway for payment services, representing a step towards cross-framework licensing efficiencies.
In the absence of a Romanian omnibus licence, fintechs engaging in multiple regulated activities (e.g., payments and digital assets) must typically obtain separate authorisations from BNR and ASF respectively. Regulatory dialogue with both authorities from the outset is strongly recommended.
-
How have regulatory sandboxes, innovation offices, or digital-testing frameworks matured in 2025, and what measurable impact have they had on time-to-market or capital formation for fintech start-ups?
In Romania, a formal regulatory sandbox has not yet been fully implemented in the legislative sense. However, innovation-facilitating mechanisms have continued to develop:
– BNR Fintech Innovation Hub: The National Bank of Romania maintains a Fintech Innovation Hub through which fintech innovators can seek guidance on compliance matters and regulatory expectations before launching products. This platform facilitates informal dialogue with regulators and reduces the risk of compliance surprises at the product launch stage.
– ASF Fintech Hub: The Financial Supervisory Authority has established a dedicated Fintech Hub that serves as a resource and point of contact for fintech businesses operating in non-banking financial sectors (insurance, capital markets, private pensions). It supports firms in navigating applicable regulatory frameworks and has played a supporting role as the ASF assumed its new responsibilities under MiCAR.
While these hubs provide meaningful pre-authorisation dialogue, their maturity and measurable impact remain limited compared to formal sandbox regimes in jurisdictions such as the UK (FCA Sandbox) or Singapore. The absence of structured time-limited testing with regulatory forbearance means that Romanian fintech start-ups cannot fully test novel business models with the same degree of regulatory certainty as in those jurisdictions.
The key benefits that participation in innovation hubs can provide include: clearer regulatory understanding; reduced initial compliance costs; faster time-to-market through early regulatory alignment; more effective risk management; and networking and collaboration opportunities with both regulators and industry peers.
There are ongoing discussions at the EU level about harmonising sandbox frameworks across member states. Should Romania implement a formal statutory sandbox in the near term – aligning with the European Forum for Innovation Facilitators (EFIF) framework – this would represent a meaningful step forward for capital formation for fintech start-ups.
-
How are regulators adapting their supervisory approaches (e.g., RegTech-enabled supervision, API-based reporting) to oversee fintechs operating across jurisdictions or with embedded finance models?
Romanian regulators are increasingly aligning with EU-level supervisory modernisation initiatives, though the pace of domestic implementation reflects the broader challenges of regulatory capacity in an emerging market:
– RegTech adoption: BNR and ASF are engaged with European supervisory authorities (EBA, ESMA, EIOPA) in monitoring RegTech developments. The DORA framework, applicable since January 2025, mandates standardised incident reporting obligations that effectively require in-scope financial entities (including fintechs) to implement technology-based reporting systems, nudging regulators towards technology-enabled oversight.
– Cross-border supervision: Under MiCAR passporting, the ASF cooperates with ESMA and NCAs across the EU in supervisory convergence work. This is particularly relevant for Romanian fintechs operating or seeking to operate across EU member states.
– Embedded finance oversight: The emergence of embedded finance – where financial services are integrated into non-financial platforms – is an area of growing supervisory attention. PSD3 and the PSR (provisional political agreement November 2025) will expand the regulatory perimeter to include certain technical service providers and telecommunications providers in scope for payment services oversight, which will require regulators to adapt their supervisory approaches further.
– Travel Rule compliance: GEO 10/2025 (effective March 2025) transposed the Funds Transfer Regulation (TFR) for crypto-assets, requiring CASPs to collect and transmit sender/recipient data on crypto transfers in real time. This creates a form of automated regulatory reporting that facilitates supervisory oversight.
-
How do your jurisdiction’s securities, commodities, and banking regulators interpret tokenization, DeFi, and stablecoin products under the current legal landscape, particularly in light of the U.S. state-level stablecoin acts and MiCA implementation in the EU?
Romania’s regulatory interpretation of tokenisation, DeFi, and stablecoins is now primarily governed by MiCAR, which has been fully applicable since 30 December 2024, complemented by Romanian national implementation measures:
– Tokenisation and securities law: The ASF and BNR may assess whether a tokenised asset constitutes a financial instrument under MiFID II or a crypto-asset under MiCAR. Tokens conferring profit-sharing or decision-making rights analogous to shares or bonds are more likely to be classified as financial instruments subject to securities law, rather than crypto-assets under MiCAR. A thorough legal evaluation of the specific token characteristics remains essential before any issuance.
