NIS2 in Bulgaria: Your Compliance Checklist Under the Cybersecurity Act

What Bulgaria’s Late Transposition Means for Your Organisation

Bulgaria missed the EU’s October 2024 NIS2 transposition deadline by 16 months, triggering infringement proceedings and a referral to the Court of Justice in May 2025. On 5 February 2026, the National Assembly adopted comprehensive amendments to the Cybersecurity Act (Закон за киберсигурността). The amended law was promulgated in the State Gazette on 13 February and entered into force on 17 February 2026 — with no transitional compliance period.

The practical consequence: organisations that assumed they had more time to prepare do not. Core obligations are fully live. The only relief is a temporary reduction in financial penalties: violations committed before 1 June 2026 are fined at half the standard rate. After that date, standard penalty thresholds apply in full.

This guide covers who falls in scope under the Bulgarian framework, which authority oversees each sector, five areas where Bulgaria has chosen a stricter approach than the EU directive requires, and a phase-by-phase compliance checklist built around the Bulgarian-specific implementation timeline.

Does Bulgarian NIS2 Apply to Your Organisation?

The amended Cybersecurity Act follows the NIS2 dual-classification model. Most organisations determine applicability by two variables: sector and size.

The default size threshold: you qualify as a medium-sized enterprise — and therefore fall in scope — if you have at least 50 employees or an annual turnover or balance sheet total exceeding €10 million. Either criterion alone is sufficient. For a full applicability guide, see who must comply with NIS2.

Always in scope regardless of size:

  • Public electronic communications network and service providers
  • Qualified trust service providers
  • Top-level domain (TLD) name registries and DNS service providers
  • Sole providers of an essential service in Bulgaria

Essential entities

  • Typical sectors: Energy, transport, banking, financial infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space
  • Supervisory intensity: High — proactive on-site inspections, mandatory audit orders, licence suspension possible via court order
  • Maximum penalty: €10 million or 2% of global annual turnover
  • Minimum penalty: €25,000

Important entities

  • Typical sectors: Postal/courier, waste management, chemicals, food (see expanded definition below), medical device manufacturing, electronics manufacturing, digital service providers, scientific research
  • Supervisory intensity: Standard — reactive, risk-based oversight
  • Maximum penalty: €7 million or 1.4% of global annual turnover
  • Minimum penalty: €12,500

Bulgaria expects 10,000 to 12,000 entities to fall within scope once the designation process is complete.

Bulgaria’s Regulatory Authority Structure

Bulgaria has not appointed a single cybersecurity regulator. Instead, the Council of Ministers designates a separate supervisory authority for each sector — a distributed governance model that means your primary contact depends on which industry you operate in.

Central coordinating authority: The State e-Governance Agency (Агенция по е-Управление, SEGA) is responsible for maintaining the national non-public register of essential and important entities and acts as the National Single Point of Contact (NSPOC). Contact: NSPOC@e-gov.bg.

National CSIRT: National CSIRT bg operates at govcert.bg and is the primary destination for incident notifications. Contact for incident reports: cert@govcert.bg.

National security oversight: The State Agency for National Security (Държавна агенция “Национална сигурност”, DANS), together with the Ministry of Defence and Ministry of Interior, has designated competent authority status for entities whose operations affect national security interests.

Sector-specific authorities:

  • Energy: Energy and Water Regulatory Commission (EWRC)
  • Banking and financial markets: Bulgarian National Bank (BNB) / Financial Supervision Commission (FSC)
  • Electronic communications: Communications Regulation Commission (CRC)
  • Transport: Ministry of Transport, Information Technology and Communications
  • Healthcare: Ministry of Health
  • Digital infrastructure and services: Ministry of Transport, Information Technology and Communications
  • Public administration: Ministry of e-Government

Registration timeline: The Council of Ministers has 6 months from entry into force (by approximately August 2026) to adopt the entity identification methodology. Competent authorities then have a further 5 months to formally designate entities — placing formal designation at around January to February 2027. For a detailed registration walkthrough, see entity registration under NIS2.

Five Areas Where Bulgaria Exceeds the EU Baseline

Any compliance programme benchmarked against the EU NIS2 text alone may be under-built for the Bulgarian market. The 2026 amendments include five areas where Bulgaria has enacted a stricter national regime.

