NIS2 Bulgaria Compliance Guide: Cybersecurity Act Amendments and DAEU Requirements for 2026

Complete guide to NIS2 compliance in Bulgaria — covering the amended Cybersecurity Act (Закон за киберсигурността), DAEU enforcement, National CSIRT bg incident reporting, entity classification, sector requirements, penalties, implementation timeline, and cyber insurance implications for Bulgarian entities.

Bulgaria transposed the EU NIS2 Directive into national law by amending its existing Cybersecurity Act (Закон за киберсигурността), with the amendments entering into force on 17 February 2026. While Bulgaria missed the original EU transposition deadline of October 2024 by 16 months, the new law is comprehensive — expanding regulated sectors from 8 to 18, introducing significant penalties aligned with NIS2 maximums, and adding several Bulgaria-specific requirements that go beyond the Directive’s minimum standards.

This guide covers Bulgaria’s NIS2 transposition, the role of DAEU (Държавна агенция “Електронно управление” — State e-Government Agency), National CSIRT bg incident reporting, entity classification, sector-specific requirements, penalties, implementation milestones, and practical steps for compliance.

Bulgaria’s NIS2 Transposition: Where Things Stand

Bulgaria implemented NIS2 not through a standalone law but by amending its existing 2018 Cybersecurity Act via an omnibus bill:

  • Cybersecurity Act (Закон за киберсигурността) — original 2018: Implemented the NIS1 Directive, establishing Bulgaria’s national cybersecurity framework, CSIRT structures, and operator obligations
  • Law for Amendment and Supplementation (ЗИД ЗКС): Adopted by the 51st National Assembly on 5 February 2026, published in the State Gazette on 13 February 2026, entering into force on 17 February 2026. Expands scope to all NIS2 sectors, strengthens incident reporting, introduces personal liability for management, increases penalties, and adds national extensions
  • Secondary legislation (pending): Ordinances with detailed minimum cybersecurity requirements expected by October 2026
  • National Cybersecurity Strategy: Sets broader strategic objectives aligned with NIS2 principles

Key Dates and Timeline

Milestone | Date
NIS2 Directive adopted | January 2023
NIS2 transposition deadline | October 17, 2024
EC infringement proceedings opened | November 2024
EC reasoned opinion | May 7, 2025
Additional formal notice (incorrect transposition) | November 21, 2025
Amendments passed first reading | February 2025
Parliament adopted | February 5, 2026
Published in State Gazette | February 13, 2026
Law entered into force | February 17, 2026
Reduced sanctions period ends | June 1, 2026
Secondary legislation due | October 2026
Entity identification methodology | By August 2026
Competent authorities complete designation | By ~January 2027

Important: Bulgaria was 16 months late transposing NIS2. The European Commission opened infringement proceedings, sending a formal notice in November 2024 and a reasoned opinion on May 7, 2025. An additional formal notice for incorrect transposition followed in November 2025. The EC will assess Bulgaria’s adopted law for conformity with NIS2 requirements.

Comparison with Other EU Countries

Bulgaria’s approach is comparable to that of the other EU states covered in our country guide series.

Key Regulatory Bodies

DAEU — State e-Government Agency (Държавна агенция “Електронно управление”)

DAEU serves as Bulgaria’s Single Point of Contact (SPOC) under NIS2:

  • National SPOC for EU-level NIS2 coordination
  • Entity registry coordination — works with the Minister of e-Government who maintains the national register
  • EU CSIRTs Network participation — represents Bulgaria in cross-border coordination
  • Policy implementation — supports the national cybersecurity framework

Contact: NSPOC@e-gov.bg

National CSIRT bg

Bulgaria’s national CSIRT operates at govcert.bg:

  • Coordinates incident response across government and critical infrastructure
  • Provides threat intelligence sharing with EU counterparts via the CSIRTs Network
  • Manages the national cybersecurity incident reporting portal
  • Issues vulnerability alerts and security advisories

