NIS2 in Bulgaria: New Cybersecurity Obligations Businesses Should Assess in Time

The new requirements under the Bulgarian Cybersecurity Act now apply to a much broader range of companies than those traditionally associated with “critical infrastructure”. By the amendments promulgated in State Gazette No. 17 of 13 February 2026, Bulgaria transposed into national law the requirements of Directive (EU) 2022/2555, commonly known as NIS2 or the NIS2 Directive. 

For managers, owners, investors, IT directors and in-house counsel, the key question is no longer only whether the company has adequate technical measures in place. The more important question is whether the company falls within the scope of the law, what its legal status is, what internal rules it must adopt, how it must report incidents and what sanctions may follow in the event of non-compliance. 

The regime is not limited to telecoms, banks and public authorities. It may also affect energy companies, transport operators, hospitals, manufacturers of medicinal products and medical devices, cloud service providers, data centres, managed ICT service providers, cybersecurity service providers, postal and courier operators, businesses in the food, chemicals and waste sectors, certain manufacturers and research organisations. 

What Is the Main Change? 

The law no longer follows the previous model of “operators of essential services” and “digital service providers”. The new framework introduces two main categories: essential entities and important entities. This classification matters for supervision, inspections, evidence of compliance and sanction risk. 

At EU level, NIS2 expands the scope of cybersecurity rules, introduces clearer obligations for risk management and incident reporting, and strengthens supervisory and enforcement mechanisms. 

In Bulgarian law, this is reflected in the requirement to achieve a “high common level of cybersecurity”. This does not mean a single IT measure, but an integrated system: risk management, incident response, business continuity, supplier control, training, access control, asset management, cryptography and evidence of actual implementation. 

Which Companies Fall Within the Scope? 

The assessment starts with the company’s activities. The law sets out two main groups of sectors: highly critical sectors and other critical sectors. If a company operates in any of these sectors, its size must then be assessed, as well as whether it falls into a special category where size is not decisive. 

Highly Critical Sectors 

This group includes activities where disruption of systems may affect essential social or economic functions. 

Energy — electricity, district heating and cooling, oil, natural gas, hydrogen, network operators, storage facilities, transmission, distribution, producers, market participants and charging point operators. 

Transport — air, rail, waterborne and road transport, including airports, railway undertakings, infrastructure managers, port authorities and operators of intelligent transport systems. 

Financial sector — credit institutions, operators of trading venues and central counterparties. 

Healthcare — healthcare providers, reference laboratories, entities carrying out research and development activities in relation to medicinal products, manufacturers of pharmaceutical substances and products, and certain manufacturers of critical medical devices. 

Drinking water and wastewater — suppliers of drinking water and undertakings collecting, disposing of or treating urban, domestic or industrial wastewater, where this is not merely a non-essential part of their overall activity. 

Digital infrastructure — providers of internet exchange points, DNS services, top-level domain registries, cloud computing services, data centres, content delivery networks, trust services, public electronic communications networks and publicly available electronic communications services. 

ICT service management between businesses — managed service providers and managed security service providers. This includes companies that install, manage, maintain or administer ICT products, networks, infrastructure, applications or systems for corporate clients. 

Space — operators of ground-based infrastructure supporting the provision of space-based services. 

Other Critical Sectors 

The law also covers activities that many companies would not immediately associate with cybersecurity regulation. 

These include postal and courier services, waste management, the manufacture and distribution of chemicals, the production, processing and distribution of food, and certain manufacturing activities — medical devices, computers, electronic and optical products, electrical equipment, machinery and equipment, motor vehicles, trailers, semi-trailers and other transport equipment. 

Certain digital services are also covered: online marketplaces, online search engines and social networking service platforms, as well as research organisations. 

For this reason, a manufacturing company, logistics operator, online platform, IT support provider or information security service provider should not automatically assume that the regime is irrelevant to its business. 

Company Size: Why the Assessment Is Not Just About Headcount 

As a general rule, the law applies to public and private entities in the covered sectors where they meet at least the criteria for medium-sized enterprises or exceed the upper threshold for medium-sized enterprises. 

