As of 1 June 2026, the grace period is over. Managers and board members of essential and important entities will face the full weight of personal fines under Bulgaria's transposition of the NIS2 Directive.
Bulgaria's amended Cybersecurity Act transposes Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 (the NIS2 Directive), establishing measures for a high common level of cybersecurity across the Union. While considerable attention has been given to the obligations imposed by the Directive on organisations, a provision that warrants particular focus is the personal administrative liability of individual members of the management body.
The Cybersecurity Act applies to public and private entities of the types listed in Annexes I and II to the NIS2 Directive – spanning sectors such as energy, transport, health and digital infrastructure – that qualify as or exceed the thresholds for medium-sized enterprises. Certain providers are within the scope regardless of their size, including providers of public electronic communications networks or services, trust service providers, top-level domain name registries and DNS service providers, as well as entities that are the sole provider of a critical service or whose disruption could significantly impact public safety, security or the economy.
The management bodies of essential and important entities are required to approve the cybersecurity risk-management measures adopted pursuant to Article 21 of the Cybersecurity Act and to oversee their implementation.
Members of the management body must personally undergo training at least every two years to acquire sufficient knowledge and skills to identify risks and assess cybersecurity risk-management practices. They are also required to offer and regularly organise similar training for employees.
The cybersecurity risk-management measures that the management body must approve encompass appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems, including, among others, risk analysis and information system security policies, incident handling, business continuity and crisis management, supply chain security, basic cyber hygiene practices and training, as well as multi-factor authentication where appropriate.
Where a member of the management body of an essential or important entity, or the head of a public authority, breaches these management obligations, a personal fine of EUR 500 to EUR 5,000 may be imposed. This personal fine is separate from and in addition to the pecuniary sanctions applicable to the entity itself, which may reach up to EUR 10m or 2 % of total annual worldwide turnover for essential entities and up to EUR 7m or 1.4 % of total annual worldwide turnover for important entities.
Furthermore, the competent national authority may request a court to impose a temporary prohibition on a natural person holding management functions, or the legal representative, of an essential entity from exercising such management functions.
Under the transitional provisions (Section 51) of the amended Cybersecurity Act, fines and pecuniary sanctions for infringements committed before 1 June 2026 are imposed at 50 % of the amounts stipulated in the Act. From 1 June 2026 onwards, sanctions apply in their full statutory amounts.
The message is clear: board members and managing directors of entities falling within the scope of the NIS2 Directive and the Bulgarian Cybersecurity Act can no longer rely on leniency. Whether a fine is imposed – and how severe it is – will depend on the individual's ability to demonstrate tangible actions, such as board resolutions, adopted policies, audit protocols, assigned responsibilities, completed training, effective controls and corrective measures taken in response to identified gaps.
Hristo Hadzhiiliev, Associate