On 17 February, the amendments to the Cybersecurity Act transposing Directive (EU) 2022/2555 (NIS 2) into Bulgarian law enter into force.
The reform significantly restructures the existing framework under the previous NIS 1 regime, broadening the scope of obliged entities, strengthening cybersecurity risk management requirements and introducing explicit governance and management accountability mechanisms.
From NIS 1 to NIS 2: Structural Reform of the Scope
Under the previous NIS 1 framework, the focus was primarily on “operators of essential services” and a narrow set of digital service providers. The 2026 amendments to the Cybersecurity Act fundamentally reframe the approach.
The new regime introduces a dual categorization of obliged entities into “essential” and “important” entities and applies, as a general rule, to medium-sized and larger enterprises in the relevant sectors. In addition, certain entities may fall within scope irrespective of size, where their activities are deemed systemically important – for example, where an entity is the sole provider of a service essential for the maintenance of critical societal or economic functions.
While the NIS 1 obliged entities generally remain in scope (including operators in the energy sector, banking and financial market infrastructures, healthcare providers, and core digital infrastructure), the new rules significantly expand the scope of regulated activities.
By way of illustration, newly affected categories of entities include:
Healthcare:
- EU reference laboratories
- Pharmaceutical research and development entities
- Manufacturers of medicinal substances and medicinal products
- Manufacturers of critical medical devices relevant in public health emergencies
Digital infrastructure or service providers:
- Data center service providers
- Content delivery network (CDN) providers
- Trust and certification service providers
- Providers of public electronic communications networks and/or services
- ICT service management and managed service providers
- Social networking platforms
Other critical sectors:
- Postal and courier service providers
- Waste management operators
- Manufacture and distribution of substances, mixtures and articles within the scope of REACH
- Food production, processing and distribution
- Manufacturing sectors, including
  - medical devices and in vitro diagnostic medical devices
  - computers, electronic and optical products
  - electrical equipment
  - machinery and equipment
  - motor vehicles and other transport equipment
Overall, the reform marks a decisive shift away from the narrow concept of “critical infrastructure” under NIS 1, towards a broader systemic resilience model that captures supply chains, digital dependencies and cross-sectoral risk.
For many organizations, this means that cybersecurity compliance now becomes a regulatory concern for the first time, rather than a continuation of an existing NIS 1 compliance program.
Registration
The Act provides for the maintenance of a non-public register by the Minister of e-Government and requires specific categories of digital infrastructure and service providers to submit identification information to the competent authorities. In addition, national competent authorities are tasked with determining essential and important entities pursuant to a methodology to be adopted by the Council of Ministers.
However, the Act does not introduce a uniform self-assessment and mandatory registration procedure triggered automatically by an entity’s conclusion that it falls within scope. The detailed rules governing the register and related procedures are to be further specified in secondary legislation.
Importantly, the absence of a formal self-registration requirement does not relieve entities from the obligation to assess independently whether they fall within scope and to comply with the applicable obligations from the moment the statutory criteria are met.
Core Obligation: Cybersecurity Risk Management
The Cybersecurity Act imposes a comprehensive and risk-based obligation requiring essential and important entities to implement appropriate and proportionate technical, operational and organizational cybersecurity measures.
Proportionality is assessed against the entity’s exposure to risks, its size, the likelihood of incidents, and their potential societal and economic impact.
This risk-based approach will be structurally familiar to many newly in-scope entities, as it follows a logic comparable to that of the GDPR: a technology-neutral, risk-based and outcome-oriented approach.
While the obligation is framed broadly, the Act specifies a mandatory list of minimum areas that must be addressed within the entity’s cybersecurity framework. These include:
- Risk analysis and information security policies
- Incident detection and handling procedures
- Business continuity, disaster recovery and crisis management
- Supply chain security, including
  - assessment of vulnerabilities of direct suppliers and service providers
  - evaluation of their overall cybersecurity maturity
  - consideration of relevant coordinated supply chain risk assessments
- Secure acquisition, development and maintenance of network and IT systems
- Vulnerability handling and disclosure
- Cyber hygiene and staff training
- Cryptography and encryption policies
- Human resources security, access control and asset management
- Multi-factor authentication and secure communications
- Change management procedures
Notably, supply chain security is no longer a contractual or procurement best practice – it is a statutory obligation. This significantly increases the compliance expectations toward suppliers and managed service providers and may require renegotiation of contractual security clauses, audit rights and incident notification commitments. In practice, such vendors would have to implement appropriate cybersecurity measures in a manner similar to that required of the in-scope essential and important entities.
