Legal Framework
Directive (EU) 2022/2555 — commonly known as NIS2 — replaces the old NIS Directive 2016/1148 and sets up a much broader and significantly stricter cybersecurity framework across the European Union. It aims to harmonise the level of cyber resilience in Member States, extend the scope of sectors that must implement mandatory technical and organisational measures, and introduce real accountability of the management bodies.
The transposition deadline for NIS2 for all Member States was 17 October 2024. The Bulgarian transposition, as was the case for most EU jurisdictions, was delayed by several months but was adopted through amendments to the Cybersecurity Act and entered into force during 2025. The competent authorities in Bulgaria are the National Cybersecurity Coordinator, together with sectoral regulators (BNB for banks, CRC for electronic communications, FSC for capital markets, etc.).
NIS2 applies horizontally — regardless of the legal form of the entity — and covers both private and public organisations. Unlike NIS1, there is no national discretion in identifying obligated persons: if you meet the quantitative and sectoral criteria, you are automatically an "essential" or "important" entity and your obligations run by operation of law, without any regulator decision.
Obligated Entities — Essential vs Important
NIS2 distinguishes two types of obligated persons: Essential Entities and Important Entities. The difference is not so much at the level of obligations — both types are required to implement the same 10 minimum measures — but at the level of supervision and size of sanctions. Essential entities are subject to proactive supervision (planned inspections, requests for information), while important entities are subject to reactive supervision (only when there are indications of a breach).
Essential Entities — 250+ employees OR EUR 50M turnover
- Energy — production, transmission, distribution of electricity, gas, oil, district heating, hydrogen
- Transport — air, rail, maritime, road
- Banking and financial markets — credit institutions, trading venue operators
- Healthcare — hospitals, manufacturers of medicines and medical devices
- Drinking water — water utility operators
- Wastewater
- Digital infrastructure — IXP, DNS, TLD, data centres, cloud providers, CDN, electronic communications operators
- Public administration — central and (selectively) regional
- Space — ground-based infrastructure, satellite operators
- ICT service management — MSPs and MSSPs
Important Entities — 50+ employees OR EUR 10M turnover
- Postal and courier services
- Waste management
- Manufacture and distribution of chemicals
- Food production and distribution
- Critical manufacturing — automotive, electronics, machinery, medical devices
- Digital providers — online marketplaces, search engines, social networks
- Research organisations
Importantly: even micro and small undertakings may fall within the scope if they are the sole provider in the Member State, if disruption of their services would affect public order, or if they are DNS, TLD, TSP, MSP and certain other key categories — for them the size threshold does not apply.
Cybersecurity Obligations (Article 21)
Article 21 of NIS2 sets out ten minimum technical, organisational and operational measures that all obligated entities — essential or important — must implement on the basis of an all-hazards approach. The list is not exhaustive — entities are required to go beyond the minimum in proportion to their size, exposure and risk profile.
- Policies on risk analysis and information system security — documented methodology, periodically reviewed.
- Incident handling — detection, response, escalation, post-mortem.
- Business continuity and crisis management — BCP/DR plans, backup strategy, testing.
- Supply chain security — including the relationships between each entity and its direct suppliers and service providers.
- Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure.
- Policies and procedures to assess the effectiveness of cybersecurity risk-management measures.
- Basic cyber hygiene practices and cybersecurity training.
- Policies and procedures regarding the use of cryptography and, where appropriate, encryption.
- Human resources security, access control policies and asset management.
- Multi-factor authentication, continuous authentication solutions, secured voice/video/text communications and secured emergency communication systems within the entity.
Each of these measures is covered by the service package at gdprbg.com/#services — from risk assessment and policy drafting to supply chain audits and board-level training.
Incident Reporting (Article 23)
One of the most critical aspects of NIS2 is the multi-stage reporting regime for significant incidents. A "significant" incident is one that has caused or is capable of causing severe operational disruption or financial loss, or has affected other natural or legal persons by causing considerable material or non-material damage.
| Stage | Deadline | What is reported |
|---|---|---|
| Early warning | 24 hours | Notification indicating whether the incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact |
| Incident notification | 72 hours | Update to the early warning, overall incident assessment, severity, indicators of compromise (IoC) |
| Intermediate report | On request | Update on the assessment and status of the investigation |
| Final report | 1 month | Detailed description, cause, mitigation measures applied and planned, cross-border impact |
Reports are addressed to the national CSIRT or the competent authority and, in case of cross-border incidents, to ENISA as well. Entities must also notify recipients of their services if the incident may affect them.
Management Liability (Article 20)
Article 20 is the key change from NIS1 and the most painful novelty for Bulgarian directors. For the first time in EU law, cybersecurity is positioned not as a matter for the IT department, but as a corporate and personal commitment of the management.
- Members of the management bodies are personally required to approve cyber-risk management measures and supervise their implementation.
