Bulgaria NIS2 Enforcement: €10M/2% Fines in Full Force After 50% Grace Period Expired June 1, 2026
On June 1, 2026, the most operationally significant threshold in Bulgaria’s NIS2 framework passed without announcement. Until that date, §51 of the amended Cybersecurity Act provided a 50% reduction in administrative fines for violations committed during the initial implementation period. From June 1 onward, essential entities face the full statutory ceiling: up to €10,000,000 or 2% of total worldwide annual turnover, whichever is higher. Important entities face up to €7,000,000 or 1.4% of worldwide turnover. No reduction applies.
Bulgaria’s road to NIS2 transposition was the longest in the EU. The original EU deadline was October 17, 2024. The European Commission opened infringement proceedings in November 2024, and in May 2025 referred Bulgaria to the Court of Justice for failure to notify transposition. The Bulgarian Parliament adopted the Law amending and supplementing the Cybersecurity Act on 5 February 2026; it was promulgated in the State Gazette on 13 February 2026 and entered into force on 17 February 2026.
This guide covers exactly what that enforcement shift means now: the Bulgarian penalty tiers and the minimum fine floors Bulgaria added beyond what the NIS2 Directive requires, what §51 meant during the grace period and what it does not protect against today, how the State e-Government Agency (SEGA) and sector-specific regulators enforce the framework, and the technology restriction mechanism that gives the Council of Ministers authority to mandate equipment replacements with a three-year compliance window.
Who Must Comply — Essential and Important Entities in Bulgaria
Bulgaria’s amended Cybersecurity Act applies to entities in 18 regulated sectors — an expansion from the 8 sectors covered under the previous NIS1 framework. The distinction between essential and important entities determines both the fine ceiling and the supervisory intensity applied.
Essential entities operate in Annex I sectors (energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space) and meet the large-enterprise threshold: 250 or more employees, or annual turnover exceeding €50 million.
Important entities include Annex I operators that are medium-sized, plus all operators in Annex II sectors (postal and courier services, waste management, manufacture and distribution of chemicals, food production, manufacturing, digital providers, research). Bulgaria defines a medium enterprise as an organisation with at least 50 employees OR annual turnover or balance sheet total exceeding €10 million — a threshold that brings more businesses into scope than the EU’s standard definition.
| Entity type | Sectors | Size threshold | Fine ceiling |
|---|---|---|---|
| Essential | Annex I (11 critical sectors) | 250+ employees or >€50M turnover | €10M or 2% of global turnover |
| Important | Annex I (medium) or Annex II (7 sectors) | 50–249 employees or €10M–€50M turnover | €7M or 1.4% of global turnover |
| Size-exempt | TLD registries, trust service providers, electronic communications | Any size | Applies per classification above |
Three categories fall within scope regardless of size: top-level domain name registries, trust service providers, and electronic communications providers. Municipalities with more than 50,000 inhabitants are classified as essential entities under the public administration sector. For a full scope determination, see the essential vs. important entity classification guide.
Quick-check checklist:
- Annex I sector + 250+ employees or >€50M turnover → Essential entity, €10M/2% ceiling
- Annex I + 50–249 employees or €10M–€50M turnover → Important entity, €7M/1.4% ceiling
- Any Annex II sector + meets medium-size threshold → Important entity
- TLD registry, trust service provider, or electronic communications provider → In scope regardless of size
- Bulgarian municipality above 50,000 population → Essential entity
The Bulgarian Penalty Tiers — EU Baseline Plus National Minimum Floors
NIS2 Directive Article 34(1) requires member states to ensure that administrative fines are “effective, proportionate and dissuasive, taking into account the circumstances of each individual case.” Article 34(4) sets the ceiling for essential entities at €10,000,000 or 2% of total worldwide annual turnover, whichever is higher. Article 34(5) sets €7,000,000 or 1.4% for important entities. These are EU-mandated minimums for what national maximum fines must be — member states may go higher.
