    NIS2 in Bulgaria

    A guide to NIS2 implementation and compliance in Bulgaria.

    Bulgaria is transposing the NIS2 Directive into its national cybersecurity framework, expanding obligations for entities operating in critical and important sectors. This guide provides a structured overview of scope, governance, reporting, enforcement, and compliance expectations under Bulgaria's national regime, tailored for SME decision-makers assessing their NIS2 compliance requirements in Bulgaria.

    1. Quick SME Applicability Snapshot in Bulgaria

    Does NIS2 apply to SMEs in Bulgaria?

    Yes — depending on sector and size.

    • Automatic applicability to medium-sized entities (≥50 employees and ≥€10 million turnover or balance sheet total) operating in covered sectors.
    • Small or micro entities are included only if formally designated or operating in high-criticality sectors.
    • Applies to entities established in Bulgaria and, in certain cases, foreign digital providers serving the Bulgarian market.

    SMEs operating in regulated sectors should conduct early scope assessments under Bulgaria's national cybersecurity regime.

    2. Overview of NIS2 Implementation in Bulgaria

    Bulgaria is implementing NIS2 through amendments to the Cybersecurity Act, which serves as the core national statute governing network and information system security.

    The updated legislative framework aligns with Directive (EU) 2022/2555 and expands Bulgaria's existing cybersecurity obligations to reflect the strengthened EU requirements.

    The revised statute modernizes governance rules, incident reporting structures, supervisory authority powers, and sanction mechanisms.

    3. Scope of Application in Bulgaria

    Bulgaria's scope mirrors the Directive's minimum sector categories; no national expansion of the sector list has been confirmed.

    4. Size Thresholds and SME Applicability in Bulgaria

    The baseline size thresholds apply:

    • ≥50 employees, and
    • ≥€10 million annual turnover or balance sheet total.

    Entities meeting both criteria within covered sectors fall automatically within scope.

    Small and micro enterprises may still be designated where they provide services essential to societal or economic stability.

    Bulgarian authorities retain formal designation powers where systemic risk or national security considerations justify inclusion.

    5. Entity Classification Framework in Bulgaria

    Entities are classified as:

    • Essential Entities — Subject to proactive supervision and periodic compliance monitoring.
    • Important Entities — Primarily subject to reactive supervision triggered by incidents or evidence of non-compliance.

    Classification is determined by sector and size. Competent authorities may reclassify entities where operational impact or risk exposure warrants enhanced oversight.

    Bulgaria's framework reflects the Directive's two-tier structure.

    6. Cybersecurity Risk Management Requirements in Bulgaria

    Bulgaria's national regime aligns with the Directive baseline obligations. In-scope entities must implement proportionate technical and organizational measures addressing:

    • Risk analysis and system security
    • Incident prevention, detection, and handling
    • Business continuity and disaster recovery
    • Supply chain risk management
    • Secure acquisition and maintenance of ICT systems
    • Access control and authentication controls
    • Encryption and cryptographic safeguards
    • Vulnerability management and disclosure
    • Cybersecurity training for staff

    Measures must be proportionate to risk exposure and aligned with state-of-the-art standards. Alignment with ISO/IEC 27001 and recognized Bulgarian cybersecurity guidance is encouraged.

    7. Management Liability and Governance in Bulgaria

    Management bodies must approve cybersecurity risk management measures and oversee their implementation.

    Under Bulgaria's national framework:

    • Boards are accountable for compliance oversight.
    • Senior leadership must ensure appropriate cybersecurity expertise.
    • Administrative enforcement may target governance failures.
    • Suspension of managerial functions may be available under Directive-aligned mechanisms.

    Management liability expectations under NIS2 in Bulgaria elevate cybersecurity governance to an executive-level responsibility.

    8. Incident Reporting Obligations in Bulgaria

    Definition of a Significant Incident

    A significant incident includes events causing:

    • Severe operational disruption
    • Substantial financial loss
    • Significant societal impact
    • Cross-border consequences

    Reporting Timeline

    Reporting Stage          Deadline    Authority
    Early Warning            24 hours    State e-Government Agency (SEGA)
    Incident Notification    72 hours    State e-Government Agency (SEGA)
    Final Report             1 month     State e-Government Agency (SEGA)

    Bulgaria follows the Directive structure for NIS2 reporting deadlines unless further clarified by secondary regulation. Sectoral authorities may coordinate with SEGA where applicable.

    9. Supervisory Authorities and Enforcement Model in Bulgaria

    Primary authority: State e-Government Agency (SEGA).

