ROEN
AI Act: Obligations for Romanian companies and tourism impact

AI Act: Obligations for Romanian companies and tourism impact

By Marian Matinca · · 5 min read

The European Artificial Intelligence Regulation (AI Act) has officially entered into force, bringing concrete obligations for all companies in Romania that develop, distribute, integrate, or use AI systems. This is no longer about recommendations — it's legislation with fixed deadlines and fines of up to 35 million euros.

In this article, I analyze what the AI Act means for Romanian companies, with a focus on the tourism industry and TMC (Travel Management Company) obligations.

What is the AI Act and why does it matter for Romania?

The AI Act is the world's first legislative framework regulating artificial intelligence based on risk level. It applies to all companies operating in the EU market — including those in Romania, regardless of size.

The regulation classifies AI systems into four risk categories:

Timeline: clear deadlines

AI Act implementation follows a precise calendar that every company must know:

February 2, 2025 — Ban on unacceptable risk AI systems. From this date, no company in Romania can use AI for subliminal manipulation, social scoring, unauthorized facial recognition databases, or exploitation of vulnerable groups.

August 2, 2025 — Obligations for general-purpose AI models (GPAI). Providers of generative models and LLMs must ensure transparency (documentation, training data, computational costs, energy consumption) and respect copyright.

August 2, 2026 — Most obligations come into force, including those for high-risk AI systems and AI literacy requirements.

August 2, 2027 — Final deadline for full compliance of all high-risk AI systems.

AI Literacy obligation: it's not optional

Article 4 of the AI Act requires all organizations to ensure an adequate level of AI competence for personnel involved in operating or using AI systems.

What this means concretely:

For a TMC, this means that travel agents using AI chatbots, travel managers using AI analytics dashboards, and IT teams integrating AI APIs — all must be formally trained.

Internal audit: identification and classification of AI systems

Every company must conduct an internal audit to identify all AI systems in use. Many companies will be surprised by how many AI systems they already have in operation:

Each system must be classified according to its risk level and documented.

Obligations based on company role

Developers (Providers)

Romanian companies creating their own AI models must:

Integrators

IT companies integrating external models (ChatGPT API, Claude API, LLaMA) into their own applications must:

Users (Deployers)

Companies in retail, banking, healthcare, telecom, or tourism using AI must:

Strict requirements for high-risk AI systems

When a company uses AI for processes that directly affect people, obligations become significantly stricter:

Fairness and non-discrimination testing — The AI system must be rigorously tested for biases before real-world use.

Human oversight (human-in-the-loop) — Operators must be able to verify, understand, correct, or override AI decisions.

Transparency to affected persons — Employees or candidates must be explicitly informed they are being evaluated by AI and must have the right to explanation and appeal.

Continuous monitoring — Complete logs and a documented plan for risk management in case of errors or discrimination.

AI Act impact on Romanian tourism and TMCs

Romania's tourism industry is a significant AI user. A modern TMC uses daily:

For a TMC like Weco-Travel, where I've implemented end-to-end automations, Dialogflow chatbots, and BI dashboards, the impact is direct.

Updating internal policies

The AI Act doesn't replace GDPR — it complements it. Companies must:

Penalties: fines that cannot be ignored

Non-compliance exposes companies to significant fines:

Personal conclusion

Accountability is always welcome. After years of wild west AI implementation, where anyone could throw a model into a business process without any accountability, the AI Act provides a necessary framework.

I don't see this regulation as a burden — I see it as an opportunity. Companies that comply first will have a real competitive advantage: the trust of clients, employees, and partners.

From my experience in travel tech, the best automations have always been those where humans remain in control. Human-in-the-loop is not a restriction — it's engineering common sense. An AI that makes decisions without oversight isn't innovative, it's irresponsible.

The deadlines are clear, the obligations are concrete, and the fines are large enough that they cannot be ignored. My advice: don't wait for the deadlines. Start your internal audit now, invest in team literacy, and document everything. It's easier to build compliance from the start than to add it later.