Under the EU definition of SMEs, the relevant criteria are staff headcount, annual turnover and balance sheet total. A medium-sized enterprise is an enterprise with fewer than 250 employees and either annual turnover not exceeding EUR 50 million or a balance sheet total not exceeding EUR 43 million. 

However, the assessment is not always limited to one company and one registration number. In the case of linked enterprises, partner enterprises, groups and control relationships, data from other companies may also need to be taken into account. This is particularly important for Bulgarian companies that are part of an international group or have a complex ownership structure. 

What Does “Essential Entity” Mean? 

Essential entities are entities with a higher regulatory profile. For such entities, the law assumes greater significance of the activity or more serious consequences in the event of disruption, breach or systemic incident. 

The following are generally treated as essential entities: 

  • entities from highly critical sectors that exceed the upper threshold for medium-sized enterprises; 
  • qualified trust service providers; 
  • top-level domain name registries; 
  • DNS service providers, regardless of their size; 
  • providers of public electronic communications networks or publicly available electronic communications services, where they are medium-sized enterprises; 
  • public administrative authorities; 
  • entities that are the sole provider of a critical service or whose disruption could have a significant impact on public safety, public security, public health, systemic risk or the national/regional importance of a sector; 
  • critical entities under Directive (EU) 2022/2557; 
  • entities that, at the time the amendments entered into force, had already been designated as operators of essential services. 

For example, a large cloud service provider, a major energy operator, a significant hospital structure or a provider of managed ICT services to corporate clients may qualify as an essential entity if it falls within the relevant sector and meets the statutory criteria. 

What Does “Important Entity” Mean? 

Important entities are entities in the covered sectors that fall within the scope of the law but do not meet the criteria for essential entities. 

This does not mean that their obligations are merely formal. Both essential and important entities must adopt risk management measures and report significant incidents. The difference lies mainly in the intensity of supervision and the way in which authorities may exercise control. 

For example, a medium-sized food manufacturer, a medium-sized manufacturer of electrical equipment, a medium-sized managed IT service provider or a medium-sized online marketplace operator may qualify as an important entity if its activity is included in the statutory list. 

Supply Chain Providers: Direct Scope vs Contractual Impact 

A supplier to a large company does not automatically fall within the Cybersecurity Act simply because its client is an essential or important entity. 

A supplier falls directly within the scope if it: 

  • operates in one of the sectors covered by the law; 
  • meets the size criteria; 
  • provides a service from one of the special categories where size is not decisive; 
  • is the sole provider of a critical service; 
  • has a role such that disruption of its service could create significant public, systemic, cross-border or sectoral risk. 

At the same time, a supplier may be affected contractually, even if it does not fall directly within the law. The reason is that essential and important entities must manage supply chain risk. The law requires them to take account of vulnerabilities specific to their direct suppliers and service providers, as well as the overall quality of their products and cybersecurity practices. 

In practice, this means stricter contracts with ICT suppliers, hosting providers, cloud platforms, ERP/CRM providers, external administrators, SOC/MSSP providers, software developers, support providers and other companies with access to systems, applications, infrastructure or data. 

Contracts are increasingly likely to include clauses on: 

  • minimum security standards; 
  • incident notification deadlines; 
  • access to logs and technical information; 
  • subcontractor rules; 
  • audit rights or the provision of evidence; 
  • backups and recovery; 
  • cooperation during regulatory inspections; 
  • liability for non-performance. 

The Register: Who Is Included, Who Provides Information and Why It Matters 

The Minister of e-Government creates, maintains and administers a register of the entities covered by the law. The register contains information such as the entity’s name, address and current contact details, IP ranges, sector, subsector, Member States in which services are provided and representative details, where applicable. The register is not public. 

Several processes should be distinguished here. 

First, national competent authorities identify essential and important entities under a methodology adopted by the Council of Ministers and notify the Minister of e-Government. 