Contact: cert@govcert.bg | +359 (2) 949 23 01

Sectoral Competent Authorities

Bulgaria uses a multi-authority model with sectoral regulators. The Council of Ministers must formally designate national competent authorities by August 2026:

Authority | Sector
Ministry of Energy | Energy
Ministry of Transport, IT and Communications | Transport, Digital Infrastructure, DSPs
Financial Supervision Commission | Banking, Financial Market Infrastructures
Ministry of Health | Health
Ministry of Environment and Water | Drinking Water
Communications Regulation Commission | Electronic Communications
Ministry of Defence | Defence-related entities
Ministry of Interior | Law enforcement-related entities
State Agency for National Security (SANS) | National security-related entities

Minister of e-Government

Maintains the non-public national register of essential and important entities, receiving designations from sectoral competent authorities.

Which Entities Are Affected?

Essential Entities (основни субекти)

Under NIS2, Bulgaria designates essential entities in these sectors:

Sectors without alternative legislation:

  • Energy (electricity, hydrogen, district heating, petroleum, natural gas, LNG)
  • Transport (air, rail, water, road)
  • Banking
  • Financial market infrastructure
  • Health (hospitals, laboratories, medical device manufacturers)
  • Drinking water supply and distribution
  • Wastewater management
  • Digital infrastructure (DNS, TLD registries, cloud, data centers, CDNs)
  • ICT service management (managed security, managed IT, B2B)
  • Space

Entities covered regardless of size:

  • Qualified trust service providers
  • Top-level domain name registries
  • DNS service providers
  • Public electronic communications network/service providers
  • Public administration bodies
  • Critical entities under Directive (EU) 2022/2557
  • Existing NIS1 “essential service operators” (automatic transition)

Important Entities (важни субекти)

Bulgaria identifies important entities from additional sectors:

  • Postal and courier services
  • Waste management
  • Chemical manufacturing and distribution
  • Food production, processing, and distribution
  • Manufacturing of critical products (medical devices, electronics, machinery, automotive)
  • Digital providers (online marketplaces, search engines, social networks)
  • Scientific research organisations

Size Thresholds

Entities fall in scope if they qualify as medium-sized enterprises or larger under Bulgaria’s SME Act:

Criterion | Threshold
Employees | ≥50
Annual turnover OR balance sheet total | >€10 million

Exceptions (size threshold does NOT apply):

  • Trust service providers
  • Public electronic communications providers
  • Top-level domain registries
  • DNS service providers
  • Sole providers of an essential service
  • Entities whose disruption impacts public safety, security, or health

Entity Designation Process

Bulgaria does not allow self-assessment. Entities are designated through an administrative process:

  1. Council of Ministers adopts identification methodology within 6 months of entry into force (by August 2026)
  2. Sectoral competent authorities have 5 additional months to identify and designate entities (by ~January 2027)
  3. Minister of e-Government populates and maintains the national register
  4. Designated entities are formally notified of their classification

Bulgaria-Specific Requirements (Beyond NIS2 Minimums)

Bulgaria goes beyond NIS2 minimum standards in several significant ways:

Broader Food Sector Scope

  • NIS2: Covers wholesale distribution and industrial production/processing only
  • Bulgaria: Applies to ALL food businesses at any stage of production, processing, or distribution

More Prescriptive Risk Management

  • Additional measures beyond NIS2 Article 21(2), including mandatory change management obligations and specific notification requirements

Fixed Training Intervals

  • NIS2: Risk-based training approach
  • Bulgaria: Mandatory periodic cybersecurity training at fixed 2-year intervals for management bodies

Stricter Registry Change Notification

  • NIS2: Changes reported within 3 months
  • Bulgaria: Registry changes must be reported within 2 weeks

Explicit Minimum Fines

  • NIS2: Only requires maximum fines
  • Bulgaria: Introduces explicit national minimum fines (€25,000 for essential entities; €12,500 for important entities)

