On 16 January 2023, a revised EU cybersecurity directive entered into force – Directive (EU) 2022/2555 (known as the Network and Information Security Directive – NIS2) which establishes modernized and more harmonized cybersecurity framework for organizations within the European Union. NIS 2 expands its scope to cover a total of 18 sectors divided in two categories. What is important for all the companies and organizations that will be affected – and there are not a few – is that the directive is to be introduced in Bulgaria no later than 17 October 2024, and the size of the sanctions under it is similar to those under the GDPR.

A. Sectors of high criticality such as:

• energy (electricity, district heating and cooling, oil, gas and hydrogen);
• transport (air, rail, water and road);
• banking and financial market infrastructures;
• health including manufacture of pharmaceutical products including vaccines;
• drinking water and waste water;
• digital infrastructure such as: telecoms, cloud providers, data centres, trust service providers, etc.;
• ICT service management.

B. Other critical sectors such as:

• postal and courier services;
• waste management;
• chemicals and food;
• manufacturing of medical devices, computers and electronics, machinery and equipment, motor vehicles, trailers and semi-trailers and other transport equipment;
• digital providers (online market places, online search engines, and social networking service platforms).

Any medium and large-sized entity in these sectors fall within the scope of NIS 2 (i.e. companies with more than 50 employees or more than EUR 10 million annual turnover).

In practice, this means that any company in the explicitly listed sectors with more than 50 employees will have to comply with a set of technical, operational and organisational measures that are not typical of its day-to-day business activities. For example, courier service providers, banks, medical institutions/healthcare facilities, transport sector companies (air carriers), food producers (vegetables, canned goods, confectionery, infants and young children, etc.), water suppliers and distributors, software providers and many others would fall within the scope of NIS 2. All these companies will have to bring their operations into line with the requirements of the new rules.

In addition, certain companies will be subject to the new rules regardless of their size, for example: telecom operators, trust providers, DNS providers and others. Member States will have the right to designate other entities (if their activities are particularly essential), even if they do not fall into these categories, and will also be able to automatically designate operators of essential services (as already defined in Bulgaria under NIS 1) as essential entities.

Based on the sector and their importance entities (companies) will be classified as either:

a) essential entities (e.g. entities in the sector of high criticality, telecoms, cloud providers, etc.)

or

b) important entities – these should include all other entities covered by NIS 2 but not classified as essential. In general, this should cover the entities in the critical sector (although exceptions may apply) – postal and courier services, chemicals and food, manufacturers, digital providers, etc.

The major differentiation between the two categories will be in terms of the supervisory and enforcement measures, and the fines that will be applicable to them.

Why is it important and should anybody care?

It is important as NIS 2 introduces a number of new obligations, huge penalties and a minimum set of measures that companies will have to ensure, for example:

• access control policies;
• incident handling procedures;
• supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;

1. entities might be obligated to take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers, including their secure development procedures;

• the use of multi-factor authentication, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate;
• basic cyber hygiene practices and cybersecurity training (e.g. adopting zero-trust principles, software updates, device configuration).

Reporting of significant incidents

Companies will face a new multi-step process for reporting of significant incidents to the national computer security incident response team (CSIRT). It consists of:

• Initial notification within 24 hours, and
• Second notification within 72 hours; and
• An intermediate report in some cases (if requested), and
• Final report with additional information on the breach in one month.
• Notification may also be required in some cases to users that are potentially affected.

It is important to point out that an incident might be treated as significant even if it is only likely capable of resulting in/causing disruption to the entity’s services or affect other natural or legal persons by causing considerable material or non-material damage. That is, sometimes reporting will be required even if no damaged has occurred.

Considering the GDPR-like fines this would be very important to note and take into consideration (see below for more detail) as even seemingly minor incidents can turn out to be significant ones subject to reporting (see below for more details on fines).

Other novelties

The Directive also introduces a number of novelties, which we will only mention briefly:

• By 17 April 2025, Member States shall establish a list of essential and important entities, as well as of the entities providing domain name registration services.
• ENISA shall create and maintain a single registry of DNS service providers, TLD name registries, entities providing domain name registration services, providers of:

1. cloud computing services
2. data center
3. content delivery network providers
4. managed services
5. managed security services
6. as well as providers of online marketplaces, of online search engines and of social networking services platforms.

For this purpose, by 17 January 2025 these entities will be obliged to provide certain set of information to the competent authority (e.g. IP ranges, where regulated services are provided, contact data, etc.).

