Romania does not currently have specific regulation on the metaverse. However, legislation specific to intangible assets (such as intellectual property, e-commerce, data protection, cybersecurity, cloud, etc) would apply to the development, marketing and operation of software pertaining to the metaverse, whereas hardware (networks, devices) used for the metaverse would be governed by relevant legislation (eg, legislation on the authorisation of producers of 5G equipment).

When using NFTs in the context of metaverse, it should be borne in mind that the Romanian fiscal authorities have issued guidance on taxing NFTs. Individuals who obtain income from the sale, on specialised blockchain platforms, of content in the form of digital files (NFTs) or royalties from such sales have the obligation to declare these forms of income, regardless of whether they are made in Romania or abroad; these individuals must also pay revenue tax on these income streams.

Moreover, as the Romania is in the process of adopting legislation for digitalisation of public services, the metaverse is not at present on the agenda of Romanian legislators. Difficulties may arise due to the lack of dedicated legislation, at least until EU legislation is adopted in the field.

Romanian Law no 365/2002 on e-commerce transposes into national legislation Directive 2000/31/EC of the European Parliament and of the Council on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (the “e-Commerce Directive”) and thus applies to e-commerce as part of the digital economy.

The provisions of this law are in line with the e-Commerce Directive and thus very much focus on consumer protection, regulating, for example:

• the provision of information society services (which is not subject to any local authorisation procedures);
• commercial communications, which cannot be made without prior consent (similar to the provisions of the legislation transposing the ePrivacy Directive ‒ it remains to be seen whether the new ePrivacy Regulation will bring about changes concerning commercial communications and if consent will remain the only legal basis applicable in such cases);
• information that an e-commerce supplier must provide to the client prior to contracting (eg, technical steps to follow to conclude the contract, technical means for identifying and correcting input errors prior to the placing of the order, languages offered for the conclusion of the contract); and
• the means by which e-commerce contracts may be concluded.

Government Emergency Ordinance no 134/2014 regarding the rights of consumers in contracts concluded with professionals transposes into national legislation Directive 2011/83/EU of the European Parliament and of the Council on consumer rights, amending Council Directive 93/13/EEC and Directive 1999/44/EC of the European Parliament and of the Council and repealing Council Directive 85/577/EEC and Directive 97/7/EC of the European Parliament and of the Council. The ordinance thus regulates consumer rights resulting from distance contracts, mainly the right to withdraw from the contract within 14 days.

Government Emergency Ordinance no 141/2021 on certain aspects regarding contracts for the supply of digital content and digital services (the “Digital Content and Digital Services Ordinance”) transposing Directive (EU) 2019/770 of the European Parliament and of the Council of 20 May 2019 on certain aspects concerning contracts for the supply of digital content and digital services entered into force on 9 January 2022.

The stated purpose of the Digital Content and Digital Services Ordinance is to contribute to the harmonisation at the EU level of the specific, essential, and binding contractual rights of consumers in the EU, along with boosting the digital economy.

In line with the EU legislation, the Digital Content and Digital Services Ordinance:

• applies to any contracts whereby digital content or digital services are provided;
• establishes subjective and objective conformity requirements for digital content and services, such as being in line with the expectations usually associated with the specific type of content/services and to be provided along with updates and all required accessories meant to ensure functionality; and
• regulates consumers’ rights specific to digital services and content, such as the suppliers’ obligation to correct the content/services for lack of functionality or breach of intellectual property rights.

Last but not least, as certain provisions of Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (the “Digital Services Act”) and Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (the “Digital Markets Act”) have entered into force (in October and November 2022), it can be argued that Romania is fairly well equipped for the digital economy from a legal perspective.

Therefore, challenges will more likely result from a practical and economical perspective rather than from a legal one, as Romania ranks last among all EU member states in the 2022 Digital Economy and Society Index. Nevertheless, according to public sources, Romania’s digital economy is expected to grow significantly in the next number of years, with certain reports claiming that by 2030 Romania’s digital economy sector could represent approximately 10% of its GDP.

In 2022, cloud computing became a major focus point for Romanian regulators. The National Recovery and Resilience Plan for Romania after the COVID-19 pandemic, for which the EU allocates funds, includes a major overhaul of public sector services by the creation of a government cloud.

