TVL Tech + ATIC · Romania · Q1 2026

Romania
Cybersecurity
Landscape

A deeply researched analysis of Romania's cybersecurity market, threat landscape, geopolitical context, NIS2 enforcement, industry leaders, AI impact, and quantum computing readiness — compiled from DNSC official data, financial filings, and primary sources.

Prepared by TVL Tech in collaboration with ATIC
Start with the management brief See EU law implementation
Market 2025
Malware surge 2024
Election cyberattacks
NIS2 fine (essential)
Management Brief

What leadership needs to know
in five minutes

What Changed

Cyber risk is now a board issue.

Romania moved from a mainly technical cyber conversation to a regulated, executive-accountability model. NIS2, DORA, and related EU laws now turn cyber controls into legal and governance obligations.

Why It Matters

Operational disruption is the real cost.

The most important impact is not only fines. It is service outage, reputational damage, supplier contagion, and regulatory scrutiny after an incident affecting customers, infrastructure, or public trust.

Immediate Priority

Know your scope and evidence.

Management teams need a clear view of which laws apply, who reports incidents, which suppliers matter most, and what proof of compliance exists today rather than in a slide deck.

Board Question

Could we explain our posture tomorrow?

If a regulator, shareholder, or journalist asked how the company handles cyber incidents, third parties, and product vulnerabilities, the answer should already exist in writing and be testable.

01 — Executive Overview

A market at a
strategic crossroads

Romania enters 2026 as one of the most cyber-contested countries in Central and Eastern Europe — simultaneously a significant exporter of SOC and security services to Western Europe and a country that the World Cybercrime Index 2024 ranked 6th globally as a source environment for cybercrime. That tension defines the strategic challenge of the decade.Oxford

The country faces three simultaneous pressure systems: a wave of ransomware against critical infrastructure revealing systemic unprotected gaps; an unprecedented Russian hybrid warfare campaign that annulled a presidential election; and a binding NIS2 framework now compelling tens of thousands of Romanian entities to fundamentally restructure their security posture.

Yet the fundamentals are compelling. Bitdefender's €330M revenue, Romania's 200,000+ IT specialists, and €310M in EU POCIDIF funding create a launchpad that few CEE peers can match. The question is execution velocity.

DNSC 2024 headline: Health, public administration, and energy are Romania's three most targeted sectors. 101 ransomware incidents were officially handled. Cyberfraud rose +40%. Malware attacks surged +287% year-on-year, pointing to an automation-heavy threat environment. Where this report links that surge to AI-enabled attacker productivity, it should be read as analysis rather than direct DNSC attribution.

$194M
Market size 2025
→ $326–750M by 2030–32
+287%
Malware surge 2024
DNSC official data
85,000+
Election attacks 2024
Russian hybrid operation
101
Ransomware incidents
DNSC 2024 handled
€310M
EU POCIDIF funding
Up to 70% cost coverage
15.8%
Services CAGR 2025–30
SOC nearshoring driver
02 — Threat Landscape & DNSC Official Data

Inside Romania's
attack statistics

The DNSC 2024 annual report reveals a split reality: active countermeasures are working against some vectors while malware and fraud have grown sharply. The official signal is the operational surge itself. Where this report discusses AI-enabled attacker productivity, that is an inference layered on top of official Romanian data, not a verbatim statement from DNSC. Romania is also not a passive victim: the Oxford-led World Cybercrime Index ranked it 6th globally as a source country in the 2024 edition.

+287%
▲ YoY
Malware attacks
+40%
▲ YoY
Cyberfraud
Ransomware incidents
−21%
▼ YoY
Phishing attacks
−28%
▼ YoY
Infected IPs
−39%
▼ YoY
DDoS attacks
−46%
▼ YoY
Defacement

Attack vector trends (2024)

Malware
+286.8% ▲ (commodity malware / infostealers)
Cyberfraud
+40% ▲
Ransomware
101 incidents handled
Phishing
−21% ▼
Infected IPs
−27.8% ▼
DDoS
−38.5% ▼
Web defacement
−45.8% ▼

The +287% malware surge aligns with increased infostealer and commodity malware pressure against organizations with weak MFA and fragmented endpoint hygiene. DNSC publicly named InfoStealer.AgentTesla, TrojanFormbook, and ToolCoinMiner among the dominant families. This report treats any AI contribution as an inference about attacker tooling rather than an official Romanian causal statement.

Most targeted sectors (DNSC 2024)

Healthcare
●●●
Critical, underfunded
Public Admin
●●●
Senate, Gov, Cities
Energy
●●○
IT/OT convergence
BFSI
●●○
9 major banks hit
Transport
●○○
CFR, ports, airports
Telecoms
●○○
Orange, Telekom

In 2024, DNSC intervened at Alpha Bank, BT, BCR, NBR, Exim Bank, BVB; transport (CFR, CNAIR, Constanta Port, Metrorex, both Bucharest airports); telecoms (Orange, Telekom, GTS); and central government (Senate, MFA, Interior Ministry, Bucharest City Hall). No sector was immune.

Critical incident timeline

20 DEC 2025
Apele Române — BitLocker ransomware
~1,000 systems compromised across national water authority and 10 of 11 river basin organizations. GIS, database, email, DNS, domain controllers encrypted via BitLocker (no custom payload needed). 7-day ransom window. Infrastructure was entirely outside CNI protection umbrella.
26 DEC 2025 · 01:40
C.E. Oltenia — ransomware attack on energy producer
Romania's largest coal energy producer was hit six days later by a ransomware operation that disrupted ERP, email, and website systems. The National Energy System was reported as unaffected. Two major infrastructure incidents in one holiday window highlighted how exposed critical operators remain even without any need to prove a single campaign link.
DEC 2024
Electrica S.A. — 800+ servers, 4,000+ workstations
Major ransomware across Bucharest, Ploiești, Brașov, Cluj branches. Electrica Furnizare and DEER operations disrupted. Accelerated OT segmentation planning across the entire Romanian energy sector.
2024 — BFSI
Coordinated banking sector wave
DNSC intervened across Alpha Bank, Banca Transilvania, BCR, NBR, Exim Bank, Bucharest Stock Exchange, and Bank Deposit Guarantee Fund — one of the most concentrated financial-sector intervention waves publicly described by DNSC.
2024 — TRANSPORT
Critical logistics infrastructure targeted
Attacks affected CFR, CNAIR, Bucharest National Airports, Port of Constanta, Metrorex, and Baneasa Airport. Multiple critical logistics operators were targeted within a single calendar year.
2024 — PUBLIC ADMIN
Municipal ransomware cascade
Timisoara City Hall (~112 systems), Bucharest District 5 Hall, Romanian Government, Senate, MFA, Ministry of Internal Affairs, Special Telecommunications Service. Public service continuity severely disrupted across multiple cities simultaneously.
AUG 2025
NIS2 enforcement fully activated
DNSC Orders 1/2025 and 2/2025 entered force. 30-day registration window triggered (deadline: 19 Sept 2025). Maturity self-assessment and risk profile documentation now compulsory for thousands of entities. Fines enforcement framework drafted Oct 2025.
JAN + JUL 2025
Bitdefender: two acquisitions in 2025
January: BitShield Data Defense. July: Mesh Security. Two acquisitions in a single year signal active platform expansion and a willingness to use M&A to deepen endpoint, network, and service-layer capabilities. Employee count is now approximately 2,400.