– Stablecoins – ARTs and EMTs: Under MiCAR, asset-referenced tokens (ARTs) and e-money tokens (EMTs) have been regulated since 30 June 2024. Per the draft implementing GEO (published May 2025, pending enactment), the competence split in Romania is as follows: ASF is the competent authority for the issuance of ARTs and other crypto-assets, and for the provision of crypto-asset services (including crypto ATMs). BNR is the competent authority exclusively for the issuance of EMTs by credit institutions and electronic money institutions under BNR supervision. The full domestic supervisory framework remains pending formal adoption.
– DeFi: MiCAR does not currently cover fully decentralised protocols where no identifiable intermediary exists. However, ESMA and Romanian regulators are monitoring DeFi developments closely. The degree of decentralisation is a key factual question – protocols that involve an identifiable service provider (e.g., a DAO with governance token holders who make a profit) may fall within MiCAR’s scope as CASPs. Legal advice should be sought on a case-by-case basis.
GEO 10/2025 (effective March 2025) designated the ASF as the supervisory authority for CASPs for AML purposes and transposed the Funds Transfer Regulation. However, the full MiCA authorisation framework – including the formal licensing procedure for CASPs, the ASF’s powers to issue MiCA authorisations, and the detailed compliance obligations – is contained in the main implementing GEO published in draft in May 2025, which as of March 2026 has not yet been formally enacted. MiCAR itself is directly applicable in Romania in the interim.
-
What are the AML/CFT and travel-rule obligations for virtual asset service providers currently, and how do they apply to “non-custodial” or “self-hosted wallet” models?
Romania’s AML/CFT framework for virtual asset service providers has undergone significant development:
– AML framework: Law No. 129/2019 on anti-money laundering and counter-terrorism financing was amended by GEO 10/2025 (effective 13 March 2025) to replace the term ‘virtual currency’ with ‘crypto-asset’ (aligned with MiCAR definitions) and to integrate CASPs as obliged entities. The ASF is the competent supervisory authority for CASPs.
– Travel Rule: The Funds Transfer Regulation (TFR) was transposed into Romanian law via GEO 10/2025. Since December 2024, CASPs are required to collect and transmit originator and beneficiary information for every crypto-asset transfer – mirroring traditional wire transfer requirements. This applies regardless of transaction size, with no de minimis threshold for crypto. CASPs must implement KYC, transaction monitoring, and suspicious activity reporting systems.
– Self-hosted wallets: The TFR applies to transfers from or to self-hosted (unhosted) wallets where a CASP is involved. CASPs must perform additional due diligence for transactions involving self-hosted wallets above EUR 1,000. Purely peer-to-peer transfers between private individuals using self-hosted wallets without CASP involvement fall outside the direct scope, but CASPs are required to flag and manage risks arising from interactions with unhosted wallets.
Importantly, GEO 10/2025 repealed Article 301 of Law No. 129/2019, which had previously established (but never operationalised) a national CASP authorisation mechanism. This repeal means that, until the main implementing MiCA GEO is formally enacted, there is no national CASP authorisation procedure in place in Romania. Compliance with MiCAR directly and with the AML obligations under Law No. 129/2019 as amended remains mandatory.
-
What new prudential or reserve requirements are being imposed on stablecoin issuers or custodians?
Under MiCAR, which has been fully applicable since 30 December 2024, stablecoin issuers in the EU (including Romania) are subject to significant prudential and reserve requirements:
– Asset-referenced tokens (ARTs): Issuers must maintain a reserve of assets at least equal to the amount of outstanding ARTs. The reserve must be composed of low-risk, highly liquid assets and must be segregated from the issuer’s own assets. Regular disclosures of the reserve composition are required. Large ARTs (those reaching the ‘significant’ threshold under MiCAR) face additional requirements, including a cap on daily transaction volumes.
– E-money tokens (EMTs): EMT issuers must comply with the e-money institution requirements under the Electronic Money Directive as transposed in Romania, in addition to MiCAR’s specific EMT requirements. This includes maintaining funds equivalent to the outstanding EMTs in secure, liquid assets.
– Custody: CASPs providing custody and administration of crypto-assets must maintain client asset segregation, ensure assets are not used for proprietary purposes, and maintain adequate capital buffers in line with MiCAR’s class-based capital requirements.
Romanian implementing legislation is expected to specify the national procedural requirements for reserve management, auditing, and reporting to the ASF and BNR. Pending the enactment of this legislation, MiCAR applies directly and is enforceable.
-
How focused are regulators in your jurisdiction on data privacy, cybersecurity, and operational resilience for fintechs, and what enforcement or inquiry trends are emerging?
Data privacy, cybersecurity, and operational resilience have become priority supervisory areas for Romanian and EU regulators, driven by three converging regulatory frameworks:
– GDPR enforcement: The Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) continues to enforce GDPR obligations. Fintechs handling personal data for credit scoring, lending, or KYC must ensure lawful processing, transparency, and, where automated decisions with significant impact are made, appropriate human oversight mechanisms.
– DORA (in force since 17 January 2025): This is arguably the most significant new operational resilience obligation for Romanian fintechs. DORA mandates: ICT risk management frameworks; mandatory incident classification and reporting to competent authorities; digital operational resilience testing (including threat-led penetration testing for significant entities); and comprehensive third-party ICT risk management, including contractual requirements for ICT service providers. Fintechs that were not previously subject to sector-specific ICT standards are now subject to a minimum operational resilience floor.
– NIS2 Directive: Transposed into Romanian law, NIS2 imposes cybersecurity obligations on entities in critical sectors, including financial services. Fintechs operating digital infrastructure that qualifies as essential or important under NIS2 must implement proportionate security measures and report significant incidents.
The EU AI Act penalty regime has been active since 2 August 2025. Enforcement of AI Act obligations for high-risk AI systems (including credit scoring, AML, and fraud detection tools under Annex III) will become fully applicable from 2 August 2026. Romanian fintechs should anticipate increasing supervisory scrutiny under both DORA and MiCAR as ASF assumes its new responsibilities as the national competent authority for CASPs. EU regulators across member states have already initiated enforcement actions against non-compliant CASPs and crypto-asset issuers under MiCAR, with licence revocations and administrative sanctions issued in multiple jurisdictions.
-
What practical steps should cryptocurrency and blockchain companies take to detect and prevent fraudulent transactions, and how can they prepare for regulatory audits, inquiries, and enforcement actions?
Cryptocurrency and blockchain companies operating in Romania should adopt a robust, multi-layered compliance programme:
– KYC/AML infrastructure: Implement comprehensive customer onboarding processes including identity verification (aligned with GEO 10/2025 requirements), risk-based due diligence, and enhanced due diligence for higher-risk clients and transactions.
– Travel Rule compliance: Implement technical solutions (such as IVMS 101-compliant messaging systems) to collect, transmit, and receive originator and beneficiary information with every relevant crypto-asset transfer. Document the technical architecture deployed.
– Blockchain analytics: Deploy on-chain analytics tools to identify transactions linked to sanctioned addresses, darknet markets, or other high-risk counterparties, and integrate these into automated transaction monitoring workflows.
– Incident response planning: Prepare written response protocols for regulatory inquiries, including clear escalation procedures, designated internal and external legal counsel contacts, and document preservation policies.
– Regulatory audit readiness: Maintain an up-to-date compliance manual, documented governance and control frameworks, training records for compliance and operations staff, and board-level oversight documentation for AML/CFT matters.
– Proactive engagement: CASPs operating under the transitional regime should proactively engage with the ASF regarding MiCAR authorisation requirements. Early dialogue is strongly advisable given the absence of a formal ASF licensing process pending enactment of the main implementing GEO.
-
How are fintechs adapting to changing immigration frameworks, such as revisions to U.S. H-1B and digital nomad visas in the EU and Asia, to attract tech and compliance talent globally?
Romanian fintech companies are navigating an evolving immigration landscape with several relevant mechanisms available for attracting international talent:
– EU Blue Card: The primary pathway for highly skilled non-EU nationals to work in Romania and, subject to conditions, across the EU. Requirements include a qualifying employment contract and relevant professional qualifications. The Blue Card facilitates cross-border mobility for senior fintech professionals.
– Highly Skilled Worker visa: Romania has established fast-track procedures for highly skilled workers in specialised fields, enabling quicker processing times for technology and compliance talent critical to fintech operations.
– Digital nomad considerations: While Romania introduced a digital nomad visa framework, fintechs should note that digital nomad arrangements typically do not confer the right to work as an employee in Romania and are more suited to self-employed professionals or contractors. Employment relationships require standard work authorisation.
– EU intra-company transfers: Multinational fintech groups expanding into Romania can use the EU Intra-Company Transfer (ICT) permit to relocate key personnel, including managers, specialists, and trainees, from non-EU entities.
Challenges persist, including processing times, documentation requirements, and ensuring salary and employment condition compliance under Romanian labour law. Engaging local legal and HR advisers experienced in fintech talent acquisition is recommended.
-
What new geopolitical or sanctions-related risks (e.g., digital asset restrictions, AML screening mandates) have emerged that affect fintech operations in cross-border markets?
– EU and US sanctions: Romania-based fintechs accessing EU and global financial markets must conduct real-time sanctions screening against EU and OFAC sanctions lists. The digital asset sector faces particular scrutiny, with sanctions designations covering specific wallet addresses and entities. GEO 10/2025 has reinforced CASPs’ obligations to screen transactions against applicable sanctions lists.
– AMLA (Anti-Money Laundering Authority): Regulation (EU) 2024/1620 established the AMLA, which began limited operations in 2025 and will become fully operational on 1 January 2028. AMLA will coordinate all national AML/CFT competent authorities and directly supervise the highest-risk cross-border entities, including certain CASPs. Fintechs with cross-border operations should prepare for the shift to a more centralised EU AML supervisory model.
