NIS2 Country Guide

NIS2 Bulgaria: Amended Cybersecurity Act, What’s Changing & How to Get Ready

See where Bulgaria stands in implementing the NIS2 Directive (EU) 2022/2555: which entities are in scope, how the Cybersecurity Act has been amended, and what organisations should do now to comply.

Bulgaria NIS2 transposition: amendments to the Cybersecurity Act adopted 5 February 2026 | Existing regime: Cybersecurity Act 2018

Introduction: NIS2 Directive & the Bulgarian context

The NIS2 Directive strengthens cybersecurity rules for essential and important entities across the EU. Bulgaria's Cybersecurity Act of 2018 implemented the first NIS Directive, but that regime covered only a relatively narrow set of operators of essential services and digital service providers.

To align with NIS2, Bulgaria has amended the Cybersecurity Act and extended its rules to many more sectors, including digital infrastructure and key services that support the economy and public administration.

Quick link: Before diving into the Bulgarian specifics, read “What is NIS2?” and “NIS vs NIS2”.

NIS2 implementation in Bulgaria

Bulgaria has transposed the NIS2 Directive through amendments to the Cybersecurity Act of 2018, adopted by Parliament on 5 February 2026. The revised framework expands the scope of entities and aligns national cybersecurity obligations with the NIS2 model of essential and important entities. The amendments update risk-management requirements, supervision and incident reporting obligations, with further detail to be provided through secondary legislation where applicable.

Because the EU transposition deadline of 17 October 2024 passed before adoption, Bulgaria completed the process late. The amended law applies from its entry into force, with details (such as sector-specific measures and registration procedures) clarified in secondary legislation.

Status

NIS2 has been transposed through amendments to the Cybersecurity Act, adopted by Parliament on 5 February 2026. The revised framework is in force; secondary legislation and supervisory guidance supporting its implementation are still being issued.

Current regime

The Cybersecurity Act (2018), as amended to transpose NIS2 in February 2026, now governs cybersecurity obligations for essential and important entities under the expanded national framework.

What has changed

The amended Cybersecurity Act introduces the NIS2 categories of essential and important entities, expands the list of in-scope sectors and entities, and updates the rules on risk management, supervision and incident reporting in line with the Directive.

NIS2 Bulgaria: what to expect for compliance & obligations

Bulgaria has transposed NIS2 through amendments to the Cybersecurity Act. Organisations operating in NIS2 sectors and meeting the applicable size thresholds must comply with the expanded cybersecurity obligations for essential and important entities. The points below summarise what the Directive requires and the amended Act follows; sector-specific detail comes from secondary legislation.

Scope

  • Entities operating in NIS2 Annex I sectors (e.g. energy, transport, health, drinking water, digital infrastructure, public administration).
  • Entities operating in NIS2 Annex II sectors (e.g. postal and courier services, waste management, food, manufacturing of key products).
  • Medium-sized and larger organisations (at least 50 staff, or annual turnover and balance sheet total both above €10 million, per the EU SME definition).
  • Certain providers in scope regardless of size (e.g. DNS service providers, TLD name registries, qualified trust service providers and providers of public electronic communications networks or services). Cloud and managed service providers are in scope under the normal size thresholds.

Core obligations

  • Implement risk-management and security measures for relevant network and information systems.
  • Adopt policies for incident prevention, detection, response and recovery.
  • Report significant incidents to the national CSIRT or competent authority within the NIS2 timeframes: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month. Notification of cyber threats and near misses is voluntary.
  • Manage supply-chain and third-party risks, including contractual security requirements for key suppliers.
  • Ensure management-level oversight, training and accountability for cybersecurity.

Standards & frameworks

The amended Cybersecurity Act and its implementing ordinances set out minimum technical and organisational measures in line with NIS2. While no single certification standard is mandated, aligning with recognised international frameworks such as ISO/IEC 27001 or NIST CSF is a practical way to structure and demonstrate compliance.

Competent authorities & CSIRT

Bulgaria already had a national Single Point of Contact and a national CSIRT under the 2018 Act. Under NIS2, these roles are expanded and complemented by sector-specific supervisory authorities.

Role | Authority | Notes
Single Point of Contact / coordination | State e-Government Agency | Acts as the national NIS contact point, coordinating NIS2 implementation, registration and information exchange with EU bodies and other Member States.
National CSIRT | GovCERT Bulgaria (GovCERT.bg) | Handles incident notifications, provides early-warning and threat information, and supports response coordination.
Sectoral competent authorities | Various ministries and regulators | Sector-specific supervision (e.g. energy, transport, finance, health, water, digital services) by authorities designated under the amended law.

