Romania will introduce a new regulatory framework for crypto-asset markets, aligning with the EU’s Markets in Crypto-Assets Regulation (EU 2023/1114, MiCA).  This framework set out in a May 2025 draft Emergency Ordinance marks a major shift from the previously limited rules towards a unified, EU-harmonised approach.

Crypto businesses operating in Romania will face clear licensing requirements, oversight by national authorities ASF and BNR, defined compliance timelines, and stringent obligations and sanctions under the MiCA aligned regime. The goal is to foster a secure and transparent crypto market while supporting innovation, so understanding the new rules is important for any company offering crypto-asset services in Romania.

The EU’s MiCA Regulation is the first comprehensive legal framework for digital assets across Europe. It entered into force in mid-2023, but many provisions (especially those for crypto-asset service providers, or CASPs) only apply after a transition to give member states time to prepare. MiCA establishes uniform rules for issuing crypto-assets (like stablecoins and utility tokens) and for firms providing crypto services (exchanges, custodians, etc.), aiming to protect investors and financial stability. As of 30 December 2024, MiCA is fully applicable in all EU countries, with key requirements for CASPs.

Romania’s implementation of MiCA has come via an Emergency Government Ordinance (GEO) drafted in 2025 by the Ministry of Finance. This draft law (expected to be enacted in 2025) lays out the national measures needed to enforce MiCA’s provisions locally. It designates competent authorities, creates an authorisation and supervision framework for crypto businesses, and introduces specific compliance obligations and penalties. The ordinance covers essential aspects such as the licensing of CASPs, regulation of crypto ATMs, technical requirements, fiscal obligations, and transitional arrangements for firms already in the market. In effect, Romania is moving from a fragmented or lax crypto regulatory environment to a unified, MiCA-compliant regime that aligns with European standards. This is a significant development for crypto regulation in Romania, opening the market to EU-wide standards and MiCA compliance.

Under the new framework, two authorities share responsibility for crypto oversight in Romania:

• Financial Supervisory Authority (ASF) – Romania’s non-banking financial regulator.  This the primary authority for the crypto sector. ASF will authorise and supervise crypto-asset service providers (CASPs) and oversee most crypto market activities. In practice, ASF’s remit covers the issuance of most crypto-assets (except those treated as e-money) and the provision of crypto-asset services, expressly including Crypto ATM operations. In other words, companies offering exchange, trading, custody, advisory or ATM services for crypto in Romania will generally fall under ASF’s crypto licensing and supervision.
• National Bank of Romania (BNR) – the central bank – is tasked with areas where crypto intersects banking. BNR will oversee crypto activities conducted by credit institutions (banks) and supervise the issuance of stablecoins that qualify as e-money tokens (EMTs). For example, if a Romanian bank issues a stablecoin or token linked to fiat (an EMT), BNR is the competent authority. In contrast, if a non-bank entity issues an asset-referenced token (ART) (a crypto token pegged to a basket of assets) or any other crypto-asset, ASF would supervise that. This division ensures clear roles: ASF handles most crypto businesses, while BNR handles bank-related crypto products and crypto supervision for stablecoin issuers.

The ASF and BNR will coordinate closely. ASF is designated as Romania’s single point of contact with the European Securities and Markets Authority (ESMA), and BNR is the contact for the European Banking Authority (EBA). They can also draw on support from other state institutions for technical, fiscal, or security expertise – such as Romania’s IT and cybersecurity agencies and the consumer protection authority. Notably, before ASF grants any crypto licence, a technical clearance of the firm’s IT systems by the Authority for Digitalisation of Romania (ADR) is required. Similarly, Crypto ATM operators must obtain two technical approvals (for the ATM device from the National Institute for Informatics, and for the software system from ADR) as part of the authorisation process. These measures indicate that Romanian regulators are focusing on technological and cyber-security robustness as part of crypto oversight.

