Bulgaria’s Cybersecurity Law

National Regulations

Objectives and scope

Bulgaria’s primary cybersecurity legislation is the Cybersecurity Act, adopted in 2018 to implement the EU Network and Information Security (NIS) Directive. The law’s objective is to achieve a high level of network and information security across critical infrastructure and digital services.

It applies to operators in essential sectors – such as energy, transport, banking, healthcare, and water supply – as well as to key digital service providers (e.g. e-commerce platforms, search engines, social networks, cloud computing services) that are important to the public. The Act also extends certain requirements to public-service organisations (such as utilities and hospitals) that provide services online, even if they are not formally designated as essential operators.

Regulatory framework and authorities

The Cybersecurity Act establishes a comprehensive regulatory framework with defined authorities. The Ministry of Electronic Governance serves as the national competent authority and Single Point of Contact for cybersecurity, overseeing implementation of the law. A multi-tier governance structure is in place: a Cybersecurity Council (for high-level policy coordination) and a national cybersecurity coordinator guide the overall strategy. Operationally, a National Computer Security Incident Response Team (CERT Bulgaria) handles incident response at the national level, and sector-specific CSIRTs are set up within various industries (energy, finance, transport, health, digital, etc.) to manage incidents in their sectors in coordination with the national CERT.

Sector-specific regulators (appointed by the government) also play a role in this framework – they identify the operators of essential services in each sector and are responsible for enforcing the cybersecurity requirements within their respective domains. This structure ensures clear lines of authority for prevention, response, and oversight in cybersecurity matters.

Key provisions and compliance requirements

The Cybersecurity Act imposes several key obligations on covered entities to bolster their cyber resilience. Major compliance requirements include:

  • Security measures: Implement appropriate technical and organisational measures to manage cybersecurity risks and protect network and information systems. This entails having internal security policies, risk management practices, and controls proportional to the risks faced by the service.
  • Incident reporting: Establish robust incident response procedures and notify authorities of cyber incidents without delay. Notably, an initial report to the relevant CSIRT must be made within two hours of becoming aware of a significant incident, with a full incident report submitted within five working days. This rapid reporting helps national teams contain threats and coordinate responses.
  • Cooperation: Cooperate fully with designated cybersecurity authorities and incident response teams. Entities must provide any information requested by regulators or CSIRTs and assist in investigations. If an incident may constitute a cybercrime, the law requires coordination with law enforcement (e.g. Bulgaria’s cybercrime unit) for further action.
  • Service continuity: Take measures to ensure the continuity of essential or digital services in the event of cyber disruptions. Businesses should be prepared to mitigate the impact of incidents and recover quickly, so that critical services remain available. This includes contingency planning and resilience building to minimise downtime.

Enforcement mechanisms

Compliance with Bulgaria’s cybersecurity law is backed by enforcement measures and penalties. Regulators may impose administrative fines for violations of the Act’s requirements (such as failure to implement security measures or to report incidents). For organisations, fines can range from roughly €750 up to €7,500, with higher penalties (up to about €12,500) for repeated non-compliance. Responsible individuals (e.g. officials or managers) can also be held liable, facing fines up to approximately €5,000 for breaches of their obligations.

In serious cases where a cybersecurity incident involves criminal behaviour (for example, unauthorised system intrusions or data breaches), the Criminal Code applies – cybercrimes are punishable by up to 8 years of imprisonment (and monetary fines), or up to 15 years in prison if the offence compromises state-secret information or national security. Furthermore, the law provides that affected parties can seek civil remedies, as organisations may be held liable for damages caused by inadequate cybersecurity (allowing victims of incidents to claim compensation). Enforcement is overseen by the Ministry and sector regulators, ensuring that entities adhere to the standards or face legal consequences.

Recent amendments and developments

Bulgaria’s cybersecurity law continues to evolve in response to emerging threats and EU-wide initiatives. In 2021, an amendment to the Act enabled the creation of a specialised Cybersecurity Monitoring and Response Centre within the State Agency for National Security (DANS), which became operational in January 2022. This centre monitors critical information systems and coordinates responses to cyber incidents that could impact national security.

More recently, Bulgaria has been working to update its Cybersecurity Act to align with the EU’s NIS2 Directive (Directive (EU) 2022/2555), which introduces expanded requirements for cybersecurity across member states. A draft bill to amend the Act was introduced in mid-2024 to transpose NIS2 into national law. The proposed amendments will broaden the scope of regulated entities by introducing categories of “significant” (essential) and “important” entities, thereby covering a wider range of organisations (including additional sectors and medium-sized companies that were not covered under the original NIS framework). These entities will face enhanced risk management obligations and stricter incident reporting duties under the new rules. The NIS2 transposition was expected to be adopted by the EU deadline of October 2024, but as of early 2025 the legislative process is still ongoing – a draft amendment was submitted to Parliament in late 2024 and has not yet been passed into law.

Once enacted, these updates will modernise Bulgaria’s cybersecurity law, bringing it in line with the latest European standards and extending cybersecurity oversight to more sectors of the economy.