To ensure harmonized implementation across sectors, the Act provides that secondary legislation will define the minimum scope of cybersecurity measures applicable to obliged entities.
Until updated, the existing ordinance adopted under the NIS 1 regime remains applicable and provides a baseline outline of minimum required measures. However, it is expected to be revised within the statutory eight-month period to reflect the broader scope and heightened requirements introduced by NIS 2.
For obliged entities, this means that compliance cannot be deferred pending the update of the ordinance: the primary statutory risk-based obligation already applies, and the secondary legislation will likely further specify, rather than reduce, the required level of cybersecurity maturity.
Core Obligations: Incident Reporting
Essential and important entities are subject to a strict, multi-stage incident reporting regime. They must notify the competent sectoral Computer Security Incident Response Team (CSIRT) of any significant incident as follows:
- Within 24 hours: early warning
- Within 72 hours: incident notification
- Interim report: upon request
- Within one month: final report
If the incident has not been fully resolved within one month, the entity must submit an interim report and provide the final report within one month of full remediation.
This staged reporting framework mirrors the structure of NIS 2 and requires robust internal detection, classification and escalation procedures. The notification trigger is when the entity becomes aware of a significant incident – a concept that in practice requires documented internal criteria for incident qualification and escalation (similar to the GDPR).
In addition, where appropriate, entities must:
- inform service recipients where a significant incident is likely to adversely affect service provision
- notify potentially affected recipients of significant cyber threats and communicate available mitigation measures or remedies
- cooperate with law enforcement where criminal conduct is suspected
- coordinate with national security authorities where the incident affects critical systems or national security interests
The Act expressly provides that notification of an incident does not, in itself, increase the liability of the notifying entity. However, failure to notify (late notification, incomplete reporting or complete absence of a notification) constitutes a regulatory breach and may trigger supervisory measures, audits and sanctions.
For management bodies, this means that incident reporting is not merely an operational IT function. It is a compliance-controlled process that must be embedded within corporate governance and internal control systems.
Management Obligations and Management Liability
The Cybersecurity Act ensures the direct involvement of management bodies in cybersecurity governance.
The Act provides that management must:
- approve and oversee the cybersecurity risk management measures
- undergo cybersecurity training at least once every two years
- organize cybersecurity training for employees
This framework elevates cybersecurity from a purely operational or IT function to a matter of corporate governance and board-level responsibility.
Managers and board members who are in breach of their obligations under the Cybersecurity Act could be subject to a fine in the range of EUR 500 – 5,000.
In addition, in cases of serious violations, including breaches of core incident reporting obligations or failure to comply with mandatory instructions issued by competent authorities, the court may order a temporary prohibition preventing the relevant manager or board member from exercising managerial functions within the obliged entity.
Company Liability
Violations of the core obligations under the Cybersecurity Act may give rise to administrative sanctions of up to:
- EUR 10,000,000 or 2% of the total worldwide annual turnover, whichever is higher, with a EUR 25,000 minimum, in the case of essential entities; and
- EUR 7,000,000 or 1.4% of the total worldwide annual turnover, whichever is higher, with a EUR 12,500 minimum, in the case of important entities.
These thresholds align with the sanctioning model introduced by NIS 2 and place cybersecurity compliance in a comparable enforcement category to other high-impact regulatory regimes within the European Union.
Conclusion
The reform of the Cybersecurity Act embeds cybersecurity firmly within the architecture of corporate governance, transforming it from a technical safeguard into a strategic board-level responsibility. It broadens the regulatory scope, strengthens supervisory powers and introduces enforceable accountability mechanisms at both corporate and management level.
The above overview is intended for general informational purposes only and does not constitute legal advice. The application of the Act depends on the specific factual and organizational context of each entity.
Our team remains available to assist clients in assessing whether they fall within scope, reviewing contractual supply chain arrangements and preparing incident response and reporting procedures aligned with the amended regulatory requirements.