Romania’s digital transformation is rapidly reshaping how companies approach technology, regulation, and insurance. Eduard Simionescu, General Manager at GrECo Romania discusses with Paul Johannes Spittau, Head of Group Carrier Relations & Insurance Mediation at GrECo International, the key forces, risks, and regulatory shifts driving change, offering timely insights for Romanian organisations preparing for the evolving digital landscape.
Technology forces reshaping digital risk
Spittau: When we look ahead to the 2026–2030 period, digital transition is no longer optional. From your perspective, which technological forces will most strongly shape risk and insurance outcomes in Romania?
Simionescu: Three forces stand out very clearly. Artificial intelligence is quickly moving from trials to regulated use, especially in financial services, energy, large companies, and the public sector. Although AI adoption is below the EU average, the gap between ambition and maturity is creating new risks, like model errors and deep-fake fraud.
Next is cloud infrastructure, which is a vital dependency. Many Romanian companies are already heavily cloud-reliant, but governance, resilience planning and third-party risk management often lag behind investment decisions. As a result, cloud outages or misconfigurations are increasingly business-critical events rather than IT incidents. Lastly, cyber risk has become a systemic, board-level issue. Ransomware, supply-chain attacks and outsourced IT environments mean that digital risk now directly threatens revenue, continuity and reputation, not just data.
What’s changing in losses and underwriting
Spittau: How are digital transformation pressures, regulation and economic realities changing loss patterns and underwriting behaviour in Romania?
Simionescu: We are seeing a shift from frequency-driven cyber losses to severity-driven, business-impact losses. Incidents today are less about isolated breaches and more about prolonged outages, operational paralysis and supply-chain disruption.
For insurers, this has translated into much more technical underwriting. Pricing, deductibles and capacity are increasingly linked to demonstrable controls such as cloud architecture, backup maturity and incident response readiness, rather than company size alone.
Investment priorities and the regulatory push
Spittau: Where is digital investment accelerating most strongly in Romania, and why does that matter from a risk and insurance perspective?
Simionescu: Investment is accelerating most strongly in financial services, energy and utilities, manufacturing and logistics, and the public sector. These investments are reshaping demand for cyber insurance, technology E&O and non-damage business interruption solutions, while exposing gaps in how digital assets and data-driven value are insured.
Spittau: Regulation is clearly a major accelerator. Which rules are currently moving the Romanian market most?
Simionescu: NIS2 and DORA are the dominant frameworks. The challenge is not one regulation in isolation, but the fact that they apply simultaneously, overlap and require evidence, not just policies. They elevate digital risk firmly to board level and force organisations to move beyond compliance checklists toward integrated risk management.
Closing the resilience gap
Spittau: Looking ahead to the 2026 renewal season, what should companies expect?
Ionel Cantaragiu: Legislation in Romania is frequently changing making it difficult for companies to keep up with new regulations and ensure compliance. On top of this, bureaucracy is adding to the complexity of navigating regulatory environments and obtaining necessary licenses. Plus, political instability remains a persistent issue, affecting business operations and investor confidence.
Consolidation of the Broker Market and GrECo’s Unique Approach
Spittau: How is the insurance broker market evolving in Romania?
Simionescu: Renewals will become more selective and more technical. Underwriters will scrutinise cloud dependency, supply-chain exposure and resilience maturity in greater depth, with sharper differentiation between well-prepared and poorly prepared risks.
Spittau: From your discussions with Romanian companies, where do you most often see a disconnect between how organisations perceive their digital risk and the reality insurers are assessing?
Simionescu: The biggest disconnect is between perceived preparedness and actual resilience. Many organisations believe that having basic cybersecurity tools or compliance policies in place is sufficient. In reality, insurers assess how well companies understand their critical IT dependencies, particularly cloud services, outsourced providers and non-damage business interruption scenarios.
Our experience, reinforced by the recent GrECo Romania–BCR cyber study, shows that many companies still underestimate the financial impact of digital incidents and lack a realistic view of how an IT failure would affect operations, revenue and recovery time. This gap becomes very visible during underwriting and renewal discussions, as insurers increasingly require evidence of controls, governance and response readiness rather than high-level assurances.
Spittau: Finally, what three actions should companies take now to secure better outcomes?
Simionescu: First, conduct a realistic digital risk assessment. Second, integrate regulation into risk management rather than treating it as a compliance exercise. Third, approach insurance as a resilience tool, not a last-minute purchase.
Paul Johannes Spittau
Head of Group Carrier Relations & Insurance Mediation
T +43 664 537 17 42
Eduard Simionescu
General Manager
GrECo Romania
T +40 (756) 104 104