Risk matrix 2026

Critical
Ransomware on unshielded infrastructure
Significant Romanian water, energy, and transport infrastructure remains outside the CNC protection umbrella. December 2025 proved this is an active operational gap, not a theoretical risk.
Critical
Russian state hybrid warfare
34+ documented Russian hybrid attacks in 2024. Electoral infrastructure hit 85,000+ times. NoName057(16) DDoS on election re-run day. State-level adversary with persistent targeting of Romanian democratic infrastructure.
High
Malware automation (+287%) & fraud (+40%)
Commodity malware, infostealers, and scalable fraud rose sharply in 2024. AI may be increasing attacker productivity, but the verified Romanian signal is the operational spike itself. Low MFA adoption and platform sprawl still amplify exposure across Romanian enterprises.
High
NIS2 compliance gap — €10M fine exposure
Tens of thousands of Romanian essential entities must comply with GEO 155/2024 by Sept 2025. Many are late. Fines up to €10M or 2% of global turnover apply. Boards face personal accountability under Romanian transposition.
Medium
Supply chain lateral exposure
Romania's deep integration in European IT supply chains creates downstream propagation risk. Third-party incidents in Western Europe propagate rapidly into Romanian delivery centers and subsidiaries.
Emerging
Quantum "harvest now, decrypt later"
Nation-state adversaries actively harvesting encrypted Romanian state and financial data for future quantum decryption. No national PQC migration programme launched as of Q1 2026.
03 — Geopolitical Context: The Russian Hybrid Threat

A near-miss in the
heart of NATO

Romania's 2024–2025 presidential election crisis represents one of the most significant geopolitical cybersecurity episodes in the country's post-communist history — and a watershed case study for NATO and the EU on the weaponization of digital infrastructure against democratic processes.

The first round of the November 2024 election was won by Călin Georgescu, a pro-Moscow fringe candidate polling under 5% just weeks earlier, driven by approximately 150 million TikTok views in two months. Declassified intelligence assessments by Romania's CSATNA directly linked the result to "aggressive Russian hybrid actions" — a conclusion that led to the unprecedented annulment of the election by the Constitutional Court.APTechCrunch

The May 2025 re-run was itself attacked on election day by the Russian-linked hacktivist group NoName057(16), which delivered a coordinated DDoS against Romanian state websites. Pro-European reformer Nicușor Dan ultimately won, restoring democratic legitimacy — but exposing enduring vulnerabilities that adversaries will continue to probe.

The 2024 Electoral Interference — By the Numbers

Declassified intelligence revealed the scale of state-sponsored hybrid warfare against Romania's democratic infrastructure — combining technical cyberattacks with large-scale digital information manipulation.

85,000+
Cyberattacks on electoral IT
34+
Russian hybrid attacks in 2024
25,000+
TikTok accounts mobilized
5,000+
Telegram channels deployed

The hybrid warfare playbook used against Romania

PHASE 1 — INFRASTRUCTURE ATTACKS
85,000+ attacks on electoral IT systems
Stolen election-server credentials appeared on Russian hacker forums before the vote. Attacks continued intensively on election day and the night after. DNSC confirmed: "The operating mode and amplitude leads us to conclude the attacker has considerable resources specific to an attacking state."
PHASE 2 — ALGORITHM MANIPULATION
TikTok weaponized at industrial scale
TikTok algorithms fed politically balanced users three times more far-right content than any other. 25,000+ TikTok accounts and 5,000+ Telegram channels mobilized. ~150M views in two months for a candidate polling under 5%.
PHASE 3 — AI DISINFORMATION
AI-generated content at campaign scale
AI-generated content, bot networks, and troll farms amplified pro-Russian messaging. Investigations linked the operation directly to Russian hybrid warfare doctrine. The Social Design Agency (EU-sanctioned, Moscow-funded) was implicated in coordinating distribution networks.
OUTCOME — RESILIENCE
Democratic institutions held — barely
The Constitutional Court, intelligence services, and electoral authority acted decisively to prevent a foreign-manipulated outcome. Pro-European Nicușor Dan won the May 2025 re-run. Romania is now cited as a regional precedent for addressing digital-era election interference within NATO.

Geopolitical cyber implications for 2026+

Persistent Russian targeting

Intelligence assessments conclude that Russian hybrid operations against Romania will intensify, not diminish. Romania's role as a key NATO Eastern Flank ally, its support for Ukraine, and its position as a Black Sea strategic hub make it a sustained priority target.

Critical infrastructure still exposed

Romanian intelligence warned in 2025 that infrastructure vulnerabilities remain that could be exploited heading into further elections. The December 2025 attacks on Apele Române and Oltenia Energy demonstrate that adversaries are simultaneously probing physical infrastructure alongside political systems.

Regional coordination with Moldova and Ukraine

Romania is intensifying cyber-policy and incident-response coordination with Moldova and Ukraine through Bucharest-hosted meetings, Eastern Flank resilience dialogue, and EU-level forums. The strategic direction is clear even where the institutional formats are still evolving.

Bucharest Cybersecurity Conference — NATO hub

BCC2025, organized by DNSC, established Bucharest as a strategic NATO cyber diplomacy venue, hosting panels on transatlantic cooperation against hybrid threats and Romania's role as "a key NATO ally on the Eastern flank setting the standard for countering hybrid threats across Europe."

04 — NIS2 Enforcement: GEO 155/2024

The compliance
reckoning is live

Romania did not drag its feet on NIS2. GEO 155/2024 was adopted December 30, 2024 — implementing a much broader, risk-based cybersecurity regime than the prior NIS1 framework under Law 362/2018. Law 124/2025, which entered force July 10, 2025, refined and expanded scope further, explicitly adding retail pharmacies and pharmaceutical supply chains.OUG 155/2024Law 124/2025

DNSC Orders 1/2025 and 2/2025, entering force August 20, 2025, triggered the 30-day registration window (deadline: September 19, 2025) via the NIS2@RO platform. As of Q1 2026, enforcement is active. DNSC published a draft sanctions order in October 2025. Boards are personally accountable. The era of treating cybersecurity as an IT problem is legally over.

One key surprise: NIS2 Romania does not use size as a safe harbour. If an entity underpins a critical sector — even as an SME SaaS provider — it may be classified as essential and face full audit standards. Digital supply chain exposure is pulling many SMEs unexpectedly into scope.

Key obligation: 24-hour early warning → 72-hour detailed notification → 1-month final report. Miss the 24-hour window and regulatory timeouts trigger automatically. DNSC's NIS2@RO portal is the only valid submission route.

Board liability: Once DNSC formally identifies an entity, management must designate a cybersecurity-responsible person within 30 days. Boards must actively understand and oversee cyber risk — not delegate it entirely to IT.

Repeat offenders: Romanian law allows a 50% increase over the applicable fine cap for repeat violations. For a large multinational, this means exposure to €15M+. Fines are calculated on global turnover — not Romanian revenue.

Fine structure — GEO 155/2024 / Law 124/2025

Essential entities
€10M
or 2% of global annual turnover — whichever is higher
Covers energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT managed services, public administration, and space sectors. Fines calculated on worldwide revenue of the entire corporate group.
Important entities
€7M
or 1.4% of global annual turnover — whichever is higher
Covers postal services, waste management, chemicals, food, medical devices, manufacturing, digital providers (search engines, social platforms, data centres). Public sector may face compliance orders and public disclosure instead of monetary fines.

