Invisible Influence: Romania’s Presidential Election Crisis
Claudia B. | 24 March 2025
BISI is proud to present this piece in collaboration with CyberWomen Groups CIC. Through this partnership, we have combined our expertise in political risk with their knowledge of cyber security to deliver a fresh perspective on emerging threats.
CyberWomen Groups CIC is a student-led initiative dedicated to diversifying STEM by supporting and connecting university students interested in or studying cybersecurity, regardless of gender identity.
Summary
Romania annulled its 2024 presidential election following extensive foreign cyber interference, exposing critical weaknesses in democratic processes.
Coordinated disinformation campaigns and cyberattacks significantly influenced voter sentiment and compromised electoral integrity.
The crisis will likely amplify geopolitical tensions, driving sustained cyber threats and prompting the North Atlantic Treaty Organisation (NATO) and the European Union (EU) to collaboratively enhance cybersecurity defences.
In December 2024, Romania’s Constitutional Court annulled the first-round results of its presidential election after discovering Russian interference. Declassified intelligence revealed over 85,000 cyberattacks targeting electoral systems. Attackers utilised credential theft, targeted phishing campaigns, and software exploits such as Structured Query Language (SQL) injections and cross-site scripting (XSS). Stolen credentials from electoral systems were later published on Russian cybercrime forums. In parallel, social media platforms such as TikTok and Telegram were exploited for large-scale disinformation operations supporting ultranationalist candidate Călin Georgescu, whether through Artificial Intelligence (AI)-generated content, bot activity, troll factories, or paid influencers.
These integrated cyber and information campaigns severely compromised the electoral process, prompting the Constitutional Court to annul the election on 6 December 2024. The annulment not only exposed systemic issues in the country, but also exemplified how digital influence operations can challenge electoral legitimacy within EU and NATO member states.
The Romanian election crisis has broader implications across political, operational, economic, and strategic spheres. Politically, the annulment has intensified polarisation and public distrust in democratic institutions, evident in nationwide protests and increasing activity from far-right groups. Recent detentions, related to an alleged Russian-supported coup attempt, further highlight internal security risks, as well as a potential increase in targeted violence.
Operationally, these cyberattacks exposed vulnerabilities in electoral infrastructure and highlighted broader threats to critical national services. Protests by state railway and power grid workers over employment conditions signal operational disruptions within essential infrastructure sectors, potentially creating additional opportunities for exploitation by cyber threat actors. Economically, Romania’s political instability has undermined investor confidence, notably within the energy and technology sectors critical to economic growth. This instability complicates Romania’s ongoing effort to manage its fiscal deficit, set to be reduced below 3% of GDP by 2030 as mandated by the EU.
Strategically, Romania’s crisis reflects its geopolitical significance as a frontline NATO and EU member. Yet, from another perspective, it also offers an opportunity for proactive leadership in European cybersecurity – by utilising the lessons learned to create measures specifically designed to counter electoral cyber threats.
Governance Fragmentation and Disinformation Response
AI-driven influence operations are increasingly prevalent in electoral interference, using algorithmic amplification and synthetic media to target and manipulate voter sentiment. Romania’s experience during the 2024 elections highlighted critical gaps in its capability to counteract such threats. Despite Romania’s strong engagement in NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE), primarily driven by the Ministry of Defence, there remains a significant disconnect between civilian cyber defence capabilities and practical responses to hybrid threats: during the 2024 election crisis, multiple agencies received reports of coordinated bot activity and fake accounts, yet none held clear authority to act.
The Romanian National Cyber Security Directorate (DNSC) was established in 2021 to secure the national civilian cyberspace. In November 2024, amid public questions about its remit, DNSC issued statements explicitly excluding social media moderation and disinformation from its responsibilities, limiting its mandate to technical cybersecurity threats centred around data confidentiality, integrity, or availability (CIA triad). It recommended that such content issues be addressed by other competent authorities, while continuing to counter disinformation in indirect ways, such as policy recommendations to public institutions and preventative guidance to the public.
Consequently, disinformation remains largely unaddressed, leading to jurisdictional confusion and fragmented governance. The Permanent Electoral Authority (AEP) oversees procedural election integrity, with election infrastructure provided and secured by the Special Telecommunications Service (STS), whose assurances of successful cyber defence contradicted reports from the Romanian Intelligence Service (SRI). The Romanian telecom regulator (ANCOM) can report but not sanction major online platforms directly, highlighting a critical mismatch between the nature of modern hybrid threats and the institutions tasked with addressing them. As a result, disinformation operates in a regulatory vacuum, with no single agency empowered to act decisively, creating opportunities for exploitation. It was following a request from Romania's National Audiovisual Council, which is typically responsible for regulating broadcast content, that the European Commission opened formal proceedings against TikTok under the EU Digital Services Act (DSA). The EU also extended support to Romania through joint meetings and a European Commission roundtable with platform representatives.
In response, Romania implemented stricter cybersecurity measures through Emergency Ordinance 155/2024, aligning more closely with EU standards and designating DNSC as the central regulatory body. Yet, its late adoption post-electoral crisis indicates a reactive rather than proactive strategy. Moreover, new content regulations enacted in March 2025 mandate rapid removal (i.e. within a 15-minute timeframe) of harmful online content. While intended to strengthen electoral security, the vague definitions of “harmful content” and stringent requirements have raised concerns about potential infringement on free speech and operational feasibility for platforms.
The continued reliance on traditional cybersecurity models, such as the CIA triad alone, may not capture the nuances of modern hybrid threats, where influencing human perception is often the primary goal, as opposed to just infrastructure compromise. Addressing these issues proactively could be achieved through integrating technical and non-technical electoral defences under unified management, following successful models from Estonia, France, and the United States (US). Estonia’s robust digital identity verification and real-time election monitoring, France’s dedicated disinformation agency (Viginum), and the US’s classification of election infrastructure as critical national infrastructure exemplify proactive strategies that Romania could adopt.
While technical and regulatory measures are essential, Romania must also acknowledge that cultivating public digital literacy is a long-term endeavour. Given the pervasive and adaptive nature of AI-driven disinformation, empowering citizens to critically assess online content may offer the most sustainable form of defence, although it requires consistent investment and generational commitment.
Forecast
Short-term
It is very likely that the electoral rerun in May 2025 will be subject to another AI-driven disinformation campaign, as well as intensified cyberattacks, resulting in increased political risk as voter trust and democratic stability are further undermined.
It is likely that political instability and nationalist-driven protests will continue, compounded by investigations into election corruption and external interference.
Medium-term
It is likely that cyberattacks on critical infrastructure – including energy, finance, and public administration – will increase.
Long-term
It is very likely that state-sponsored cyber operations will become more sophisticated, in turn necessitating sustained strategic investment in the implementation of cyber resilience frameworks across NATO and EU states.
It is very likely that threat actors will refine their tactics based on Romania's response, increasingly embedding disinformation within subtle political narratives that evade content moderation, while concurrently escalating attacks on critical infrastructure.