– CARF (Crypto-Asset Reporting Framework): Most EU member states are targeting adoption of CARF by 2026, following EU-level ratification. This will require CASPs to report certain crypto transactions to tax authorities, adding a new cross-border data reporting obligation.
– Geopolitical fragmentation: The increasing fragmentation of global payment corridors and digital asset markets due to geopolitical tensions creates compliance complexity for fintechs processing cross-border payments or facilitating crypto transfers involving high-risk jurisdictions.
-
How do immigration and workforce-mobility policies—like work visas, remote-work permits, and intra-company transfers—affect fintechs’ ability to move key staff into new markets, and what practical steps can companies take to avoid talent shortages or delays?
Workforce mobility remains a strategic operational challenge for fintechs expanding into Romania and across the EU:
– EU freedom of movement: EU citizens can work in Romania without work permits, facilitating intra-EU talent mobility. This is a key competitive advantage compared to non-EU jurisdictions for fintechs leveraging the EU single market.
– Non-EU nationals: Obtaining work permits and residence visas for non-EU technology and compliance professionals involves application processing times that can delay operational launch timelines. Romania’s fast-track procedures for highly skilled workers reduce but do not eliminate this risk.
– DORA compliance implications: DORA’s requirements for ICT third-party risk management and supply chain oversight affect how fintechs structure outsourced or offshore technology teams. Any function critical to operational resilience must be properly governed regardless of where the team is located.
Practical steps to mitigate talent shortages and delays include: engaging immigration counsel early in the market entry planning process; establishing EU-based entities to leverage intra-EU mobility; utilising BNR and ASF liaison processes to clarify regulatory qualification requirements for compliance roles; and developing an internal talent pipeline through university partnerships and graduate programmes in Romania’s growing technology sector.
-
How do immigration rules and visa limitations influence the speed and strategy of fintech market entry, particularly when launching operations in multiple jurisdictions?
Immigration considerations are a material factor in fintech market entry strategy in Romania and across the EU:
– EU passporting advantage: A fintech licensed in one EU member state can passport its regulated services across the EU, which means that the core regulatory and immigration footprint can initially be concentrated in a single jurisdiction, with operational expansion managed through cross-border service provision rather than establishing multiple local entities requiring separate staffing.
– Romania as a nearshore hub: Romania’s competitive talent pool in software development, AI, and financial technology, combined with EU membership and relatively lower operational costs, makes it an attractive hub for EU market entry. However, for roles requiring non-EU specialists, the visa processing timeline must be built into market entry schedules.
– Regulatory compliance staffing: As MiCAR compliance, DORA programme management, and AI Act governance roles emerge as specialised functions, fintechs must plan for the recruitment of qualified compliance talent. The scarcity of MiCAR-experienced compliance officers across EU markets is a real operational constraint in 2026.
When entering Romania specifically, fintechs must also ensure compliance with Romanian labour laws, employment contract requirements, social security contributions, and payroll tax obligations. Outsourcing certain business functions is permissible but subject to GDPR and BNR/ASF notification requirements.
-
How can fintechs protect their proprietary algorithms and smart-contract code, balancing open-source use with trade-secret protections and any AI-related disclosure rules?
Protecting proprietary algorithms and software in Romania – and the EU generally – requires a layered IP strategy, given that fintech innovations do not always fit neatly within patent law:
– Copyright protection: Romanian law automatically protects software (including smart contract code) under copyright from the moment of creation, without registration. Copyright vests in the author or, for works created in employment, in the employer (subject to the employment agreement). Practical protection measures include: maintaining clear version control and timestamped development records; using signed contributor licence agreements (CLAs) for any third-party contributions; and including explicit IP ownership clauses in all employment and consultancy contracts.
– Patents: Unlike in the US, EU and Romanian law do not typically allow patents for pure software or algorithms unless they form part of a technical invention solving a technical problem. Fintechs should conduct freedom-to-operate assessments before deployment and file patent applications for any system where a technical effect can be demonstrated.
– Trade secrets: For algorithms and AI model architectures that do not qualify for patent protection, or that the company prefers not to patent (to avoid public disclosure), trade secret protection under the EU Trade Secrets Directive (transposed in Romania via GEO 25/2019) is an important alternative. This requires implementing proportionate confidentiality measures: NDAs, access controls, clean-desk policies, and documented classification schemes.
– AI Act disclosure obligations: The EU AI Act, applicable in phases since August 2024, introduces transparency requirements for high-risk AI systems and GPAI models. These requirements create a tension with trade secret protection for model architectures and training datasets. Fintechs must carefully balance transparency obligations (including documentation for regulators) against the risk of inadvertent IP disclosure.
