DORA regulations in Bulgaria and impact for all industries

Reviewed by: Nojus (Noah) Bendoraitis

Bulgaria’s evolving financial sector—encompassing established banks, fintech ventures, and payment service providers—mirrors the broader European trend toward digitization. As organizations lean more on cloud technologies and digital workflows, robust cybersecurity and operational resilience become pressing needs. 

This is where the Digital Operational Resilience Act (DORA) steps in, setting uniform EU-wide requirements for how financial entities manage ICT risk, respond to incidents, and oversee third-party providers. In this post, I’ll explore how Bulgaria is adopting DORA, whether the process looks different compared to other member states, and which existing regulations in Bulgaria already reflect DORA-like goals. I’ll also outline a few audit firms that Bulgarian businesses may rely on to ensure compliance.

Why DORA matters in Bulgaria

Even though DORA specifically applies to financial institutions, its requirements extend to any entity delivering key IT services to these institutions. In Bulgaria, that means banks, insurers, fintech startups, consulting firms, and software providers all stand to be impacted. Bulgaria’s primary financial regulators, the Bulgarian National Bank (BNB) and the Financial Supervision Commission (FSC), have historically enforced rules around risk management, consumer protection, and data security. DORA reinforces these obligations while introducing uniform EU standards that streamline how organizations handle ICT incidents, assess vendors, and maintain resilience.

Comparing Bulgaria’s approach to other EU countries

All EU member states implement DORA under the same overarching framework, but local nuances can arise. In Bulgaria, the BNB oversees banking and payment services, while the FSC regulates insurance companies, pension funds, and capital markets. These bodies typically issue directives and guidelines tailored to the Bulgarian market. For instance, they may specify reporting timelines or define thresholds for what qualifies as a major incident, within the broader structure set by DORA.

Bulgaria’s regulatory environment is relatively centralized, which can help when incorporating new EU legislation. Countries with fragmented oversight might need more coordination to apply DORA consistently across multiple agencies. However, as with other states, Bulgarian businesses operating in different EU jurisdictions should watch for any variations in how local regulators interpret DORA’s requirements.

Bulgaria’s existing regulations aligning with DORA

Before DORA, Bulgaria had already taken steps to strengthen cybersecurity and operational continuity. The table below summarizes notable measures and how they parallel DORA’s core aims:

| Bulgarian regulation or measure | Focus area | How it aligns with DORA |
| --- | --- | --- |
| BNB ordinances and guidelines on risk management | Set internal control standards for banks and payment institutions | Emphasize ICT risk oversight and vendor due diligence, echoing DORA’s core principles |
| FSC directives for insurers and investment firms | Mandate safeguards around operational continuity and data protection | Reinforce DORA’s call for consistent incident handling and oversight of outsourced services |
| National Cybersecurity Act (implementing the NIS Directive) | Establishes security obligations and incident reporting for essential service providers | Aligns with DORA’s emphasis on robust cyber risk management and mandatory incident notification processes |

Because of these foundations, many Bulgarian financial entities already practice some of what DORA requires. However, DORA’s uniform standards—particularly around incident reporting formats and timelines—could lead organizations to adjust their current protocols and documentation to ensure full EU compliance.

Impact beyond finance

While DORA is officially directed at regulated financial firms, any third party that touches critical data or services for those firms can also be affected. This might include software development agencies, cloud service providers, or even call centers that process transaction data.

A security breach within one of these suppliers could trigger DORA’s incident reporting obligations for a bank or insurer, leading those institutions to demand stronger contractual commitments and technical safeguards. Bulgaria’s emerging fintech and startup scene may view this as both a challenge—requiring tighter security standards—and an opportunity to differentiate themselves through robust resilience practices.

List of DORA auditors in Bulgaria

DORA does not provide a formal list of approved auditors. However, several consultancies and audit firms in Bulgaria have experience with cybersecurity, ICT risk assessments, and EU regulatory compliance. Below is a brief overview of potential partners:

| Firm | Primary expertise | Additional notes |
| --- | --- | --- |
| Deloitte Bulgaria | Cyber risk, operational audits, governance, and compliance | Global network with local expertise in Bulgarian financial regulations |
| KPMG Bulgaria | ICT risk management, financial services audits, internal controls | Recognized for advising banks and insurers on complex EU directives |
| PwC Bulgaria | Cybersecurity, data privacy, incident management | Offers tailored approaches for mid- to large-scale enterprises |
| EY Bulgaria | IT audits, digital transformation, GRC (governance, risk, compliance) | Experienced in managing cross-border compliance and multi-jurisdictional projects |
| BDO Bulgaria | Internal controls, risk advisory, mid-market consulting | Often works with smaller financial institutions and technology startups |
| BULPROS | Bulgarian-based IT consultancy and cybersecurity services | Specializes in technical audits, system integrations, and digital risk |

When selecting an auditor, Bulgarian organizations should consider a firm’s familiarity with both local rules—like BNB or FSC requirements—and the broader EU context that shapes DORA.

Laying the groundwork for resilience

DORA arrives in Bulgaria at a time when digital transformation is gaining momentum. While this legislation mandates new layers of oversight and accountability, it also provides a clear framework for safeguarding consumer trust and maintaining operational continuity in an interconnected world. By weaving DORA’s standards into Bulgaria’s existing regulatory fabric, local businesses can turn compliance into a strategic advantage. Building robust cyber defenses and transparent incident reporting not only meets EU obligations but also positions Bulgarian organizations to thrive on the European stage.