Bulgaria did not raise the ceilings. Instead, it added something the NIS2 Directive does not require: explicit minimum fine floors that no supervisory authority can undercut regardless of mitigating circumstances.
Bulgarian minimum fine floors:
- Essential entities: €25,000 minimum per violation
- Important entities: €12,500 minimum per violation
| Entity type | Minimum fine | Maximum fine | Legal basis |
|---|---|---|---|
| Essential | €25,000 | €10,000,000 or 2% of global turnover (higher) | Cybersecurity Act + NIS2 Art. 34(4) |
| Important | €12,500 | €7,000,000 or 1.4% of global turnover (higher) | Cybersecurity Act + NIS2 Art. 34(5) |
These floors serve a clear purpose: without a statutory minimum, a proportionality argument could push fines below the level needed to change behaviour for small-but-essential organisations — such as a trust service provider with a handful of employees. The floor ensures sanctions remain financially meaningful regardless of organisational size.
Procedural breach tier. Violations of notification or registration requirements — distinct from substantive security failures — carry a separate penalty tier ranging from approximately €200,000 to €2,000,000 depending on severity and duration.
Daily penalty payments. For ongoing violations, authorities may impose recurring fines of up to BGN 200,000 (approximately €102,000) per day. Article 34(6) of the NIS2 Directive explicitly permits this mechanism to compel cessation of infringements. Each day an entity fails to implement an ordered corrective measure triggers an additional payment.
Public sector carve-out. Bulgarian state institutions and public bodies are not subject to financial penalties. Supervisory authorities retain all non-financial enforcement powers against public sector entities — binding instructions, mandatory audit orders, and public disclosure requirements remain available.
The 50% Grace Period — What §51 Meant and Why It No Longer Applies
Section 51 of the February 2026 amendments to the Cybersecurity Act established an explicit transitional provision: administrative fines for violations committed before 1 June 2026 were reduced by 50%. The grace period was not a period of non-enforcement. Core obligations — entity registration, incident notification, and risk management measures under Article 21 — applied from the law’s entry into force on 17 February 2026. What §51 reduced was the financial consequence of violations during the initial implementation months.
An essential entity that violated Article 21 requirements in March 2026 faced a maximum fine of €5,000,000 (50% of €10M) rather than the full ceiling. From 1 June 2026 onward, the full statutory amounts apply without reduction.
| Period | Fine multiplier | Essential entity example (€200M revenue) |
|---|---|---|
| 17 Feb – 31 May 2026 | 50% of statutory amount | Max €5M or 1% of turnover |
| 1 June 2026 onward | 100% of statutory amount | Max €10M or 2% of turnover |
One practical clarification matters for organisations currently under investigation: §51 applies to when the violation occurred, not when it was discovered or when enforcement action was initiated. An investigation opened in July 2026 for a documented violation from March 2026 would apply the 50% reduction to that specific violation. Violations that began before June 1 and continued after it are treated based on when each individual breach of obligation occurred.
Management personal liability is not subject to a separate grace period. Individual members of management bodies face personal fines from €500 to €5,000 per violation. These personal fines are imposed independently of — and in addition to — entity-level sanctions. A board member who fails to approve and oversee cybersecurity risk-management measures faces individual liability even if the entity itself is separately fined for the same failure.
A related obligation compounds this exposure: management body members must complete cybersecurity training every two years. Failing to meet the biennial training requirement is itself a sanctionable breach, capable of triggering personal fine liability independently of any underlying security incident.
SEGA’s Supervisory Powers — What Enforcement Looks Like in Practice
The State e-Government Agency (SEGA) functions as Bulgaria’s central NIS2 coordinating authority. It manages the entity registration portal, maintains the national risk-management catalogue, receives cross-sector incident reports, and coordinates with sectoral competent authorities who hold primary supervisory responsibility in their domains.