Food sector scope

  • EU NIS2 Directive: Wholesale distributors and large-scale processors only
  • Bulgarian Cybersecurity Act 2026: All food businesses — any undertaking involved at any stage of production, processing, or distribution

Registry change notification

  • EU NIS2 Directive: 3 months after a change
  • Bulgarian Cybersecurity Act 2026: 2 weeks after a change

Management training interval

  • EU NIS2 Directive: Risk-based — no fixed interval mandated
  • Bulgarian Cybersecurity Act 2026: Mandatory every 2 years, fixed interval, regardless of risk assessment

Technology restrictions

  • EU NIS2 Directive: Not addressed at directive level
  • Bulgarian Cybersecurity Act 2026: Council of Ministers may restrict specific ICT products, technologies, or services; existing users get a 3-year phase-out window (shorter if elevated national security risk)

Administrative fines

  • EU NIS2 Directive: Maximum thresholds only — no floor set
  • Bulgarian Cybersecurity Act 2026: Explicit national minimums: €25,000 for essential entities, €12,500 for important entities

The food sector expansion is the most operationally significant deviation. A food logistics company, a restaurant chain supplying institutional clients, or a regional food processor may qualify as an important entity under Bulgarian law even though it would be out of scope in most other EU member states. If your business touches food at any stage, run the applicability check with the Bulgarian definition in mind.

The technology restriction mechanism introduces a new category of compliance risk. When the Council of Ministers designates a product or vendor as restricted, affected entities have a 3-year deadline to replace it — a procurement planning obligation that needs to be tracked from the moment a restriction is announced, not from the expiry date.

Core Security Obligations Under the Amended Act

The ten security measures from NIS2 Article 21 are reproduced in the amended Bulgarian Cybersecurity Act, with additional obligations added in several areas. All in-scope entities must implement proportionate measures across:

  1. Risk management — documented risk methodology, risk register, and treatment plan with management sign-off
  2. Incident handling — detection, classification, internal escalation, and external notification procedures
  3. Business continuity — business impact analysis, backup and recovery procedures, crisis management plan
  4. Supply chain security — supplier criticality assessment, security clauses in contracts, critical supplier register. See NIS2 supply chain requirements
  5. Security in system acquisition and maintenance — secure development requirements, change management controls
  6. Effectiveness measurement — KPIs, audit schedule, regular reporting to management
  7. Training and awareness — mandatory 2-year management training cycle; role-based staff training
  8. Cryptography and encryption — encryption policy covering data at rest and in transit
  9. Access control and asset management — least-privilege principle, joiner/mover/leaver process, privileged access management
  10. Multi-factor authentication and secure communications — MFA across critical systems, secured communication channels

Secondary legislation (ordinances specifying technical requirements in detail) is expected within 8 months of entry into force — by approximately October 2026. Until those ordinances are published, compliance is assessed against the amended Act’s framework and ENISA’s technical guidance.

Incident Reporting to CERT.bg: The Three-Stage Timeline

When a significant incident occurs, Bulgarian law follows the NIS2 notification cascade — but with trust service providers subject to a compressed timeline.

Early warning

  • Deadline: 24 hours after becoming aware
  • Content required: Nature of incident, potential cross-border impact, suspected criminal or malicious cause

Incident notification

  • Deadline: 72 hours after becoming aware (24 hours for trust service providers)
  • Content required: Updated assessment, severity, indicators of compromise, initial containment actions

Final report

  • Deadline: 1 month after incident notification
  • Content required: Root cause analysis, full impact assessment, remediation measures taken

Report to: cert@govcert.bg (National CSIRT bg / govcert.bg).

A “significant incident” under the Bulgarian framework follows Art. 23 criteria: material operational impact, substantial financial damage, large numbers of persons affected, or potential for serious societal or economic disruption. For the full reporting procedure and template forms, see NIS2 incident reporting.

Penalties, Enforcement Powers, and Management Liability

Bulgaria has set explicit minimum fine floors — a tighter framework than the EU directive, which only specifies maximum thresholds. This means there is no expectation of a nominal fine for serious non-compliance: the floor applies regardless of mitigating factors.

Essential entities

  • Maximum fine: €10 million or 2% of global annual turnover (whichever is higher)
  • Minimum fine: €25,000
  • Individual manager fine: €500–€5,000

Important entities

  • Maximum fine: €7 million or 1.4% of global annual turnover (whichever is higher)
  • Minimum fine: €12,500
  • Individual manager fine: €500–€5,000

Beyond fines, competent authorities hold a broad enforcement toolkit:

  • Binding instructions requiring specific security measures
  • Mandatory security audit orders at the entity’s expense
  • Public disclosure of the non-compliance finding
  • Daily financial penalties for ongoing violations
  • Court-ordered temporary suspension of licences, registrations, or authorisations (essential entities)
  • Prohibition on holding management functions

Management liability is personal. Management body members bear direct responsibility for approving cybersecurity risk management measures and ensuring the mandatory training programme is in place. A management function ban can be imposed independently of whatever financial penalty the entity itself receives. For the full liability framework, see NIS2 management and board obligations.

