When the European Union introduced the NIS2 directive—short for Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union—many of us in cybersecurity circles saw it as both a much-needed evolution and a daunting benchmark. For Bulgaria, though, the journey from intention to implementation has been particularly tangled. Political instability has collided with complex regulatory reform, creating a limbo that leaves critical sectors vulnerable and organizations uncertain.
Without further ado, let me walk you through where Bulgaria stands on its NIS2 directive journey, what’s planned, what businesses should be bracing for, and what timelines actually look like.
Key takeaways on NIS2 Bulgaria as of April 2025
As things stand, Bulgaria has not yet transposed the NIS2 directive into national law. While a draft Law amending the Cyber-Security Act (ЗИД ЗКС) was published in August 2024, the country’s drawn-out election cycle has kept it from progressing further in Parliament. That leaves the existing Cyber-Security Act of 2018, which was built on the first NIS directive, as the current regime in force.
Here’s a snapshot of the current regulatory state:
| Theme | Where Things Stand |
| --- | --- |
| Transposition status | No NIS2 law yet; draft amendment published in August 2024 but not submitted to Parliament. |
| Current legal framework | Cyber-Security Act 2018 still governs ≈1,000 entities designated under NIS1. |
| Planned reform | Draft introduces two categories, “essential” and “important” entities, in line with NIS2. |
| Supervision | National lead: State e-Governance Agency (SEGA); daily oversight by sector regulators. |
| Penalties (proposed) | Up to €10 million or 2% of global turnover for essential entities; scaled penalties for others. |
| Incident reporting | Draft proposes 24-hour alert, 72-hour detailed report, 30-day follow-up via SEGA portal. |
| Public sector scope | All ministries and municipalities of more than 50,000 people to be classified as essential (non-financial sanctions only). |
Despite its current limbo, Bulgaria has a comprehensive draft plan that mirrors the structure and spirit of the NIS2 directive. The devil, however, lies in the timeline.
The NIS2 Bulgaria timeline and next expected steps
Bulgaria’s legislative progress has been constrained by political transitions, including the dissolution of its 50th National Assembly and the subsequent installation of a caretaker government in March 2025. While this interim cabinet has expressed commitment to resubmitting the draft law, parliamentary review is still pending and highly dependent on post-election developments.
| Date | Milestone | Status |
| --- | --- | --- |
| 7 Aug 2024 | Draft law posted on strategy.bg | ✔︎ |
| 10 Sep 2024 | Consultation closed with 57 submissions | ✔︎ |
| Oct 2024–Jan 2025 | National Assembly dissolved | ✔︎ |
| Mar 2025 | Caretaker cabinet confirms intention to resubmit | ✔︎ |
| H2 2025 | Potential submission to 51st Parliament | ⏳ |
| Q1 2026 | Optimistic timeline for adoption | ⏳ |
| Mid-2026 | Potential entry into force | ⏳ |
In short, mid-2026 is the earliest realistic timeframe for Bulgaria NIS2 implementation, assuming political stability returns. Until then, the EU may initiate infringement proceedings, putting pressure on Bulgarian legislators.
PRO TIP
Don’t wait for Parliament—launch your readiness plan during the legislative limbo. The EU has fined other countries for similar delays, and enforcement may arrive swiftly once the law is passed.
How Bulgaria plans to implement the NIS2 directive
The proposed amendments to the Cyber-Security Act take a one-act approach, replacing the 2018 framework wholesale. They adopt NIS2’s dual classification model of “основни субекти” (essential entities) and “важни субекти” (important entities), based on size and sectoral importance.
SEGA remains the central authority, coordinating with sector-specific regulators like the Energy and Water Regulatory Commission (EWRC), Bulgarian National Bank (BNB), and others. Sector-specific risk management, incident reporting, and supervisory protocols are closely modeled on NIS2 articles.
| Chapter | Key Provisions |
| --- | --- |
| Articles 1–15 | Broadens scope to cover all 18 NIS2 sectors; includes size thresholds. |
| Articles 16–28 | Implements risk-management mandates; aligned with NIS2 Article 21. |
| Articles 29–35 | Defines incident notification process (24h/72h/30d); mandates user notification for high-risk events. |
| Articles 36–45 | Establishes oversight roles and cost-recovery audits. |
| Articles 46–55 | Outlines sanctions: fines, daily penalties, and potential director disqualification. |
| Transitional | Entities under NIS1 automatically shift to “essential”; others have 6 months post-registration to comply. |
PRO TIP
If you’re already regulated under the 2018 Cyber-Security Act, you’ll automatically transition to the ‘essential’ category. Start planning for the expanded obligations now—especially incident reporting and board accountability.