In June 2022, the Romanian government adopted Emergency Ordinance no 89/2022 regarding the establishment, administration and development of cloud IT infrastructures and services used by public authorities and institutions, which represents the general framework for creating the government cloud platform. Secondary legislation is currently pending, with hopes of being adopted in 2023.

In regulated industries such as banking and insurance, using the cloud has specific rules. Cloud services are currently defined in Romanian insurance legislation as services provided via cloud computing technologies to allow universal, convenient, on-demand network access to a common set of configurable computing resources, which can be quickly made available and launched with minimal effort of management from, or interaction with, the service provider. The legislation also defines the following types of cloud:

• public cloud – IT infrastructure available for free use by the general public;
• private cloud – IT infrastructure available for use exclusively by one company; and
• hybrid cloud – IT infrastructure consisting of two or more distinct cloud infrastructures.

The legislation referred to above also imposes certain obligations that will be discussed below.

In addition, a guide on the externalisation of cloud services was released by the Financial Supervisory Authority in August 2021 for the attention of fund administrators and other entities that work with investment funds.

The guide applies from 31 July 2021 to all cloud outsourcing commitments concluded, renewed, or modified on or after this date. The relevant entities had to review and amend existing cloud outsourcing commitments to ensure that they comply with this guide by 31 December 2022. In a nutshell, relevant companies must allocate clearly delineated responsibilities for managing outsourcing contracts. Furthermore, they must monitor the outsourcing contracts on a risk-approach basis.

In the insurance sector, specific norms implement the guidelines on outsourcing to cloud service providers of the European Insurance and Occupational Pensions Authority. Companies are subject to an obligation to evaluate their cloud outsourcing partners in terms of risks posed by the cloud outsourcing activity. Insurance companies are also obliged to document their outsourcing relations in a separate registry, where the information must be kept for two years after the contractual relationship with the outsourcing partner has ended.

These norms on cloud outsourcing also provide minimum contractual provisions that must be included in the cloud outsourcing agreements. Insurance companies are obliged to ensure that cloud service providers comply with legal requirements and appropriate security standards. All critical and significant outsourced cloud operations must be notified in writing to the Financial Supervisory Authority.

Processing personal data in a cloud falls under the principles stated in the General Data Protection Regulation (GDPR). Considering the Guidelines 07/2020 on the concepts of controller and processor in the GDPR issued by the European Data Protection Board (EDPB), the cloud providers mainly act as processors (ie, processing personal data under the instructions and on behalf of the controller), even where they offer standardised cloud services. In all cases where cloud providers act as processors, the parties must conclude a data processing agreement setting forth the conditions of the processing.

Following the invalidation of the EU-US Privacy Shield through the decision of the Court of Justice of the European Union in Schrems II, special attention should be paid to the transfers of personal data to third countries.

Whilst the first step is to ensure that the personal data is stored and processed entirely within the European Economic Area, due to the potential extraterritorial effect of surveillance laws governing third countries, the standard transfer tools provided by the GDPR might not be sufficient.

In this respect, the EDPB issued recommendations on supplementary measures to be used to ensure that the transferred data benefits from the same level of protection as that ensured in the EU.

However, following the recent draft adequacy decision for the EU-US Data Privacy Framework, published by the European Commission on 13 December 2022, it is to be expected that the hurdle related to the transfers in the US will come to an end, at least until a new Schrems III (potentially) invalidates the new framework.

It is expected that, in the next six months, a new adequacy decision for the EU-US Data Privacy Framework will be adopted by the European Commission and put an end to the current problems generated by the potential transfers in the US.

The discussions on the draft AI Regulation have advanced, with the Czech Presidency presenting in November 2022 the final version of the compromise text on AI Regulation adopted by the Council on 6 December 2022.

The compromise text voted for by the Council of Europe:

• provided for a narrower definition of an AI system;
• extended the prohibited AI practices;
• regulated the general purpose of AI systems;
• made explicit references to the exclusion of national security, defence and military purposes from the scope of the regulation;
• clarified that the regulation does not apply (except for the transparency obligations) to AI systems and their outputs used for the sole purpose of research and development or when used for non-professional purposes; and
• increased transparency.

As the next steps, the European Parliament will need to express its views on the text, aiming to vote on it in the first quarter of 2023. Following the vote, it is expected that the AI Regulation will enter into the trilogue process in April 2023.