Grace period: Violations committed before 1 June 2026 are fined at 50% of the standard rate. This is not a compliance exemption — the obligations are fully in force from 17 February 2026. The grace window reduces financial exposure during the early enforcement phase only.

NIS2 Bulgaria Compliance Checklist

Phase 1 — Determine your scope (Do now)

  • Identify which of the 18 covered sectors your organisation operates in
  • Check size thresholds: 50 or more employees, or annual turnover/balance sheet above €10 million
  • Check automatic scope rules: telecom provider, trust service, TLD or DNS?
  • For food businesses: apply the expanded Bulgarian definition — all stages of production, processing, and distribution
  • Classify as essential or important entity based on sector and size

Phase 2 — Governance (Do now)

  • Obtain formal management body approval for the cybersecurity risk programme
  • Assign a compliance lead (CISO or equivalent) with board-level reporting line
  • Schedule management cybersecurity training — establish a 2-year recurring cycle starting in 2026
  • Define the cybersecurity risk reporting cadence to the management body

Phase 3 — Risk assessment (Obligations live now)

  • Adopt or update your risk assessment methodology
  • Identify and classify assets across IT, OT, and digital service layers
  • Perform a risk assessment aligned with all 10 Article 21 security measures
  • Create a risk treatment plan and obtain management sign-off on residual risks

Phase 4 — Technical measures (By Q4 2026)

  • Implement or audit all 10 Article 21 security measures against the amended Act
  • Deploy MFA across critical systems and all privileged accounts
  • Review and update encryption policies for data at rest and in transit
  • Map supply chain dependencies; initiate supplier security assessments for critical suppliers

Phase 5 — Incident response (By Q3 2026)

  • Document incident detection and classification procedures
  • Set up 24-hour alert chain to CERT.bg (cert@govcert.bg)
  • Define what constitutes a significant incident for your organisation
  • Run a tabletop exercise to test the reporting workflow

Phase 6 — SEGA registration (When portal opens — expected H2 2026)

  • Register with SEGA’s national entity register once the portal is live
  • Ensure registry information is current and notify SEGA of any changes within 2 weeks

Phase 7 — Technology restriction monitoring (Ongoing)

  • Monitor Council of Ministers announcements on restricted ICT technologies
  • For each restriction designated, assess your exposure and begin phased replacement planning
  • Build a 3-year phase-out timeline into procurement and vendor contracts from day one of any designation

For organisations starting from scratch, the 90-day NIS2 SME roadmap provides a week-by-week implementation guide. For a printable version covering all 10 Article 21 measures, see the NIS2 compliance checklist.

Frequently Asked Questions

Does Bulgarian NIS2 apply to SMEs?
The law applies to medium-sized enterprises — 50 or more employees or more than €10 million in annual turnover. Smaller businesses are generally out of scope unless they operate as a sole provider of an essential service, or fall into a size-exempt category such as telecom providers, trust services, or DNS/TLD operators.

When does registration with SEGA open?
The SEGA registration portal is expected in H2 2026, after the Council of Ministers adopts the entity identification methodology (due by approximately August 2026). Formal entity designation by sector authorities follows within a further 5 months. Monitor announcements at e-gov.bg and prepare documentation now so you can register promptly.

Who is my competent authority?
Your primary authority depends on your sector. Use the sector authority table above. For digital service providers or mixed-sector entities, the Ministry of Transport, Information Technology and Communications is the likely lead authority. Initial enquiries can be directed to SEGA at NSPOC@e-gov.bg.

How is Bulgaria’s approach different from other EU countries?
Five Bulgarian-specific provisions go beyond the EU directive: the expanded food sector scope, the 2-week registry change notification (vs 3 months in the directive), mandatory 2-year fixed management training intervals, the technology restriction mechanism with a 3-year phase-out, and explicit minimum fine floors. Most EU member states have not introduced minimum fines or technology restriction powers at this stage.

Is there still a grace period on fines?
A partial one. Fines for violations committed before 1 June 2026 are imposed at 50% of the standard rate. However, the compliance obligations themselves are fully in force from 17 February 2026 — the grace window applies only to the financial penalty calculation, not to whether the obligation exists.

This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