National Security Technology Restrictions

  • The Cybersecurity Council may propose restrictions on specific ICT products/services
  • Organizations must discontinue restricted technologies within 3 years (shorter if high national security risk)
  • Inspired by the EU 5G Toolbox but extends beyond mobile networks

Penalties and Enforcement

Entity-Level Fines

Bulgaria’s penalties are aligned with NIS2 maximum thresholds, with explicit minimums:

Violation Type | Entity Category | Minimum Fine | Maximum Fine
Risk management or reporting breach | Essential | €25,000 | Higher of €10,000,000 or 2% of total worldwide annual turnover
Risk management or reporting breach | Important | €12,500 | Higher of €7,000,000 or 1.4% of total worldwide annual turnover
Non-compliance with corrective measures | Both | €2,500 | €25,000
Procedural breaches | Both | €200,000 | €2,000,000

Personal Liability for Management

NIS2 requires Bulgaria to hold management bodies personally liable for cybersecurity failures:

Violation | Fine Range
Management member failing to perform statutory obligations | €500 – €5,000
Other responsible persons | €500 – €15,000
Temporary ban on holding management positions | Up to 3 years

Reduced Sanctions Period

Fines are decreased by 50% for violations committed before 1 June 2026, providing a brief grace period for entities to begin compliance efforts.

Public bodies are subject to corrective orders but not financial penalties.

Enforcement Powers

Competent authorities have broad enforcement powers:

  • Binding instructions and compliance orders
  • Mandatory security audit orders including unannounced audits
  • Public disclosure of breaches
  • Court orders to temporarily suspend licenses, registrations, or certificates
  • Prohibition on individuals exercising management functions
  • Daily penalties up to BGN 200,000

Compliance Requirements

Article 21 Risk Management Measures

Bulgarian essential and important entities must implement measures covering all 10 NIS2 Article 21 areas, plus Bulgaria-specific additions:

  1. Risk analysis and information system security policies
  2. Incident handling (detection, response, recovery)
  3. Business continuity (crisis management, disaster recovery)
  4. Supply chain security (vendor risk management)
  5. Security in network and information systems (acquisition, development, maintenance)
  6. Vulnerability handling and disclosure
  7. Cryptography (encryption, key management)
  8. Employee training and cybersecurity awareness (mandatory at 2-year intervals for management)
  9. Access control including multi-factor authentication for privileged users
  10. Physical security of premises and data centers
  11. Change management (Bulgaria-specific addition)
  12. Specific notification obligations (Bulgaria-specific addition)

Incident Reporting Requirements

Bulgarian entities must report significant incidents through National CSIRT bg (or their sectoral CSIRT):

Reporting Stage | Timeline | Content
Early Warning | Within 24 hours | Whether the incident is suspected to be caused by unlawful or malicious acts; whether cross-border impact is possible
Incident Notification | Within 72 hours | Initial assessment: severity, impact, available technical information (trust service providers: 24 hours)
Final Report | Within 1 month of resolution | Detailed description, severity, impact, root cause analysis, cross-border impact, remediation measures

Entities must also notify service recipients where appropriate.

Supply Chain Security

NIS2 requires Bulgarian entities to assess and manage cybersecurity risks across their supply chain:

  • Supplier audit rights in contracts
  • Security requirements for critical vendors
  • Concentration risk assessment (single-vendor dependencies)
  • Supply chain incident reporting obligations

This aligns with our guide on NIS2 supply chain and third-party risk management.

Implementation Roadmap for Bulgarian Entities

Phase 1: Immediate Actions (February–May 2026)

  • Monitor the entity identification methodology development by the Council of Ministers
  • Conduct preliminary self-assessment of likely NIS2 scope (essential or important entity)
  • Begin gap analysis against Article 21 requirements (see our NIS2 gap analysis guide)
  • Map supply chain dependencies
  • Prepare for formal designation by sectoral competent authorities

Phase 2: Foundation (June–December 2026)

