Bulgaria’s implementation of NIS 2: What businesses need to know
Bulgaria is about to formally enact a far‑reaching reform of its national Cybersecurity Act (“CA”), aligning the country with the requirements of Directive (EU) 2022/2555 (“NIS2”).
The amendment was adopted by the National Assembly on 5 February 2026 and is expected to be promulgated shortly in the State Gazette. This reform represents the most extensive modernisation of the Bulgarian cybersecurity framework since the CA was first adopted in 2018. With it, cybersecurity becomes not only a regulatory obligation but a strategic business priority affecting governance, operations, supply chains and risk management across almost all critical and economically relevant sectors.
Strategic background and policy direction
The newly adopted amendment to the CA reshapes Bulgaria’s cybersecurity landscape by shifting from compliance‑as‑documentation towards compliance‑as‑capability. The amended CA transposes the requirements of NIS2, embeds European cybersecurity standards into national legislation, and elevates cybersecurity to a fundamental component of business resilience, public trust and national security.
The legislative focus moves to operational readiness, demonstrable risk management and coordinated incident response. The reform reflects the reality that cyber risks have systemic impact across public and private sectors and that regulatory expectations now require proactive, measurable and continuously maintained cyber maturity.
Key structural changes introduced in the CA
The CA’s terminology is now aligned with EU law, replacing “network and information security” with the unified term “cybersecurity” and introducing the concept of achieving a “high common level of cybersecurity.”
A central, non‑public register of essential and important entities will be maintained by the Ministry of e‑Government, enabling structured, risk‑based national oversight. At the same time, the reform modernises national strategic planning: Bulgaria now operates under an expanded national cybersecurity strategy and a new National Response Plan for Large‑Scale Cyber Incidents, ensuring stronger coordination between state institutions, regulators and the private sector.
Mandatory risk‑management measures and incident reporting
Leadership accountability is one of the core pillars of the amended CA. Executive bodies of essential and important entities must approve cybersecurity risk‑management measures and ensure their ongoing implementation. Executive and management teams must undergo cybersecurity training at least every two years, institutionalising cyber awareness at governance level.
The CA requires organisations to implement comprehensive risk‑management frameworks covering incident response, business continuity, disaster recovery, vulnerability management, encryption, identity and access management, secure development practices, supply‑chain risk and continuous monitoring.
Incident reporting is now standardised in three mandatory phases:
- Early warning within 24 hours.
- Detailed incident notification within 72 hours.
- Final incident report within one month.
These obligations require organisations to establish genuine 24/7 monitoring and response capabilities and to rehearse escalation pathways well in advance of regulatory scrutiny: an early warning within 24 hours is only achievable if detection, triage and the decision to notify are already defined, staffed and tested.
Oversight, enforcement & sanctions
Supervisory authorities now operate with significantly expanded powers, including scheduled, targeted and unannounced audits, mandatory requests for evidence and the ability to require corrective measures, suspend licenses or mandate public disclosure of breaches. Sanctions reach levels comparable to GDPR‑style regimes.
Essential entities (enumerated in Annex 1 of the CA, such as those in energy, finance, healthcare, transport and digital infrastructure) may face fines of up to 2% of global annual turnover or BGN 20 million (approx. EUR 10.2 million), whichever is higher. Important entities (in‑scope entities that are not classified as essential) may be fined up to 1.4% of global annual turnover or BGN 14 million, whichever is higher. Management representatives may also face individual administrative liability.
This enforcement framework signals that cybersecurity failures may have major financial, legal and reputational consequences.
Expanded sectoral scope: 18 regulated sectors
The CA dramatically widens its scope from 8 to 18 sectors, covering not only traditional critical infrastructure but also high‑impact industries previously outside the cybersecurity regulatory perimeter. In addition to energy, transport, healthcare, finance, digital infrastructure and public administration, the law now applies to:
- postal and courier services;
- waste‑management operators;
- food and chemical production;
- scientific research institutions;
- ICT service management (business‑to‑business);
- numerous industrial manufacturing subsectors; and
- space‑related ground infrastructure.
Digital infrastructure receives particular attention, including DNS providers, top‑level domain registries, cloud services, data centres, CDNs, electronic communications operators and qualified trust service providers. For these categories, the CA expects high levels of operational maturity and rapid incident‑response capability.
Business implications: Operational, governance and contractual impact
For businesses, the CA transforms cybersecurity into a central governance and contractual matter. Supplier agreements will require updates to include cybersecurity clauses, audit rights, incident‑notification obligations, technology substitution mechanisms and supply‑chain security requirements.
Organisations must maintain updated inventories of systems, data and external dependencies and implement continuous monitoring, incident‑response playbooks and regularly tested business continuity and disaster‑recovery plans. Multinational companies must also ensure alignment across jurisdictions, particularly in relation to reporting timelines and cross‑border regulatory coordination.
With the amendments in the CA already adopted, organisations should:
- determine whether they qualify as an essential or important entity;
- conduct a gap assessment against article 22 risk‑management obligations;
- review and update contracts with suppliers and cloud providers;
- implement or enhance 24/7 security monitoring and incident response;
- update business continuity and recovery procedures;
- train executive and operational teams; and
- prepare for regulatory audits and evidence‑based compliance.
The amended CA marks a decisive shift towards enforced cyber maturity. Organisations that act early will not only reduce regulatory exposure but will also strengthen resilience and stakeholder trust.
Wolf Theiss has established a dedicated cybersecurity advisory and response team which, based on our extensive regional and sectoral experience, will guide and accompany our clients in complying with this new legislation. In collaboration with leading IT consultancy and advisory providers, we are prepared to assist with all aspects of cybersecurity compliance for both local and cross-border businesses.