All crypto-asset service providers targeting the Romanian market will need to register or obtain authorisation under the MiCA framework. MiCA itself sets baseline conditions: a CASP must be a legal entity established in the EU, meet prudential and organisational requirements (including minimum capital), and ensure its management is fit and proper. The Romanian ordinance builds on these by imposing several clear-cut licensing criteria for CASPs:

• Clean regulatory record: The company applying and its directors must have no outstanding tax debts to the state and no relevant criminal convictions or entries in the fiscal record.
• Defined corporate scope: Existing companies already doing crypto business will need to update their official business object (corporate purpose) to include crypto-asset services, and notify the appropriate regulator (ASF or BNR) of their activities.
• Technical and security compliance: Applicants must undergo the technical evaluation mentioned above. A crypto firm’s IT infrastructure (platform security, data protection, etc.) should meet standards set by ADR. For example, crypto trading platforms may be required to conduct technical audits and ensure secure systems before and after licensing. Crypto ATM providers, in particular, must implement security measures (user identification, encryption, secure locations for machines) as mandated by the draft rules.
• Local presence and governance: Although not explicitly stated in the ordinance text, general practice under MiCA will likely require that CASPs have a registered office in Romania or the EU and local management for effective supervision.

To streamline implementation, the draft law empowers ASF to issue secondary regulations detailing the authorisation process and technical requirements within 30 days of the ordinance’s entry into force. This means further guidance (application forms, procedures, etc.) will be released, giving crypto businesses a clear roadmap to get licensed. Before initiating an ASF licence application, however, firms must secure the ADR technical approval of their platforms. Once all conditions are met, a CASP can be authorised by ASF (or BNR for those under its remit) and entered into the official register, allowing it to legally operate in Romania under the MiCA regime.

Gaining a licence is only the first step. Crypto-asset service providers must continually meet a range of compliance obligations under MiCA and Romanian law. Key ongoing requirements include:

• Capital and prudential requirements: CASPs must maintain minimum own funds as required by MiCA (varying by the type of service, to ensure financial stability). They should also have insurance or equivalent guarantees if mandated (for instance, for custody services). These specifics come from MiCA directly.
• Anti-money laundering (AML) compliance: Romania is integrating crypto providers fully into its AML regime. The new ordinance treats CASPs like other financial institutions under Romania’s AML law (Law 129/2019), meaning they must implement robust AML programs. This includes conducting customer due diligence (KYC checks), transaction monitoring, reporting suspicious activity, and having an AML officer.
• Reporting and transparency: Firms will have to provide periodic reports to ASF/BNR on their activities and compliance. They must also be transparent with customers about fees and risks. For example, operators of crypto trading platforms or ATMs are required to clearly display their fees, terms of use, and risk warnings to users. Marketing communications must be fair and not misleading as per MiCA’s consumer protection rules.
• Technical audits and security: The draft rules call for recurring technical audits of crypto-asset platforms to ensure high security standards. If a provider suffers repeated security breaches or fails to protect users’ assets, regulators can escalate enforcement, potentially even suspending the platform’s operations for up to three years in extreme cases. Crypto businesses therefore need to invest in cybersecurity, system resilience, and IT governance. They are also obliged to provide regulators with continuous, remote access to certain data (such as a read-only mirror of transactional data) to facilitate supervision.
• Regulatory fees: Uniquely, Romania is introducing a monthly regulatory fee for authorised CASPs. Licensed crypto providers must pay 0.5% of their monthly operating income to the ASF, by the 15^th of the following month. This “supervisory tax” funds the oversight activities and creates a direct link between a firm’s success and its contribution to regulation. Importantly, failure to calculate and pay this fee on time can lead to automatic revocation of the licence.

In sum, operating a crypto business in Romania will require strict adherence to MiCA’s conduct and prudential rules, as well as additional local obligations (technical approvals, fees, notifications) aimed at ensuring a fair and secure market. Regulators will expect continuous MiCA compliance, not just one-time conformity at licensing.

Timeline and Transitional Provisions

Key dates: MiCA’s provisions start to apply through 2024, with full effect by the end of 2024. The Romanian ordinance, once adopted (likely in 2025), will immediately trigger new compliance timelines for crypto firms. To prevent market disruption, the law includes transitional measures for existing operators.

