    NIS2 in Bulgaria

    A guide to NIS2 implementation and compliance in Bulgaria.

    Bulgaria is transposing the NIS2 Directive into its national cybersecurity framework, expanding obligations for entities operating in critical and important sectors. This guide provides a structured overview of scope, governance, reporting, enforcement, and compliance expectations under Bulgaria's national regime, tailored for SME decision-makers assessing NIS2 compliance requirements in Bulgaria.

    1. Quick SME Applicability Snapshot in Bulgaria

    Does NIS2 apply to SMEs in Bulgaria?

    Yes — depending on sector and size.

    • Automatic applicability to medium-sized entities (≥50 employees and ≥€10 million turnover or balance sheet total) operating in covered sectors.
    • Small or micro entities are included only if formally designated or operating in high-criticality sectors.
    • Applies to entities established in Bulgaria and, in certain cases, foreign digital providers serving the Bulgarian market.

    SMEs operating in regulated sectors should conduct early scope assessments under Bulgaria's national cybersecurity regime.

    2. Overview of NIS2 Implementation in Bulgaria

    Bulgaria has transposed NIS2 through the Law amending and supplementing the Cybersecurity Act, adopted by Parliament on 5 February 2026, promulgated in the State Gazette on 13 February 2026, and entered into force on 17 February 2026 — approximately 16 months after the EU deadline of 17 October 2024.

    The amended Cybersecurity Act aligns with Directive (EU) 2022/2555 and significantly expands the scope of regulated entities, introduces the essential/important entity classification, and modernizes governance rules, incident reporting structures, supervisory authority powers, and sanction mechanisms.

    Bulgaria's transposition includes two notable national deviations from the Directive baseline: the law retains an administrative designation model (entities do not self-register; competent authorities designate them via a methodology to be adopted by the Council of Ministers within six months of entry into force), and it mandates management cybersecurity training at fixed two-year intervals, which is stricter than the Directive's risk-based approach. Core obligations apply immediately, with reduced sanctions for breaches committed before 1 June 2026.

    3. Scope of Application in Bulgaria

    Bulgaria's scope mirrors Directive minimum sector categories without confirmed national expansion.

    4. Size Thresholds and SME Applicability in Bulgaria

    The baseline thresholds apply:

    • ≥50 employees, and
    • ≥€10 million annual turnover or balance sheet total.

    Entities meeting both criteria within covered sectors fall automatically within scope.

    Small and micro enterprises may still be designated where they provide services essential to societal or economic stability.

    Bulgarian authorities retain formal designation powers where systemic risk or national security considerations justify inclusion.

    5. Entity Classification Framework in Bulgaria

    Entities are classified as:

    • Essential Entities — Subject to proactive supervision and periodic compliance monitoring.
    • Important Entities — Primarily subject to reactive supervision triggered by incidents or evidence of non-compliance.

    Classification is determined by sector and size, but is not self-assessed. Bulgaria retains an administrative designation model: the Council of Ministers must adopt a methodology within six months of the law's entry into force, after which national competent authorities have a further five months to formally identify and designate entities and notify the Minister of e-Government for inclusion in the national register. Entities should nonetheless assess their own scope independently and comply from the point the statutory criteria are met — the absence of formal designation does not defer obligations.

    Bulgaria's framework reflects the Directive's two-tier structure.

    6. Cybersecurity Risk Management Requirements in Bulgaria

    Bulgaria's national regime aligns with the Directive baseline obligations. In-scope entities must implement proportionate technical and organizational measures addressing:

    • Risk analysis and system security
    • Incident prevention, detection, and handling
    • Business continuity and disaster recovery
    • Supply chain risk management
    • Secure acquisition and maintenance of ICT systems
    • Access control and authentication
    • Encryption and cryptographic safeguards
    • Vulnerability management and disclosure
    • Cybersecurity training for staff

    Measures must be proportionate to risk exposure and aligned with state-of-the-art standards. Alignment with ISO/IEC 27001 and recognized Bulgarian cybersecurity guidance is encouraged.

