CASPs in Romania
The February 2024 draft Government Decision that would have operationalised art. 30¹ of Law 129/2019 by creating a two‑year national licensing regime for virtual‑asset exchange and wallet providers has never been promulgated—it remains posted only in the public‑consultation portal and has not appeared in the Official Gazette. The legal basis for that licence was effectively removed when OUG 111/2020 introduced the authorisation obligation but made its entry into force conditional on a later government decision, and was subsequently abrogated outright by OUG 10/2025, which aligned Romanian law with the EU MiCA package and deleted art. 30¹, substituting a future single‑passport authorisation under Regulation (EU) 2023/1114. Consequently, as of July 2025 no Romanian licence can be obtained; startups need only observe the general AML/CTF duties in Law 129/2019 while preparing for MiCA‑level authorisation once the EU framework takes full effect.
The Ministry of Finance acts through the Commission for Foreign‑Exchange Licensing, while the Authority for Digitalisation of Romania (ADR) grants the separate technical clearance for remote platforms. Other authorities (ONPCSB, ANAF, ANPC, MAI) participate according to their mandates.
-
Authorisation – mandatory for Romanian legal entities that will operate an exchange and/or wallet platform. It is valid for two years.
-
Registration – mandatory for EU/EEA/Swiss entities already licensed or registered in their home State. Validity mirrors the foreign licence’s own expiry.
-
To be admitted to authorisation a company must, cumulatively:
-
be incorporated under Company Law 31/1990 with CAEN code 6499 “Other financial intermediation n.e.c.”;
-
own a remote platform linked to at least one .ro domain and hosted in the EU/EEA/CH;
-
hold at least one Romanian bank account in fiat;
-
have no final convictions for tax evasion, customs, money‑laundering or terrorist‑financing offences and no tax‑fraud filings in the fiscal record;
-
ensure that significant shareholders, administrators and ultimate beneficial owners have spotless criminal and fiscal records and were not involved in a VASP whose licence was revoked in the preceding five years;
-
secure a valid technical clearance (aviz tehnic) from ADR;
-
present proof that the entity, its managers and AML officers are “persoane potrivite și competente” (fit‑and‑proper) and trained in AML/CFT;
-
have no unpaid central or local tax debts and are not in bankruptcy.
-
-
Foreign VASPs seeking Romanian market access must:
-
already be legally authorised/registered at home;
-
appoint a single representative residing or established in Romania with a clean criminal/fiscal record and AML competence;
-
link their platform to at least one .ro domain and host the server in the EU/EEA/CH;
-
open a Romanian fiat bank account;
-
file a professional‑liability policy “in valoare de 1 % din valoarea tranzacțiilor din anul anterior… dar nu mai puțin de 100 000 EUR”.
-
-
The file must include (non‑exhaustive extract):
-
signed application (Romanian language);
-
shareholder/management lists and UBO declaration;
-
criminal and fiscal certificates (or written consent for the Ministry to obtain them);
-
bank‑account extracts;
-
ADR technical clearance;
-
AML policies and proof of specialised training;
-
declarations confirming fit‑and‑proper status and absence of licence revocations;
-
tax‑clearance certificate from ANAF.
-
In addition to the points above (as applicable), file:
-
certified & apostilled copy of home‑State licence/registration;
-
recent trade‑registry excerpt translated and legalised;
-
certified mandate of the Romanian representative;
-
professional‑liability insurance policy;
-
representative’s criminal‑record consent
-
-
Minimum security & functionality. The platform must guarantee confidentiality, integrity, non‑repudiation, strong client authentication, full transaction traceability, encrypted real‑time transmission of KYC and transactional data to Romanian/EU authorities, five‑year data retention and an EU‑based server.
-
Pen‑testing. An annual penetration test conducted by a team holding one of the recognised certifications (e.g., OSCP, GPEN, LPT) is obligatory; the report must be approved by the legal representative.
-
Evaluation report. A conformity report from an accredited eIDAS assessment body, structured as per Annex 2.3, accompanies the application.
-
ADR decision. Issued within 45 days of a complete file; validity two years; suspension or withdrawal automatically suspends or voids the Ministry licence.
-
-
Services must be delivered only via digital wallets that store at minimum the client’s identifying data.
-
Providers freely set exchange rates and must display buy/sell quotations and any fees prominently online in prescribed font sizes.
-
The licence or registration certificate must be published on the website; the original is kept at the fiscal domicile or representative’s office.
-
A real‑time electronic register must record every wallet, every transaction and the IP geolocation of each client, indexed by unique identifiers.
-
Mandatory notifications (10 working‑day limit) cover changes in shareholding, management, representatives, headquarters, domains, servers or AML officers, and any criminal‑record changes.
-
See MICAR Requirements
MiCA already grants legal certainty and future passporting rights, but a startup must earn those benefits: first by qualifying for (or coping without) the transitional window, and then by securing full authorisation under EU-wide standards.
Behind Licentium
Our Edge
Licentium is a specialized platform that connects crypto-asset issuers and service providers with an international network of lawyers, regulatory consultants, and former supervisors. Projects can map applicable rules in key jurisdictions through a single interface, obtain jurisdiction-specific launch advice, arrange the drafting of white papers and licensing applications, and schedule ongoing compliance health-checks. The platform’s curated expert pool spans financial services, data protection, and corporate law, enabling founders to address cross-border requirements—from MiCA in the EU to securities, AML, and consumer-protection regimes elsewhere—within coherent project timelines and budgets.