Compliance opportunity: €50M+ pipeline

NIS2 mandatory spending from entities previously underinvesting creates an estimated €50M+ annual procurement opportunity for Romanian MSPs and integrators through 2027. IAM and next-gen firewalls top procurement lists.

CYRESRANGE — national cyber range

DNSC secured EU funding (€1.7M total, contract 101128088) for the CYRESRANGE project — building interconnected national cybersecurity training ranges with scenario-based exercises for CSIRTs and critical infrastructure teams.

NCC-RO — European coordination

Romania's National Coordination Centre (NCC-RO) coordinates EU cybersecurity investment under Digital Europe and Horizon Europe. Keynote at BCC2025: "Romania's cybersecurity ambition: Strengthening Europe's network through NCC-RO."

04B — European Cybersecurity Laws in Romanian Implementation

From Brussels text to
Romanian enforcement

Romania is no longer dealing with a single cyber rulebook. The legal stack now includes one transposed directive and several directly applicable EU regulations. In practice, that means compliance work is split between national law, Romanian regulators, and EU-level technical standards.

The dividing line matters. NIS2 required Romanian transposition, which Romania implemented through OUG 155/2024, later approved and amended by Law 124/2025. By contrast, DORA, the Cyber Resilience Act, and the Cyber Solidarity Act apply directly across the EU, so Romanian entities do not wait for a local copy of the law to become binding; they wait for supervisory processes, implementing standards, and national coordination mechanisms.

Implementation takeaway: for Romanian boards, the question is no longer "Which law applies?" but "Which regulator, which deadline, and which evidence set applies to this entity, this product, or this incident?"

NIS2
Transposed into Romanian law
DNSC-led national enforcement
DORA
Directly applicable since 17 Jan 2025
Financial-sector operational resilience
CRA
In force at EU level
Product security and vuln handling
CSA
EU cyber reserve & solidarity
Romania benefits via DNSC and CSIRT roles
Directive + National Law

NIS2 in Romania

EU base: Directive (EU) 2022/2555.

Romanian implementation: OUG 155/2024, approved and expanded by Law 124/2025. Romania assigned DNSC a central operational role, built the registration and reporting path around the national platform, and imposed governance duties directly on management bodies.

What implementation looks like: entity identification, registration, risk-management measures, incident reporting, vulnerability handling, supervisory review, and sanctions inside the Romanian legal system rather than through the directive text alone.

EU Regulation

DORA for Romanian finance

EU base: Regulation (EU) 2022/2554.

Romanian implementation layer: DORA does not need transposition, but Romanian supervised entities still need local supervisory interfaces. The ASF DORA page and its implementing standards page show how the regulation is operationalized for supervised firms.

What implementation looks like: ICT risk governance, incident classification and reporting, testing, third-party register discipline, and supervisory evidence for banks, insurers, investment firms, and other covered financial entities.

EU Regulation

Cyber Resilience Act and the Romanian product market

EU base: Regulation (EU) 2024/2847.

The CRA targets products with digital elements, not just operators of essential services. For Romanian software vendors, integrators, hardware distributors, and importers, the practical shift is that cybersecurity becomes a product-market access issue, with secure-by-default design, vulnerability processes, and manufacturer obligations built into the compliance model.

Key timing: the regulation is in force, vulnerability and severe incident reporting obligations start earlier, and broad application follows from 11 December 2027 according to the EUR-Lex summary.

EU Regulation

Cyber Solidarity Act and Romania's incident capacity

EU base: Regulation (EU) 2025/38.

This is not a corporate compliance rule in the same way as NIS2 or DORA. Its implementation effect is mainly institutional: it creates a framework for EU-level preparedness, a Cybersecurity Reserve, and cross-border support arrangements that Romania can use through DNSC, national CSIRT functions, and EU-funded capability projects.

What implementation looks like: stronger detection, shared response capacity, and a pathway for Romania to plug national incident response into EU-level surge support rather than relying purely on domestic capacity.

What this means for Romanian organizations

Operators now map to multiple regimes

A Romanian bank may face DORA directly, NIS2-derived obligations through national law depending on entity status, and supplier-side exposure to the CRA through the technology it buys and sells. Legal scoping is now a board-level architecture task.

Implementation is increasingly evidence-based

The laws converge around artifacts: risk registers, incident logs, supplier inventories, management accountability, testing records, and vulnerability workflows. Romanian entities should expect supervision to focus on evidence quality, not policy text alone.

Vendors are pulled into the compliance perimeter

NIS2 widened the operator perimeter, while the CRA extends cyber accountability to products. Romanian software firms and integrators can no longer treat cybersecurity regulation as something that only hits utilities, banks, or ministries.

Sources for this section

05 — Industry Players & Revenue

The companies
defining the sector

Romania's cybersecurity industry is sharply bifurcated: one globally dominant champion (Bitdefender, ~€330M revenue) and a growing ecosystem of specialist firms scaling through nearshore SOC services, penetration testing, digital trust, and EU-funded R&D. Safetech Innovations remains the only publicly listed pure-play cybersecurity firm on the Bucharest Stock Exchange. The management takeaway is straightforward: the market is no longer just one flagship company, but one flagship plus a widening bench of niche specialists.

This chart is useful for scale, not precision. Bitdefender and Safetech are grounded in reported figures; several other companies are shown as market estimates and should not be read as audited comparables.

#CompanyRevenueGrowthKey metricsStatus
01
Bitdefender
Endpoint · MDR · XDR · Cloud · Threat Intel
€330M
▲ +62.6% FY2024
 RON 1.67B revenue; RON 239.6M net profit. 30B threat queries/day. 400M endpoint telemetry. 2,400 employees. US = 40%+ revenue. GravityZone PHASR, Security Data Lake (2025). 2 acquisitions in 2025. Operation Endgame partner. PrivateGlobal
02
CyberGhost
VPN · Privacy · Consumer Security
~€30M est.
▲ Steady
 38M+ global users. Bucharest HQ. Acquired by Kape Technologies (UK). Major international VPN provider by user base. Consumer and SMB-focused privacy stack expanding into zero-trust. SubsidiaryGlobal
03
Zitec
MSSP · SOC-as-a-Service · Cloud Security
~€20M est.
▲ SOC >50% rev
 ISO 27035-aligned 24×7 SOC. Major nearshore partner for Western EU clients. Bilingual analysts. 40–60% cost differential vs. Western EU peers. Core contributor to Romanian SOC nearshoring export leadership. PrivateNearshore
04
Safetech Innovations
SOC · Pentesting · DFIR · Advisory
€11M (FY25)
▲ +53% H1 2024; FY25 RON 55M
 RON 42.3M revenue (+36%) and RON 13.5M net profit in FY2024. RON 55M revenue in FY2025. 7 of Romania's top 10 banks as clients. BVB:SAFE. Bucharest, London, Abu Dhabi. Saudi Arabia expansion 2025. Targeting 57% revenue increase in 2026. BVB ListedIntl
05
CoSoSys
Data Loss Prevention · Endpoint Protector
~€10M est.
▲ Global DLP growth
 Romanian DLP specialist with global enterprise customers. Endpoint Protector product line. CVE-2024-36075 vulnerability discovered Jan 2024 — patched. Major international footprint in regulated industries. PrivateGlobal
06
Bit Sentinel
Red Team · Pentesting · DFIR
~€4M est.
▲ High growth
 Elite offensive security firm. Strong CTF roots via UNbreakable Romania (Gold Recognition, European Digital Skills Awards finalist 2024). Boutique red-team and incident response across CEE enterprises. Private
07
PentestTools
SaaS · Automated Pentesting
~€4M est.
▲ SaaS scaling
 Romanian SaaS automated penetration testing platform. Global B2B customers. Strong SME growth driven by NIS2 compliance demand. Early Game Ventures-backed. Penetration-testing automation aligned with AI-driven continuous validation trend. SaaSGlobal
05B — Startups & Emerging Companies

The next wave of
Romanian cyber

Romania's startup story is no longer limited to one global champion. The market now has a visible second layer: AI-native SOC tooling, offensive-security automation, identity and fraud platforms, and founder-led companies that have already produced credible exits. For management teams, this matters because the local ecosystem is becoming a source of products, not just nearshore services.