NIS2 timeline & key dates (Bulgaria)

27 Dec 2022 — Directive (EU) 2022/2555 (NIS2) is published in the Official Journal of the European Union.
17 Oct 2024 — Deadline for Member States to transpose NIS2; the Directive applies from 18 October 2024, when the first NIS Directive is repealed. Bulgaria did not meet this deadline.
2024 — Bulgarian draft law amending the Cybersecurity Act is published and submitted to Parliament.
2025 — Parliamentary debates and committee stages continue.
5 Feb 2026 — Parliament adopts amendments to the Cybersecurity Act transposing NIS2.
2026 — Amended law in force; secondary legislation and supervisory guidance follow to support enforcement.

Sector-specific notes for Bulgaria

  • Energy: electricity, gas, oil, district heating and hydrogen operators are Annex I entities; large operators are classified as essential entities with the strictest obligations.
  • Transport: air, rail, road and water transport operators, as well as key logistics infrastructure, fall in scope as Annex I entities.
  • Health: hospitals, clinics, laboratories and critical e-health service providers are covered as essential or important entities depending on size.
  • Water services: drinking water and wastewater operators are explicitly covered as Annex I sectors.
  • Finance & public administration: banking and financial market infrastructure are Annex I sectors, but for financial entities the Digital Operational Resilience Act (Regulation (EU) 2022/2554) takes precedence as sector-specific law; central and regional public administration bodies fall under Annex I.
  • Digital infrastructure & ICT: data centres, cloud providers, electronic communications networks, hosting and managed service providers play a central role and are explicitly targeted by NIS2.

Penalties for non-compliance

The amended Cybersecurity Act implements the NIS2 administrative penalty framework (Article 34 of the Directive). That means:

  • For essential entities, the maximum administrative fine is at least €10 million or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher.
  • For important entities, the maximum administrative fine is at least €7 million or 1.4% of total worldwide annual turnover in the preceding financial year, whichever is higher.
  • Competent authorities may impose binding instructions, inspections, audits and mandatory remediation measures where deficiencies are identified; for essential entities, they may also temporarily suspend certifications or authorisations.
  • In cases of serious or repeated non-compliance, members of the management body may face individual liability, including a temporary prohibition from exercising managerial functions, in accordance with applicable national law.

How to prepare for NIS2 in Bulgaria

  1. Check if you are likely in scope: map your services and customers against NIS2 sectors and size thresholds.
  2. Perform a gap assessment: compare your current controls to NIS2 requirements for risk management, incident handling and governance.
  3. Strengthen governance: define clear roles for cybersecurity, assign board-level accountability and ensure regular reporting.
  4. Prepare for registration: collect organisational and contact information that will be required when Bulgaria launches its NIS2 registries.
  5. Improve incident readiness: set up monitoring, logging, incident response playbooks and escalation paths to the national CSIRT.
  6. Review third-party risk: update supplier contracts to include security obligations, audit rights and incident-notification clauses.
  7. Align with a recognised framework: begin or strengthen implementation of an ISMS based on ISO 27001 or an equivalent framework.
  8. Train staff: run awareness campaigns and exercises so employees recognise and respond correctly to cyber incidents.


FAQ: NIS2 in Bulgaria

Has Bulgaria fully transposed NIS2?
Yes. Bulgaria has transposed NIS2 through amendments to the Cybersecurity Act adopted in February 2026. The revised framework aligns national law with the Directive, with further detail provided through secondary legislation where applicable.
Which law implements NIS2?
NIS2 is implemented through amendments to the existing Cybersecurity Act, rather than through a new standalone law.
Who is the main NIS2 contact in Bulgaria?
The State e-Government Agency acts as the Single Point of Contact and coordinates with the national CSIRT (GovCERT.bg) and sectoral regulators.
Are we affected if we were not covered by the old Cybersecurity Act?
Very likely. NIS2 significantly expands the number of sectors and entities in scope, including many medium-sized companies and digital service providers that were not regulated before.
Should we wait for the secondary legislation before acting?
No. Organisations falling within NIS2 sectors should assess their scope, risk management, incident response and governance structures and begin aligning with the amended legal framework without delay; the secondary legislation will add detail, not change the core obligations.
Information provided for general guidance; always consult official Bulgarian sources and legal counsel for final NIS2 compliance requirements.