Under the transitional regime, crypto businesses already active in Romania can continue operating temporarily after the new law comes into force, provided they take prompt action to become authorised. Specifically, any existing CASP (including crypto exchange platforms, wallet providers, and even Crypto ATM operators) must apply for an ASF licence within 30 days of the ordinance’s entry into force. They must also start complying with the MiCA Regulation, the local GEO, and any related rules during this interim period. As long as an application is submitted in time and the firm abides by the new requirements, it may legally continue its activities while the licence is being processed.

This grace period, however, is finite. The draft ordinance stipulates that the transitional allowances expire on 30 November 2025. In other words, by that date all crypto service providers operating in Romania are expected to be fully authorised under MiCA. Firms that fail to obtain a licence by the deadline (or that miss the 30-day application window) will have to cease crypto-related operations in Romania after November 2025, unless further extensions are granted. The November 2025 cutoff is ambitious – it effectively presses ASF to review and decide on all pending licence applications within a tight timeframe. Crypto businesses would be wise not to delay preparations, as last-minute administrative bottlenecks could risk their continuity.

It’s worth noting that MiCA also enables cross-border “passporting” for authorised CASPs (allowing a firm licensed in one EU country to offer services in others, with notification rather than full re-authorisation). The Romanian draft law has caused some uncertainty by implying even EU-authorised providers might need a Romanian licence during the transition. This point may be clarified in the final law or guidance. Nonetheless, until MiCA is fully in force and passporting mechanisms are running, any crypto company focusing on the Romanian market should plan to meet Romania’s local licensing requirements.

Romania’s crypto law introduces sanctions to ensure compliance. The ASF (and BNR, for entities under its supervision) are empowered to take a range of enforcement actions if a provider breaches MiCA or local regulations:

• Administrative fines: Significant monetary penalties can be imposed on firms (and possibly responsible individuals) for violations. MiCA sets maximum fine thresholds (often tied to a percentage of annual turnover) for various infringements, and the national law will operate within those limits to punish misconduct.
• Warnings and orders: Regulators may issue formal written warnings or require a firm to undertake remedial actions. For example, ASF could demand a crypto exchange to improve its security or customer disclosures by a set deadline if shortcomings are found.
• Suspension or restriction of activities: In cases of serious or repeated non-compliance, ASF/BNR can suspend a provider’s business (or specific services) temporarily. The draft also provides the possibility of suspending a business for up to 3 years if critical security breaches persist. Suspension is a severe measure aimed at preventing ongoing harm to consumers or the market.
• Licence revocation: As an ultimate sanction, the ASF can revoke the authorisation of a CASP, stripping the firm of its legal ability to operate. Certain breaches carry automatic revocation – for instance, not paying the regulatory fee as noted above will lead to licence withdrawal. Revocation may also follow if a company is found to no longer meet the licensing conditions (e.g. losing its required capital or an executive gaining a criminal record).
• Public censure: The authorities have the power to publish the sanctions applied, i.e. naming and shaming the offending firm. Public disclosure of enforcement actions serves as a deterrent and informs users which operators have fallen foul of the rules.

Very important, the sanctioning regime distinguishes between administrative offences and criminal violations. Fraud, significant investor harm, or operating without any authorisation can attract criminal charges under existing laws (such as anti-fraud or financial crime statutes). Lesser compliance failures are dealt with via administrative fines or orders. All sanctions will include due process safeguards – for example, firms typically have the right to appeal ASF decisions in court.

Romania’s adoption of the MiCA framework is a sign of a new era for crypto businesses in the country. The combination of ASF crypto licensing, BNR oversight for bank-linked tokens, and detailed local rules means the crypto industry is coming under full financial regulation, much like traditional finance. While this entails more obligations, it also offers long-term benefits: clearer rules of the road, greater consumer confidence, and the ability for Romanian-based providers to passport services across the EU in the future.

Crypto entrepreneurs operating in Romania should prepare early: assess whether their activities fall under the new law, engage with regulators if needed, and strengthen their compliance capabilities (legal, financial, and technical). By doing so, they can turn regulation into an advantage, positioning themselves as compliant and trustworthy players in an expanding market. With the MiCA-aligned framework and the support of authorities like ASF and BNR, Romania is poised to become a credible and innovative hub for crypto-asset services provided that all participants follow the new rules.

Get expert legal guidance for crypto activities in Romania.

Contact BMA Legal today for tailored support.