Whistleblower law in Romania #
Romania implemented Directive (EU) 2019/1937 through Legea nr. 361/2022 privind protecția avertizorilor în interes public. The Romanian framework pairs the standard 50-employee private-sector trigger with a visible role for ANI as both external authority and practical guidance body.
Applicable law #
Who must establish an internal channel #
- All public-sector entities — authorities, public institutions, and other public-law legal entities — regardless of headcount.
- Private-law entities with at least 50 employees.
- Certain Annex 3 sector entities (financial services, anti-money-laundering, insurance) — regardless of headcount.
Private entities with between 50 and 249 employees may pool or share resources for their internal channel (Art. 9(4)). Deadlines were phased: the law entered into force on 22 December 2022 for the public sector and entities with 250+ employees, while the 50–249 employee tier had until 17 December 2023 to comply (Art. 36).
Penalties and enforcement #
Failing to establish an internal reporting channel is an administrative contravention under Article 28(2)(c), not a criminal offense. The headline figures (EUR approximate at ~5 RON = €1):
| Conduct | Fine (RON) | ≈ EUR |
|---|---|---|
| Obstructing or preventing a report | 2,000–20,000 | ~€400–4,000 |
| Refusing to respond to the Agency’s requests | 3,000–30,000 | ~€600–6,000 |
| Failing to establish internal channels (Art. 28(2)(c)) | 3,000–30,000 | ~€600–6,000 |
| Non-compliance with Art. 10(1)(a) obligations | 4,000–40,000 | ~€800–8,000 |
| Breaching whistleblower confidentiality | 4,000–40,000 | ~€800–8,000 |
| Knowingly false report (Art. 29) | 2,500–30,000 | ~€500–6,000 |
An honest assessment of enforcement. The fines above are what the statute provides. In practice, no public record of a company being fined specifically for a missing internal channel has surfaced, and enforcement to date appears reactive — driven by reports reaching ANI rather than proactive audits. ANI registered 329 external reports in 2025 , 188 of them in domains regulated by Legea 361/2022; those are reports received by the authority, not sanctions issued against employers. Independent analysis (CEELI Institute, 2023 ) documents a gap between the law on paper and its implementation.
The practical conclusion: the obligation is real and the operational exposure is a report arriving at ANI with no internal channel in place — not a large fine. A compliant internal channel is best treated as low-cost infrastructure that removes that exposure, not as insurance against a penalty that has rarely, if ever, been levied.
External reporting authority #
The official external channel is the Agenția Națională de Integritate (ANI) . ANI receives reports, can redirect them to the competent authority where needed, and publishes practical guidance for both reporters and employers.
Data protection authority #
For GDPR complaints about the handling of report data, the relevant authority is the ANSPDCP .
Key compliance points #
- If a private entity has fewer than 50 workers and no internal channel, the practical route is often the external channel.
- Anonymous reports may be examined if they contain sufficient indications of a breach, but identified reporters have fuller procedural rights.
- ANI explicitly positions itself as both an intake authority and a guidance body for implementation questions.
Official sources #
Primary law and authority
- Legea nr. 361/2022 — official consolidated text (legislatie.just.ro)
- Legea nr. 361/2022 — ANI Romanian PDF
- Law 361/2022 — ANI English PDF
- ANI — whistleblower competence page
- ANI — frequently asked questions
- ANSPDCP — complaints submission (data protection)
Enforcement and independent analysis
- ANI — 2025 whistleblower reporting statistics (via Agerpres, May 2026)
- CEELI Institute — “Beyond Paper Rights: Implementing Whistleblower Protections in Central and Eastern Europe” (2023)
- EU Whistleblowing Monitor — Romania
Deploy your reporting channel →
Last updated: