Yes, VPN usage is legal in Romania, but compliance with national cybersecurity and data protection laws is mandatory. The Romanian Cybersecurity Law (Law No. 362/2018) and GDPR-aligned provisions require VPN providers to register with the National Cyber Security Directorate (DNSC) and adhere to strict data retention and encryption standards. While individuals face no explicit bans, misuse—such as circumventing legal obligations or engaging in cybercrime—remains punishable under the Romanian Penal Code.
Key Regulations for Using a VPN in Romania
- Mandatory Provider Registration: VPN services operating in Romania must register with the National Cyber Security Directorate (DNSC) under Law No. 362/2018, ensuring compliance with EU NIS Directive requirements. Unregistered providers risk fines up to €100,000.
- Data Retention & Logging Restrictions: VPN providers cannot retain user logs beyond 30 days unless required for national security investigations, per GDPR and Law No. 506/2004 on personal data processing. Failure to comply may trigger sanctions from the National Supervisory Authority for Personal Data Processing (ANSPDCP).
- Prohibition on Illegal Activities: Using a VPN to commit cybercrimes (e.g., hacking, fraud, or copyright infringement) is criminalized under the Romanian Penal Code (Art. 325–326), with penalties including imprisonment. Authorities may request decryption under court order.
Note: While VPNs are legal for privacy and circumvention of geo-blocks, their use must not infringe on Romanian or EU legal frameworks. The DNSC’s 2026 regulatory updates further tighten oversight on cross-border VPN services, emphasizing transparency in server locations and encryption protocols.