Romania Has Three Months to Comply with the EU AI Act. Most Companies Don't Know It Yet.

 



  The countdown is real. On August 2, 2026, the European Union AI Act becomes fully applicable across all member states. In Brussels, large multinationals have had compliance teams running for over a year. In Bucharest, Cluj, and Iași, most companies are still asking the same question: does this apply to us?


  The answer, for a surprisingly large number of Romanian businesses, is yes.


  ---

  What the EU AI Act Actually Is


  The AI Act is the world's first comprehensive legal framework for artificial intelligence. It passed the European Parliament in March 2024, entered into force in August 2024, and has been rolling out in phases since. It doesn't regulate AI as a technology — it regulates AI as a risk.


  The framework divides AI applications into four risk tiers:


  Unacceptable risk — banned entirely. Real-time biometric surveillance in public spaces, social scoring systems like those used in authoritarian states, AI that manipulates people through subliminal techniques. These have been prohibited since February 2025.


  High risk — heavy compliance requirements. This is where most Romanian companies need to pay attention. High-risk AI includes systems used in employment and HR (CV screening, performance monitoring), credit and insurance scoring, educational assessment, critical infrastructure management, and public service delivery. If your company uses AI to screen job applications, assess loan eligibility, or manage infrastructure, you're in this tier.


  Limited risk — transparency obligations. Chatbots must disclose they're AI. Deepfake content must be labeled. Simple, but legally enforceable.


  Minimal risk — essentially unregulated. Spam filters, recommendation engines, AI in video games. The vast majority of consumer AI falls here.


  ---

  Romania's Specific Exposure


  Romania isn't a major AI developer, but it's a significant AI user — and the Act regulates users as much as developers.


  Public sector. Romanian public institutions have been integrating AI-assisted systems for document processing, benefit eligibility, and citizen services, partially funded through EU digital transformation programs. Many of these systems fall into the high-risk category. Public institutions have the same compliance obligations as private companies — and significantly less infrastructure to meet them.


  Financial services. Romanian banks and fintech companies using automated credit scoring or fraud detection models are operating high-risk AI systems. BNR-supervised institutions need to demonstrate risk management frameworks, human oversight mechanisms, and technical documentation for any AI touching credit decisions.


  HR and recruitment technology. The Romanian labor market has seen significant adoption of ATS (Applicant Tracking System) platforms with AI screening components, especially in IT and manufacturing. Under the AI Act, any AI system that filters or ranks job candidates is high-risk. The company deploying it — not just the vendor providing it — bears compliance responsibility.


  Transport and logistics. AI systems used in route optimization, fleet management, or predictive maintenance for public transport fall under critical infrastructure provisions. This includes monitoring and decision-support systems running on vehicle fleets — a category that Romania's extensive public transport network makes directly relevant.


  ---

  What High-Risk Compliance Actually Requires

  

  For Romanian companies running high-risk AI systems, the August 2026 deadline requires demonstrable compliance across several areas:


  Risk management system. A documented process for identifying, analyzing, and mitigating risks throughout the AI system's lifecycle. Not a one-time audit — an ongoing process.


  Data governance. Training data must be documented, biases identified and mitigated, and data quality ensured. For companies using third-party AI models trained on undisclosed data, this creates a difficult documentation problem.


  Technical documentation. The system must be documented in enough detail that a national authority could assess its compliance. For off-the-shelf AI tools integrated into internal processes, this means obtaining documentation from vendors — something many vendors are not yet prepared to provide.


  Human oversight. High-risk AI systems must be designed to allow human intervention. Fully automated decisions in high-risk domains — a loan rejection with no human review path, a CV filtered out with no appeal mechanism — don't comply.


  Transparency to users. People affected by high-risk AI decisions must be informed that AI was involved and must have access to meaningful explanations.


  ---

  The Romanian Compliance Gap


  Several factors make Romania's position more challenging than that of its Western European peers.


  The national supervisory authority is still being formalized. Unlike GDPR, which Romania eventually enforced through ANSPDCP, the AI Act requires a designated market surveillance authority with technical AI expertise. Who that will be, and how well-resourced they'll be by August, remains unclear.


  Many Romanian companies first learned about GDPR from the fines, not the regulation. The AI Act's penalties are significantly higher — up to €35 million or 7% of global annual turnover for violations involving prohibited practices. The assumption that enforcement will be slow to arrive may be correct in the short term, but it's a significant operational risk as a long-term strategy.


  SMEs represent the largest share of Romania's private sector, and the compliance burden for a 50-person company using an AI HR tool is not proportionally smaller than for a multinational. The Act includes some SME provisions, but the core obligations remain.


  ---

  What To Do Before August


  For Romanian companies that have AI systems in production or are planning deployments, three steps are immediately actionable:


  Inventory first. Map every AI-assisted process in the organization. Which ones touch employment, credit, education, infrastructure, or public services? This mapping is the prerequisite for everything else.


  Classify by risk tier. Most AI use will fall into minimal or limited risk — genuinely no action required beyond basic transparency. Identify the high-risk systems and prioritize them.


  Talk to your vendors. If you're using a SaaS platform with AI components for HR, finance, or operations, ask for their AI Act compliance documentation now. Vendors who can't provide it are creating compliance exposure for their customers. This question, asked repeatedly by Romanian customers, will accelerate the vendor response.


  ---

  The Other Side of the Deadline


  Compliance conversations tend to focus on risk and burden. There's another way to read August 2026.


  Romania has a substantial technology services sector that exports software and IT services across the EU. Companies that can credibly demonstrate AI Act compliance — that have the documentation, the processes, the technical infrastructure — have a competitive advantage in a European market where clients increasingly require it.


  The compliance gap is also a market. Romanian consulting firms, legal practices, and technical consultancies that develop genuine AI Act expertise in the next three months will be selling that expertise for the next decade.


  The deadline is the same for everyone. Not everyone is equally prepared.


  ---

  This article was written with the assistance of an AI writing program.