Bulgaria operates a distributed supervisory model. The Bulgarian National Bank (BNB) supervises banking sector entities. The Energy and Water Regulatory Commission (EWRC) covers energy operators. The Communications Regulation Commission (CRC) has joint responsibility for electronic communications providers and co-proposes the relevant ordinances with the Ministry of Electronic Governance. SEGA coordinates this distributed architecture and holds direct supervisory authority for public administration sector entities.
The amended Cybersecurity Act gives SEGA and sector authorities a substantially expanded enforcement toolkit compared to NIS1:
1. Audit authority. Supervisory authorities may conduct three types of audit: scheduled audits announced in advance, targeted audits triggered by specific risk indicators or complaints, and unannounced audits. The unannounced audit power is new under the NIS2 framework — NIS1 did not provide for it. There is no minimum notice period for an unannounced audit, and refusal to cooperate is itself a sanctionable breach.
2. Binding instructions. Authorities may issue mandatory corrective orders requiring entities to implement specific security measures within defined timeframes. Non-compliance with a binding instruction does not merely delay enforcement — it triggers the daily penalty mechanism described above, compounding financial exposure for every day the order is not executed.
3. Mandatory security audit orders. Entities may be required to engage an approved external security auditor at their own cost. Audit findings are reported directly to the supervisory authority. Material gaps identified in an external audit create an independent record that can be used as the basis for further enforcement action.
4. Public disclosure requirements. Supervisory authorities may order entities to publicly disclose specific violations. This reputational sanction operates separately from financial penalties and functions as a market-facing deterrent: B2B operators in banking, healthcare, and digital services face customer and partner scrutiny that can exceed the financial impact of the fine itself.
5. Licence and certificate suspension. For essential entities, competent authorities may seek court orders temporarily suspending licences, registrations, certifications, or authorisations necessary for service provision. This is the most severe operational sanction available short of a permanent prohibition, and it applies at the service-delivery level rather than just the financial level.
6. Management function prohibition. Authorities may seek court orders prohibiting named individuals from exercising management functions in any NIS2-regulated entity for up to three years. This disqualification mechanism survives corporate restructuring — the individual cannot simply move to a new board seat at a related entity to avoid its effect.
Technology Restriction and the 3-Year Phase-Out
Bulgaria’s Cybersecurity Act introduces a supervisory power with no direct equivalent in the NIS2 Directive: the Council of Ministers may issue a decree requiring essential and important entities to use, or refrain from using, specific ICT products, services, or suppliers.
The mechanism is designed to address high-risk technologies originating from third countries where coordinated EU-level risk assessments have identified systemic threats. When such a decree is issued, regulated entities must bring their ICT environment into compliance within three years of the decree’s adoption date. The three-year window runs from publication of the decree, not from any subsequent compliance review or audit.
A shorter transition period applies when the Council of Ministers determines that national security interests require faster action. The expedited timeline is set in the specific decree rather than by statute, meaning the effective compliance window could be significantly shorter than three years in high-priority cases.
For organisations currently procuring or operating infrastructure from vendors subject to EU-level security discussions, the practical implication is straightforward: a Council of Ministers decree would start the three-year clock immediately. Procurement decisions made today with a five-to-seven-year lifecycle need to account for the possibility of a mandatory phase-out obligation arising before the end of that cycle.
Calculating Your Fine Exposure — Three Illustrative Scenarios
The penalty tiers apply through a “higher of” calculation: the fine is the larger of the absolute ceiling (€10M for essential, €7M for important) or the turnover percentage (2% or 1.4%). For large multinationals, the turnover route produces higher numbers. For smaller entities, the absolute ceiling caps the exposure.
Scenario A — Large essential entity, major violation. Annual revenue: €500M. Violation: failure to implement Article 21 incident response requirements. Calculation: 2% of €500M = €10M; absolute ceiling also €10M. Maximum fine: €10,000,000. At this revenue level the two routes converge; above €500M the turnover route exceeds the ceiling, which remains capped at €10M.
Scenario B — Small essential entity, substantive violation. Annual revenue: €30M (trust service provider, in scope regardless of size). Calculation: 2% of €30M = €600,000 — lower than the €10M absolute ceiling, so the maximum fine is €600,000. The €25,000 floor is irrelevant here because €600,000 far exceeds it, but the entity faces a materially significant penalty despite its small size.
