Detailed overview
Romania: ASF and BNR Expected MiCA Framework (Pending Implementation)
Romania is a MiCA jurisdiction at EU-law level, but its domestic implementation framework is not yet fully operational for Romanian home-state CASP authorisation.
As of the review date, Romania had not formally designated a MiCA competent authority in the ESMA competent-authority list. ESMA records Romania as “to be announced” for competent authority and single contact point.
Romanian Government materials show that a MiCA implementation emergency ordinance was under analysis in first reading in April 2026. The draft is expected to allocate responsibilities between the Financial Supervisory Authority and the National Bank of Romania, but that draft should not be treated as current binding law.
A provider that needs an EU MiCA licence now should not assume that Romania can be used as an operational home Member State until the Romanian implementation act is enacted and the competent authorities are formally empowered.
Regulator
The expected Romanian competent authorities are ASF and BNR, but the final allocation must be checked against the enacted Romanian implementation law.
Government materials indicate that the draft implementation ordinance would designate ASF and BNR as competent authorities with distinct powers over crypto-asset market participants. It would also introduce CASP authorisation and supervision rules, sanctions, fees, crypto-ATM technical approval and transitional provisions.
At the review date, no enacted Romanian MiCA implementation act was verified. The expected authority split should therefore be treated as pending.
BNR and ASF may already be relevant under sectoral laws and AML law. This is especially important for credit institutions, electronic-money institutions, payment institutions, investment firms, market operators, UCITS management companies, AIFMs, CSDs, ARTs, EMTs and other regulated financial activities.
Licensing route
A business that provides crypto-asset services in the EU generally needs MiCA authorisation as a crypto-asset service provider unless it is an eligible financial entity using Article 60 or a duly authorised EU CASP passporting into Romania.
The relevant crypto-asset services are custody and administration of crypto-assets for clients, operation of a crypto-asset trading platform, exchange of crypto-assets for funds, exchange of crypto-assets for other crypto-assets, execution of client orders, placing of crypto-assets, reception and transmission of orders, advice on crypto-assets, portfolio management on crypto-assets and transfer services for clients.
Transfer services are a separate MiCA service and should be included in the service-mapping analysis.
The licence perimeter applies only where the asset is within MiCA. Tokens that qualify as financial instruments, deposits, structured deposits, fund interests, payment instruments, non-MiCA e-money arrangements, insurance products or other excluded products require separate legal analysis.
Romanian home-state authorisation
A Romanian home-state CASP authorisation route is not currently operational in the ordinary sense.
MiCA requires a CASP applicant to submit the authorisation application to the competent authority of its home Member State. Romania has not yet been formally listed by ESMA with an identified competent authority or single contact point.
A Romanian company may prepare a MiCA application package, but it should not assume that a Romanian authority can currently grant a MiCA CASP authorisation.
A credible future Romanian application should include a full service map, legal perimeter analysis, Romania home-state analysis, programme of operations, business plan, constitutional documents, proof of prudential safeguards, governance materials, management fit-and-proper evidence, qualifying-holder information, internal controls, AML and counter-terrorist-financing procedures, sanctions controls, TFR procedures, self-hosted-address controls, risk assessment, business-continuity plan, ICT and DORA materials, client-asset and client-fund segregation procedures, complaints procedures, conflicts management, outsourcing framework, custody policy where relevant, trading-platform rules and market-abuse systems where relevant, exchange commercial policy and pricing methodology where relevant, execution policy where relevant, advice and portfolio-management competence evidence where relevant and transfer-service procedures where relevant.
Article 60 notification
Article 60 is not a general shortcut for unregulated applicants. It is a notification route for specified regulated financial entities and permitted equivalent crypto-asset services.
The Article 60 route may be relevant for credit institutions, central securities depositories, investment firms, market operators, electronic-money institutions, UCITS management companies and alternative investment fund managers.
In Romania, Article 60 must be analysed carefully because the national MiCA competent-authority framework is still pending.
Romanian AML law already refers to CASPs and allocates AML supervision between BNR and ASF for certain regulated entities. BNR is relevant for CASPs that are credit institutions or electronic-money institutions. ASF is relevant for CASPs that are CSDs, investment firms, market operators, UCITS management companies or AIFMs.
That AML supervisory allocation is not the same as a complete MiCA Article 60 notification procedure. The final Article 60 route should be checked once the Romanian MiCA implementation act is enacted.
