Bulgaria

(a) What is the NIS2 implementation status?

The bill of amendment to the Cybersecurity Act transposing NIS2 has been promulgated in the State Gazette on 13 February 2026 and has entered into force on 17 February 2026.

(b) What is the envisaged NIS2 implementation timeline?

The amendments to the Bulgarian Cybersecurity Act implementing NIS 2 are currently in force.

(c) What does the NIS2 mean for other national cybersecurity legislation?

The Bulgarian Cybersecurity Act, as amended, provide for adoption of new underlying legislation on its application. Drafts of the new underlying legislation have not been published to date.

(d) Who will be the supervisory authority and how are they preparing the market?

The primary supervisory authority remains the Ministry of e-Government but cybersecurity compliance will be also monitored by an expanded list of authorities competent in the public sectors, including among others, national security, transport and health.

(e) What should you be doing/on the lookout for?

Clients must conduct internal analysis on their business activities to identify whether they can be classified as “essential” or “important” entities under the amended Cybersecurity Act and, accordingly, determine whether they fulfil their obligations under the Cybersecurity Act, as amended. Clients should be also aware of the increased amount of the administrative sanctions reaching the higher of EUR 10,000,000 or 2% of the total worldwide annual turnover for the entities classified as “essential” and EUR 7,000,000 or 1.4% of the total worldwide annual turnover for the entities classified as “important”.

Contact

Victoria Marincheva E: victoria.marincheva@eversheds-sutherland.bg

Compare NIS2 implementation across other EU member states

Compare now

Other Resources

Eversheds Sutherland NIS2 Directive hub

Visit webpage

Whitepaper: Everything you need to know about the NIS2 Directive

Read the whitepaper

Webinar: One year to go until the EU NIS2 Directive

Watch the webinar

Article: Focus on the NIS2 directive

Read the summary briefing

© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.

Share this page