Scenario C — Important entity, procedural breach. Annual revenue: €15M. Failure: missing the two-week registry change notification deadline. Fine category: procedural breach tier, approximately €200,000–€2,000,000. The substantive Article 21/23 fine route (1.4% of €15M = €210,000) applies only to security measure and incident notification failures, not to procedural registration violations.
| Scenario | Entity type | Revenue | Violation type | Fine ceiling |
|---|---|---|---|---|
| A | Essential | €500M | Art. 21 substantive | €10,000,000 |
| B | Essential (small) | €30M | Art. 21 substantive | €600,000 |
| C | Important | €15M | Procedural breach | €200,000–€2,000,000 |
The minimum fine floors apply as a backstop in every substantive case: no fine for an essential entity can be below €25,000 regardless of mitigating factors or organisational size. The floors also signal enforcement intent: a €25,000 minimum is a non-trivial sanction for a 15-person trust service provider, and the daily compounding mechanism means the total exposure grows rapidly if corrective orders are not executed promptly.
Frequently Asked Questions
Does the 50% grace period affect violations discovered after June 1, 2026?
No. Section 51 applies to violations committed before June 1, 2026 — the reduction is based on when the violation occurred, not when it was discovered or when enforcement proceedings were initiated. An investigation opened in July 2026 for a documented March 2026 violation still applies the 50% reduction to that specific breach.
Can SEGA fine both the company and an individual board member for the same violation?
Yes. Management personal liability (€500–€5,000) is imposed independently of entity-level fines. A single compliance failure can generate both a corporate fine and personal fines for each responsible member of the management body. Neither reduces the other.
When does the secondary legislation setting detailed minimum security requirements take effect?
The Cybersecurity Act requires the Council of Ministers to adopt implementing ordinances within eight months of the February 13, 2026 effective date — by approximately mid-October 2026. Until those ordinances are published, organisations should apply the security measures specified in NIS2 Article 21 and the CIR 2024/2690 implementing regulation as the operative standards.
Does Bulgaria’s expansion to 18 sectors affect scope for food businesses?
Yes. Bulgaria expanded the food sector beyond wholesale and industrial production (the NIS2 default) to cover all food businesses at any stage of production, processing, or distribution that meet the medium-enterprise size threshold. A mid-sized food distributor that might fall outside NIS2 scope in other member states could be an important entity under Bulgarian law.
What Bulgarian Entities Should Do Now
The June 1, 2026 grace period expiry is not a theoretical compliance milestone. It is the date from which the full administrative fine structure applies, SEGA audits carry full financial consequences, and management body members face unmitigated personal liability. Organisations that deferred implementation behind the §51 umbrella are now operating under the full enforcement regime.
The immediate compliance priorities are straightforward: confirm your entity classification using the essential vs. important thresholds above, verify your registration status with the SEGA portal, ensure that Article 21 risk management measures are documented and formally approved by the management body (not just implemented at the IT level), and review the biennial cybersecurity training obligation for board members.
The minimum fine floors (€25,000 essential, €12,500 important) mean that even minor documented violations carry a financially significant sanction. The daily penalty mechanism means unresolved corrective orders compound every day. The three-year technology restriction window starts from a Council of Ministers decree — not from a compliance review — making current procurement decisions strategically relevant beyond the immediate compliance cycle.
This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
Sources
- Schoenherr — Bulgaria implements NIS 2 Directive: key changes to the Cybersecurity Act
- NIS2 Directive Article 34 — General conditions for imposing administrative fines (nis2resources.eu)
- InformationSC — The NIS2 Directive has been officially transposed into Bulgarian law
- Wolf Theiss — Bulgaria’s implementation of NIS 2: What businesses need to know
- Copla — NIS2 directive regulations and implementation in Bulgaria
- Kinstellar — Bulgaria’s long road to NIS2 is over