An unregulated applicant cannot use Article 60.
Transitional position
Romania’s transition should be treated cautiously.
ESMA records Romania with an 18-month MiCA grandfathering period. Under MiCA Article 143, a qualifying provider that provided crypto-asset services in accordance with applicable law before 30 December 2024 may continue until 1 July 2026 or until authorisation is granted or refused, whichever comes first.
ESMA also cautions that some grandfathering periods may not yet have been incorporated into national law.
Romanian Government materials indicate that the draft implementation ordinance would include transitional provisions for legacy crypto operators.
A Romanian legacy provider should not market itself as MiCA-authorised merely because it operated before 30 December 2024 or because Romania is listed with an 18-month grandfathering period.
A transitional provider should preserve evidence of pre-30 December 2024 lawful activity, maintain AML and TFR compliance, and prepare for either MiCA authorisation under the enacted Romanian framework or orderly cessation by the Article 143 backstop.
Passporting into Romania
A CASP authorised in another EU Member State may provide its authorised services in Romania through the MiCA passport.
This may be the most practical route for serving Romanian clients before Romania’s home-state authorisation process becomes operational.
Passporting is service-specific. A CASP may provide only the services covered by its home-state authorisation and passport notification.
Romanian AML law also includes a local single-contact-point rule for CASPs authorised in other Member States that operate in Romania under the right of establishment other than through a branch. That contact point must support AML and counter-terrorist-financing compliance and facilitate supervision.
The single-contact-point rule should be checked against the provider’s actual Romanian footprint. A pure cross-border services model and a local establishment model may be treated differently.
Costs
Romania does not yet have a verified enacted national CASP authorisation fee schedule.
Government materials indicate that the pending MiCA implementation ordinance would introduce fees and tariffs, including for technical approval, monitoring and administration of crypto-ATM infrastructure and for alternative dispute-resolution services.
Those draft fee provisions are not current binding law.
Applicants should budget for legal, governance, AML, sanctions, TFR, self-hosted-address controls, DORA, ICT, custody, outsourcing, complaints, conflicts, audit, accounting, prudential, insurance and operational implementation costs.
The final fee framework should be checked after the Romanian implementation act is published.
Prudential safeguards
A CASP must maintain MiCA prudential safeguards at all times.
The required amount is at least the higher of the applicable permanent minimum capital requirement and one quarter of fixed overheads for the preceding year.
The MiCA class amounts are EUR 50,000 for class 1, EUR 125,000 for class 2 and EUR 150,000 for class 3.
Class 1 covers execution of orders, placing, transfer services, reception and transmission of orders, advice and portfolio management.
Class 2 includes class 1 services plus custody and administration, exchange of crypto-assets for funds and exchange of crypto-assets for other crypto-assets.
Class 3 includes class 2 services plus operation of a crypto-asset trading platform.
Where a provider offers services in more than one class, the highest applicable class applies.
Prudential safeguards may take the form of own funds, an insurance policy, a comparable guarantee or a permitted combination.
A Romanian applicant can prepare this evidence now, but final Romanian supervisory assessment depends on the enacted national framework.
AML, TFR and self-hosted addresses
Romanian AML law has already been amended for crypto-assets.
The Romanian AML framework defines crypto-assets and crypto-asset service providers by reference to MiCA. CASPs are included in the Romanian financial-institution AML framework.
CASPs must apply customer due diligence for occasional crypto-asset transactions of at least the leu equivalent of EUR 1,000, whether carried out in a single operation or several linked operations.
CASPs must identify and assess money-laundering and terrorist-financing risks associated with transfers to or from self-hosted addresses. They must adopt proportionate risk-mitigation measures, including risk-based identification and verification of the originator, beneficiary or beneficial owner, additional information on the origin and destination of the crypto-assets, enhanced ongoing monitoring and measures to mitigate sanctions-evasion risk.
BNR and ASF are designated in Romanian AML law as authorities responsible for supervising TFR compliance for entities under their respective supervision.
A Romania-facing CASP or transitional provider should maintain AML/CFT risk assessment, customer due diligence, beneficial ownership controls, sanctions screening, transaction monitoring, suspicious-activity escalation, TFR travel-rule procedures, self-hosted-address controls, outsourcing oversight, recordkeeping and staff training.
Crypto-asset advice is excluded from the Romanian AML-law CASP definition, but that does not remove MiCA licensing analysis where crypto-asset advice is provided as a MiCA service.
