Skip to content
World Watch/Bulgaria/Internet & Online Safety

Internet & Online Safety ยท Bulgaria

Online safety in Bulgaria: the EU Digital Services Act (2026)

Comprehensive lawEU Digital Services Act (Regulation (EU) 2022/2065), implemented nationally via amendments to the Electronic Communications Act designating the Communications Regulation Commission (CRC) as Digital Services Coordinator; plus EU GDPR and the Audiovisual Media Services framework (Council for Electronic Media)Country index 96 ยท A+

Bulgaria shaded by its internet & online safety status

Online safety rules in Bulgaria: comprehensive law, under EU Digital Services Act (Regulation (EU) 2022/2065), implemented nationally via amendments to the Electronic Communications Act designating the Communications Regulation Commission (CRC) as Digital Services Coordinator; plus EU GDPR and the Audiovisual Media Services framework (Council for Electronic Media).

Bulgaria's online content/safety regime is anchored by the directly-applicable EU Digital Services Act, with national implementing rules now in force. Amendments to the Electronic Communications Act adopted on 6 November 2025 (effective 25 November 2025) designate the Communications Regulation Commission (CRC) as the Digital Services Coordinator and competent authority, alongside the Council for Electronic Media (video-sharing platforms) and the Commission for Personal Data Protection. Bulgaria has no separate national age-verification law for online content; platform liability and content-moderation duties flow from the DSA's harmonised EU framework.

The Digital Services Act in Bulgaria

In Bulgaria, online platforms and intermediaries are governed by the EU Digital Services Act (DSA), a directly-applicable regulation covering illegal content, transparency and user protection.

Framework
the EU Digital Services Act (Regulation (EU) 2022/2065)
Approach
notice-and-action on illegal content, transparency reporting, clear terms, and protection of minors
Applies to
online intermediaries, hosting services and platforms offering services to users in Bulgaria, wherever established
Very large platforms
platforms and search engines with 45M+ EU users face extra systemic-risk audits, overseen by the European Commission
Maximum fine
up to 6% of global annual turnover
Oversight
the national Digital Services Coordinator, plus the European Commission for very large platforms

The DSA is an EU regulation applied directly in Bulgaria; the national Digital Services Coordinator handles day-to-day supervision.

The Digital Services Act in Bulgaria: FAQ

Does the Digital Services Act apply in Bulgaria?

Yes. As an EU member, Bulgaria is covered by the EU Digital Services Act (Regulation (EU) 2022/2065), which applies directly.

What does the DSA require of platforms in Bulgaria?

Notice-and-action mechanisms for illegal content, transparency reporting, clear terms of service, and measures to protect minors.

Who enforces the DSA in Bulgaria?

The national Digital Services Coordinator, with the European Commission supervising very large online platforms and search engines.

What are the penalties under the DSA in Bulgaria?

Up to 6% of a provider's global annual turnover for serious breaches.

Key points

DSA in force + national implementation

The DSA applies directly across Bulgaria as an EU regulation; Parliament adopted Electronic Communications Act amendments on 6 November 2025, in force 25 November 2025, completing the national framework and ending the EU infringement procedure opened in 2024.

Digital Services Coordinator

The Communications Regulation Commission (CRC) is the designated Digital Services Coordinator with supervisory and enforcement powers, including certifying out-of-court dispute-settlement bodies and awarding trusted-flagger and vetted-researcher status.

Multiple competent authorities

Supervision is split: the CRC covers intermediary services (and online-interface design and recommender-system transparency across all services), the Council for Electronic Media covers video-sharing platforms, and the Commission for Personal Data Protection covers specific privacy-related areas.

Platform liability via DSA

Intermediary/hosting liability, notice-and-action, illegal-content takedown, transparency and risk-mitigation duties are set by the DSA's harmonised EU rules rather than a separate Bulgarian statute; the EC enforces directly against Very Large Online Platforms.

Age verification, no national law

Bulgaria has no national law, technical standard or policy mandating age-verification to restrict minors' access to adult/harmful online content, and no plan to deploy an EU Digital Identity Wallet for minors; child-online-safety measures rely on the DSA minor-protection guidelines (July 2025) and a national child-violence-prevention programme.

Press/internet freedom context

The internet is open and unrestricted (Bulgaria rates 'free'); concerns center on media capture, opaque online-media ownership and SLAPP lawsuits rather than state internet censorship, and EMFA transposition has stalled.

Timeline - major decisions & events

Feb 5, 2026law
NIS2 Cybersecurity Act Amendments Enacted, 15 Months Late

Bulgaria's Parliament adopted comprehensive amendments to the Cybersecurity Act transposing Directive (EU) 2022/2555 (NIS2), expanding covered sectors from 8 to 18, introducing 'essential' vs 'important' entity tiers, and raising maximum fines to โ‚ฌ10 million / 2% of global turnover for essential entities. The law was promulgated in the State Gazette on 13 February 2026, over 15 months after the EU's 17 October 2024 deadline.

