The European Artificial Intelligence Regulation (AI Act) has officially entered into force, bringing concrete obligations for all companies in Romania that develop, distribute, integrate, or use AI systems. This is no longer about recommendations — it's legislation with fixed deadlines and fines of up to 35 million euros.
In this article, I analyze what the AI Act means for Romanian companies, with a focus on the tourism industry and TMC (Travel Management Company) obligations.
What is the AI Act and why does it matter for Romania?
The AI Act is the world's first legislative framework regulating artificial intelligence based on risk level. It applies to all companies operating in the EU market — including those in Romania, regardless of size.
The regulation classifies AI systems into four risk categories:
- Unacceptable risk — completely banned (subliminal manipulation, social scoring, unauthorized facial recognition)
- High risk — permitted with strict obligations (AI recruitment, credit scoring, employee evaluation)
- Limited risk — transparency obligations (chatbots, deepfakes)
- Minimal risk — no additional obligations (spam filters, AI games)
Timeline: clear deadlines
AI Act implementation follows a precise calendar that every company must know:
February 2, 2025 — Ban on unacceptable risk AI systems. From this date, no company in Romania can use AI for subliminal manipulation, social scoring, unauthorized facial recognition databases, or exploitation of vulnerable groups.
August 2, 2025 — Obligations for general-purpose AI models (GPAI). Providers of generative models and LLMs must ensure transparency (documentation, training data, computational costs, energy consumption) and respect copyright.
August 2, 2026 — Most obligations come into force, including those for high-risk AI systems and AI literacy requirements.
August 2, 2027 — Final deadline for full compliance of all high-risk AI systems.
AI Literacy obligation: it's not optional
Article 4 of the AI Act requires all organizations to ensure an adequate level of AI competence for personnel involved in operating or using AI systems.
What this means concretely:
- Sending an email with instructions is not sufficient. The European AI Office explicitly clarified: simply reading written documents does not constitute AI literacy.
- An active and documented learning process is required — trainings, workshops, competence assessments.
- It applies to all employees interacting with AI, not just the IT team.
- It must be documented — who was trained, when, what competences were covered.
For a TMC, this means that travel agents using AI chatbots, travel managers using AI analytics dashboards, and IT teams integrating AI APIs — all must be formally trained.
Internal audit: identification and classification of AI systems
Every company must conduct an internal audit to identify all AI systems in use. Many companies will be surprised by how many AI systems they already have in operation:
- Customer support chatbots (ChatGPT, Dialogflow, etc.)
- Virtual booking assistants
- Recommendation systems (hotels, flights, packages)
- Predictive analytics tools for pricing
- CV recruitment and evaluation systems
- Marketing automation tools with AI components
- BI platforms with machine learning features
Each system must be classified according to its risk level and documented.
Obligations based on company role
Developers (Providers)
Romanian companies creating their own AI models must:
- Ensure complete transparency — documentation, training data, computational costs, energy consumption
- Respect copyright in the training process
- Manage cybersecurity risks
- Clearly mark AI-generated content
Integrators
IT companies integrating external models (ChatGPT API, Claude API, LLaMA) into their own applications must:
- Verify provider compliance with AI Act
- Document the use of external models
- Inform end users about system limitations
- Maintain a registry of AI integrations
Users (Deployers)
Companies in retail, banking, healthcare, telecom, or tourism using AI must:
- Assess impact and risks to personal data
- Comply with GDPR requirements in combination with AI Act
- Ensure the right to explanation for persons affected by AI decisions
Strict requirements for high-risk AI systems
When a company uses AI for processes that directly affect people, obligations become significantly stricter:
Fairness and non-discrimination testing — The AI system must be rigorously tested for biases before real-world use.
Human oversight (human-in-the-loop) — Operators must be able to verify, understand, correct, or override AI decisions.
Transparency to affected persons — Employees or candidates must be explicitly informed they are being evaluated by AI and must have the right to explanation and appeal.
Continuous monitoring — Complete logs and a documented plan for risk management in case of errors or discrimination.
AI Act impact on Romanian tourism and TMCs
Romania's tourism industry is a significant AI user. A modern TMC uses daily:
- Customer support chatbots — classification: limited risk → transparency obligation
- Booking recommendation systems — classification: minimal to limited risk
- Travel data analytics AI — classification: minimal risk
- AI recruitment systems (if used) — classification: high risk → full obligations
- Dynamic AI-based pricing — classification: limited risk → consumer transparency
For a TMC like Weco-Travel, where I've implemented end-to-end automations, Dialogflow chatbots, and BI dashboards, the impact is direct.
Updating internal policies
The AI Act doesn't replace GDPR — it complements it. Companies must:
- Update internal regulations to reflect AI usage
- Establish control and audit procedures
- Designate an AI officer (recommended, not mandatory — but a smart decision)
- Document all processes involving AI
Penalties: fines that cannot be ignored
Non-compliance exposes companies to significant fines:
- Up to EUR 35 million or 7% of annual global turnover — for using prohibited practices
- Up to EUR 15 million or 3% of turnover — for breaching high-risk system obligations
- Up to EUR 7.5 million or 1.5% of turnover — for providing incorrect information
Personal conclusion
Accountability is always welcome. After years of wild west AI implementation, where anyone could throw a model into a business process without any accountability, the AI Act provides a necessary framework.
I don't see this regulation as a burden — I see it as an opportunity. Companies that comply first will have a real competitive advantage: the trust of clients, employees, and partners.
From my experience in travel tech, the best automations have always been those where humans remain in control. Human-in-the-loop is not a restriction — it's engineering common sense. An AI that makes decisions without oversight isn't innovative, it's irresponsible.
The deadlines are clear, the obligations are concrete, and the fines are large enough that they cannot be ignored. My advice: don't wait for the deadlines. Start your internal audit now, invest in team literacy, and document everything. It's easier to build compliance from the start than to add it later.