• New options for cybersecurity information-sharing arrangements are regulated. Through these, entities will be able to exchange on a voluntary basis relevant cybersecurity information among themselves (and it will be interesting to see how this would happen in practice considering competition law risks).
• Member States shall require TLD name registries and entities providing domain name registration services to collect and maintain accurate and complete domain name registration data in a dedicated database with due diligence.
• The EU cybersecurity agency (ENISA) will get new powers and responsibilities.
• Member States will need to adopt a national plan for the management of large-scale cybersecurity incidents and crises; and need to designate the so-called cyber crisis management authority.
• A peer review mechanism to enhance Member States’ cybersecurity capabilities and policies.
• A new EU-Cyber Crises Liaison Organisation Network (EU-CyCLONe) will be formed which will act as an intermediary between the technical and political level during EU-wide cybersecurity incidents.

EU supply chain security toolbox. Cybersecurity certification schemes

NIS 2 provides that coordinated security risk assessments of critical ICT services, products, systems supply chains may be carried out at EU level. These assessments will have to take into account a range of factors, including non-technical risk factors, which, as the preamble to the act clarifies, include factors such as “undue influence of a third country on suppliers and service providers”.

Therefore, a new EU-level toolbox on supply chain security can be expected in the near future. Member States will also need to promote the use of European and international standards and will even be able to require the use of ICT products, services and processes certified under European cyber security certification schemes.

Supervision

Essential entities (e.g. energy, telecoms, cloud providers) will be subject to both ex ante and ex post supervision by the competent authorities, because they carry out activities which reflect a higher level of criticality. Important entities (e.g. postal and courier, chemicals and food, manufacturers) will be subject to ex post supervision only.

In Bulgaria, this body is expected to be the Ministry of e-Government, as it is now under NIS 1, and it will now have much more serious powers to control compliance. For example: it will be able to carry out on-site inspections, remote inspections, request access to information and documents, carry out targeted security audits, etc.

Jurisdiction

As a rule, essential and important entities would fall under the jurisdiction of the Member States where they are established. If established in more than one Member State, they will fall under the jurisdiction of each of them.

There will be exceptions, however, for some entities for which the NIS 2 (at least upon the first read.) seems to establish a one stop shop mechanism, for example:

• telecoms fall under the jurisdiction of the Member State in which they provide their services; and
• some cross-border providers (e.g. cloud computing service providers, data centre service providers, online marketplaces, online search engines), fall under the jurisdiction of the Member State in which they have their main establishment in the EU.

Cross-border providers that offer services within the EU, but are not established there, must designate a representative in the EU who should be established in one of the countries where the services are offered (similar to GDPR). In the absence of a representative in the EU any Member State in which the entity provides services may take legal actions against the entity.

Liability of management bodies in their personal capacity

Management bodies/natural persons of essential and important entities may be held personally liable for non-compliance with NIS 2. This is explicitly provided as a tool for executives in companies to be highly motivated to implement all new measures appropriately. For this purpose, management bodies of the entities will also be required to follow special training, while companies will be encouraged to offer similar training to their employees on a regular basis.

How much will infringements hurt?

NIS 2 is backed up with GDPR-like fines:

• Fines for essential entities will be in the amount of up to €10 million or 2% of their worldwide annual turnover;
• Fines for important entities may reach up to €7 million or 1.4% of the worldwide annual turnover.

Member States will have the right the impose a higher maximum at their own discretion.

Among other things, authorities will also have powers to:

• Impose or request temporary suspension of certification or authorization of the entities.
• Temporarily ban executives from duty.
• Temporarily designate a monitoring officer to oversee the compliance of the entities.

When?

NIS 2 should be turned into local law in Bulgaria by 17 October 2024 at the latest.

What will NIS 2 change in the local framework exactly?

NIS 2 will require amendments to the Bulgarian Cybersecurity Act and the respective secondary legislation, and new regulations will need to be issued.  In addition, revision of the Electronic Communications Act and the Rules on minimum security requirements for public electronic communications networks and services is expected. Other sectoral legislation will also need to be amended.

Key Takeaways

Entities need to start internal processes to evaluate their products, services, supply chain, etc. and identify if and which of their services fall under the scope of the new rules, including to:

• determine if they meet the criteria to be classified as essential or important entity,
• identify gaps and conduct risk assessments
• identify which jurisdiction they fall into, incl. if they fall within the one stop shop regime,
• start revising and/or preparing internal documentation, contracts and processes, incident/breach reporting handling,
• identify and engage in trainings/audits, incl. for the management bodies considering their personal liability,
• notify the competent authority by the deadline of 17 January 2025.

‍