Management startup map

Company Focus Romania Link Current Signal Source
Arcanna.ai
 AI-native SOC decision intelligence Romania-linked through Siscale / SeedBlink coverage Seed-funded, product and docs live Official
TypingDNA
 Behavioral biometrics and continuous authentication Romanian-founded identity / trust story Established product with security relevance Official
Pentest-Tools
 Automated pentesting SaaS Romanian product company International B2B reach, validation automation Official
Cyberhaven
 AI-powered data security Romania-linked founders $1B valuation announced in 2025 Series D
CODA Intelligence
 Detection / endpoint security product Romanian startup-to-exit example Acquired by PDQ PDQ
Pentra
 AI-assisted pentest workflow tooling Regional / ecosystem-relevant Emerging automation-led platform Official
Black Bullet
 Cyber services and NIS2 readiness Bucharest-based scale-up European expansion signal Official
Bit Sentinel
 Red team, DFIR, education Romanian scale-up with community role Strong practitioner visibility Official
CybrOps
 Testing, CTI, resilience, NIS2 delivery Romania-based services and research posture ENISA-linked execution role Official
SCUT
 Unified cyber platform Romania launch backed by Orange Strategic launch rather than VC-first startup Official

AI cyber startups and AI-native platforms

Arcanna.ai

Arcanna.ai represents the type of AI-native SOC platform that Romanian MSSPs, SOC teams, and investors should be watching. Its positioning is not generic GenAI; it is decision intelligence for alert handling, triage, and SOC workflow acceleration. It is also relevant to the Romanian ecosystem because SeedBlink and Romanian startup media have tracked it as a product built by Romanian developers under Siscale.

TypingDNA

TypingDNA is more identity- and fraud-oriented than SOC-oriented, but it belongs in an AI-cyber watchlist because behavioral biometrics and continuous authentication sit directly in the overlap between cybersecurity, AI modeling, and digital trust.

Pentest-Tools

Pentest-Tools is not positioned the same way as Arcanna.ai, but it is relevant as an automation-led security product company. For Romanian buyers, it sits in the broader move toward continuous validation and scalable security workflows that increasingly converge with AI-enhanced operations.

Romania-linked startup and exit watchlist

Cyberhaven

Cyberhaven belongs on a Romania-linked watchlist because Romanian media identify it as founded by Romanians, while the company itself publicly announced a $1 billion valuation in April 2025. It is an AI-powered data security company with strong U.S. traction and a product category aligned with the enterprise AI-security shift.

CODA Intelligence

CODA is one of the clearest Romanian cybersecurity startup-to-exit examples. Founded in Bucharest and later acquired by PDQ, it shows that the local ecosystem can generate cyber products that are attractive enough to be absorbed into larger international platforms.

Pentra

Pentra sits in a practical niche that maps well to Romanian service firms: turning messy pentest work into structured, audit-ready output with automation and AI assistance. It is the kind of product that can emerge naturally from the region's offensive-security talent base.

Black Bullet

Black Bullet is more accurately an emerging Romanian cyber services company and scale-up than an early-stage startup, but it belongs in this section because it shows how Bucharest-based firms are turning pentesting, incident response, governance, and NIS2 readiness into a broader commercial cyber platform.

Operational scaleups and service-led challengers

Bit Sentinel

Bit Sentinel is a scaleup worth calling out separately because it combines offensive security services, incident response, cyber education, and community building. That combination gives it influence beyond raw revenue and makes it one of the more visible Romanian firms in the regional practitioner ecosystem.

CybrOps

CybrOps belongs here as a Romanian cyber scaleup focused on testing, threat intelligence, resilience, and regulated-market work. Its ENISA-linked NIS2 delivery role and research-lab posture make it more than a generic consulting shop.

SCUT

SCUT is important because it is a newly launched Romanian cyber company backed by Orange Romania and supported by Orange Cyberdefense. It represents a different path to scale: not startup-first venture growth, but a strategically backed platform built around unified cyber operations for the Romanian market.

06 — Artificial Intelligence Impact

AI as weapon
and shield

Artificial intelligence is affecting Romania's cyber landscape in two ways. First, Romanian firms led by Bitdefender are productizing AI in endpoint, MDR, and scam-detection workflows. Second, automation, deepfakes, and low-cost content generation are lowering attacker costs across fraud, influence operations, and malware delivery. The defensive product launches in this section are source-backed; any attacker-side AI attribution should be read as analysis unless an official source says so directly.

This is an illustrative trend chart designed to explain direction of travel to non-technical readers. It should be treated as a visual summary, not as an official statistical series.

▲ AI as Defender — Romanian capabilities
Bitdefender — 30 billion queries/day engine
ML models trained on 400M endpoint telemetry. GravityZone PHASR (Oct 2025): industry's first AI-driven proactive hardening for individual users — closing security gaps before exploitation. GravityZone Security Data Lake (Nov 2025): unified telemetry across endpoints, networks, clouds — cutting alert overload and investigation time.
Scam Copilot — consumer AI at scale
Scamio (Dec 2023) → WhatsApp (Apr 2024) → Discord (Oct 2024) → consolidated Scam Copilot platform (Oct 2024). Hundreds of millions of users now have access to AI-powered scam detection. Romania pioneered consumer-facing AI security at messaging platform scale — a category largely unexplored by Western peers.
DNSC SAFE Project — national AI SOC
EU grant no. 101190370 (€692,504 budget) funds an AI-powered national SOC platform. SAFE deploys AI to identify, analyse, mitigate, and respond to threats across national civil cyberspace — transforming DNSC from reactive to predictive national cyber defence posture.
Voyager Ventures — AI startup investment
Bitdefender Voyager Ventures led participation in Gambit Cyber's $3.4M seed round (Dec 2025), backing AI-driven continuous threat exposure management. Romania's flagship cyber firm is actively investing in the next generation of AI security startups, seeding ecosystem growth beyond its own products.
▼ AI as Attacker — threats confirmed against Romania
Malware automation (+287% — DNSC confirmed)
The largest single data point in Romania's 2024 threat report. Automated credential theft and commodity malware benefited from weak MFA adoption and platform sprawl. DNSC confirmed the surge and named dominant malware families; any AI contribution should be treated as an analytical explanation for attacker efficiency rather than an official Romanian attribution.
Faster ransomware operations
The energy and utilities incidents show how fast operators now need to detect and contain lateral movement and extortion activity. Whether a specific actor uses autonomous AI or simply mature automation, the management implication is the same: manual response windows are collapsing.
AI disinformation at electoral scale
The 2024 electoral interference deployed bot amplification, cheap content generation, and algorithm manipulation at campaign scale, driving enormous reach for a fringe candidate. This represents a management-relevant threat category: not infrastructure compromise alone, but digital trust erosion through industrialized information operations.
Deepfake executive fraud & shadow AI
Voice and video deepfakes of Romanian executives emerging as BEC vectors. 85% of European organizations experienced deepfake-related incidents in 2025. Romania's nearshore IT sector faces additional risk from shadow AI — developers using unsanctioned LLMs to process proprietary client code outside any governance framework.