    Bulgaria operates a centralized supervisory model, supported by sector-specific regulators when required.

    Supervisory powers include:

    • Requests for documentation and information
    • Security audits
    • On-site inspections
    • Binding compliance instructions
    • Participation in EU cybersecurity coordination

    The enforcement model reflects Directive-level cooperation and oversight mechanisms.

    10. NIS2 Fines and Sanctions in Bulgaria

    Bulgaria applies Directive-aligned administrative penalties.

    Essential Entities

    Up to €10 million or 2% of total global annual turnover (whichever is higher)

    Important Entities

    Up to €7 million or 1.4% of total global annual turnover (whichever is higher)

    In addition to fines, enforcement in Bulgaria may include:

    • Binding remediation orders
    • Public identification of non-compliant entities
    • Suspension of certification or authorization
    • Managerial suspension powers

    11. NIS2 Supply Chain and Vendor Security in Bulgaria

    Entities must implement third-party cybersecurity controls including:

    • Vendor risk assessments
    • Contractual flow-down of security requirements
    • Ongoing ICT supplier monitoring
    • Concentration risk analysis
    • Incident propagation mitigation

    Bulgaria's framework aligns with Directive baseline expectations for supply chain oversight.

    12. Registration and Self-Identification Duties in Bulgaria

    Entities within scope must:

    • Register with competent authorities
    • Provide corporate identification details
    • Disclose sector classification
    • Maintain updated reporting contacts

    Procedural deadlines follow Bulgaria's implementing framework. At the current stage of transposition, Bulgaria follows the NIS2 Directive baseline; national implementing measures may refine specific obligations.

    Self-identification is required for entities meeting statutory thresholds.

    13. Interaction With GDPR and Other Laws in Bulgaria

    The General Data Protection Regulation continues to apply concurrently.

    Overlap areas include:

    • 72-hour personal data breach reporting
    • Supervisory authority coordination
    • Parallel cybersecurity and data protection investigations
    • Sector-specific Bulgarian cybersecurity rules

    A cyber incident affecting personal data may trigger dual reporting obligations.

    14. Cross-Border Applicability

    Entities with their main establishment in Bulgaria are supervised by Bulgarian authorities for cross-border operations.

    Foreign digital providers serving Bulgarian customers may fall within scope depending on establishment and service structure.

    Representation requirements follow Directive standards for non-EU providers.

    15. Implementation Timeline in Bulgaria

    • Directive adoption: 2022
    • National legislative amendments: 2024–2025
    • Entry into force: Upon national publication
    • Commission notification: In accordance with EU procedure
    • Compliance milestone: Directive-aligned deadlines

    Bulgaria's legislative process aligns with the EU transposition schedule, subject to formal notification steps.

    16. Key Takeaways for SMEs in Bulgaria

    • Medium-sized entities in covered sectors are automatically in scope.
    • Small entities may be designated if critical to societal stability.
    • Board-level governance is mandatory.
    • Incident reporting follows 24h / 72h / 1 month deadlines.
    • Financial penalties can reach €10 million or 2% of global turnover.
    • Vendor and ICT risk management is required.
    • Early risk assessments reduce enforcement exposure.

    FAQ: NIS2 Bulgaria SME Guide

    Does NIS2 apply to small companies in Bulgaria?

    Small companies are generally excluded unless designated or operating in highly critical sectors. Medium-sized entities meeting size thresholds are automatically included.

    What are the NIS2 fines in Bulgaria?

    Essential Entities face penalties up to €10 million or 2% of global annual turnover. Important Entities face up to €7 million or 1.4% of global annual turnover.

    When does NIS2 take effect in Bulgaria?

    Bulgaria is implementing amendments to its Cybersecurity Act to align with the Directive. Entry into force follows national publication procedures.

    Who enforces NIS2 in Bulgaria?

    The State e-Government Agency (SEGA) serves as the primary coordinating authority, supported by sector regulators where applicable.

    Can directors be personally liable under NIS2 in Bulgaria?

    Management bodies must approve and oversee cybersecurity measures. Administrative enforcement may include managerial suspension powers in serious cases.

    How does NIS2 differ from GDPR in Bulgaria?

    NIS2 governs cybersecurity risk management and operational resilience, while GDPR focuses on personal data protection. Both frameworks may apply simultaneously following a cyber incident.

    What qualifies as a significant incident under NIS2 in Bulgaria?

    An incident causing severe disruption, financial loss, societal impact, or cross-border consequences typically meets the reporting threshold.