- Directors are required to undergo cybersecurity training and provide similar training to employees.
- In the event of breaches, personal liability — both civil and administrative — may arise.
- In certain cases, competent authorities may impose a temporary ban from holding managerial positions on persons responsible for serious breaches.
This clause is particularly relevant for foreign owners of Bulgarian companies who until now relied on a "local management layer" without personal exposure. NIS2 pushes accountability directly to the Board level — including members of management boards of corporate groups.
Our clients' directors receive specialised GDPR and NIS2 training via gdprbg.com/#services — with documentation that can be presented to a regulator during inspections.
Sanctions
NIS2 introduces a sanctions regime strongly inspired by GDPR, with a two-tier structure and caps expressed as a percentage of global turnover. Unlike GDPR, however, the caps differ between essential and important entities.
| Entity Type | Maximum Sanction |
|---|---|
| Essential entities | Up to EUR 10 million OR 2% of global annual turnover, whichever is higher |
| Important entities | Up to EUR 7 million OR 1.4% of global annual turnover, whichever is higher |
| Periodic penalty payments | Additional — for continuing breaches |
On top of the monetary fines, non-monetary measures are available: warnings, binding instructions to implement specific measures, public announcement of the breach, certification requirements, temporary limitation or suspension of licences, and a temporary ban on natural persons from holding management positions.
Registration with the Competent Authorities
Unlike NIS1, NIS2 introduces mandatory self-declaration registration. Essential and important entities must, within 3 months of falling within scope, submit information to the competent national authority (in Bulgaria — the National Cybersecurity Coordinator or sectoral regulator). The required information includes:
- Name and legal form of the entity;
- Current registered address and addresses of companies in the same group;
- Sector and sub-sector under Annex I/II of NIS2;
- Number of employees and annual turnover (for size verification);
- List of Member States in which the entity provides services;
- Public URLs, IP address ranges, list of DNS records (for digital service providers);
- Contact details — legal representative, CISO, DPO.
Failure to register is a stand-alone ground for sanction — regardless of the entity's actual technical level of compliance.
Additional Obligations for ICT Service Providers
ICT service providers (MSP, MSSP, cloud, hosting, CDN, SaaS) have additional obligations because they are "fourth-party" and "nth-party" risk factors for their clients:
- Verification and due diligence of the supply chain — including sub-processors and subcontractors;
- Cybersecurity contractual clauses in framework agreements with subcontractors — minimum controls, audit rights, incident notification, termination for cause;
- Periodic audits of suppliers with risk above a defined threshold;
- Backup and Disaster Recovery plans with testing — a minimum of one RTO/RPO test per year;
- Control of outbound data flows and of privileged access by subcontractors.
Regulators also expect internal vendor risk assessments with a documented methodology, which can be produced upon request.
NIS2 vs DORA — Differences
DORA (Digital Operational Resilience Act — Regulation (EU) 2022/2554) and NIS2 were adopted in the same package but have different focus. DORA is specific to the financial sector and has the status of lex specialis, meaning that where DORA regulates a given matter, it applies instead of NIS2.
- Scope: DORA — credit institutions, investment firms, insurers, fund managers, payment institutions, crypto-asset service providers, and ICT third-party service providers to the financial sector. NIS2 — all other sectors from Annex I/II.
- Technical standards: DORA has detailed RTS/ITS from the ESAs (EBA, ESMA, EIOPA), while NIS2 relies on Commission Implementing Acts and national law.
- Reporting: DORA has its own deadlines and formats; NIS2 — 24/72 hours under the general framework.
- Testing: DORA requires TLPT (Threat-Led Penetration Testing) for significant financial entities; NIS2 does not.
If you are a financial institution, also see our DORA guide on gdprbg.com — with a detailed applicability map and practical compliance plan.
Practical Implementation Steps
Below is the 10-step plan we use when implementing NIS2 for Bulgarian clients — from applicability assessment to annual review:
- Self-assessment — essential or important? Do I meet the size criteria? Am I in scope?
- Gap analysis against the 10 measures of Article 21 — what we have, what we are missing, what we need to fix.
- Implementation plan with budget, resources, owners, deadlines.
- Formal approval by the director/Board — with a written resolution for documentation.
- Implementation of technical measures — MFA, log management, EDR, vulnerability management, backup.
- Staff training — basic cyber hygiene, phishing awareness, incident reporting.
- Incident response plan — with runbooks, escalation matrix, templates for 24h/72h notification.
- Registration with the competent authority — submission of the required information.
- Audit — internal, and for essential entities also external independent audit.
- Annual review — update of the risk assessment and all policies.
Our team at gdprbg.com performs all 10 steps — including registration with the National Cybersecurity Coordinator and continuous monitoring after implementation.
Need NIS2 Compliance?
Our specialised cyber security and GDPR team at gdprbg.com delivers end-to-end implementation — from gap analysis and registration to annual independent audit. Request a free consultation.