Bulgaria
(a) What is the NIS2 implementation status?
A draft bill for amendment of the Cybersecurity Act (2018, as amended) was submitted to the Bulgarian National Assembly in December 2024 but has not been voted yet.
(b) What is the envisaged NIS2 implementation timeline?
The bill of amendment is pending in the parliamentary committee of the Bulgarian National Assembly. A procedure for submission of statements from interested parties on the draft legislation is now open. The draft must be approved by the parliamentary commission before passing at first hearing. The matter is not yet included in the agenda for the plenary sessions of the National Assembly.
(c) What does the NIS2 mean for other national cybersecurity legislation?
The Cybersecurity Act (2018, as amended) is the main legal act regulating cybersecurity in Bulgaria, transposing Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (NIS1). The implementation of NIS2 in Bulgaria will require amendments to the Cybersecurity Act and the underlying legislation on its application, including the Regulation for the Minimum Network and Cyber Security Standards and the Methodology for Identification of the Essential Services Providers. Amendments to industry-specific legislation, including the electronic communication regulations, may also be expected.
(d) Who will be the supervisory authority and how are they preparing the market?
The main supervisory authority responsible for the application of the Bulgarian Cybersecurity Act following the transposition of NIS2 is expected to remain the Bulgarian Ministry of Electronic Governance. There are no guidelines or official statements published in this regard.
(e) What should you be doing/on the lookout for?
Although cybersecurity laws are often seen as instruments which are applicable in the public sector only, the business organisations will be also affected by the implementation of NIS2. The application of legal and administrative procedures and significant sanctions for non-compliance provided for in NIS2 must be noted. Clients must conduct internal analysis on their business activities to identify if they fall within the scope of NIS2 and subsequently assess the potential implications. Clients should also plan suitable measures to adopt the business processes in their organisations to the new standards under NIS2 (including audits, trainings, internal policies review, etc).
Contact
Victoria Marincheva E: victoria.marincheva@eversheds-sutherland.bg
© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.
Share this page