Internet & Online Safety ยท Bulgaria
Online safety in Bulgaria: the EU Digital Services Act (2026)
Bulgaria shaded by its internet & online safety status
Online safety rules in Bulgaria: comprehensive law, under EU Digital Services Act (Regulation (EU) 2022/2065), implemented nationally via amendments to the Electronic Communications Act designating the Communications Regulation Commission (CRC) as Digital Services Coordinator; plus EU GDPR and the Audiovisual Media Services framework (Council for Electronic Media).
Bulgaria's online content/safety regime is anchored by the directly-applicable EU Digital Services Act, with national implementing rules now in force. Amendments to the Electronic Communications Act adopted on 6 November 2025 (effective 25 November 2025) designate the Communications Regulation Commission (CRC) as the Digital Services Coordinator and competent authority, alongside the Council for Electronic Media (video-sharing platforms) and the Commission for Personal Data Protection. Bulgaria has no separate national age-verification law for online content; platform liability and content-moderation duties flow from the DSA's harmonised EU framework.
The Digital Services Act in Bulgaria
In Bulgaria, online platforms and intermediaries are governed by the EU Digital Services Act (DSA), a directly-applicable regulation covering illegal content, transparency and user protection.
- Framework
- the EU Digital Services Act (Regulation (EU) 2022/2065)
- Approach
- notice-and-action on illegal content, transparency reporting, clear terms, and protection of minors
- Applies to
- online intermediaries, hosting services and platforms offering services to users in Bulgaria, wherever established
- Very large platforms
- platforms and search engines with 45M+ EU users face extra systemic-risk audits, overseen by the European Commission
- Maximum fine
- up to 6% of global annual turnover
- Oversight
- the national Digital Services Coordinator, plus the European Commission for very large platforms
The DSA is an EU regulation applied directly in Bulgaria; the national Digital Services Coordinator handles day-to-day supervision.
The Digital Services Act in Bulgaria: FAQ
Yes. As an EU member, Bulgaria is covered by the EU Digital Services Act (Regulation (EU) 2022/2065), which applies directly.
Notice-and-action mechanisms for illegal content, transparency reporting, clear terms of service, and measures to protect minors.
The national Digital Services Coordinator, with the European Commission supervising very large online platforms and search engines.
Up to 6% of a provider's global annual turnover for serious breaches.
Key points
The DSA applies directly across Bulgaria as an EU regulation; Parliament adopted Electronic Communications Act amendments on 6 November 2025, in force 25 November 2025, completing the national framework and ending the EU infringement procedure opened in 2024.
The Communications Regulation Commission (CRC) is the designated Digital Services Coordinator with supervisory and enforcement powers, including certifying out-of-court dispute-settlement bodies and awarding trusted-flagger and vetted-researcher status.
Supervision is split: the CRC covers intermediary services (and online-interface design and recommender-system transparency across all services), the Council for Electronic Media covers video-sharing platforms, and the Commission for Personal Data Protection covers specific privacy-related areas.
Intermediary/hosting liability, notice-and-action, illegal-content takedown, transparency and risk-mitigation duties are set by the DSA's harmonised EU rules rather than a separate Bulgarian statute; the EC enforces directly against Very Large Online Platforms.
Bulgaria has no national law, technical standard or policy mandating age-verification to restrict minors' access to adult/harmful online content, and no plan to deploy an EU Digital Identity Wallet for minors; child-online-safety measures rely on the DSA minor-protection guidelines (July 2025) and a national child-violence-prevention programme.
The internet is open and unrestricted (Bulgaria rates 'free'); concerns center on media capture, opaque online-media ownership and SLAPP lawsuits rather than state internet censorship, and EMFA transposition has stalled.
Timeline - major decisions & events
Bulgaria's Parliament adopted comprehensive amendments to the Cybersecurity Act transposing Directive (EU) 2022/2555 (NIS2), expanding covered sectors from 8 to 18, introducing 'essential' vs 'important' entity tiers, and raising maximum fines to โฌ10 million / 2% of global turnover for essential entities. The law was promulgated in the State Gazette on 13 February 2026, over 15 months after the EU's 17 October 2024 deadline.
CMS Law Bulgaria โAmendments to the Electronic Communications Act entered into force, formally empowering the Communications Regulation Commission (CRC) as Bulgaria's Digital Services Coordinator with supervisory and penalty powers under the EU Digital Services Act, and designating the Council for Electronic Media as competent authority for video-sharing services. The legislation closed the gap that had triggered EU infringement proceedings in December 2024.
Kinstellar โThe Commission sent a letter of formal notice (INFR(2024)2241) to Bulgaria for failing to legislatively empower a Digital Services Coordinator and failing to set applicable penalty rules by the 17 February 2024 DSA deadline, initiating formal infringement proceedings against Bulgaria alongside Belgium, Spain, the Netherlands, and Poland.
European Commission โBy Decision No. 405/13.6.2024, Bulgaria's Council of Ministers administratively designated the Communications Regulation Commission as the national Digital Services Coordinator under the DSA, an interim step that lacked the necessary legislative basis, leaving enforcement powers ungranted and prompting the Commission's subsequent infringement action six months later.
Bird & Bird DSA Tracker โThe pro-Russian hacktivist group Killnet launched a large-scale distributed denial-of-service attack that temporarily took offline the websites of Bulgaria's Presidency, Defence Ministry, Interior Ministry, Justice Ministry, and Constitutional Court, framing it as retaliation for alleged Bulgarian support of Ukraine. The incident exposed gaps in state cyber-resilience and reinforced political pressure to accelerate NIS2 transposition.
The Record (Recorded Future News) โThe Commission for Personal Data Protection (CPDP) imposed a BGN 5.1 million (~โฌ2.6 million) fine on the National Revenue Agency for failing to implement adequate technical and organizational security measures following Bulgaria's largest-ever personal data breach. It was one of the earliest and largest GDPR enforcement actions in Central and Eastern Europe.
IAPP (citing CPDP decision) โA hacker breached the National Revenue Agency and extracted approximately 11 GB of tax, insurance, and personal data belonging to over five million Bulgarian citizens, nearly every working adult in the country, and leaked a portion to local media. The breach was the largest in Bulgarian history and catalysed the country's first major GDPR enforcement action.
OCCRP โAmendments to the Personal Data Protection Act (State Gazette No. 17, 26 February 2019) adapted the 2002 foundational Act to the EU General Data Protection Regulation and simultaneously transposed Directive (EU) 2016/680 on law-enforcement data processing, completing Bulgaria's formal GDPR alignment.
Commission for Personal Data Protection (CPDP) โBulgaria's Parliament enacted the Cybersecurity Act, transposing EU Directive 2016/1148 (NIS) and establishing the national cybersecurity governance architecture: CERT Bulgaria, sector-specific CSIRTs, and mandatory security obligations for operators of essential services and digital service providers. The Ministry of Electronic Governance was designated the national competent authority.
CMS Law Now โOn joining the EU, Bulgaria became bound by the entire EU digital regulatory acquis, including the e-Commerce Directive (2000/31/EC), the Electronic Communications Framework Directives, and EU data-protection rules. The Communications Regulation Commission was established as the principal regulator under an Electronic Communications Act aligned with EU standards, creating the foundational supervisory infrastructure for online safety.
European Union official portal โBulgaria - other topics
Internet & Online Safety in other countries
Last verified 5/25/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