What industries need to know
The Bulgaria NIS2 directive will affect several sectors with broadened definitions and deeper regulatory obligations. For many industries, especially those previously untouched by cybersecurity regulation, this marks a significant shift.
| Sector | Impact Summary |
| --- | --- |
| Manufacturing | Newly added: firms in chemicals, pharma, electronics classified as “important”. Need for IT/OT separation and supplier risk evaluation. |
| Energy & utilities | Expanded to include LNG, hydrogen, district heating. Required to maintain a Software Bill of Materials (SBOM) and report to SEGA. |
| Healthcare | Scope widens from 60 to over 250 hospitals/providers. Required to maintain ISO 27001 alignment and conduct backup drills. |
| Digital infrastructure | Includes cloud, DNS, and data centers regardless of size. Must adopt zero-trust architecture and maintain an EU-based SOC. |
| Finance | Remains under BNB and FSC supervision. Alignment with the DORA regulation takes precedence. |
| Public sector | Municipalities over 50,000 people are classified as essential; however, only corrective actions (no fines) apply. |
Industries with complex supply chains and sensitive data will face heightened responsibilities, including multi-factor authentication (MFA), structured backup policies, and comprehensive incident playbooks.
Sanctions and enforcement
The fines proposed under the Bulgaria NIS2 transposition mirror EU expectations but introduce tiered penalties to reflect the varying significance of breaches. The State e-Governance Agency will lead enforcement, with the power to issue daily penalties and even disqualify non-compliant executives.
| Entity Type | Max Fine | Additional Measures |
| --- | --- | --- |
| Essential | €10 million or 2% of worldwide turnover | Daily penalties (up to BGN 200,000); executive disqualification (3 years) |
| Important | €7 million or 1.4% of worldwide turnover | Same structure, lower thresholds |
| Procedural breaches | €0.2–2 million | Applies across both categories |
| Public bodies | No financial penalties | Subject to corrective orders only |
Companies would be wise to start laying the groundwork now, even before the law formally passes.
PRO TIP
The daily fines can stack up quickly. If you don’t have an executive-approved cyber strategy, you’re not just exposed—you’re personally liable. Treat board-level engagement as a compliance control.
What companies should do now
While Bulgaria NIS2 implementation is delayed, organizations shouldn’t wait to act. The draft law is public, detailed, and unlikely to change drastically upon final adoption.
To get started, Bulgarian companies should:
- Download and review the draft law to determine whether they fall into the essential or important category.
- Map their current cybersecurity posture against NIS2 Article 21, with a focus on backups, MFA, and supply-chain risk.
- Develop a comprehensive incident response playbook that includes 24-hour initial alerts and aligns with GDPR requirements.
- Engage top-level executives to secure buy-in, document cybersecurity strategies, and plan for independent audits.
Accelerate Bulgaria’s NIS2 readiness with CyberUpgrade
Bulgaria’s Cyber-Security Act amendments (draft ЗИД ЗКС) will bring 10,000–12,000 entities into scope by mid-2026, with SEGA’s registration portal and secondary norms expected H2 2025 and first audits soon after. CyberUpgrade aligns its out-of-the-box workflows directly to Bulgaria’s essential/important entity thresholds, 24 h/72 h/30-day reporting ladders, and SEGA’s risk-management catalogue—so you can start closing gaps today, not tomorrow.
Our Slack and Teams chatbot guides every team member through live, Article 21–aligned checks keyed to your CUI and CAEN codes, automatically capturing evidence in a central, regulator-ready vault. Layer in continuous vulnerability scans, penetration tests, SBOM exchanges, and real-time monitoring, and you’ll detect and contain threats long before they result in fines up to €10 million, daily penalties or director disqualification.
Combine that with our EU-based CISO-as-a-Service for hands-on support—from gap analyses and board-level policy sign-off to pre-built incident-response playbooks—and you’ll offload 80 % of your compliance work, save over €60 K annually, strengthen your security culture, and keep your focus on growth while Bulgaria’s NIS2 enforcement looms. Let CyberUpgrade turn Bulgaria’s NIS2 compliance complexity into your compliance advantage.
Are Bulgarian businesses prepared for what’s next?
Bulgaria’s prolonged delay in transposing NIS2 into national law puts it at risk of EU penalties—but it’s the businesses themselves that face the greater practical risk. A cyber incident doesn’t wait for legislative timelines, and without legal clarity, companies are caught between outdated mandates and looming obligations.
The best course of action? Treat the draft as near-final and begin internal readiness efforts now. From legal teams to IT departments, readiness is no longer optional—it’s an operational necessity.
For those watching the regulatory horizon, Bulgaria NIS2 transposition might seem far off. But in cybersecurity, early adaptation often makes the difference between resilience and regret.