– Open-source compliance: Fintechs using open-source components must carefully audit licence types (permissive vs. copyleft). GPL or LGPL licences may impose obligations to disclose source code of derivative works, which could compromise proprietary algorithm protection. Maintaining a software composition analysis (SCA) toolchain is essential.
-
What strategies are most effective for safeguarding trademarks and digital brands in an era of AI-generated impersonation, deepfakes, and synthetic media fraud?
In an environment where AI-generated impersonation and deepfake fraud pose growing threats to fintech brands, a multi-layered brand protection strategy is required:
– Trademark registration: The primary and most important protection mechanism. In Romania, trademarks are registered with OSIM and provide national protection. EU-wide protection is available through EUIPO. Fintechs should register their core mark, logo, and key product names across relevant classes (in particular NICE classes 36, 38, and 42).
– Domain and social media security: Securing relevant domain names (including common variations and typosquat domains) and reserving brand identifiers across social platforms reduces the surface area for impersonation attacks.
– AI-generated impersonation: The EU AI Act (applicable since August 2024) introduces obligations for providers of AI systems that generate synthetic content (deepfakes) to disclose the AI-generated nature of the content. Fintechs whose brands are targeted by AI-generated impersonation can invoke these provisions against the system provider.
– Proactive monitoring and enforcement: Automated IP monitoring tools should be deployed to detect unauthorised use of brand assets across web, social media, and digital marketplaces. Where infringement is identified, swift enforcement through cease-and-desist notices, platform takedown requests, and, where necessary, court proceedings is advisable.
-
When fintechs collaborate with outside developers, partners, or open-source communities, how can they make sure they retain ownership of their technology and avoid disputes?
Establishing a robust IP ownership framework from the outset is critical when engaging with third-party developers or entering commercial partnerships:
– Work-for-hire clauses: Contracts with external developers should include explicit work-for-hire provisions confirming that all IP created in the course of the engagement vests in the fintech. Under Romanian law, IP does not automatically transfer to the commissioning party unless there is a written assignment or specific contractual provision.
– IP assignment agreements: Where external developers contribute original code, IP assignment agreements should transfer ownership of all present and future IP arising from the project to the fintech, including any improvements or derivative works. Assignments should be registered where possible to provide notice to third parties.
– Defining joint IP: In partnership arrangements where both parties contribute to a shared innovation, the agreement must clearly allocate ownership, licensing rights, and commercial exploitation rights for any jointly developed IP. The default position under Romanian law is that joint IP is co-owned with equal rights, which can create practical difficulties for commercialisation.
– Open-source policies: A formal internal open-source policy should govern the integration of third-party open-source components, requiring licence review and approval before incorporation, and tracking usage to maintain compliance with licence conditions.
– Smart contract-specific provisions: For blockchain-based projects, IP agreements should specifically address smart contract code, including the right to fork, update, or re-deploy contracts in the event of bugs, regulatory changes, or commercial reconfiguration.
-
What steps should fintechs take to detect, prevent, and respond to competitors or third parties who might copy or misuse their technology, algorithms, or branding, and how do enforcement strategies differ across jurisdictions?
A proactive and structured IP protection programme is essential for fintechs operating in a competitive and internationally distributed market:
– Registration: Register trademarks with OSIM (Romania), EUIPO (EU-wide), and in key target markets. Patent and design registrations should be considered for any innovations meeting the applicable criteria.
– Market monitoring: Deploy automated monitoring services to track competitor filings, domain registrations, app store listings, and social media channels for potential infringements.
– Documentation of creation: Maintain comprehensive development records (version control, commit logs, internal documentation, dated design specifications) to establish authorship and priority in the event of an IP dispute.
– Enforcement response: Where infringement is identified, the initial step is typically a formal cease-and-desist letter. Escalation options include: OSIM/EUIPO invalidity or opposition proceedings; civil litigation before the competent Romanian courts (Bucharest Tribunal for most IP matters); and, for digital platforms, takedown notices or platform abuse reporting.
– Cross-border enforcement: In the EU, the IP Enforcement Directive and the Unified Patent Court (for relevant matters) provide tools for cross-border IP enforcement.
-
How are jurisdictions addressing cross-border IP enforcement for fintech products involving distributed infrastructure and decentralized code bases?
Cross-border IP enforcement for decentralised and distributed fintech products presents novel legal challenges:
– Jurisdictional ambiguity in DeFi: For smart contracts deployed on public blockchains, determining the applicable law and competent court for IP disputes is complex. The country of deployment, the country of the founding team, and the country in which harm is suffered may each assert jurisdiction.