DORA and ICT
DORA and ICT readiness should be prepared before any future Romanian filing or EU passported launch.
A Romanian or Romania-facing CASP should prepare ICT governance, cybersecurity controls, incident-management procedures, business-continuity planning, outsourcing controls, wallet and custody technology controls, operational-resilience evidence and ICT third-party risk management.
A CASP authorised in another EU home Member State and passporting into Romania will need to satisfy the DORA and ICT requirements of its home-state authorisation and ongoing supervision.
Crypto-ATMs
Crypto-ATM rules should be monitored separately.
Romanian Government materials indicate that the pending MiCA implementation ordinance would create technical approval and monitoring rules for crypto-ATM infrastructure, including a national registry and technical approval functions involving the National Institute for Research and Development in Informatics.
These rules were not verified as enacted in this session.
A business operating crypto-ATMs in Romania should not rely only on MiCA service classification. It should monitor the final Romanian implementation act and any technical approval, registration, monitoring, AML and reporting rules.
Token issuance and white papers
CASP authorisation and token-offer compliance are separate.
A Romanian home-state white-paper or token-offer process is affected by the same competent-authority issue as CASP authorisation. Until the Romanian competent authority is formally designated and empowered, Romania should not be assumed to be an operational home Member State for MiCA white-paper filings.
ARTs, EMTs and crypto-assets other than ARTs and EMTs have different MiCA treatment.
A CASP licence should not be treated as covering public offers, admission to trading, ART issuance, EMT issuance or white-paper obligations.
Stablecoin, wallet, exchange, settlement and payment-like structures should be reviewed separately for EMT, ART, e-money and payment-services implications.
Tax reporting
Romania has adopted crypto-asset tax-reporting concepts in separate tax-reporting legislation.
Those rules define crypto-assets and reporting crypto-asset service providers by reference to MiCA concepts. They are not a substitute for MiCA authorisation.
A Romania-facing CASP should prepare data-capture, onboarding, user-identification and transaction-reporting systems with tax-reporting obligations in mind.
Ongoing obligations
A Romania-facing CASP must comply with MiCA, applicable Romanian AML law, TFR, sanctions rules and DORA, and should monitor the Romanian MiCA implementation act once enacted.
Core obligations include governance, management suitability, qualifying-holder controls, prudential safeguards, internal controls, risk management, AML and counter-terrorist-financing procedures, sanctions controls, transaction monitoring, TFR implementation, self-hosted-address controls, business continuity, ICT and DORA controls, outsourcing oversight, complaints handling, conflicts management, custody safeguards, client-asset and client-fund segregation, recordkeeping, fair and non-misleading client information, cost and fee transparency, market-abuse systems where relevant and service-specific conduct rules.
For Romania specifically, the provider should also monitor any final rules on crypto-ATMs, local contact points, alternative dispute resolution, technical approvals, fees and national sanctions.
Enforcement risk
Romania is not a low-risk jurisdiction. The main risk is implementation uncertainty.
MiCA requires Member States to implement administrative penalties and supervisory measures for CASP infringements, including public statements, cease-and-desist orders, benefit-based fines, natural-person fines and legal-person fines.
Romania’s final national MiCA sanction framework was not verified as enacted in this session. Government materials indicate that sanctions are part of the pending implementation ordinance.
Romanian AML and TFR obligations already apply to CASPs and transitional operators within their scope.
The main enforcement risks are operating without valid MiCA authorisation, assuming that Romania can already grant a home-state CASP licence, relying on transition without meeting the Romanian conditions once enacted, using Article 60 without eligibility or procedure, ignoring AML/TFR obligations, weak self-hosted-address controls, weak DORA readiness, unapproved crypto-ATM operations once the final rules are enacted, and misleading authorisation or marketing claims.
Practical assessment
Romania is not currently suitable as an immediate MiCA home-state licensing jurisdiction for a new unregulated CASP.
It may be relevant as a host market served through a valid MiCA passport from another EU Member State.
Romania may become an ASF and BNR-led MiCA jurisdiction once the implementation emergency ordinance is enacted and the competent authorities are formally empowered.
The main execution risks are domestic implementation uncertainty, no verified operational Romanian CASP authorisation process, the 1 July 2026 MiCA transition backstop, service misclassification, Article 60 misuse, AML/TFR non-compliance, self-hosted-address control failures, crypto-ATM uncertainty and public claims that overstate draft-law or transitional status.