Given the substantial reach of the data protection rules when dealing with AI, in June 2021 the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) also expressed their concerns with regard to the content of the draft AI Regulation.

In this respect, the two European authorities underlined the need for the AI Proposal to expressly state that the data protection legislation in force applies to all processing of personal data which falls under the scope of the AI Proposal.

At the same time, given the high risks posed by the identification of natural persons in public places by using remote biometric techniques, both the EDPB and EDPS called for a general ban on using AI that allows for automated recognition of human features in public places. The same ban should apply where AI systems use biometrics to cluster individuals on grounds such as ethnicity, gender, and political or sexual orientation.

The EDPB and EDPS also call for a prohibition against using AI:

• in order to infer human emotions, except for specific cases where the recognition of emotions plays an important role for health reasons, such as health purposes; and
• for any type of social scoring.

It remains to be seen if the final version of AI Regulation will address these concerns while ensuring sure that its provisions will not hinder innovation in the field of AI.

Civil Liability

There are currently no specific rules with regard to AI. Thus, the general rules on civil contractual liability and tort law apply, as well as those on administrative liability, the assessment being made on a case-by-case basis.

For instance, under the Romanian Civil Code, there is an obligation for one party to repair the damages incurred by another party as a result of the use of an object. The liability sits with the person who owns or has control over the object or who uses the object in their own interest. Such a person would be held liable regardless of whether there was any fault on their behalf. It is thus not unlikely for a person owning or using AI tools to be held liable for any damages that might result from events caused independently by the AI programme, even if the latter did not receive direct instruction to that specific end.

It should be noted that on 28 September 2022, as part of the European AI Strategy, the European Commission adopted a proposal of the Directive of the European Parliament and of the Council on adapting non-contractual civil liability rules to artificial intelligence (AI Liability Directive). Its aim will be to put in place uniform rules regarding certain aspects of non-contractual civil liability for damage caused by the involvement of AI systems.

In 2022, the Senate of Romania found that the proposal for a Directive of the European Parliament and of the Council on the adaptation of the rules on extra-contractual civil liability to artificial intelligence (Directive on AI liability) – COM (2022) 496 respects the principles of subsidiarity and proportionality.

Big data, machine learning and artificial intelligence are currently not regulated in Romania. Nevertheless, there is increased interest from certain authorities in relation to these fields.

Internet of Things

At the moment, the internet of things (IoT) is not regulated in Romania. Nevertheless, when implementing IoT projects, one must bear in mind various pieces of legislation, examples of which are given below.

Data protection

As IoT products generally collect and process large quantities of personal data, every such product should be thoroughly assessed to ensure its compliance with GDPR requirements, including those referring to data processing impact assessment (DPIA).

The Romanian National Supervisory Authority for Personal Data Processing has put large-scale processing of personal data generated by sensor-based devices transmitting data through the internet or through other means (IoT applications, such as smart TVs, connected vehicles, smart metering, intelligent toys, intelligent cities or other such applications) on the list of data-processing operations for which conducting a DPIA is required prior to deployment.

Cybersecurity

As the IoT implies the use of new technology that may be subject to security vulnerabilities, IoT-based projects might also need to consider compliance with cybersecurity legislation, such as:

• Law No 362/2018 on ensuring a high common level of security of networks and information systems transposing Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the European Union (the “NIS Directive”); and
• Regulation (EU) 2019/881 of the Parliament and of the Council of 17 April 2019 on ENISA (the “European Union Agency for Cybersecurity”) and on information and communications technology cybersecurity certification and repealing of Regulation (EU) No 526/2013 (the “Cybersecurity Act”), which was directly applicable in Romania as of 28 June 2021.

The new Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the EU, repealing Directive (EU) 2016/1148 (the “NIS 2 Directive”) introduces the concept of “important entities” and adds new sectors where such important entities operate that would fall within the revised scope of the NIS Directive. One such sector is the manufacturing of certain critical products, such as:

• computer, electronic and optical products;
• electrical equipment;
• other machinery and equipment not elsewhere classified;
• motor vehicles, trailers and semi-trailers; and
• other transport equipment.

To this end, following the transposition of the NIS 2 Directive into the national legislation (by 17 October 2024), the manufacturers of IoT devices that fall under the scope of the same will need to take key risk-management measures to manage risks to the security of network and information systems.