– EU framework: Within the EU, the Brussels I Regulation (recast) governs jurisdiction for civil and commercial IP disputes. The IP Enforcement Directive provides minimum standards for injunctive relief, evidence preservation, and damages.
– EUIPO and WIPO: For trademark and design right enforcement, EUIPO procedures and the WIPO Madrid system provide internationally coordinated mechanisms that reduce the need for separate national proceedings.
In practice, fintechs dealing with decentralised code base IP should prioritise: (i) establishing and documenting clear IP ownership before deployment; (ii) incorporating governing law clauses (particularly in any accompanying terms of service or user agreements) that designate a known and enforceable jurisdiction; and (iii) engaging legal counsel with specific experience in blockchain IP before commencing cross-border enforcement.
-
How should fintechs approach IP protection when licensing or selling software, smart contracts, or AI models to ensure ongoing control and compliance with different countries’ laws?
Structuring IP licensing and sales arrangements for fintech software, smart contracts, and AI models requires careful attention to ongoing control and revenue protection:
– Licence scope and restrictions: IP licences should clearly define permitted uses, territorial scope, duration, exclusivity, sublicensing rights, and any restrictions on modification or reverse-engineering. Field-of-use restrictions can preserve the licensor’s ability to commercialise the technology in adjacent markets.
– AI model licensing – EU AI Act compliance: When licensing high-risk AI systems to EU deployers, the AI Act imposes obligations on both the provider (conformity assessment, CE marking, EU database registration for Annex III systems) and the deployer (human oversight, transparency obligations). IP licences should clearly allocate these responsibilities and include representations and warranties regarding model compliance.
– Source code escrow: For critical software licences, source code escrow arrangements protect licensees in the event of the licensor’s insolvency, while preserving the licensor’s IP ownership.
– Export control and data localisation: Certain fintech technologies (particularly encryption and AI) may be subject to export control regulations. IP licences for cross-border software transfers should include compliance representations by both parties.
– Governing law and dispute resolution: Selecting a reliable governing law and an efficient dispute resolution mechanism (e.g., ICC arbitration) is essential for cross-jurisdictional IP licences, given the diversity of IP laws across markets.
-
Under emerging AI-governance frameworks, such as the EU AI Act and U.S. GENIUS Act, what legal obligations apply to fintechs using AI in underwriting, robo-advisory, and fraud protection?
The EU AI Act – which entered into force on 1 August 2024 and is being implemented in phases – is the primary AI governance framework for EU fintechs. Its key milestones and obligations for financial services are:
– Since 2 February 2025: Prohibited AI practices are enforceable. Fintechs must have eliminated any AI systems that engage in social scoring, subliminal manipulation, or other categorically banned uses. AI literacy obligations also apply.
– Since 2 August 2025: Governance provisions and obligations for General-Purpose AI (GPAI) models are in force. The AI Act penalty regime (Article 99) also became active from this date. Fintechs developing or using foundation models / LLMs must comply with documentation, copyright compliance, and transparency requirements.
– From 2 August 2026: Full obligations for high-risk AI systems listed in Annex III apply – this is the most critical milestone for fintechs. The Act explicitly classifies the following as high-risk AI in financial services: AI systems used for creditworthiness assessment, credit scoring, and lending decisions; AI used for AML risk profiling; and certain fraud detection systems. Obligations include: risk management systems; data governance and quality controls; technical documentation; transparency and human oversight requirements; accuracy, robustness, and cybersecurity standards; and conformity assessments and EU database registration. Note: high-risk AI systems embedded in regulated products listed in Annex I (e.g. medical devices, machinery) have an extended transition period until 2 August 2027.
Robo-advisory services must also comply with existing MiFID II requirements regarding suitability, transparency, and conflicts of interest, in addition to the AI Act obligations where AI-driven recommendations constitute high-risk automated decision-making. Fintechs should begin AI system inventories and gap analyses immediately, given the August 2026 compliance deadline.
-
How can fintechs evidence algorithmic fairness, explainability, and bias mitigation in compliance with new supervisory expectations for automated credit and AML decisioning systems?
Demonstrating algorithmic fairness and explainability is both a legal obligation (under GDPR and the forthcoming AI Act high-risk obligations) and an emerging supervisory expectation in Romania and across the EU:
– GDPR and automated decision-making: Under GDPR, automated decisions (including credit scoring) with significant impact on individuals must involve meaningful human review. Individuals must be informed about AI-driven decisions and have the right to challenge them. Fintechs must implement dispute resolution mechanisms allowing manual review of automated outcomes.
– AI Act fairness requirements (from August 2026): High-risk AI systems must be trained on datasets that are representative, free of biases, and appropriate for the intended purpose. Technical documentation must demonstrate how potential discrimination risks have been identified and mitigated. Fintechs should conduct regular bias audits using diverse test datasets and document results.