NIS2 makes rapid detection non-optional

NIS2's 24-hour early warning model makes faster detection and escalation operationally necessary. AI-assisted monitoring helps, but the compliance point is speed and evidence quality, not ownership of a specific AI tool.

EU AI Act creates advisory opportunity

AI systems in critical infrastructure security are high-risk under the EU AI Act, requiring conformity assessments. Romanian firms with dual AI + regulatory expertise — currently a rare combination — are positioned for a premium advisory market emerging from this intersection.

Bitdefender's data moat

400M-endpoint telemetry is an unreplicable competitive advantage — decades of Romanian R&D compounding into a dataset no new entrant can build. This positions Romania's flagship firm for sustained AI-era global relevance regardless of model commoditization trends.

07 — Quantum Computing Impact

The cryptographic
reckoning approaches

Quantum computing does not yet threaten Romanian encryption — but adversaries may already be collecting encrypted Romanian state, financial, and NATO-shared intelligence data with explicit intent to decrypt it once cryptographically-relevant quantum computers (CRQCs) arrive. This "harvest now, decrypt later" strategy is confirmed by intelligence agencies globally as actively deployed.

Google committed to full post-quantum cryptography (PQC) migration by 2029 (March 2026 announcement). NIST finalized its first PQC standards in August 2024. No publicly visible national PQC migration programme was identified for Romania as of Q1 2026. The window for methodical, cost-efficient transition is narrowing — a delayed start compresses migration into a future crisis rather than a managed programme.

Romania's NATO membership creates a collective security obligation: CISA (US), NSA, and NATO cyber commands are actively pushing PQC migration across alliance members. Romania's lagging posture is both a domestic vulnerability and a NATO-level concern.

The quantum chart is scenario-based. Its purpose is to show why migration planning starts early, not to claim a precise break date for current encryption.

2026
Harvest active. No break yet.
No CRQC exists. RSA/ECC mathematically secure. Nation-state adversaries actively harvesting Romanian encrypted data. NIST PQC finalized (CRYSTALS-Kyber, CRYSTALS-Dilithium, FALCON, SPHINCS+). Romania: no national migration plan. Google: committed to migrate by 2029.
CRQC probability: <1% · Harvest threat: Active
2027–29
Critical migration window
EuroQCI targets operational status 2027 (pan-European quantum communication). Google migrates by 2029. Romanian banks and government must complete cryptographic inventories and begin hybrid PQC deployments. OT systems (15–30 year lifecycles) require planning now.
CRQC probability: 1–5%
2030–34
High-risk window — act or expose
Global Risk Institute: 17–34% CRQC probability by 2034. Romanian healthcare data (lifetime protection), classified intelligence, and NATO-shared secrets face existential retroactive exposure if not migrated. Legacy PKI becomes critical liability.
CRQC probability: 17–34%
2035+
Post-quantum era
BCG/NIST consensus: CRQCs achieve cryptographic relevance ~2035. RSA, ECC, Diffie-Hellman simultaneously vulnerable. All data without PQC protection retroactively exposed. Internet trust infrastructure must be comprehensively rebuilt from the protocol layer up.
CRQC probability: 50–79%

Romania's quantum exposure profile

Immediate · Banking & Finance
RSA-encrypted transaction records harvested today
Romanian banks process billions in daily RSA/ECC-secured transactions. The NBR has no published quantum migration timeline. BFSI leads Romanian cybersecurity spending (22.4% share) — yet quantum preparedness is effectively zero across the sector.
High Risk · Government & NATO Intelligence
Collective security obligation — not just domestic risk
Romanian SRI, diplomatic, and NATO-shared intelligence communications are high-value harvest targets with decade-long adversary planning horizons. Romania's NATO membership makes PQC preparedness a collective security obligation, not merely a domestic IT decision.
High Risk · Healthcare
Patient record lifetime exceeds CRQC window
Healthcare records require protection over decades — far beyond the CRQC arrival window. Healthcare is Romania's fastest-growing cyber segment at 16.3% CAGR. Yet PQC adoption is effectively zero, compounded by the sector's already-underfunded security infrastructure.
Medium · Energy OT Systems
Long-lifecycle infrastructure: plan now, deploy later
Energy infrastructure lifetimes of 15–30 years mean systems procured in 2026 will be operational when CRQCs arrive. OT cryptographic upgrades are operationally complex. Post-incident planning momentum from December 2025 attacks creates a rare opening for proactive quantum readiness.

Romania's recommended quantum roadmap

1. National cryptographic inventory (2026)

DNSC mandates all NIS2 essential entities to inventory RSA, ECC, and DH deployments — piggybacking existing NIS2 compliance audits at zero additional budget. Establishes migration baseline across public and financial sector simultaneously.

2. NIST PQC in all new procurement (2026–27)

CRYSTALS-Kyber and CRYSTALS-Dilithium incorporated into all new public sector IT procurement and TLS configurations. Align with Google's 2029 target and expected EU PQC mandates. Make PQC compliance a default procurement criterion, not a future retrofit.

3. EuroQCI integration — QKD for government (2027)

Accelerate Romanian integration into the European Quantum Communication Infrastructure targeting operational status 2027. Provides quantum key distribution for highest-sensitivity SRI and diplomatic communications — NATO's most urgent Romanian requirement.

4. Mandate crypto-agile architectures

All new public systems require modular cryptographic design and automated update mechanisms — per NIST's March 2025 crypto-agility memo. Build the migration capability now; execute it incrementally. Rigid implementations that cannot update rapidly carry severe long-term risk, as demonstrated by the Heartbleed precedent.

08 — Research Institutions & Academic Output

Romania's academic
cybersecurity engine

Romania has developed a substantive academic cybersecurity research ecosystem anchored by three major universities, a national research institute, and a growing conference tradition with internationally peer-reviewed publications. This academic layer is the talent pipeline feeding both the domestic industry and the ECCC — Europe's cybersecurity research headquarters, which chose Bucharest for a reason.