CMS Law Bulgaria โ†—
Nov 25, 2025law
Electronic Communications Act Amendments Implement DSA, Infringement Proceedings Resolved

Amendments to the Electronic Communications Act entered into force, formally empowering the Communications Regulation Commission (CRC) as Bulgaria's Digital Services Coordinator with supervisory and penalty powers under the EU Digital Services Act, and designating the Council for Electronic Media as competent authority for video-sharing services. The legislation closed the gap that had triggered EU infringement proceedings in December 2024.

Kinstellar โ†—
Dec 16, 2024enforcementofficial
European Commission Opens Infringement Proceedings Against Bulgaria for DSA Non-Compliance

The Commission sent a letter of formal notice (INFR(2024)2241) to Bulgaria for failing to legislatively empower a Digital Services Coordinator and failing to set applicable penalty rules by the 17 February 2024 DSA deadline, initiating formal infringement proceedings against Bulgaria alongside Belgium, Spain, the Netherlands, and Poland.

European Commission โ†—
Jun 13, 2024decision
Council of Ministers Designates CRC as Digital Services Coordinator

By Decision No. 405/13.6.2024, Bulgaria's Council of Ministers administratively designated the Communications Regulation Commission as the national Digital Services Coordinator under the DSA, an interim step that lacked the necessary legislative basis, leaving enforcement powers ungranted and prompting the Commission's subsequent infringement action six months later.

Bird & Bird DSA Tracker โ†—
Oct 15, 2022incident
Killnet DDoS Attack Disrupts Bulgarian Government Websites

The pro-Russian hacktivist group Killnet launched a large-scale distributed denial-of-service attack that temporarily took offline the websites of Bulgaria's Presidency, Defence Ministry, Interior Ministry, Justice Ministry, and Constitutional Court, framing it as retaliation for alleged Bulgarian support of Ukraine. The incident exposed gaps in state cyber-resilience and reinforced political pressure to accelerate NIS2 transposition.

The Record (Recorded Future News) โ†—
Aug 29, 2019enforcement
CPDP Fines National Revenue Agency BGN 5.1 Million, First Major GDPR Enforcement Action

The Commission for Personal Data Protection (CPDP) imposed a BGN 5.1 million (~โ‚ฌ2.6 million) fine on the National Revenue Agency for failing to implement adequate technical and organizational security measures following Bulgaria's largest-ever personal data breach. It was one of the earliest and largest GDPR enforcement actions in Central and Eastern Europe.

IAPP (citing CPDP decision) โ†—
Jul 15, 2019incident
NRA Data Breach: Personal Data of Over 5 Million Bulgarians Exfiltrated

A hacker breached the National Revenue Agency and extracted approximately 11 GB of tax, insurance, and personal data belonging to over five million Bulgarian citizens, nearly every working adult in the country, and leaked a portion to local media. The breach was the largest in Bulgarian history and catalysed the country's first major GDPR enforcement action.

OCCRP โ†—
Feb 26, 2019lawofficial
GDPR Implementing Law Promulgated, Personal Data Protection Act Modernised

Amendments to the Personal Data Protection Act (State Gazette No. 17, 26 February 2019) adapted the 2002 foundational Act to the EU General Data Protection Regulation and simultaneously transposed Directive (EU) 2016/680 on law-enforcement data processing, completing Bulgaria's formal GDPR alignment.

Commission for Personal Data Protection (CPDP) โ†—
Oct 31, 2018law
Cybersecurity Act Enacted, NIS Directive Transposed

Bulgaria's Parliament enacted the Cybersecurity Act, transposing EU Directive 2016/1148 (NIS) and establishing the national cybersecurity governance architecture: CERT Bulgaria, sector-specific CSIRTs, and mandatory security obligations for operators of essential services and digital service providers. The Ministry of Electronic Governance was designated the national competent authority.

CMS Law Now โ†—
Jan 1, 2007lawofficial
EU Accession: Full Digital and Communications Acquis Becomes Applicable

On joining the EU, Bulgaria became bound by the entire EU digital regulatory acquis, including the e-Commerce Directive (2000/31/EC), the Electronic Communications Framework Directives, and EU data-protection rules. The Communications Regulation Commission was established as the principal regulator under an Electronic Communications Act aligned with EU standards, creating the foundational supervisory infrastructure for online safety.

European Union official portal โ†—

Bulgaria - other topics

Internet & Online Safety in other countries

Last verified 5/25/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ†’