– Explainability: Fintechs should deploy explainable AI (XAI) techniques – such as SHAP values, LIME, or model-specific interpretability tools – to generate human-readable explanations of AI-driven credit or AML decisions. These explanations must be intelligible to both regulators and affected consumers.
– Audit trails: Maintain comprehensive audit trails of AI model training data provenance, model version history, testing results, and deployment decisions. This is essential both for regulatory audits and for defending against civil claims of discriminatory or erroneous AI-driven decisions.
– EBA guidelines: The European Banking Authority has issued guidelines on internal governance and model risk management that are directly relevant to AI-driven credit and AML systems. Romanian fintechs should review their model validation and oversight frameworks against these guidelines.
-
What are the IP and data-protection considerations around training proprietary AI models on financial data, and how can fintechs structure data-sharing agreements to minimize risk?
Training proprietary AI models on financial data involves a complex intersection of IP law, data protection law, and regulatory obligations:
– GDPR compliance: Personal data used to train AI models must have a lawful basis (typically legitimate interest or contractual necessity, depending on context). Data subjects must be informed of the processing purpose, and their rights (access, erasure, objection) must be respected. Pseudonymisation or anonymisation of training datasets where feasible reduces GDPR risk, but anonymisation must be robust – partial anonymisation does not exempt processing from GDPR.
– AI Act data governance requirements (from August 2026): High-risk AI systems must be trained on datasets subject to appropriate data governance practices, including examination of potential biases, data quality controls, and documentation of data sources.
– IP ownership of training outputs: The AI model trained on financial data is a proprietary asset of the fintech. IP agreements with any third-party data providers must confirm that training outputs (the model) remain the fintech’s IP and that the data provider has no claim over model outputs or improvements.
– Data-sharing agreements: When accessing third-party financial data (e.g., through open banking APIs under PSD2/PSD3), data-sharing agreements should explicitly address the permissible uses of the data (including model training), data quality standards, purpose limitation, retention periods, and liability allocation for data breaches.
– Third-party AI tools: Fintechs using third-party AI solutions must carefully review vendor licensing terms. If proprietary financial data is processed through a third-party model, there is a risk of IP leakage, model contamination, or unintended use of confidential data. Robust vendor due diligence and contractual protections (including data processing agreements and confidentiality clauses) are essential.
-
How are regulators treating AI-driven investment or credit-decisioning tools for purposes of fiduciary duty, fair lending, and disclosure obligations under updated consumer protection frameworks?
Regulators in Romania and across the EU are increasingly scrutinising AI-driven investment and credit tools, applying existing consumer protection frameworks alongside the new AI governance layer:
– MiFID II and robo-advisory: AI-driven investment advisory tools must comply with MiFID II suitability requirements, conflict of interest disclosure, and best execution obligations. Regulators expect robo-advisers to provide outputs that are at least equivalent in quality and regulatory compliance to human adviser outputs. The ASF monitors compliance with these requirements for entities under its supervisory perimeter.
– Fair lending and anti-discrimination: Under GDPR and forthcoming AI Act obligations, AI credit-scoring systems must not use protected characteristics (race, gender, disability) as decision factors, directly or indirectly. Regulators increasingly expect documented model governance, including bias testing results, to be available for inspection.
– Consumer protection disclosures: Fintechs must inform consumers when an AI system is making or materially influencing decisions affecting them (e.g., a credit refusal or an investment recommendation). This obligation flows from GDPR Article 22, the AI Act’s transparency requirements, and Romania’s national consumer protection framework.
– EBA and ESMA guidance: Both the EBA and ESMA have published guidance on the use of AI and machine learning in financial services, emphasising governance, model risk management, and the need for documented human oversight. Romanian fintechs should treat this guidance as reflecting minimum supervisory expectations.
-
What emerging liability theories (e.g., negligent model governance, failure to supervise AI) could expose fintechs to enforcement or civil litigation in the next 12 months, and how should firms build defensible risk management frameworks?
The next 12 months will see the crystallisation of AI liability frameworks in the EU, driven by the approaching August 2026 AI Act compliance deadline. Key emerging liability theories include:
– Negligent model governance: As AI Act obligations for high-risk systems become enforceable from August 2026, fintechs that fail to maintain adequate risk management documentation, conduct required conformity assessments, or implement mandatory human oversight may face both regulatory enforcement action and civil liability claims from customers harmed by defective AI outputs.
– Failure to supervise AI: Regulators in Romania and across the EU will expect documented evidence that human oversight mechanisms are genuinely operational – not merely procedural box-ticking. A pattern of unreviewed AI decisions, particularly in credit or AML contexts, will attract supervisory attention and could ground civil claims.