Second, certain digital and infrastructure providers have an active obligation to provide information about their main establishment in the EU, other places of establishment or representative in the EU. This applies to DNS service providers, top-level domain registries, domain name registration service providers, cloud service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplaces, online search engines and social networking platforms. 

Third, where the information provided changes, entities must notify the relevant national competent authority within two weeks of the change. 

The register is not public because it contains operationally sensitive information, such as IP ranges and incident response contacts. For businesses, this means that there must be an internally designated process owner: who monitors the data, who updates it, who communicates with the competent authority and who is responsible when changes occur. 

The Management Body Now Has a Specific Role 

The law expressly places management bodies within the cybersecurity risk management process. They approve risk management measures and monitor their implementation. Members of management bodies must undergo training every two years so that they can identify risks and assess risk management practices and their impact on the entity’s services. 

This changes the practical organisation within companies. Cybersecurity decisions must be traceable at management level — with a plan, budget, responsible persons, deadlines, internal reporting and documented decisions. 

In the event of breach of these management obligations, the law provides for fines for heads of administrative authorities, managers or members of management bodies ranging from EUR 500 to EUR 5,000. 

What Measures Must Be Introduced? 

The measures must be appropriate and proportionate to the risk, the size of the entity, the likelihood of incidents and the potential social and economic impact. The law does not impose one specific technology, but requires a level of security appropriate to the risk. 

The minimum scope of the measures includes: 

  • policies on risk analysis and information system security; 
  • incident handling; 
  • business continuity, backups, disaster recovery and crisis management; 
  • supply chain security; 
  • security in the acquisition, development and maintenance of systems; 
  • vulnerability handling and disclosure; 
  • procedures for assessing the effectiveness of measures; 
  • cyber hygiene and training; 
  • cryptography and encryption, where appropriate; 
  • human resources security; 
  • access control; 
  • asset management; 
  • multi-factor or continuous authentication, where appropriate; 
  • change management for information assets. 

ENISA has published technical guidance on NIS2, providing a practical reference for digital infrastructure, ICT service management and digital providers. The guidance does not replace Bulgarian law, but is useful when building an evidence-based compliance programme. 

Three Concepts Businesses Should Understand 

Cyber hygiene means standard practices and procedures for maintaining and protecting IT systems, networks and end-user devices — training, access control, updates, backups, incident response and risk reduction. 

Significant incident means an incident that has caused or is capable of causing serious operational disruption, financial loss or significant material or non-material damage to other persons. 

Information assets are not limited to servers and software. The law includes hardware, software, documentation, supporting systems, operational processes, employees and external organisations. 

Reporting Significant Incidents 

Essential and important entities must notify the relevant sectoral computer security incident response team — CSIRT/SERICS — of every significant incident. 

The deadlines are short: 

  • within 24 hours of becoming aware of the significant incident — early warning; 
  • within 72 hours of becoming aware — incident notification with an initial assessment of severity, impact and available technical information; 
  • for trust service providers, the incident notification deadline is 24 hours; 
  • at the request of SERICS — an intermediate report; 
  • within one month of the incident notification — a final report; 
  • if the incident is ongoing, the final report is submitted within one month of the incident being resolved. 

Where appropriate and without undue delay, affected entities must notify recipients of their services of significant incidents that are likely to adversely affect the provision of those services. 

In the event of a cross-border incident, the national single point of contact may inform the affected Member States and ENISA while preserving security, commercial interests and confidentiality. 

Most Common Questions About Reporting 

  1. Is a complete technical investigation required before the early warning?
    No. The early warning is the initial stage of reporting. The complete technical picture may develop later in the incident notification, intermediate report and final report.
  2. Is every cyber incident “significant”?
    No. Significance is assessed by reference to operational disruption, financial loss and potential damage to other persons. In practice, this assessment may be difficult in cases involving ransomware, compromised accounts, service outages, supplier breaches or incidents involving personal data.
  3. What should be prepared in advance?
    At a minimum: a procedure for qualifying incidents, an escalation matrix, contact persons, rules on who sends the notification, alignment with the GDPR procedure and rules for preserving evidence.

