1. Why “illegal access” is not just an IT problem
In Romanian criminal law, “illegal access to a computer system” is no longer a niche offence that only concerns hackers in hoodies or highly technical disputes. Article 360 of the Criminal Code makes it a crime to access, without right, any computer system – from your employer’s database or a cloud platform, to your partner’s e‑mail or a public authority’s internal application.
In practice, cases under Article 360 span a wide spectrum: disputes between former partners, employees who look up information they should not see, improvised “IT experts” who try to guess passwords, but also organised groups who target banking systems, crypto exchanges or public databases.
For the person under investigation, an Article 360 charge can mean a criminal record, prison or suspended sentence, long‑term restrictions on working with sensitive data, as well as reputational damage that is hard to repair. For victims – individuals or companies – it can mean data leaks, business disruption and the need to manage both legal and cybersecurity fallout.
1.1. Typical real‑world scenarios
- Logging into another person’s social media account using a password found on a piece of paper or guessed based on personal details.
- Accessing a former partner’s e‑mail, cloud account or phone backups, in order to read private conversations or download photos.
- An employee using internal credentials to search confidential records out of curiosity (for example, a police officer querying databases for friends or acquaintances).
- Using someone else’s VPN credentials to connect to a corporate network from home, long after the employment relationship has ended.
- Attempting to access a protected network segment by repeatedly trying default passwords on routers or IoT devices.
At first sight, some of these situations may look like “private disputes” or minor disciplinary breaches. Once the conduct falls within the wording of Article 360, however, they become a criminal law problem that can be investigated by the police or by specialised structures such as DIICOT.
2. Legal framework: where does the offence come from?
Illegal access to a computer system is regulated in Chapter VI of the Criminal Code, which deals with offences against the security and integrity of information systems and data. The central provision is Article 360 of the Criminal Code, which criminalises “access, without right, to a computer system”.
For a consolidated version of the provision, see Article 360 of the Romanian Criminal Code on Lege5.ro.
2.1. Article 360 Criminal Code – the core definition
Article 360 criminalises access, without right, to a computer system, with higher penalties when the access is aimed at obtaining computer data or when it targets systems with restricted or prohibited access. The offence is part of the wider architecture of computer‑related crimes introduced with the new Criminal Code and aligned with international instruments on cybercrime.
2.2. Law no. 161/2003 and the cybercrime chapter
Before the current Criminal Code entered into force, the first specific framework for computer crime was created by Title III (“Prevention and combating of computer crime”) of Law no. 161/2003. That title contained definitions of “computer system”, “computer data” and the notion of a person acting “without right”, and it served as the starting point for today’s offences in Articles 360–365 of the Criminal Code.
A current, updated version of Title III can be consulted via Law no. 161/2003 on Lege5.ro (Title III – Prevention and combating of computer crime).
2.3. International layer: the Budapest Convention on Cybercrime
Romania is a party to the Council of Europe Convention on Cybercrime (the “Budapest Convention”), adopted in 2001 and ratified in Romania by Law no. 64/2004. The Convention requires States to criminalise, among other conduct, illegal access, illegal interception, data interference, system interference and misuse of devices.
An official overview of the Budapest Convention is available on the Council of Europe website: Council of Europe – Budapest Convention on Cybercrime.
At EU level, the Convention is complemented by EU policies and instruments on cybercrime and cybersecurity, including the Directive on attacks against information systems and the NIS2 framework for network and information security. Together, they form the backdrop against which Romanian authorities investigate and prosecute computer‑related offences.
3. Key elements of the offence in practice
3.1. What is a “computer system” and what are “computer data”?
Law no. 161/2003 defines a “computer system” broadly as any device or group of interconnected devices which, based on a program, processes computer data. In practical terms, this covers laptops and desktop computers, servers, smartphones, tablets, routers, cloud infrastructures and even specialised industrial systems, as long as they process data automatically.
“Computer data” covers any representation of facts, information or concepts in a form suitable for processing in a computer system – including text, images, audio, video, databases or logs. Modern practice treats system logs, authentication records and configuration files as computer data which can be crucial evidence in an Article 360 case.
3.2. What does “access” actually mean?
In doctrine and case‑law, “access” generally implies any interaction at the logical level with a system which allows the user to benefit from its resources or functions – for example by logging in, executing commands, viewing protected content or changing settings. Physical presence near a device, without any interaction, is not enough by itself, but a single successful login or command may already constitute access.
3.3. The crucial phrase “without right”
The phrase “without right” is the heart of Article 360. Under the old Law no. 161/2003, the notion was explicitly defined and covered both completely unauthorised access and the situation where a person exceeds the limits of their authorisation. Although the definition is no longer reproduced in full in the Criminal Code, courts and scholars continue to interpret Article 360 in the light of that earlier framework and of the explanatory report to the Budapest Convention.
In practice, “without right” may include situations such as:
- using someone else’s username and password without their consent;
- re‑using credentials from a past job after the employment relationship ended;
- accessing areas of a system that are clearly outside your role (for example, a police officer querying databases for private purposes);
- using technical vulnerabilities to bypass authentication or authorisation mechanisms.
In a 2021 preliminary ruling, the High Court of Cassation and Justice stressed that, in the context of public databases, even a person who formally holds credentials can act “without right” if they query the system outside the legal and institutional framework which justifies that access. [see ICCJ Decision no. 68/2021 on Article 360 Criminal Code]
4. How investigations are built: from logs to digital forensics
4.1. Where evidence usually comes from
In an Article 360 case, investigators rarely rely on a single type of evidence. In practice, case files combine technical traces, documents and witness statements, for example:
- system and application logs showing the date, time, IP address and type of access;
- authentication logs from VPN gateways, domain controllers or cloud platforms;
- e‑mail notifications and security alerts generated by the compromised service;
- seized devices (laptops, phones, external drives) and forensic images;
- internal policies, employment contracts and confidentiality agreements;
- witness statements from system administrators, colleagues or affected users.
From the defence perspective, each of these elements must be analysed both for technical reliability (for example, whether logs could have been altered or are incomplete) and for legal admissibility (how the data was obtained, whether search warrants or seizure orders complied with procedural safeguards).
4.2. Typical weak points that the defence can explore
- incomplete or inconsistently configured logging, which makes it difficult to attribute access to a specific person;
- situations where multiple people share the same credentials or workstation, contrary to basic security practice;
- seizures of devices carried out without respecting the rules on search and seizure of computer systems;
- lack of clear and communicated internal policies, which casts doubt on whether the accused truly knew the limits of their authorisation.
Technical expertise (digital forensics) is frequently decisive in such cases. However, expert reports are not beyond scrutiny: an experienced defence can ask precise questions on how logs were collected, whether clocks were synchronised, how alternative explanations were ruled out and whether chain of custody for devices was properly documented.
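Two of the questions above, shared credentials and clock synchronisation, can be tested directly against the logs. The following is an added example, not part of the original article: the log lines are constructed, and the line format and the `event` correlation identifier recorded by both systems are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (assumed format): timestamp, source, key=value fields.
VPN_LOG = """\
2024-03-04T08:59:41 vpn-gw user=a.pop host=WS-014 event=e1 result=success
2024-03-04T09:02:10 vpn-gw user=registry host=WS-014 event=e2 result=success
2024-03-04T09:03:55 vpn-gw user=registry host=WS-022 event=e3 result=success
2024-03-04T13:20:00 vpn-gw user=a.pop host=WS-014 event=e4 result=success
"""
APP_LOG = """\
2024-03-04T09:06:48 app-db user=a.pop host=WS-014 event=e1 result=success
2024-03-04T09:11:01 app-db user=registry host=WS-022 event=e3 result=success
"""

def parse(text):
    """Turn each log line into a dict with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        stamp, source, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        rec["time"] = datetime.fromisoformat(stamp)
        rec["source"] = source
        records.append(rec)
    return records

def shared_accounts(records, window=timedelta(minutes=10)):
    """Accounts with successful logins from different hosts within `window`.
    Such accounts cannot be attributed to one person from the log alone."""
    by_user = defaultdict(list)
    for r in records:
        if r["result"] == "success":
            by_user[r["user"]].append(r)
    flagged = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["time"])
        for a, b in zip(recs, recs[1:]):
            if a["host"] != b["host"] and b["time"] - a["time"] <= window:
                hosts = set(flagged.get(user, [])) | {a["host"], b["host"]}
                flagged[user] = sorted(hosts)
    return flagged

def clock_offsets(source_a, source_b):
    """Seconds between the two sources' timestamps for the same event id.
    A roughly constant non-zero offset points to unsynchronised clocks."""
    first = {r["event"]: r["time"] for r in source_a}
    return {r["event"]: int((r["time"] - first[r["event"]]).total_seconds())
            for r in source_b if r["event"] in first}

if __name__ == "__main__":
    vpn, app = parse(VPN_LOG), parse(APP_LOG)
    print(shared_accounts(vpn))
    print(clock_offsets(vpn, app))
```

In this sample the `registry` account is used from two workstations within two minutes, and the application server's clock runs about seven minutes ahead of the gateway, so any timeline built by merging the two logs has to be corrected before it is relied on.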
5. Frequent factual situations and how courts look at them
5.1. Access to another person’s social media or e‑mail
One of the most common factual patterns is logging into a partner’s or relative’s online accounts (Facebook, Instagram, WhatsApp Web, e‑mail) without consent, often in the context of a personal conflict or a divorce. Even if no money is stolen and no data is publicly disclosed, the mere access to the protected account can fall within Article 360 once the system requires authentication and the user had a reasonable expectation of privacy.
In such cases, the key questions often become: how were the credentials obtained, what exactly was accessed, and for how long? The answer may influence not only the qualification of the conduct under Article 360 but also whether other offences are engaged, such as sharing nude images, blackmail or the dissemination of private messages.
5.2. Access to professional or public databases
Another recurrent scenario involves staff who are legitimately authorised to access certain databases – for example, banking officers, police officers, civil servants or medical staff – but who use that access for reasons unrelated to their duties. They may look up information about neighbours, celebrities, family members or potential business partners.
The High Court has made it clear that exceeding the limits of authorisation may amount to “without right” for the purpose of Article 360, particularly when internal rules and legal provisions clearly restrict access to certain purposes only.
5.3. Security testing, “ethical hacking” and internal IT staff
Not every interaction with vulnerabilities or security tools is automatically criminal. In many organisations, penetration testing and vulnerability scanning are carried out either by in‑house teams or by external contractors. If the testing is properly authorised and documented, it should fall outside the scope of Article 360.
However, problems arise when a person steps outside that authorisation – for example, when they test systems that were not included in the mandate, use client data for personal experiments, or attempt to monetise discovered vulnerabilities without following responsible disclosure processes. The line between legitimate security work and illegal access can be thin, and it usually depends on the existence of clear contracts, written permissions and audit trails.
6. Relationship with other computer offences
Article 360 rarely appears alone. Computer‑related investigations often combine several offences, such as data interference (Article 362 Criminal Code), system interference (Article 363), computer fraud (Article 249) or unlawful interception of communications (Article 361).
From a legal‑strategy perspective, it matters whether the prosecution relies on Article 360 as a stand‑alone offence (for example, in cases of purely curiosity‑driven access) or as a gateway to more serious charges (fraud, identity theft, large‑scale data exfiltration). The classification influences not only the applicable penalty range but also questions such as jurisdiction, competence of DIICOT and the proportionality of intrusive investigative measures.
7. Possible defence lines in Article 360 cases
7.1. Challenging the existence of “access”
In some investigations, the evidence may show only preparatory acts (for example, scanning open ports, trying to guess a password, or clicking on a phishing link) without clear proof that a protected area of the system was actually reached. In such situations, the defence can argue that the essential element of “access” is missing, or at least not proven beyond reasonable doubt.
7.2. Challenging the “without right” element
Another common defence angle is to show that the person acted within the boundaries of an existing authorisation, or that those boundaries were so poorly defined that criminal liability would violate the principle of legality. This is particularly relevant for employees and contractors who use shared credentials, work with outdated policies, or operate in environments where informal practices are tolerated for years.
Defence arguments may focus on written contracts, job descriptions, internal regulations, training materials and e‑mail exchanges, trying to demonstrate that the accused could reasonably believe they were still acting “with right” – even if their conduct raises disciplinary or civil‑law issues.
7.3. Procedural safeguards and exclusion of evidence
Because Article 360 cases often involve searches of homes and offices, as well as the seizure and forensic analysis of devices, procedural safeguards become crucial. If searches, seizures or interceptions were carried out in breach of the Code of Criminal Procedure, defence counsel can request the exclusion of evidence and, in some cases, the annulment of measures.
For example, issues may arise when devices are seized under overly generic warrants, when forensic copies are not made in the presence of the defence, when chain of custody is poorly documented or when privileged data (such as lawyer–client communications) is accessed without proper filters.
8. If you are the victim: combining criminal complaint and cybersecurity response
8.1. The first 48 hours after discovering illegal access
From a victim’s perspective, the first 48 hours after discovering illegal access often determine both the chances of successful prosecution and the extent of damage containment. Practical steps usually include:
- preserving logs and any available technical evidence, before systems are reset or cleaned;
- changing passwords and revoking compromised credentials;
- documenting what was accessed, when, and what kind of data may have been exposed;
- informing key stakeholders (management, data protection officer, legal counsel);
- considering whether personal‑data breaches must be notified to the data protection authority (ANSPDCP) and to affected individuals.
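The first step in the list, preserving logs before systems are reset, is easier to defend later if each copy is hashed at collection time. The following is an added example, not part of the original article: the `MANIFEST.json` name, the manifest fields and the sample log line are assumptions made for illustration.

```python
import hashlib
import json
import shutil
from datetime import datetime, timezone
from pathlib import Path

def sha256_of(path):
    """Hash a file in chunks so large logs do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def preserve(log_paths, evidence_dir, collector):
    """Copy logs into evidence_dir and record who collected what, when, and its hash."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in map(Path, log_paths):
        dst = evidence_dir / src.name
        shutil.copy2(src, dst)  # copy2 keeps the original modification time
        entries.append({
            "file": src.name,
            "original_path": str(src.resolve()),
            "size": dst.stat().st_size,
            "sha256": sha256_of(dst),
        })
    manifest = {
        "collected_by": collector,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "files": entries,
    }
    (evidence_dir / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify(evidence_dir):
    """Return names of preserved files that are missing or no longer match the manifest."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / "MANIFEST.json").read_text())
    return [e["file"] for e in manifest["files"]
            if not (evidence_dir / e["file"]).exists()
            or sha256_of(evidence_dir / e["file"]) != e["sha256"]]

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp) / "auth.log"  # constructed sample log
        log.write_text("2024-03-04T09:02:10 login user=registry result=success\n")
        preserve([log], Path(tmp) / "evidence", "constructed-collector")
        print(verify(Path(tmp) / "evidence"))  # empty list: nothing altered
```

The manifest only proves integrity if it is itself kept out of reach of later changes, for example by recording its own hash in the incident notes at the time of collection.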
8.2. Interaction with authorities in Romania
Depending on the nature and gravity of the incident, competent authorities may include the local police, specialised prosecutors (DIICOT) and sectoral regulators.
General information on the mandate of DIICOT can be found on its official website: www.diicot.ro.
For incidents that raise systemic cybersecurity concerns, organisations may also interact with the National Cyber Security Directorate (DNSC), which coordinates aspects of cyber‑incident reporting and awareness at national level.
DNSC publishes news, alerts and projects on its website: www.dnsc.ro.
9. Practical checklist: do’s and don’ts if you are accused or suspected
- Do not try to “fix” or delete traces on your own devices once you are aware of an investigation – this can be interpreted as obstruction of justice.
- Do not give informal statements or “clarifications” without understanding your procedural status (witness, suspect, defendant) and your rights.
- Do gather and preserve documents that show the context of your access: contracts, job descriptions, internal policies, e‑mails, tickets in task‑management systems.
- Do write down, as soon as possible, a detailed chronology of events while your memory is still fresh.
- Do consult a lawyer experienced in both criminal procedure and IT‑related cases, ideally before the first formal interview.
- Do not assume that “everybody was doing it this way” is a sufficient defence – but do explain how practices actually worked in your organisation.
10. FAQ and recurring myths
“If I know the password, it can’t be illegal access.”
Knowing a password does not automatically mean you have the legal right to use it. If the person who gave you the password had no authority to do so, or if the password was meant to be confidential and used only in a specific context, using it may still qualify as access “without right”.
“There is no damage, so there is no crime.”
Article 360 does not require proof of financial loss or material damage. The protected interest is the confidentiality and integrity of computer systems and data. Damage may become relevant for other offences (such as computer fraud) or for civil claims, but illegal access as such can be complete even if the victim never finds out about it.
“If the system had weak security, it’s the victim’s fault.”
Poor security practices – such as weak passwords or outdated systems – do not authorise others to access the system. They may be relevant when assessing civil liability or regulatory compliance, but they do not erase the criminal nature of unauthorised access.
11. Sources and further reading (Romanian and international)
- Codul penal din 2009 (consolidated version – includes Article 360 on illegal access to a computer system) – Lege5.ro
- Law no. 161/2003 – Title III on the prevention and combating of computer crime – Lege5.ro
- High Court of Cassation and Justice – Decision no. 68/2021 (preliminary ruling on Article 360 Criminal Code)
- Council of Europe – Budapest Convention on Cybercrime (ETS No. 185)
- EUR‑Lex – Convention on cybercrime (summary in English)
- Universul Juridic – articles tagged “accesul ilegal la un sistem informatic”
- George Zlati, Tratat de criminalitate informatică, Editura Solomon (for doctrinal analysis of Article 360 and related offences)
- Directorate for Investigating Organised Crime and Terrorism (DIICOT) – official website
- National Cyber Security Directorate (DNSC) – official website
This article is for general information only and does not constitute legal advice. Concrete cases of alleged illegal access to computer systems are often highly technical and fact‑specific. Anyone facing investigation or potential charges under Article 360 Criminal Code should seek individual legal advice from a qualified lawyer.
