When the European Union introduced the NIS2 directive—short for Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union—many of us in cybersecurity circles saw it as both a much-needed evolution and a daunting benchmark. For Bulgaria, though, the journey from intention to implementation has been particularly tangled. Political instability has collided with complex regulatory reform, creating a limbo that leaves critical sectors vulnerable and organizations uncertain.
Without further ado, let me walk you through where Bulgaria stands on its NIS2 directive journey, what’s planned, what businesses should be bracing for, and what timelines actually look like.
Key takeaways on NIS2 Bulgaria as of April 2025
As things stand, Bulgaria has not yet transposed the NIS2 directive into national law. A draft Law amending and supplementing the Cyber-Security Act (ЗИД ЗКС) was published in August 2024, but the country’s drawn-out election cycle has kept it from even reaching Parliament. That leaves the Cyber-Security Act of 2018, which was built on the first NIS directive, as the regime currently in force.
Here’s a snapshot of the current regulatory state:
Overview of NIS2 Bulgaria status
| Theme | Where things stand |
|---|---|
| Transposition status | No NIS2 law yet; draft amendment published in August 2024 but not submitted to Parliament. |
| Current legal framework | Cyber-Security Act 2018 still governs roughly 1,000 entities designated under NIS1. |
| Planned reform | Draft introduces two categories, “essential” and “important” entities, in line with NIS2. |
| Supervision | National lead: State e-Governance Agency (SEGA); day-to-day oversight by sector regulators. |
| Penalties (proposed) | Up to €10 million or 2% of global turnover for essential entities; scaled penalties for others. |
| Incident reporting | Draft proposes a 24-hour early warning, a 72-hour detailed report and a 30-day final report, all filed via the SEGA portal. |
| Public sector scope | All ministries, plus municipalities with more than 50,000 residents, to be classified as essential (corrective measures only, no financial sanctions). |
Despite its current limbo, Bulgaria has a comprehensive draft plan that mirrors the structure and spirit of the NIS2 directive. The devil, however, lies in the timeline.
The NIS2 Bulgaria timeline and next expected steps
Bulgaria’s legislative progress has been constrained by political transitions, including the dissolution of its 50th National Assembly and the subsequent installation of a caretaker government in March 2025. While this interim cabinet has expressed commitment to resubmitting the draft law, parliamentary review is still pending and highly dependent on post-election developments.
NIS2 Bulgaria transposition timeline
| Date | Milestone | Status (✔︎ completed, ⏳ pending) |
|---|---|---|
| 7 Aug 2024 | Draft law posted on strategy.bg | ✔︎ |
| 10 Sep 2024 | Public consultation closed with 57 submissions | ✔︎ |
| Oct 2024–Jan 2025 | National Assembly dissolved | ✔︎ |
| Mar 2025 | Caretaker cabinet confirms intention to resubmit | ✔︎ |
| H2 2025 | Potential submission to the 51st Parliament | ⏳ |
| Q1 2026 | Optimistic timeline for adoption | ⏳ |
| Mid-2026 | Potential entry into force | ⏳ |
In short, mid-2026 is the earliest realistic timeframe for Bulgaria NIS2 implementation, and only if political stability returns. Bulgaria has already missed the directive’s 17 October 2024 transposition deadline, so the European Commission may open infringement proceedings in the meantime, adding pressure on Bulgarian legislators.
How Bulgaria plans to implement the NIS2 directive
The proposed amendments to the Cyber-Security Act take a one-act approach, replacing the 2018 framework wholesale. The draft adopts NIS2’s dual classification model, “основни субекти” (essential entities) and “важни субекти” (important entities), with classification based on entity size and sectoral importance.
SEGA remains the central authority, coordinating with sector-specific regulators like the Energy and Water Regulatory Commission (EWRC), Bulgarian National Bank (BNB), and others. Sector-specific risk management, incident reporting, and supervisory protocols are closely modeled on NIS2 articles.