Key academic institutions

Bucharest · Host of ECCC Headquarters
Politehnica University of Bucharest (UPB)
A major Romanian technical university and host institution of the European Cybersecurity Competence Centre (ECCC) — the first EU body headquartered in Romania, located in UPB's Campus building. UPB offers an Advanced Cybersecurity master's programme and actively participates in EU-funded research consortia. Key faculty include Prof. Emil Simion (cryptography) and Dr. Andrei-George Oprina (security). UPB also operates the E2 Center in partnership with the US Government and Nuclearelectrica.
Cluj-Napoca · EIT Digital Partner
Babeș-Bolyai University (UBB)
UBB's Faculty of Mathematics and Computer Science runs a visible Cyber Security MSc programme in partnership with EIT Digital — the European Institute of Innovation and Technology's digital innovation network. Dr. Darius Bufnea leads cybersecurity education programmes with 40+ research papers across networking, congestion control, and cybersecurity topics. UBB has directed multiple Romanian national research grants and participated in several EU-funded research projects.
Bucharest · Military & National Security Research
"Carol I" National Defence University
+ Military Technical Academy
Carol I NDU's Department of Cybersecurity (head: Col. Dănuț Turcu) focuses on cyber defence in the context of hybrid warfare, geopolitical security, and NATO interoperability. The Military Technical Academy offers an Information Technology Security Master's programme and has participated in joint research contracts (PCCDI #17/2018) with Politehnica Bucharest, UPB, and Bucharest University of Economic Studies.
Bucharest · National Research Institute
ICI Bucharest — National Institute for Research & Development in Informatics
ICI Bucharest is Romania's primary national informatics R&D institute, led by Dr. Adrian Victor Vevera (former CERT-RO General Director). ICI serves as Scientific Director through Dr. Carmen Cîrnu, publishes the Romanian Journal of Computer Science and Automation and the Romanian Cyber Security Journal, and regularly participates in European research consortia. ICI is a key partner in the CYRESRANGE project (EU-funded national cyber range network).
Bucharest · Economic Security Research
Bucharest University of Economic Studies (ASE)
ASE hosts the Cyber Knowledge Club (non-profit, CIF 31079668), organizer of the SecITC conference — Romania's leading international cryptography and information security conference. ASE's IT Security programme produces graduates specializing in cybersecurity for financial and regulatory environments. The university hosted the 18th SecITC 2025 international conference in November 2025.

Key research conferences & publications

SecITC — Springer LNCS Series (Annual, Bucharest)

Romania's flagship international cryptography conference, now in its 18th year. SecITC 2025 (November 20–21, ASE Bucharest) published 20 full papers selected from 44 submissions, covering: Cryptographic Primitives & Protocols · Post-quantum Cryptography · AI Techniques for Security · Application, System & Network Security. Published as Springer LNCS volume — internationally indexed.

Past LNCS volumes: 2024 (vol. 15595, 16 papers from 49 submissions) · 2023 (vol. 14534) · 2022 (vol. 13809) · 10 consecutive annual volumes since 2015.

CyberCon Romania 2025 (November, EC Representation)

Organized by RAISA (Romanian Association for Information Security Assurance), held at the European Commission Representation in Romania — emphasizing EU-level significance. IC3 Proceedings Vol. XII, 2025 (ISSN 2393-0837) included:

"AI-Assisted Anomaly Detection for Cybersecurity in IMS Core Networks: A KPI-Driven Study Based on Real-World Telecom Data" (Văduva, Politehnica) · "Enhancing the Security of High-Responsibility Information Systems Through Fault Tree Modeling" (Copaci, Bacivarov) · "Enhancing 5G Infrastructure to Withstand Emerging Digital Threats" (Benchea) · "Post-Quantum Cryptography: Encryption Methods and Performance Evaluation" (Copaci, Copaci).

Bucharest Cybersecurity Conference (BCC) — Annual policy event

DNSC's annual flagship conference and a high-profile regional cybersecurity policy event. BCC2025 (October 6–8, 2025) was co-organized with ECCC, ENISA, and NCC-RO. Partners included IEEE Romania, Carol I NDU, Politehnica Bucharest, ICI Bucharest, and the FBI at the U.S. Embassy. The conference covers hybrid warfare, critical infrastructure, AI/quantum security, and transatlantic cooperation — reinforcing Bucharest's role as an Eastern Flank cyber diplomacy venue.

Romanian Cyber Security Journal · Romanian Journal of CS & Automation

Two nationally-indexed academic journals published by ICI Bucharest covering cybersecurity research, policy, and applied computer science. Combined with the Springer LNCS SecITC proceedings, Romania now has a multi-tier academic publication ecosystem spanning national to international indexing.

Intelligence reports and landscape reads

Operational baseline: ENISA + Romania's legal stack

Management teams that want a grounded view of Romania should start with the EU's own maturity and threat framing, then map that back to Romania's enforcement model under DNSC. ENISA gives the sector-wide benchmark; the Romanian transposition explains how that benchmark turns into obligations on the ground.

Romania in global cyber context

The Oxford-led World Cybercrime Index is one of the clearest reference points for understanding why Romania appears so often in cyber intelligence discussions. It does not describe the whole market, but it does explain why threat, law-enforcement, and governance questions matter so much in this landscape.

Track Romania through ECCC and EU programmes

Because Bucharest hosts the ECCC, Romania's cyber landscape is influenced not just by national policy but by the flow of EU programmes, calls, events, and matchmaking. Following ECCC pages is now part of following Romania.

Recent papers and journals with Romanian relevance

Governance and critical infrastructure

Romanian institutes are publishing more on governance, resilience, and large-scale infrastructure than on purely academic cryptography alone. That makes the local research output increasingly useful to CISOs and public-sector leaders, not just to academics.

Romania in peer-reviewed conference output

SecITC remains the strongest single publication signal in the Romanian scene because it places Bucharest on the Springer LNCS circuit. For management readers, that means Romania is producing research that is visible in international security and cryptography channels, not only in local proceedings.

Applied telecom, 5G, and post-quantum research

Romanian conference and journal output is increasingly focused on practical security engineering themes that line up with market demand: telecom resilience, anomaly detection, 5G hardening, and post-quantum evaluation. Those are the subjects most likely to translate into funded projects and enterprise demand.

Emerging companies and specialist firms

Pentest-Tools

Pentest-Tools is one of the clearest Romanian product stories in offensive security and validation. It shows that Romania is not only exporting services; it is also producing usable security software with global reach from a local base.

Bit Sentinel

Bit Sentinel matters less because of absolute size and more because it sits at the intersection of red teaming, incident response, education, and community. Its role in UNbreakable Romania gives it disproportionate influence on talent formation and the local offensive-security culture.

TypingDNA

TypingDNA broadens the Romanian cyber story beyond classic SOC and endpoint language. Its behavioral-biometrics angle is relevant because digital identity, fraud prevention, and continuous authentication are increasingly part of the cyber budget even when vendors are not labeled as pure-play cybersecurity firms.

Conferences, speakers, and convening power

DefCamp

DefCamp remains one of Romania's best-known hacker conference brands and one of the clearest signs that Bucharest is not just a policy venue but also a practitioner venue. The 2025 speaker announcements included names such as Johnny Xmas, Victoria Shutenko, and Inbar Raz, reinforcing its international draw.

Digital Innovation Summit Bucharest

ICI's Digital Innovation Summit Bucharest is useful because it connects cyber, government, and policy audiences rather than staying purely inside the security community. For management readers, it is one of the better windows into how Romanian institutions frame digital trust and resilience.

Bucharest as a regulatory venue

The Romanian capital is also becoming a location for EU regulatory and market-shaping events. That matters because the country's influence is no longer limited to implementation of Brussels rules; it increasingly hosts the discussions that shape how those rules are operationalized.

TVL Tech + ATIC ecosystem context

TVL Tech ATIC

Why this report is co-branded

TVL Tech brings the management, delivery, and market-reading lens. ATIC adds institutional ecosystem context from Romania's long-running IT&C association network. Together, that framing makes the report more useful as a practical market brief rather than only a static research note.

ATIC's relevance to the cyber ecosystem

ATIC describes itself as an independent, non-governmental, apolitical professional association for Romania's IT&C sector. On its official pages it also presents itself as Romania's oldest association of its kind and as an active member of CEPIS, WITSA, and IT STAR. That matters here because ATIC functions as a convening layer between companies, professionals, international industry networks, and public institutions.