Inspections, Audits and Evidence of Compliance 

Supervision is carried out by the national competent authorities, the Ministry of Defence, the Ministry of Interior and the State Agency for National Security, depending on their respective competence. 

For essential entities, the authorities may carry out planned and ad hoc inspections, on-site or remote inspections, regular and targeted audits, ad hoc audits in the event of a significant incident or breach, and may request information, documents and evidence of implementation of policies. 

Important entities may also be subject to on-site inspections, subsequent remote supervision, targeted audits, requests for information, access to documents and evidence of implementation of cybersecurity policies. 

The costs of a targeted security audit carried out by an independent body are generally borne by the audited entity, unless the national competent authority decides otherwise in a duly justified case. 

In practice, this means that a company must be able to show not only a cybersecurity policy, but also evidence that it is actually implemented — decisions, training records, protocols, supplier contracts, technical evidence, audit results, recovery plans, backup tests, asset registers and corrective actions. 

Coercive Measures and Sanctions 

In the event of breaches, the authorities may issue warnings, mandatory instructions and orders, including for the remedying of deficiencies, cessation of infringements, implementation of risk management measures, compliance with reporting obligations and public disclosure of an infringement. 

For essential entities, the law also allows more severe measures — temporary suspension of a licence, registration, certificate or authorisation relating to all or part of the relevant services or activities, as well as a request for a temporary prohibition on a person with management functions exercising such functions within the essential entity. 

The sanctions are significant: 

  • for failure to comply with a coercive administrative measure — from EUR 2,500 to EUR 12,000, and in the event of repeated infringement from EUR 5,000 to EUR 25,000; 
  • for an essential entity that fails to comply with its risk management and reporting obligations — up to EUR 10,000,000 or up to 2% of the total worldwide annual turnover for the preceding financial year, whichever is higher, but not less than EUR 25,000; 
  • for an important entity — up to EUR 7,000,000 or up to 1.4% of total worldwide annual turnover, whichever is higher, but not less than EUR 12,500; 
  • for breach of management obligations — a fine of EUR 500 to EUR 5,000 for heads of administrative authorities, managers or members of management bodies. 

As of the date of this article, a transitional rule is also relevant: for infringements committed before 1 June 2026, fines and pecuniary sanctions are imposed at a rate reduced by 50% of the amount provided by law. This is not an exemption from liability, but a temporary reduction in the amount of the sanction. 

Practical Risk Table 

| Potential Issues | How We Can Assist |
| --- | --- |
| Incorrect assessment of scope: the company assumes that the law does not apply, although it operates in a covered sector, meets the relevant size threshold or performs a critical function. | Legal and factual applicability analysis: we assess the sector, size, group links, services, suppliers and possible grounds for classification as an essential or important entity. |
| Insufficient preparation for the register: inaccurate contacts, IP ranges, Member State data, representative details or no internal process owner. | Regulatory preparation package: we assist with structuring the data, internal responsibilities and communication with the competent authority. |
| Unclear incident procedure: the company cannot quickly determine whether an event is a significant incident and who must submit the notification. | Incident response and reporting procedure: we prepare an escalation matrix, legal criteria, draft notifications, GDPR alignment and evidence rules. |
| Insufficient ICT supplier contracts: clauses on incidents, audits, subcontractors, logs, recovery and assistance during inspections are missing. | Contract review and redrafting: we prepare cybersecurity, supply chain, notification, audit rights, liability and operational assistance clauses. |
| Inspection or sanction: the authority requests documents, evidence, audit results or imposes an order, pecuniary sanction or other measure. | Defence in inspections and proceedings: we represent clients before authorities and courts, prepare objections, appeals and a strategy to limit regulatory and reputational damage. |

Connection With GDPR, DORA and Sector-Specific Regimes 

A cyber incident often has consequences beyond the Cybersecurity Act. If it affects personal data, a separate assessment under the GDPR and the Bulgarian Personal Data Protection Act is required. The law provides that competent authorities must notify the Commission for Personal Data Protection where they identify an infringement that could lead to a personal data breach. 