Table 3: Draft law highlights and structure
| Chapter | Key provisions |
|---|---|
| Articles 1–15 | Broadens scope to cover all 18 NIS2 sectors; sets size thresholds. |
| Articles 16–28 | Implements risk-management mandates, aligned with NIS2 Article 21. |
| Articles 29–35 | Defines the incident notification process (24h early warning / 72h report / 30-day final report); mandates notifying affected users of high-risk events. |
| Articles 36–45 | Establishes oversight roles and cost-recovery audits. |
| Articles 46–55 | Outlines sanctions: fines, daily penalties and potential director disqualification. |
| Transitional provisions | Entities already designated under NIS1 shift automatically to “essential”; all others have 6 months from registration to comply. |
What industries need to know
The Bulgaria NIS2 directive will affect several sectors with broadened definitions and deeper regulatory obligations. For many industries, especially those previously untouched by cybersecurity regulation, this marks a significant shift.
Table 4: Sector-specific impact of Bulgaria NIS2 directive
| Sector | Impact summary |
|---|---|
| Manufacturing | Newly in scope: chemicals, pharma and electronics firms classified as “important”. Requires IT/OT network separation and supplier risk evaluation. |
| Energy & utilities | Expanded to cover LNG, hydrogen and district heating. Required to maintain a Software Bill of Materials (SBOM) and report to SEGA. |
| Healthcare | Scope widens from 60 to over 250 hospitals and providers. Required to maintain ISO 27001 alignment and run backup-restoration drills. |
| Digital infrastructure | Covers cloud, DNS and data centres regardless of size. Must adopt a zero-trust architecture and maintain an EU-based SOC. |
| Finance | Remains under BNB and FSC supervision; alignment with the DORA regulation takes precedence. |
| Public sector | Municipalities with more than 50,000 residents are classified as essential, but only corrective measures (no fines) apply. |
Industries with complex supply chains and sensitive data will face heightened responsibilities, including multi-factor authentication (MFA), structured backup policies, and comprehensive incident playbooks.
Sanctions and enforcement
The fines proposed under the Bulgaria NIS2 transposition mirror EU expectations but introduce tiered penalties to reflect the varying significance of breaches. The State e-Governance Agency will lead enforcement, with the power to issue daily penalties and even disqualify non-compliant executives.
Table 5: Proposed NIS2 Bulgaria fines and enforcement
| Entity type | Maximum fine | Additional measures |
|---|---|---|
| Essential | €10 million or 2% of worldwide turnover | Daily penalties (up to BGN 200,000); executive disqualification for 3 years |
| Important | €7 million or 1.4% of worldwide turnover | Same structure, lower thresholds |
| Procedural breaches | €0.2–2 million | Applies across both categories |
| Public bodies | No financial penalties | Subject to corrective orders only |
Companies would be wise to start laying the groundwork now, even before the law formally passes.
What companies should do now
While Bulgaria NIS2 implementation is delayed, organizations shouldn’t wait to act. The draft law is public, detailed, and unlikely to change drastically upon final adoption.
To get started, Bulgarian companies should:
- Download and review the draft law to determine whether they fall into the essential or important category.
- Map their current cybersecurity posture against NIS2 Article 21, with a focus on backups, MFA, and supply-chain risk.
- Develop a comprehensive incident response playbook that covers the 24-hour early warning to SEGA and the 72-hour and 30-day follow-ups, and reconciles them with the 72-hour personal-data-breach notification that GDPR Article 33 already requires.
- Engage top-level executives to secure buy-in, document cybersecurity strategies, and plan for independent audits.
Are Bulgarian businesses prepared for what’s next?
Bulgaria’s prolonged delay in transposing NIS2 into national law puts it at risk of EU penalties—but it’s the businesses themselves that face the greater practical risk. A cyber incident doesn’t wait for legislative timelines, and without legal clarity, companies are caught between outdated mandates and looming obligations.
The best course of action? Treat the draft as near-final and begin internal readiness efforts now. From legal teams to IT departments, readiness is no longer optional—it’s an operational necessity.
For those watching the regulatory horizon, Bulgaria NIS2 transposition might seem far off. But in cybersecurity, early adaptation often makes the difference between resilience and regret.