For this report, the most relevant ATIC signals are its institutional-partner role for Cybersecurity Forum in Bucharest on March 16, 2026 and its role in the national selection process for the WITSA World Cup for Scaleups. Those are ecosystem indicators, not just branding details.

Press releases and press articles to monitor

Press releases: ecosystem signals

Company and institutional press releases often surface the first concrete signs of movement in the Romanian market: acquisitions, new EU projects, framework contracts, and capability launches. For a management dashboard, these are often more actionable than broad commentary.

Press articles: politics, platforms, and trust

The most important media coverage on Romania is not always about malware. The election-interference story pushed cyber policy into mainstream political reporting, which is exactly why management teams need to watch press coverage as well as technical sources.

Management filter: what these sources are good for

Press coverage is best used to detect narrative shifts, regulatory pressure, and reputational spillover. Press releases are best used to detect budget, product, and partnership moves. Combining both gives a better management picture than relying on technical reporting alone.

Romania's academic cybersecurity talent pipeline

Large tech graduate pipeline

Romania is widely cited as one of the larger technology talent pools in Europe, with strong annual ICT graduate output and better female ICT participation than many regional peers. For management teams, the practical point is talent depth: Romania can still supply engineers, analysts, and product builders at scale relative to its market size.

Key feeder universities: UPB (Bucharest), UBB (Cluj-Napoca), "Alexandru Ioan Cuza" University (Iași), and Politehnica Timișoara — all running dedicated security programmes.

UNbreakable Romania — CTF pipeline

The national CTF competition for high-school and university students, operated by Bit Sentinel on the CyberEDU platform. UNbreakable received the Gold Recognition from the Global Cybersecurity Education Framework (2025 edition, 1,200+ projects analysed) and was named a finalist in the European Digital Skills Awards 2024 (Cybersecurity Skills category) — for the second consecutive year.

2026 edition adds local CTF rounds at schools and universities, plus "Girls in Cyber" bootcamp (20 participants, mentorship and career guidance).

Safetech EU R&D investment — published financial data

Safetech Innovations' BVB FY2025 annual report confirms: "income from the production of fixed assets rose 8% to RON 17.9M, reflecting investments in intangible assets and cybersecurity solutions financed through both EU funds and Company's own resources."

Headcount grew from 73 to 78 employees specifically to staff "ongoing projects financed by European and national funds." Safetech participates in 5 EU/national R&D projects with combined value ~RON 14M.

09 — European Grants & Romanian Beneficiaries

Romania at the
heart of EU funding

Romania occupies an advantageous position in EU cybersecurity funding: it hosts the ECCC headquarters, participates actively in Horizon Europe and Digital Europe consortia, has secured multiple DNSC project grants, and now has an ENISA framework contract held by a Romanian-led consortium. The total EU cybersecurity investment flowing through or to Romanian entities is substantial — and accelerating under the 2025–2027 work programmes.

ECCC — Romania's strategic anchor

European Cybersecurity Competence Centre — Bucharest

The ECCC is the first EU body headquartered in Romania, located at Politehnica University of Bucharest (Campus building, inaugurated Oct 2024). It manages EU cybersecurity investment under Digital Europe and Horizon Europe programmes.

Since establishment, the ECCC has invested over €600 million in cybersecurity projects across Europe, with an additional €400 million expected by 2027. Romania's strategic positioning as the ECCC host gives Romanian entities close proximity to funding decisions, consortium calls, and matchmaking events — including the Access-2-Market series connecting buyers and suppliers.

€600M+
Invested since establishment
€400M
Additional by 2027
€145.5M
2025 open call budget

Active Romanian EU projects (confirmed)

ECCC Grant · Digital Europe · Active 2025
DNSC — SAFE Project (Grant 101190370)
Budget: €692,504 (50% non-reimbursable). Purpose: AI-powered national SOC platform for detecting, sharing, responding to, and recovering from cyber threats and IoT vulnerabilities. Partners: Datasentics (CZ). DNSC budget: €346,252 non-reimbursable EU contribution.
ECCC Grant · Digital Europe · Active 2024–2025
DNSC — CYRESRANGE (Grant 101128088)
Total project value: €1,746,240 (€1,101,643 non-reimbursable). Purpose: National cyber range network — interconnected Cybersecurity Centers of Excellence based on cyber ranges. Partners include ICI Bucharest RA. Key outputs: unified cyber range API, gamification platform, large-scale exercise scenarios for CSIRTs and critical infrastructure operators.
ECCC Grant · Digital Europe · Active 2025
POLITEHNICA Bucharest — SOCcare (Grant 101145843)
Purpose: Build better insights into cyber threats by enhancing analysis of digital artifacts and sharing threat intelligence across Eastern Europe. Partners: NRD Cyber Security (LT), RevelSI, Politehnica Bucharest. March 2025: first threat dataset sharing phase activated. Focus: enhanced cyber resilience across the Digital Europe region.
CEF Grant · JTAN · Active
DNSC — JTAN (Grant INEA/CEF/ICT/A2020/2373165)
CEF/ICT-funded JTAN project includes free network traffic monitoring sensors offered to Romanian SMEs — 150 sensors distributed at no cost to enable early cyber threat detection and network vulnerability identification. Target: SMEs that cannot afford commercial security monitoring.
DNSC Project · Active 2024–2026
DNSC — SIEMBIOT (Open Collaboration Platform)
SIEMBIOT is DNSC's open collaboration platform for cybersecurity research — facilitating creation and dissemination of vulnerability detection methods, advanced threat search queries, and response runbooks. National R&D initiative complementing the EU-funded SAFE and CYRESRANGE projects.
DNSC Project · Active 2024
DNSC — IRIS Project (IoT & AI Threat Response)
IRIS creates a framework to support European CERTs/CSIRTs for detecting, sharing, responding to, and recovering from cybersecurity threats in IoT and AI-based ICT systems. A Platform-as-a-Service (PaaS) against AI and IoT cyber threats. Three core technology components integrate with CSIRT operational workflows.

The grants chart mixes Europe-wide programs and Romania-specific projects on a log scale so that large and small programs can be seen together. It is meant to show relative order of magnitude.

Romanian companies winning European contracts

certSIGN + Bit Sentinel + CybrOps — ENISA Contract (Sep 2025)

A Romanian-led consortium secured a framework contract with the European Union Agency for Cybersecurity (ENISA) following a competitive international tender. certSIGN leads, with Bit Sentinel and CybrOps as partners. Budget: up to €900,000 over three years.

Scope: Cybersecurity preparedness and response services for Romania under the NIS2 Directive implementation. DNSC coordinates delivery to NIS2-regulated entities. This is a notable ENISA operational contract held by a Romanian-led consortium — a significant signal of maturity in the Romanian cybersecurity services market.

certSIGN: Romania-based, specialized in cryptographic solutions and digital trust services. Operates a private CSIRT accredited by Trusted Introducer. CEO: Adrian Floarea, PhD (cryptographic algorithms).

Safetech Innovations — 5 EU/national R&D projects (active 2025)

From Safetech's BVB FY2025 filing: the company participates in 5 EU and national research projects with a combined value of approximately RON 14 million. Projects include European consortia focused on cybersecurity for healthcare, industrial control systems, and critical infrastructure.