For the financial sector, Regulation (EU) 2022/2554 — DORA — must also be taken into account. The law provides for cooperation between the competent authorities under the Cybersecurity Act and the authorities under DORA, including in relation to critical ICT third-party service providers. 

In addition, if sector-specific legislation contains equivalent requirements for risk management measures or notification of significant incidents, certain provisions of the Cybersecurity Act may not apply to the entities concerned. This assessment is specific and should not be made mechanically. 

What Should Businesses Do Now? 

The first step is scope mapping. A company should determine whether it performs activities in covered sectors, whether it qualifies at least as a medium-sized enterprise, whether it is part of a group, whether it provides cross-border services and whether it falls into a special category regardless of size. 

The second step is status determination — essential or important entity. This is not merely a terminological issue, because it affects supervision, evidence, inspection risk and communication with authorities. 

The third step is a gap analysis against the statutory risk management measures: policies, incidents, backups, recovery, asset management, access control, suppliers, vulnerabilities, encryption, training and change management. 

The fourth step is contract review. Suppliers with access to systems, infrastructure, applications or data should be assessed and contractually bound by security, notification and cooperation requirements. 

The fifth step is incident preparedness. The procedure must work in real time. If the 24-hour deadline cannot be met under the current organisation, the risk is already managerial and legal, not merely technical. 

Frequently Asked Questions About the New Obligations Under the Cybersecurity Act 

  1. How do we know whether we are an essential or important entity?
    The assessment covers the sector, type of service, size of the enterprise, group structure, cross-border activity and any critical role of the service. A check of the company’s main economic activity code alone is not sufficient.
  2. If we are a supplier to a company in the energy or healthcare sector, do we automatically fall within the law?
    Not necessarily. Direct applicability depends on your own sector, size and type of service. However, if you are a direct ICT provider, managed service provider, security provider or critical supplier, you are likely to be affected contractually.
  3. What evidence should the management body have?
    In practice, it is advisable to have a decision adopting the measures, an implementation plan, designated responsible persons, evidence of training, periodic reports, a risk register and documents demonstrating supplier control.
  4. What happens if a cyber incident occurs on a non-working day?
    The statutory deadlines are not tied to working hours. If the incident is significant, the early warning must be submitted within 24 hours of becoming aware of it. This requires pre-defined contacts, deputies, templates and an internal escalation procedure.
  5. Do we also need to notify the Commission for Personal Data Protection?
    If the incident involves personal data, a separate GDPR assessment is required. Notification to the Commission for Personal Data Protection and/or to affected individuals may be required in addition to the obligations under the Cybersecurity Act.
  6. What should we do if we receive an order or document request from a competent authority?
    The legal basis, scope of the request, deadline, sensitivity of the information and available evidence must first be clarified. Incomplete or inaccurate responses may worsen the company’s position.

Conclusion 

The amendments to the Cybersecurity Act following NIS2 affect a much broader range of companies than the classic operators of critical infrastructure. For entrepreneurs, managers, investors and in-house counsel, the key issue is not whether the company has an IT risk, but whether it now has a statutory obligation to manage, document and prove the management of that risk. 

The practical consequences are specific: classification as an essential or important entity, inclusion in a non-public register, management training, policies and procedures, supplier control, short reporting deadlines, inspections, audits, mandatory instructions and significant sanctions. 

If you would like us to assess whether the new regime applies to your business and what concrete steps are needed, contact us. Vassilev & Partners Law Firm can assist with a legal assessment of scope, preparation of internal rules, contract review, communication with competent authorities, training of management and operational teams, and defence in inspections and sanction proceedings. 

Disclaimer 

The information contained in this article is for general informational purposes only and provides basic guidance on the subject matter in light of the legal framework as at the date of publication. Although we strive to ensure the accuracy of the content, legal rules and their interpretation evolve over time. To verify the current wording of the applicable provisions and their application to your specific situation, you should contact us directly. We accept no liability for any damage resulting from independent use of the information in this article without prior individual legal advice. This article does not constitute a legal opinion. 
