Cybersecurity regulation in Bulgaria (2026)
Bulgaria transposed the NIS2 Directive by amending its Cybersecurity Act, adopted by Parliament on 5 February 2026 and in force from 13 February 2026 — after infringement proceedings and a May 2025 CJEU referral by the European Commission for late transposition. The amended Act introduces a dual classification of 'essential' and 'important' entities across 18 sectors, mandates tiered incident-reporting to sectoral CSIRTs, and imposes GDPR-scale administrative fines. In several areas Bulgaria opted for stricter national rules than the NIS2 minimum, notably expanding food-sector obligations beyond the Directive's scope.
Key points
Bulgaria missed the 17 October 2024 NIS2 transposition deadline; the Commission opened infringement proceedings in November 2024 and referred Bulgaria to the Court of Justice in May 2025. Parliament finally adopted the amending law on 5 February 2026, promulgated in the State Gazette on 13 February 2026.
Coverage expanded from 8 to 18 sectors (adding space, wastewater, ICT service management, chemicals, food, postal/courier, manufacturing, etc.). Medium-sized enterprises and above operating in covered sectors qualify as essential or important entities; the previous designation-based system was replaced by automatic size- and sector-based classification.
Significant incidents must be reported to the relevant sectoral CSIRT in three stages: an early warning within 24 hours of awareness, a full incident notification within 72 hours (with initial severity and impact assessment), and a final report within one month. CERT Bulgaria operates at the national level alongside sector-specific CSIRTs.
The Ministry of Electronic Governance is the primary national competent authority and Single Point of Contact under NIS2. It maintains a non-public register of covered entities and coordinates with sector-specific regulators (energy, finance, transport, health, etc.) that hold concurrent supervisory powers in their domains.
Essential entities face fines up to EUR 10 million or 2 % of global annual turnover (whichever is higher); important entities up to EUR 7 million or 1.4 % of global annual turnover. Members of management bodies may be held personally liable with individual fines up to EUR 5,000 for personal breaches of duty.
Bulgaria exercised its discretion to exceed NIS2 minimum requirements in several areas, including extending food-sector cybersecurity obligations to all food businesses (not only wholesale distributors and industrial producers as the Directive requires), and expanding coverage to educational institutions conducting R&D and entities providing electronic administrative services.
Timeline - major decisions & events
Bulgaria's comprehensively amended Cybersecurity Act, transposing EU Directive 2022/2555 (NIS2), became operative on 17 February 2026 — more than 16 months after the EU deadline. The new framework expands covered sectors from 8 to 18, introduces the essential/important entity classification, mandates biennial management cybersecurity training, sets a two-week registration-change deadline, and requires the Council of Ministers to adopt a new National Cybersecurity Strategy. (Source: Kinstellar)
The Bulgarian National Assembly passed the Law Amending and Supplementing the Cybersecurity Act on 5 February 2026 (promulgated in the State Gazette on 13 February). The reform restructures oversight around essential and important entities, builds out the national register of in-scope entities, and introduces explicit governance and management accountability mechanisms aligned with the NIS2 model. (Source: CMS Law Bulgaria)
After Bulgaria missed the 17 October 2024 NIS2 transposition deadline, the European Commission formally opened infringement proceedings for failure to transpose Directive 2022/2555 into national law. This initiated an escalating EU enforcement process that would culminate in a reasoned opinion in May 2025. (Source: European Commission — Digital Strategy)
Pro-Russian hacker group Killnet launched coordinated DDoS attacks knocking offline the websites of the Presidential Administration, Defense Ministry, Interior Ministry, Justice Ministry, and Constitutional Court, citing Bulgaria's weapons support to Ukraine. No sensitive data was exfiltrated, but the incident exposed gaps in government digital resilience and spurred calls for stronger incident-response capabilities. (Source: The Record (Recorded Future News))
The Cybersecurity Monitoring and Response Centre within the State Agency for National Security (DANS) became operational, pursuant to 2021 amendments to the Cybersecurity Act. The Centre is responsible for monitoring critical information systems and coordinating responses to cyber incidents with national security implications. (Source: CMS Expert Guide — Bulgaria)
The Council of Ministers adopted an updated National Cybersecurity Strategy superseding the 2016 strategy, extending the planning horizon to 2023 and aligning with evolving EU policy including the anticipated NIS2 Directive. The strategy reinforced objectives around critical-infrastructure protection, incident response, and international cyber diplomacy. (Source: ENISA — National Cyber Security Strategies)
Bulgaria's Commission for Personal Data Protection (CPDP) imposed a fine of 5.1 million BGN (~€2.5 million) on the National Revenue Agency for failing to implement adequate technical and organisational security measures, marking the largest data-protection enforcement action in Bulgarian history under the GDPR. (Source: Wolf Theiss)
A hacker exploited a SQL injection vulnerability in a VAT refund service to exfiltrate approximately 11 GB of data covering over 5 million Bulgarian citizens (virtually the entire adult population), including national ID numbers, income figures, health and pension records. The breach prompted a parliamentary inquiry, an EU-level inquiry, and the largest GDPR fine issued in Bulgaria. (Source: European Parliament — Parliamentary Question E-2019-002962)
The Bulgarian Parliament enacted the Cybersecurity Act on 31 October 2018, transposing EU Directive 2016/1148 (NIS 1). The law established the national governance architecture for cybersecurity, designated national and sector-specific competent authorities, created CERT Bulgaria, and set binding security and incident-notification obligations for operators of essential services and digital service providers. (Source: CMS Law Bulgaria)
The Council of Ministers adopted Bulgaria's inaugural National Cybersecurity Strategy on 13 July 2016, establishing nine strategic objectives: building the national cybersecurity system, ensuring network and information security, protecting critical infrastructure, improving the regulatory framework, fighting cybercrime, strengthening cyber defence, raising public awareness, fostering R&I, and advancing cyber diplomacy. The strategy laid the policy foundation for the 2018 Cybersecurity Act. (Source: ENISA — National Cyber Security Strategies Map)
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.