In 2022, Law no 242/2022 regarding data exchange between IT systems and the creation of the National Interoperability Platform was adopted. It regulates the creation, operationalisation and administration of the tools/means necessary for the delivery in an integrated format of several electronic services by implementing the interoperability platform.

Big Data

Competition

In 2021, the Romanian Competition Council published a document called a “Study on the effects on competition of the usage of Big Data platforms” (the “Study”).

The need for the Study arose both from the rapid evolution of digital markets and the impact of big data on the economy. The absence of sufficient information in that respect caused the Romanian Competition Council to start working on the Study in 2018.

The Study has identified not only the strengths and opportunities arising from the use of big data (ie, economy of time and resources, innovation, efficiency and productivity, real-time information), but also the threats posed by such usage (ie, in the area of data confidentiality, data protection, legitimacy of data usage and control over data quality).

Following the Study, the Romanian Competition Council concluded that, despite the positive impact of big data on economic growth (mainly through increased productivity and efficiency), the same has the potential to affect competition through abuse of dominance by restricting or refusing access to data or through collusion.

Intellectual property

In relation to intellectual property, one issue is whether algorithms used in big data can be protected through intellectual property rights. The answer so far seems to be that such algorithms are excluded from protection under EU copyright laws, since “ideas, procedures, methods of operation or mathematical concepts” are not protected under EU copyright rules.

Patent protection of algorithms is also excluded. However, to the extent algorithms are used in the creation of computer-implemented inventions that are new, involve an inventive step and are susceptible to industrial application, the possibility of patentability, although still uncertain, is not excluded.

It is debatable whether algorithms can benefit from sui generis protection under database protection laws. In order for such protection to be granted, substantial investments must be made in either the obtaining, verification, or presentation of the contents to prevent extraction and/or re-utilisation of the whole or of a substantial part, evaluated qualitatively and/or quantitatively, of the contents of that database. It is unclear whether protecting algorithms can be linked to their role in obtaining or evaluating data.

Algorithms may, however, be protected as trade secrets, as long as they remain secret. However, the lack of transparency in algorithms creates its own set of issues, especially in the context of automated decision-making.

Another issue raised by AI algorithms is that of authorship. In Europe, the European Patent Office has refused two patent applications on the grounds that a machine, instead of a human, was named as inventor. This line of reasoning is likely to be followed by countries such as Romania.

Data protection

The GDPR is based on observing key principles, such as lawfulness, fairness, transparency, purpose limitation, data minimisation, storage limitation, integrity, and confidentiality.

At the opposite end, big data implies:

• collecting a huge amount of information;
• combining data from various sources; and
• further usage of the data in order to analyse and make decisions based on it.

Thus, ensuring that big data does not infringe on GDPR principles can be a challenge.

Given the significant volume of information scattered across multiple systems, a company must have in place procedures and mechanisms enabling the swift location, extraction, rectification, restriction and/or erasure of the personal data concerned.

Open data

In 2022, Law no 179/2022 on open data and reusing information from the public sector was adopted. The purpose of the initiative was the full transposition into national legislation of Directive (EU) 2019/1024 of the European Parliament and of the Council of June 20, 2019, regarding open data and the reuse of public sector information. The legislation aims at facilitating the use of available data from the public sector for the creation of innovative IT products, solutions and services by private companies and strengthening the free flow of information.

Artificial Intelligence

National strategic framework

Romania has plans to develop a “national strategic framework in the field of artificial intelligence” through the project “strategic framework for the adoption and use of innovative technologies in public administration 2021-27 – solutions for business efficiency”.

In 2021, as a first step in the development of the national strategic framework, the Romanian Authority for the Digitalisation of Romania (ADR) in partnership with the Technical University of Cluj-Napoca launched a public consultation on AI. The public consultation was open to academia, businesses, consumers, professionals, and public sector entities that work with AI or for which AI represents a strategic element in the further development of Romania. The purpose of the public consultation has been to obtain qualitative data on the respondents’ view of AI.

This initiative is in line with the European vision on AI, especially in light of the Proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on AI (the “Artificial Intelligence Act”) and amending certain union legislative acts.

