Cybersecurity · Bulgaria
Bulgaria transposed the NIS2 Directive by amending its Cybersecurity Act, adopted by Parliament on 5 February 2026 and in force from 13 February 2026 — after infringement proceedings and a May 2025 CJEU referral by the European Commission for late transposition. The amended Act introduces a dual classification of 'essential' and 'important' entities across 18 sectors, mandates tiered incident-reporting to sectoral CSIRTs, and imposes GDPR-scale administrative fines. In several areas Bulgaria opted for stricter national rules than the NIS2 minimum, notably expanding food-sector obligations beyond the Directive's scope.
Bulgaria missed the 17 October 2024 NIS2 transposition deadline; the Commission opened infringement proceedings in November 2024 and referred Bulgaria to the Court of Justice in May 2025. Parliament finally adopted the amending law on 5 February 2026, promulgated in the State Gazette on 13 February 2026.
Coverage expanded from 8 to 18 sectors (adding space, wastewater, ICT service management, chemicals, food, postal/courier, manufacturing, etc.). Medium-sized enterprises and above operating in covered sectors qualify as essential or important entities; the previous designation-based system was replaced by automatic size- and sector-based classification.
Significant incidents must be reported to the relevant sectoral CSIRT in three stages: an early warning within 24 hours of awareness, a full incident notification within 72 hours (with initial severity and impact assessment), and a final report within one month. CERT Bulgaria operates at the national level alongside sector-specific CSIRTs.
The Ministry of Electronic Governance is the primary national competent authority and Single Point of Contact under NIS2. It maintains a non-public register of covered entities and coordinates with sector-specific regulators (energy, finance, transport, health, etc.) that hold concurrent supervisory powers in their domains.
Essential entities face fines up to EUR 10 million or 2 % of global annual turnover (whichever is higher); important entities up to EUR 7 million or 1.4 % of global annual turnover. Members of management bodies may be held personally liable with individual fines up to EUR 5,000 for personal breaches of duty.
Bulgaria exercised its discretion to exceed NIS2 minimum requirements in several areas, including extending food-sector cybersecurity obligations to all food businesses (not only wholesale distributors and industrial producers as the Directive requires), and expanding coverage to educational institutions conducting R&D and entities providing electronic administrative services.
Machine-assisted translation · verified 5/24/2026 · orientation, not legal advice.