18 March 2026
newsletter
bulgaria

Bulgaria implements NIS 2 Directive: key changes to the Cybersecurity Act

On 13 February 2026, the amended Bulgarian Cybersecurity Act entered into force, transposing the EU NIS 2 Directive (Directive (EU) 2022/2555) into national law, some 16 months after the transposition deadline of 17 October 2024. The amendments significantly expand the Act's scope, tighten compliance obligations and substantially raise the penalties for non-compliance.


The new framework dramatically broadens the range of entities subject to cybersecurity requirements. Beyond traditional critical infrastructure operators, the Act now covers administrative bodies, judicial authorities, educational institutions conducting R&D in designated sectors, domain registrars and organisations providing electronic administrative services. 


The critical sectors are enumerated in Annexes I and II to the Act. Annex I includes energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT service management and space. Annex II extends coverage to postal and courier services, waste management, chemical manufacturing and distribution, food production and processing, manufacturing of medical devices and electronics, digital service providers (including online marketplaces, search engines and social networking platforms) and scientific research. 


The Act distinguishes between "essential" and "important" entities. Essential entities include large enterprises in Annex I sectors, qualified trust service providers, top-level domain registries, DNS service providers, public electronic communications network providers, administrative bodies and critical entities under Directive (EU) 2022/2557 (the CER Directive). Important entities are those falling within Annexes I and II that do not meet the criteria for classification as essential entities.


Regulated entities must implement comprehensive risk management measures, including policies for risk analysis and information system security, incident response procedures, business continuity management, supply chain security and cybersecurity training. Managers and members of governing bodies bear direct responsibility for approving the risk management measures and for ensuring that both management and staff receive appropriate cybersecurity training. The Act also introduces strict incident reporting obligations: entities must submit an early warning within 24 hours of becoming aware of an incident, a formal incident notification within 72 hours and a final report within one month.

The penalty regime represents a major shift in enforcement. Essential entities face fines of up to EUR 10m or 2 % of total worldwide annual turnover (whichever is higher), with a minimum of EUR 25,000. Important entities may be fined up to EUR 7m or 1.4 % of global turnover, with a minimum of EUR 12,500. Critically, the Act introduces personal liability for managers and members of governing bodies, with individual fines for failure to comply with statutory obligations ranging from EUR 500 to EUR 5,000. 


Detailed minimum cybersecurity requirements will be established by secondary legislation, expected within eight months. Entities potentially falling within the Act's scope should proactively assess their status and begin implementing appropriate cybersecurity measures.