From 2023, Romania will be contributing to the NATO Innovation Fund, a multi-sovereign venture capital fund meant to provide strategic investments in start-ups developing dual-use emerging and disruptive technologies in critical areas for allied security.

Competition

The Romanian Competition Council’s Study concluded that, due to the ability of machine learning to learn constantly and adapt following the processing of real-time data, there is a risk of collusion between companies using such machine learning, for example, based on the rapid adaptation to a competitor’s prices. However, in order for a cartel to exist, the will of more than one undertaking in this regard must still exist.

Intellectual property

Please see the 5.1 Machine-to-Machine Communications Secrecy and Data Protection (Big Data) for potential intellectual property aspects, equally touching on AI.

Data protection

In April 2021, the European Commission put forward a Proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on AI (the “AI Proposal”) with an aim to provide a co-ordinated European approach to the human and ethical implications of AI.

The main pieces of legislation regulating audio-visual media services in Romania are Law No 504/2002 on audio-visual content (“Audio-visual Law”) and Decision No 220/2011 on the Code of regulation of audio-visual content (“Audio-visual Code”).

Analogue programme services may only be provided by a broadcaster under Romanian jurisdiction on the basis of the analogue audio-visual licence and, as the case may be, of a broadcasting licence.

Digital terrestrial programming services through a broadcasting/television multiplex operator under Romanian jurisdiction may only be provided on the basis of a licence for the use of radio frequencies in a digital terrestrial system, for the benefit of digital audio-visual licence holders.

Procedure for Granting Audio-Visual Licences

The procedure for granting audio-visual licences is provided in Decision 277/2013 of the National Audio-visual Council (CNA) on the procedure for granting, amending, extending the validity and assignment of the licence and the audio-visual authorisation decision, except for those for digital terrestrial broadcasting, as well as the conditions for the broadcasting of local programmes, retransmissions, or takeover programmes of other broadcasters.

For terrestrial frequencies, the licence is granted based on competition among providers. If the service is provided via electronic communication networks, the licence is granted by decision of the CNA. Both analogue or digital audio-visual licences are granted for a period of nine years, for both radio and television. They can be renewed every nine years.

The holder of the broadcasting licence or the licence for the use of radio frequencies in the digital terrestrial system has an obligation to pay, annually in advance, a tariff for the use of the spectrum.

Video-on-demand services are governed by CNA Decision No 320/2012 regarding the provision of video-on-demand services. The decision does not apply to websites that provide user-generated audio-visual content for sharing, or sharing within a community of interest, such as YouTube.

The provision of on-demand audio-visual media services through electronic communications networks using digital terrestrial television systems is possible only on the basis of a digital terrestrial audio-visual licence granted by the CNA in accordance with the law. Other than that, any person intending to provide on-demand audio-visual media services has an obligation to notify the CNA of this intention at least seven days before the start of the activity.

The provisions of the Audio-visual Law and the Audio-visual Code apply accordingly to the audio-visual programmes broadcast on demand, considering their specificity to be viewed on request and at the time chosen by the user.

Scope of Telecommunications Rules and Approval Requirements

Government Emergency Ordinance No 111/2011 on electronic communications (GEO 111/2011) transposes the main EU legal provisions in the field of electronic communications and covers all activities in the field of electronic communications networks and services.

According to GEO 111/2011, an electronic communications service is a service normally provided for remuneration which consists wholly or mainly of the conveyance of signals on electronic communications networks, including telecommunications services and transmission services in networks used for broadcasting, but excluding services providing or exercising editorial control over content transmitted using electronic communications networks and services.

The provision of electronic communications networks and services is subject to a general authorisation regime and, where applicable, licences for the use of limited resources for the provision of electronic communications networks and services (such as radio frequencies, numbering resources and other associated technical resources). The provision of electronic communications networks and services by persons in the European Union may be limited only for reasons related to defence, public order and national security or public health. The limitation of the freedom to provide electronic communications networks and services is motivated and notified to the European Commission. The provision of electronic communications networks and services by persons outside the European Union may be limited for objective and justified reasons, by decision of the National Authority for Management and Regulation in Communications (ANCOM).

The procedure to become an electronic communications network and/or services provider under the general authorisation regime is free of charge and consists of a notification to ANCOM. Providers of interpersonal communication services that are not based on numbers do not have the obligation to notify ANCOM.