    7. Management Liability and Governance in Bulgaria

    Management bodies must approve cybersecurity risk management measures and oversee their implementation.

    Under Bulgaria's national framework:

    • Boards are accountable for compliance oversight.
    • Senior leadership must ensure appropriate cybersecurity expertise. Bulgaria's transposition mandates management cybersecurity training at fixed two-year intervals — stricter than the Directive's risk-based approach.
    • Administrative enforcement may target governance failures.
    • Suspension of managerial functions may be available under Directive-aligned mechanisms.

    Management liability expectations under NIS2 in Bulgaria elevate cybersecurity governance to an executive-level responsibility.

    8. Incident Reporting Obligations in Bulgaria

    Definition of a Significant Incident

    A significant incident includes events causing:

    • Severe operational disruption
    • Significant financial loss
    • Substantial societal impact
    • Cross-border effects

    Reporting Timeline

    Reporting Stage         Deadline    Authority
    Early Warning           24 hours    State e-Government Agency (SEGA)
    Incident Notification   72 hours    State e-Government Agency (SEGA)
    Final Report            1 month     State e-Government Agency (SEGA)

    Bulgaria follows the Directive structure for NIS2 reporting deadlines unless further clarified by secondary regulation. Sectoral authorities may coordinate with SEGA where applicable.

    9. Supervisory Authorities and Enforcement Model in Bulgaria

    Primary authorities: National competent authorities designated by the Council of Ministers, including the Ministry of Defence, Ministry of Interior, and State Agency for National Security, depending on sector. The Minister of e-Government maintains the national register of essential and important entities.

    Bulgaria operates a multi-authority supervisory model, with national competent authorities carrying primary sector supervision and the Minister of e-Government maintaining the national entity register.

    Supervisory powers include:

    • Requests for documentation and information
    • Security audits
    • On-site inspections
    • Binding compliance instructions
    • Participation in EU cybersecurity coordination
    • Court-ordered suspension of licences, registrations, certificates, or authorisations (essential entities)
    • Court-ordered prohibition on individuals exercising management functions (essential entities, serious breaches)

    The enforcement model reflects Directive-level cooperation and oversight mechanisms.

    10. NIS2 Fines and Sanctions in Bulgaria

    Bulgaria applies Directive-aligned administrative penalties.

    Essential Entities

    Up to €10 million or 2% of total global annual turnover (whichever is higher)

    Important Entities

    Up to €7 million or 1.4% of total global annual turnover (whichever is higher)

    NIS2 enforcement in Bulgaria may also include:

    • Binding remediation orders
    • Public identification of non-compliant entities
    • Suspension of certification or authorization
    • Managerial suspension powers

    11. NIS2 Supply Chain and Vendor Security in Bulgaria

    Entities must implement third-party cybersecurity controls including:

    • Vendor risk assessments
    • Contractual flow-down of security requirements
    • Ongoing ICT supplier monitoring
    • Concentration risk analysis
    • Incident propagation mitigation

    Bulgaria's framework aligns with Directive baseline expectations for supply chain oversight.

    12. Registration and Self-Identification Duties in Bulgaria

    Entities within scope must:

    • Await formal designation by national competent authorities pursuant to the methodology to be adopted by the Council of Ministers within six months of 17 February 2026. Entities are not required to self-register via a public portal.
    • Provide corporate identification details
    • Disclose sector classification
    • Maintain updated contact information

    The Council of Ministers must adopt a designation methodology within six months of the law's entry into force (by approximately 17 August 2026). Once adopted, competent authorities have a further five months to identify and designate entities and notify the Minister of e-Government. Specific categories of digital infrastructure providers must submit identification information to competent authorities directly. Secondary legislation will further specify register procedures.

