February 6, 2026

Bulgaria Adopts NIS2: Key Changes Businesses Need to Know

Bulgaria has adopted major amendments to the Cybersecurity Act, finally transposing the EU’s second Network and Information Security (NIS2) Directive into its national legal framework

On 5 February 2026, the Bulgarian National Assembly adopted final amendments to the Cybersecurity Act, replacing the 2018 framework and fully aligning national legislation with the EU NIS2 Directive.

Key changes include:

  • Expansion of the regulated scope to 18 sectors, adding areas such as manufacturing, food production, and waste management.
  • Introduction of personal responsibility for senior management regarding the implementation and oversight of cybersecurity measures.
  • Significant penalties for essential entities, reaching up to EUR 10 million or 2% of global annual turnover.
  • A new 24‑hour incident reporting requirement, reinforcing cybersecurity as a core operational obligation for businesses in Bulgaria.
  • Temporary reduction of fines during the initial months after the Act enters into force to support a smoother transition for affected organizations.
  • Authorization for the Ministry of е-Government to restrict the use of specific applications or websites on government‑issued devices (e.g., the potential prohibition of TikTok for civil servants).
  • Provision for limiting high‑risk technologies originating from third countries, based on coordinated EU‑level risk assessments (pending implementation at EU level).

At last Bulgaria’s cybersecurity standards match those of the other EU countries, eliminating the risk of significant fines stemming from its delayed transposition of NIS2.

Nikola Stoychev
Partner

As a former football player, Nikola has mastered some of the most important virtues in the legal profession – the true meaning of team play, the responsibility of being a defender and how to deliver simple, yet effective and elegant performance.

Related insights

News

Conversion of share capital in connection with the introduction of the euro

News

DPC advised the sale of HackSoft to Waracle

News

Craft and Industrial Geographical Indications: The New Registration Procedure

News

IBEX Introduces 15-Minute Intervals in the Day-Ahead Market From 1 October 2025

How can we help you?

Innovative solutions and customer care.
Get in touch
+359 (2) 421 42 01
TeamCareersExpertiseAbout DPCInsightsContact
PRACTICES
Artificial Intelligence (AI)
Banking & Finance
Competition and Antitrust
Corporate and M&A
Data Breach Response Team
Dispute Resolution
ESG (Environmental, Social & Governance)
Employment & Benefits
Energy Law
German Desk
Intellectual Property
Life Sciences
Public Procurement
Real Estate and Construction
Restructuring & Insolvency
Tax
Technology & Data
Telecom & Media
White Collar Crime
INDUSTRIES
Aviation
Banks
Capital Markets
Consumers & Retail
Digital & Technology
Energy
Entertainment & Gaming
FinTech
Food & Beverages
Healthcare & Pharma
Infrastructure
Insurance
Manufacturing
Real Estate
Telecoms
Transport & Maritime
© All rights reserved 2007-2026 Dimitrov, Petrov & Co.
Design by StanVision
Terms & Conditions
|
Privacy policies
|
Cookie policyCookies