Bulgaria
(a) What is the NIS2 implementation status?
A draft bill for amendment of the Cybersecurity Act together with an Impact Assessment have been recently published for public consultation.
(b) What is the envisaged NIS2 implementation timeline?
Public consultation for the amendment of the Cybersecurity Act will take place from 4 July until 3 August 2024. According to the official announcements, the Cybersecurity Act should be amended and supplemented to comply with NIS2 by 17 October 2024.
(c) What does the NIS2 mean for other national cybersecurity legislation?
The Cybersecurity Act (2018, as amended) is the main legal act regulating cybersecurity in Bulgaria, transposing Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (NIS1). The implementation of NIS2 in Bulgaria will require amendments to the Cybersecurity Act and the underlying legislation on its application, including the Regulation for the Minimum Network and Cyber Security Standards and the Methodology for Identification of the Essential Services Providers. Amendments to industry-specific legislation, including the electronic communication regulations, may also be expected. In addition, the Bulgarian Ministry on Electronic Governance announced an upcoming update of the Bulgarian strategy on cybersecurity, which should reflect the NIS2 requirements.
(d) Who will be the supervisory authority and how are they preparing the market?
The control over the application of the Cybersecurity Act is performed by the Ministry of Electronic Governance, which is expected to be the supervisory authority under NIS2 as well. There is no information about NIS2 of the official webpage of the Ministry of Electronic Governance, nor have any official statements, events or discussion been communicated.
(e) What should you be doing/on the lookout for?
It would be useful for clients to increase their awareness of the existing local cybersecurity legislation, as a first stage. Cybersecurity laws are often seen as instruments which are applicable in the public sector only, hence provision of reliable information on its scope to the local business could be considered. As a second stage, clients must conduct internal analysis on their business activities to identify if they fall within the scope of NIS2 and subsequently assess the potential implications. Clients should also plan suitable measures to adopt the business processes in their organisations to the new standards under NIS2 (incl. audits, trainings, internal policies review, etc). Clients should be informed of the significant sanctions provided for in NIS2 and the applicable legal and administrative procedures.
Contact
Victoria Marincheva E: victoria.marincheva@eversheds-sutherland.bg
© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.
Share this page