Cybersecurity is now the responsibility of senior management, not just the IT department

Recent amendments to Bulgaria’s Cybersecurity Act, implementing the EU’s NIS2 Directive, mark a significant shift in how cybersecurity obligations are structured and enforced. The focus is now placed squarely on the transition from formal, document-based compliance to demonstrable, results-driven security measures. The new framework significantly expands the scope of affected sectors, introduces strict organisational and technical requirements and, notably, places direct responsibility on senior management, exposing directors to personal liability and substantial financial penalties.

Originally authored in Bulgarian by Alexander Glavchev and published on Capital.bg, the article draws on insights shared by Oleg Temnikov during his participation in a Digitalks podcast episode earlier this year. The article provides a detailed overview of the practical implications of the new regime, including the challenges faced by businesses, the impact on market participants and the broader regulatory context at EU level. It also highlights emerging risks related to supply chains, enforcement and institutional preparedness. For companies operating in or connected to the Bulgarian market, the discussion offers valuable insight into compliance expectations and the strategic adjustments required under the evolving cybersecurity landscape.