  • Formal designation and entry into the national register
  • Appoint CISO or designate cybersecurity governance responsibility
  • Begin management cybersecurity training program (mandatory 2-year cycle)
  • Establish incident reporting procedures aligned with National CSIRT bg timelines
  • Deploy baseline security controls (access management, encryption, logging)
  • Develop cybersecurity risk management policies
  • Monitor secondary legislation (ordinances expected by October 2026)

Phase 3: Full Compliance (2027+)

  • Implement full technical security controls per secondary legislation requirements
  • Complete supply chain security assessments
  • Conduct business continuity and disaster recovery testing
  • Implement vulnerability disclosure process
  • Prepare for competent authority audit readiness (see our NIS2 audit preparation guide)
  • Address any technology restriction requirements from the Cybersecurity Council

Cyber Insurance Implications for Bulgarian Entities

Why Bulgarian Entities Need Cyber Insurance

NIS2 creates significant new liability exposure for Bulgarian organizations:

  • Fines up to €10M for essential entities — insurance can cover defense costs and regulatory investigation expenses
  • 3-year management ban for repeated negligence — D&O insurance must be reviewed for cyber exclusions
  • Business interruption from mandatory system shutdowns during incident response
  • Third-party claims from customers affected by data breaches or service disruptions
  • Mandatory security audit costs — authorities can order audits at the entity’s expense
  • Explicit minimum fines (€25,000/€12,500) — even minor breaches carry significant cost

What Underwriters Should Ask About Bulgarian Entities

Cyber insurance underwriters assessing Bulgarian risks should ask:

  1. Entity classification — Is the insured designated as an essential or important entity?
  2. Registry status — Has the entity been formally entered into the national register?
  3. Secondary legislation readiness — Has the entity begun preparing for the October 2026 ordinances?
  4. Incident history — Any incidents reported to National CSIRT bg in the past 3 years?
  5. Management training — Has leadership completed the mandatory 2-year cybersecurity training cycle?
  6. Supply chain audit program — Does the entity audit critical vendors?
  7. Business continuity testing — When was the last BCP/DR test?
  8. Technology restrictions — Has the entity assessed any Cybersecurity Council technology restrictions?

Coverage Considerations

For Bulgarian entities, ensure the policy covers:

  • Regulatory investigation costs under NIS2 enforcement actions
  • Business interruption during authority-mandated system reviews
  • Notification costs for multi-stage incident reporting (24h/72h/1-month)
  • Crisis management and reputational harm
  • Security audit costs when mandated by competent authorities
  • Supply chain losses from vendor incidents (see supply chain attack loss scenarios)
  • Management liability — D&O coverage for 3-year ban exposure
  • Minimum fine coverage — even procedural breaches can trigger €200,000+ fines

Use our cyber insurance buying guide to compare coverage options and our NIS2 compliance checker to assess your current compliance status.

Key Takeaways

  1. Bulgaria transposed NIS2 by amending its existing Cybersecurity Act, which entered into force on February 17, 2026 — approximately 16 months after the EU deadline
  2. DAEU (State e-Government Agency) is the Single Point of Contact, while sectoral competent authorities (to be formally designated by August 2026) handle enforcement
  3. National CSIRT bg handles incident reporting with strict 24-hour, 72-hour, and 1-month timelines
  4. Scope expanded massively from 8 to 18 sectors, with no self-assessment allowed — entities are administratively designated
  5. Bulgaria goes beyond NIS2 minimums with broader food sector scope, fixed 2-year management training, 2-week registry change notification, explicit minimum fines, and national technology restrictions
  6. Penalties align with NIS2 maximums — up to €10M or 2% global turnover for essential entities, plus 3-year management bans, with explicit minimum fines
  7. Reduced sanctions period ends June 1, 2026 — entities have a brief window before full penalties apply
  8. Cyber insurance is essential for Bulgarian entities facing new NIS2 liability exposure, including minimum fines, compulsory audit costs, and management liability

For more NIS2 compliance resources, explore our NIS2 compliance checklist, penalties guide, and technical measures requirements. Compare your country’s approach with our essential vs important entity classification guide.
