Romania probes €38 million business registry IT failure

Abul Quashem Joarder
Update Time: Friday, February 20, 2026
Romania, anti-corruption, Ministry of Justice, Entrepreneurs, OCCRP

Romania’s business infrastructure has been shaken by a widening anti-corruption investigation into a €38 million ($44.6 million) IT project at the National Trade Registry Office (ONRC), following weeks of operational paralysis, data security concerns, and mounting audit findings that suggest systemic mismanagement.

The case, now under review by Romanian anti-corruption prosecutors, centers on a digital overhaul launched in the summer of 2024 that was intended to modernize the country’s company registration system. Instead, the platform reportedly blocked more than 130,000 business registration applications for weeks, disrupting commercial activity nationwide and undermining public trust in a system responsible for maintaining official records for more than 1.7 million individuals and companies.

The €38 million IT system was conceived as a modernization milestone for ONRC, the agency overseen by the Ministry of Justice. However, draft audits conducted by Romania’s Court of Accounts and the Justice Ministry revealed serious technical and procedural deficiencies.

Auditors concluded that the system was launched prematurely, without comprehensive testing of its functionality or cybersecurity safeguards. Crucially, they reported that the registry had never received the platform’s source code, a foundational component necessary for independent maintenance, review, and security verification.

The absence of source code access raises profound governance and security concerns. In public-sector IT procurement, failure to secure intellectual property rights or escrow arrangements can render an agency dependent on external contractors for even routine system adjustments. This dependence can create operational vulnerabilities and expose public institutions to undue leverage by vendors.

Investigators further estimated financial losses exceeding 12 million lei (approximately $2.7 million), citing failure to enforce contractual penalties for delays and incomplete testing. The audits also suggested that certain financial benefits were improperly granted during the project’s implementation phase.

The operational consequences were immediate and severe. Upon launch, the platform effectively froze business formation processes across Romania, blocking more than 130,000 applications. Entrepreneurs and legal professionals reported prolonged delays, uncertainty, and mounting administrative costs.

ONRC initially attributed the disruptions to an unexpectedly high volume of user requests. However, the Justice Ministry acknowledged that the system had been unstable and insufficiently tested at the time of deployment. Subsequent technical instability persisted intermittently beyond the initial crisis period.

Compounding the issue, the IT failure reportedly triggered a data breach affecting more than 3,000 individuals. Although details regarding the nature and scope of the exposed data have not been fully disclosed, any compromise of registry-held personal or corporate information raises compliance concerns under European data protection standards, particularly the General Data Protection Regulation (GDPR).

Given that business registries typically store sensitive data, including personal identification details, shareholder information, and company filings, the integrity and resilience of such systems are paramount. The breach underscores the risks inherent in deploying inadequately tested platforms in mission-critical environments.

The investigation also extends to former registry director Valentina Burdescu, who was dismissed in 2024 following audit findings but remains employed at the agency. Auditors noted that her husband holds a senior post within ONRC, raising concerns about potential conflicts of interest.

While no formal charges have been announced at this stage, the scrutiny highlights governance vulnerabilities in public-sector oversight mechanisms. Conflict-of-interest safeguards are central to ensuring impartial procurement and operational integrity. Any perception of nepotism or preferential treatment can erode public confidence and complicate anti-corruption enforcement.

Auditors further observed that the project had been signed off nine months before its official launch, creating what they described as legal, financial, and operational risks. This discrepancy between formal acceptance and practical readiness suggests potential deficiencies in internal controls and risk management procedures.

The principal IT contract was awarded to Vodafone Romania, which subcontracted software development to Total Soft SA. Total Soft is reportedly owned through firms registered in Cyprus and Turkey.

According to audit findings, Total Soft was contractually obligated to provide the source code to ONRC. However, it remains unclear whether the registry ever formally received it. If the code was not delivered, or was delivered under restrictive terms, ONRC may lack the capacity to independently repair, audit, or enhance the system.

Vodafone Romania stated that it had fulfilled all contractual obligations and emphasized that system implementation was coordinated by registry management. The company did not directly address questions concerning source code access or alleged vulnerabilities. Total Soft, in turn, referred inquiries back to Vodafone.

This circular attribution of responsibility illustrates a recurring challenge in complex IT procurement structures: layered subcontracting arrangements can diffuse accountability, complicating both operational oversight and legal liability.

Public Record, an investigative journalism outlet affiliated with the Organized Crime and Corruption Reporting Project (OCCRP), reported extensively on the matter. In interviews, IT manager Vlad Herescu explained that withholding source code can serve strategic purposes for contractors, including maintaining client dependency, concealing incomplete functionality, or obscuring substandard programming practices.

While such practices are not inherently unlawful, they may conflict with public procurement standards that prioritize transparency, sustainability, and security.

The Romanian case reflects a broader European challenge: large-scale digital transformation initiatives in the public sector often encounter cost overruns, implementation delays, and cybersecurity vulnerabilities. However, the scale of disruption in this instance, combined with alleged financial irregularities and data exposure, places it among the more consequential failures in recent memory.

Business registries serve as foundational infrastructure for economic activity. Delays in company formation can deter investment, disrupt supply chains, and impede access to credit and public procurement opportunities. In a competitive regional environment, administrative reliability is a critical factor in maintaining investor confidence.

Moreover, the investigation may test Romania’s anti-corruption enforcement mechanisms. The country has faced sustained scrutiny from European institutions over judicial reform and governance standards. A transparent and credible inquiry into the ONRC project could either reinforce reform narratives or exacerbate concerns, depending on its outcome.

The anti-corruption probe remains active, and the Court of Accounts’ audit is ongoing. In statements to Public Record, ONRC maintained that it considers its contractual obligations fulfilled, despite auditors’ findings to the contrary.

The divergence between the agency’s official position and audit conclusions suggests potential legal disputes ahead. If prosecutors determine that procurement laws or anti-corruption statutes were violated, criminal proceedings could follow. Alternatively, the matter may result in administrative sanctions, contract renegotiations, or civil litigation.

For Romania’s business community, the priority remains system stability and data security. For policymakers, the episode underscores the importance of rigorous pre-launch testing, enforceable penalty clauses, transparent subcontracting structures, and unambiguous ownership of intellectual property in publicly funded IT projects.

As the investigation progresses, it will likely become a case study in public-sector digital governance, illustrating how technological modernization, if inadequately managed, can expose structural weaknesses in procurement oversight and institutional accountability.

For observers and journalists alike, the Romanian registry crisis serves as a reminder that digital transformation is not merely a technical exercise. It is a governance challenge requiring legal precision, operational discipline, and uncompromising transparency, especially when public funds and sensitive data are at stake.


Abul Quashem Joarder, a contributor to Blitz, is a geopolitical and military expert.