Safetech has also executed cybersecurity projects for securing critical infrastructure in: USA, Canada, Brazil, Morocco, EU, Singapore, Philippines, India, China, and New Zealand — demonstrating that Romanian cybersecurity expertise now operates at global scale.

FY2025 income from intangible asset development (largely EU-funded R&D): RON 17.9M (+8% YoY). EU project participation directly funded 78 full-time employees in 2025.

EU funding landscape for Romanian entities (2025–2027)

Digital Europe Programme — Cyber WP 2025–27

The ECCC's DEP Cyber Work Programme 2025–2027 (adopted March 2025, amended June 2025) covers: Transition to post-quantum PKI (€15M) · AI-based cybersecurity systems for national SOCs (€15M) · SME cybersecurity uptake (open call) · National Cyber Hubs (€2M) · Advanced enabling technologies for SOCs.

Total 2025 open call budget: €55M under Digital Europe. Romanian entities (companies, SMEs, public bodies, universities) are directly eligible. ECCC's Bucharest location means Romanian applicants have unique proximity to programme managers.

Horizon Europe — Cluster 3 Civil Security (2025)

Horizon Europe 2025 call (HORIZON-CL3-2025-02-CS-ECCC) totals €90.55M across 6 topics: Generative AI for cybersecurity (€40M) · Advanced operational cybersecurity tools (€23.55M) · Privacy Enhancing Technologies (€11M) · Post-Quantum Cryptography security evaluations (€4M + €6M + €6M).

Romanian universities and research institutions (UPB, UBB, ICI Bucharest, Military Technical Academy) are natural consortium partners for PQC and AI security topics given their established research track records in these areas.

POCIDIF National Programme (ongoing)

The national POCIDIF programme allocates €160M for R&D and €150M for advanced digital tools, covering up to 70% of eligible cybersecurity costs. Quarterly award rounds create a predictable pipeline.

Beneficiaries bundle grants with bank credit, stretching subsidies across licence renewals and multi-year services. SME CAGR of 17.2% through 2030 is directly driven by POCIDIF subsidy-enabled adoption of endpoint detection, MFA, and zero-trust solutions. DigiLocal (200M lei) additionally targets municipalities.

Cyber Solidarity Act — EU Reserve (Feb 2025)

The EU Cyber Solidarity Act entered force February 4, 2025. It establishes a €36M EU Cybersecurity Reserve (ENISA-managed) for trusted incident response services across critical sectors, and funds National + Cross-Border Cyber Hubs (€2M per hub, Dec 2025 call).

Romania's DNSC is positioned to benefit from both the Reserve (as a national CSIRT receiving EU surge capacity support) and the Cyber Hub funding — which aligns with the ongoing CYRESRANGE national cyber range programme already operational.

EIT Digital — UBB Cybersecurity MSc

Babeș-Bolyai University's Cyber Security MSc programme is delivered in partnership with EIT Digital — the European Institute of Innovation and Technology's digital innovation network. This positions UBB's graduates within EIT Digital's pan-European talent network, connecting them to European tech companies and startups.

Programme contact: cyber-master@cs.ubbcluj.ro (European/EIT Digital path). UBB appears to offer one of the clearest Romanian pathways into EIT Digital's cybersecurity network — a meaningful differentiator for students and employers alike.

RoEduNet EU-funded network security

The EU-financed overhaul of RoEduNet (Romania's national education and research network) deploys 14.4 Tbit/s routers and elastic cloud nodes, with approximately 20% of project value earmarked for security appliances — including deep packet inspection, SASE gateways, and automated compliance reporting.

This creates a significant procurement opportunity for Romanian security vendors with education sector expertise, particularly for endpoint protection, network monitoring, and academic cloud security.

European initiatives shaping Romania's 2026 agenda

Digital Europe and ECCC acceleration

Romania's relevance rises when ECCC spending rises. The 2025-2027 programme cycle matters because it turns Bucharest into a practical gateway for projects on national SOCs, post-quantum migration, SME uptake, and shared European capability-building.

Bucharest as an EU cyber meeting point

Romania benefits from more than money. It benefits from convening power. ECCC board meetings, NCC gatherings, and CRA-focused events in Bucharest mean Romanian institutions are increasingly part of the room where implementation decisions and relationships are formed.

Ukraine-linked resilience and Eastern Flank cooperation

Romania's cyber role increasingly overlaps with the wider Eastern Flank resilience agenda. Bucharest-hosted ECCC and NCC meetings have included Ukrainian participation, which matters because Romania's strategic relevance is increasingly tied to regional resilience, not only domestic compliance.

10 — Strategic Outlook 2026–2030

Seven forces shaping
the decade

Romania stands at a rare convergence of legislative mandate, EU funding at scale, a globally recognized champion, a deepening talent ecosystem — against the fastest-growing and most geopolitically charged threat landscape in Romanian digital history. The December 2025 attacks and 2024 election interference together forced a national reckoning that may ultimately accelerate the transformation that slow-moving market forces alone could not.

NIS2 compliance demand surge

GEO 155/2024 creates mandatory security spending across tens of thousands of previously underinvesting entities. A €50M+ annual procurement opportunity for Romanian MSPs through 2027.

IAM, next-gen firewalls, and 24/7 SOC monitoring top procurement lists. Boards now face personal accountability — transforming cybersecurity from IT cost to governance priority.

SOC nearshoring leadership

Romania delivers 24×7 SOC monitoring and engineering capacity at a significant cost advantage versus Western Europe. Services growth remains one of the clearest strategic strengths in the local market.

Regional cooperation with Moldova and Ukraine, together with Romania's ECCC role, reinforces Bucharest's position as an Eastern Flank cyber hub.

EU funding acceleration

POCIDIF's €310M covers up to 70% of eligible cybersecurity costs. DigiLocal's 200M lei targets municipalities — the most critically underprotected segment. CYRESRANGE (€1.7M) builds national cyber training ranges.

Quarterly award rounds create predictable pipeline for integrators. SME CAGR of 17.2% driven by subsidy-enabled adoption of endpoint detection, MFA, and zero-trust.

Critical infrastructure remediation

December 2025 created the political will to accelerate CNC integration for water, energy, and transport infrastructure previously outside the protection umbrella. This represents both an urgent security need and a significant procurement opportunity.

DNSC Steps already taken to integrate Apele Române. Energy OT security is the priority target sector for 2026.

Bitdefender remains the ecosystem anchor

Bitdefender's scale, telemetry, R&D footprint, and 2025 acquisitions make it the most important single company in the Romanian ecosystem. Its product roadmap and hiring posture influence the market well beyond its direct revenue share.

For management teams and investors, the relevant point is not a specific IPO timeline but the continued presence of a Romanian cyber champion with global reach.

Healthcare & OT frontier

Healthcare at 16.3% CAGR — underfunded infrastructure plus high-value patient data plus NIS2 explicit inclusion. IT/OT convergence in energy creates specialist demand currently among the scarcest skills in the Romanian talent market.

Both sectors represent underserved, high-margin opportunities for firms with genuine domain expertise and government relationships.

Geopolitical cyber defence — NATO role

Romania's role as a NATO Eastern Flank cyber venue is hardening. Bucharest now regularly hosts high-level cybersecurity diplomacy, regulation, and capability-building meetings involving EU and alliance stakeholders.

ENISA cooperation, ECCC coordination, and the EU Cyber Solidarity framework position Romania for sustained strategic significance even beyond the domestic market story.