In 2023, ANCOM aims to amend the general authorisation framework to bring it in line with the new amendments to the GEO 111/2011 brought by the transposition into the national legislation of Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (“European Electronic Communications Code”).

Instant Messaging

The European Electronic Communications Code, which came into force on 21 December 2018, extended the scope of electronic communication services. According to this European enactment, electronic communication services encompass the following types of services:

• internet access services;
• interpersonal communications services; and
• services consisting wholly or mainly in the conveyance of signals, such as transmission services used for the provision of machine-to-machine services and for broadcasting.

The concept of interpersonal communications services is new and refers to services normally provided for remuneration that enable direct interpersonal and interactive exchange of information via electronic communications networks between a finite number of persons, whereby the persons initiating or participating in the communication determine its recipients. This concept does not include services which enable interpersonal and interactive communication merely as a minor ancillary feature that is intrinsically linked to another service.

There are two types of interpersonal communications services, namely:

• number-based interpersonal communications services, where the interpersonal communications service connects with publicly assigned numbering resources or enables communication with a number or numbers in national or international numbering plans; and
• number-independent interpersonal communications service, where the interpersonal communications service does not connect with publicly assigned numbering resources or does not enable communication with a number or numbers in national or international numbering plans.

The number-independent interpersonal communications services include instant messaging services such as WhatsApp and Facebook Messenger. According to the European Electronic Communication Code, the national regulatory authorities (NRAs) have powers with regard to instant messaging services consisting of, among other things, submitting requests for information, settling dispute resolutions (including potential cross-border disputes), monitoring the market and protecting end-user rights with regard to non-discrimination, providing information in contracts, ensuring transparency and the quality of service.

The European Electronic Communication Code was transposed into GEO 111/2011 through Law 198/2022 for the modification and completion of some normative acts in the field of electronic communications and for the establishment of measures to facilitate the development of electronic communications networks.

Voice over Internet Protocol

In Romania, Voice over Internet Protocol (VoIP) services using numbering resources are electronic communication services similar to fixed telephony services provided over public switched telephone networks (PSTNs). VoIP services are subject to GEO 111/2011 in terms of numbering resources, number portability, interconnection, quality of service and access to emergency services.

Radio-Frequency Identification Devices (RFIDs)

The National Authority for Management and Regulation in Communications Decision No 311/2016 on radio frequencies and frequency bands, exempted from the licences regime, sets the technical specifications applicable to RFIDs.

In Romania, technology agreements are not regulated as separate contracts in the Civil Code, the general law of contracts in Romania. However, specific regulations can be found in fields such as those identified below.

Competition – Technology Transfer Agreements

In competition law, technology transfer agreements refer to licences where the licensor allows the licensee to exploit the technology that is the subject of the licence for the production of goods or the provision of services. Competition law provisions regulate how technology transfer agreements can take place if the transaction has a national scope. EU provisions are also incident when the transfer has an EU dimension.

Data Storage Location

In relation to the soon-to-be-built government cloud, a draft government decision states that the government cloud services are hosted and offered on a core infrastructure located on the territory of EU member states.

Financial Institutions

Please see the 3.1 Highly Regulated Industries and Data Protection.

Electronic Signatures

From the perspective of electronic signature and trust services, in Romania, Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (“eIDAS Regulation”) is applicable.

Romania also has a national law, Law 455/2001 on electronic signatures, which is obsolete. The Romanian legislature is in the process of drafting a new national law for electronic signatures, focused on the areas where the eIDAS Regulation allows for member states to follow their own approaches.

Digital Identity

In a Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity, the European Commission found that the eIDAS Regulation has not achieved its potential, given that:

• only a limited number of electronic identifications (eIDs) have been notified, limiting the coverage of notified eID schemes to about 59% of the EU population;
• the acceptance of notified eIDs at the level of both member states and service providers is limited;
• only a few of the services accessible through domestic eID are connected to the national eIDAS infrastructure; and
• the added value of the eIDAS Regulation with regard to electronic identity is limited due to its low coverage, uptake and usage.

Therefore, a reform is expected to increase the usage of electronic identification.

So far, Romania is testing a pilot program of issuing electronic identity cards, which is currently ongoing in Cluj county (at least 4,200 electronic identity cards issued); this will be extended to Bucharest in 2023.