– Algorithmic discrimination claims: Civil litigation based on discriminatory AI outcomes is an emerging risk. GDPR’s existing right not to be subject to purely automated decisions with significant effects, combined with AI Act fairness requirements, provides a legal basis for claims by affected individuals.
– Third-party AI liability: Where a fintech deploys a third-party AI model that produces a harmful outcome, the allocation of liability between the fintech (as deployer) and the model provider (as developer) will be governed by the AI Act’s responsibility framework, supplemented by contractual arrangements. Fintechs should ensure their AI supplier contracts clearly address liability allocation, indemnities, and the obligations of both parties under the AI Act.
Building a defensible risk management framework requires: (i) conducting a comprehensive AI systems inventory and risk classification exercise now; (ii) implementing governance structures that demonstrate genuine board-level oversight of AI risk; (iii) maintaining audit trails and documentation that could support a defence in enforcement or civil proceedings; and (iv) establishing contractual protections with AI model suppliers that clearly allocate AI Act responsibilities.
-
What notable examples of fintech-driven disruption or embedded finance adoption have reshaped your jurisdiction’s financial landscape in the past year?
Romania’s fintech landscape has continued to evolve rapidly, driven by consumer digital adoption and an increasingly favourable regulatory environment:
– Mobile and contactless payments: Contactless mobile payment services (Apple Pay, Google Pay) are now standard tools for the majority of Romanian smartphone users. Their widespread adoption has accelerated traditional banks’ digital transformation strategies, as institutions seek to remain relevant in an increasingly mobile-first market.
– Revolut’s continued expansion: Revolut remains the most prominent fintech success story in Romania and has pushed traditional financial institutions to accelerate their own digital offerings in payments, multi-currency accounts, and investment features.
– Cryptocurrency mainstreaming: The applicability of MiCAR since December 2024, combined with greater regulatory clarity, has accelerated the adoption of crypto-asset services among both retail and institutional segments in Romania. The transitional framework for CASPs has facilitated the entry of new compliant operators.
– Open banking and embedded finance: The adoption of PSD2-based open banking has enabled the integration of financial services into non-financial platforms (e-commerce, mobility, healthcare). Several Romanian fintechs and international players are leveraging open banking APIs to offer embedded lending and payment solutions to SMEs and consumers.
– AI-driven financial services: Generative AI applications in personal finance management, credit scoring, and InsurTech are increasingly adopted in Romania, with platforms incorporating AI-driven insights for savings optimisation, risk assessment, and customer onboarding automation.
-
Looking ahead, which regulatory reforms or global coordination efforts—such as cross-border licensing passporting or stablecoin reserve interoperability—hold the greatest potential to accelerate fintech innovation?
Several regulatory developments on the horizon hold significant potential to accelerate fintech innovation in Romania and across the EU:
– MiCAR passporting (EU-wide): As national competent authorities (including Romania’s ASF) complete their MiCAR authorisation frameworks, EU-wide passporting for CASPs will enable Romanian fintechs to access the full EU single market for crypto-asset services from a single authorisation, substantially reducing the cost of cross-border expansion.
– PSD3 and PSR implementation: The formal adoption and publication of PSD3 and the PSR in the Official Journal is expected in the first half of 2026 (following the provisional political agreement of 27 November 2025), with an 18-month transitional period thereafter. Enforcement is not anticipated before late 2027. PSD3 will modernise the EU payments regulatory framework, further enhance open banking and open finance, mandate verification of payee for all credit transfers, and strengthen consumer protection against payment fraud.
– Financial Data Access (FIDA) framework: The proposed FIDA Regulation will extend open banking principles to a broader range of financial data (including insurance, pensions, and investments), enabling new data-driven financial services products. Romanian fintechs should monitor FIDA developments and engage with the consultation process.
– Digital Omnibus simplification: The European Commission’s Digital Omnibus proposal (November 2025), which seeks to align and simplify AI Act, GDPR, NIS2, DORA, and Data Act obligations, could significantly reduce compliance costs for fintechs operating across multiple EU regulatory frameworks, if adopted as proposed.
– AMLA and harmonised AML supervision: The AMLA becoming fully operational in 2028, combined with the harmonised EU AML framework, will reduce the cross-jurisdictional AML compliance fragmentation that currently burdens cross-border fintech operations. This should lower the compliance cost of passporting financial services across the EU over the medium term.
In summary, Romania’s fintech regulatory environment in 2026 is characterised by a newly mature crypto-asset regulatory framework under MiCAR, a rapidly evolving AI governance landscape under the EU AI Act, and significant pending reforms in payments (PSD3/PSR), data access (FIDA), and AML supervision (AMLA). Fintechs that invest in proactive regulatory alignment now will be best positioned to capitalise on the opportunities these frameworks create.
Romania: Fintech
This country-specific Q&A provides an overview of Fintech laws and regulations applicable in Romania.