    While formal self-registration is not required, entities meeting statutory criteria must independently assess whether they fall within scope and comply with all applicable obligations from the point those criteria are met — formal designation does not defer obligations.

    13. Interaction With GDPR and Other Laws in Bulgaria

    The General Data Protection Regulation continues to apply concurrently.

    Overlap areas include:

    • 72-hour personal data breach reporting
    • Supervisory authority coordination
    • Parallel cybersecurity and data protection investigations
    • Sector-specific Bulgarian cybersecurity rules

    A cyber incident affecting personal data may trigger dual reporting obligations.

    14. Cross-Border Applicability

    Entities with their main establishment in Bulgaria are supervised by Bulgarian authorities for cross-border operations.

    Foreign digital providers serving Bulgarian customers may fall within scope depending on establishment and service structure.

    Representation requirements follow Directive standards for non-EU providers.

    15. Implementation Timeline in Bulgaria

    • Directive adoption: 2022
    • Law adoption: 5 February 2026 (promulgated in State Gazette 13 February 2026)
    • Entry into force: 17 February 2026 (no transitional compliance period; reduced sanctions apply for breaches committed before 1 June 2026)
    • Commission notification: EC reasoned opinion issued May 2025 (pre-enactment); Commission notification completeness under review following February 2026 adoption
    • Designation methodology: Council of Ministers methodology due by approximately 17 August 2026 (six months post-entry into force); entity designation to be completed approximately five months thereafter

    Bulgaria completed transposition in February 2026, approximately 16 months after the EU deadline. Secondary legislation and the entity designation process are ongoing; entities should conduct independent scope assessments without waiting for formal authority notification.

    16. Key Takeaways for SMEs in Bulgaria

    • Medium-sized entities in covered sectors are automatically in scope.
    • Small entities may be designated if critical to societal stability.
    • Board-level governance is mandatory. Bulgaria mandates management cybersecurity training at two-year intervals — schedule this now.
    • Incident reporting follows 24h / 72h / 1 month deadlines.
    • Financial penalties can reach €10 million or 2% of global turnover.
    • Vendor and ICT risk management is required. Bulgaria's law introduces additional risk management obligations beyond the Directive baseline (including change management and supplementary notification duties) — scope these carefully if operating across multiple EU jurisdictions.
    • Early risk assessments reduce enforcement exposure.

    FAQ: NIS2 Bulgaria SME Guide

    Does NIS2 apply to small companies in Bulgaria?

    Small companies are generally excluded unless designated or operating in highly critical sectors. Medium-sized entities meeting size thresholds are automatically included.

    What are the NIS2 fines in Bulgaria?

    Essential Entities face penalties up to €10 million or 2% of global annual turnover. Important Entities face up to €7 million or 1.4% of global annual turnover.

    When does NIS2 take effect in Bulgaria?

    Bulgaria completed transposition on 17 February 2026, when amendments to the Cybersecurity Act entered into force. Core obligations apply immediately. Reduced sanctions apply for breaches committed before 1 June 2026. Secondary legislation on entity designation is expected by mid-to-late 2026.

    Who enforces NIS2 in Bulgaria?

    Enforcement is carried out by national competent authorities designated by the Council of Ministers, including the Ministry of Defence, Ministry of Interior, and State Agency for National Security, depending on sector. The Minister of e-Government maintains the national register of essential and important entities and coordinates cross-sector oversight. Sector-specific regulators operate where applicable.

    Can directors be personally liable under NIS2 in Bulgaria?

    Management bodies must approve and oversee cybersecurity measures. Administrative enforcement may include managerial suspension powers in serious cases.

    How does NIS2 differ from GDPR in Bulgaria?

    NIS2 governs cybersecurity risk management and operational resilience, while GDPR focuses on personal data protection. Both frameworks may apply simultaneously following a cyber incident.

    What qualifies as a significant incident under NIS2 in Bulgaria?

    An incident causing severe disruption, financial loss, societal impact, or cross-border consequences typically meets the reporting threshold.