NIS2 in Bulgaria: now mandatory — what businesses must do
The NIS2 directive (Directive (EU) 2022/2555 on network and information security) is no longer an "upcoming" requirement — it has been transposed into Bulgarian law and is in force. The amendment to the Cybersecurity Act was promulgated in State Gazette No. 17 of 13 February 2026 and entered into force on 17 February 2026. The transitional period with fines reduced by 50% runs until 1 July 2026 — after that, penalties apply in full.
In other words: if your company is in scope, the obligations apply to you now, not "someday". Below we explain in plain language who is affected, what the law actually requires and where to start.
What NIS2 is, briefly
NIS2 is a pan-European cybersecurity framework that replaces the first NIS directive (Directive (EU) 2016/1148) from 2016. Its goal is to raise the resilience of organisations that provide services important to society and the economy. Compared with the previous framework, NIS2 widens the scope from seven sectors to 18, introduces a clear minimum set of measures, strict incident-reporting deadlines and tangible penalties for non-compliance.
Is your company in scope?
The law splits obligated organisations into two types, essential and important entities. The distinction depends on the sector and the size of the enterprise, and it matters in practice because essential entities face stricter supervision and higher fines:
- Essential entities: large enterprises (250+ employees, or annual turnover above EUR 50 million together with a balance sheet total above EUR 43 million) operating in the high-criticality sectors of Annex I.
- Important entities: medium-sized enterprises (50–249 employees, or turnover between EUR 10 and 50 million) in any covered sector, plus large enterprises in the other critical sectors of Annex II.
Importantly, for some types of providers size does not matter: they are in scope regardless of how large they are. This includes DNS service providers, top-level domain name registries, cloud computing providers, data centres, trust service providers and operators of electronic communications networks. Conversely, other micro and small enterprises are generally outside the scope unless the competent authority specifically designates them, for example as the sole provider of a service that is critical for society.
The sectors include energy, transport, banking and financial markets, healthcare, drinking and waste water, digital infrastructure and digital service providers, public administration, food production and distribution, waste management, chemicals, postal and courier services, space and others. Bulgaria's transposition is in places stricter than the directive's minimum — for example, in the food sector the scope is broader than Annex II of NIS2.
Even if you are not a directly obligated entity, you are very likely to feel NIS2 indirectly: obligated organisations must control the security of their supply chain. If you are a subcontractor or IT provider to an affected company, the requirements will reach you through contracts.
What the law actually requires
The core of NIS2 is a set of minimum cyber-risk-management measures that every obligated entity must implement. The main ones are:
- Risk analysis and information system security policies
- Incident handling — detection, response and recovery
- Business continuity — backups, disaster recovery and crisis management
- Supply chain security, including relationships with suppliers
- Security in acquisition, development and maintenance of systems, incl. vulnerability management
- Policies and procedures to assess the effectiveness of measures
- Basic cyber hygiene and cybersecurity training for staff
- Cryptography policies and, where applicable, encryption
- Human resources security, access control and asset management
- Multi-factor authentication (MFA) and secured communications
A key emphasis of NIS2 is management accountability. Management bodies must approve the risk-management measures, oversee their implementation and themselves undergo cybersecurity training, and they can be held liable for infringements. Responsibility for cybersecurity can no longer be pushed entirely onto the IT department.
Incident reporting: 24 hours, 72 hours, 1 month
One of the strictest elements of NIS2 is the regime for reporting significant incidents. The deadlines are cascading, and the clock starts when you become aware of the incident:
- Within 24 hours: an early warning to the competent authority / national CSIRT, stating whether the incident is suspected to be caused by unlawful or malicious action and whether it may have cross-border impact
- Within 72 hours: an incident notification that updates the early warning with an initial assessment of severity and impact and, where available, indicators of compromise
- Within 1 month of the 72-hour notification: a final report with a detailed description of the incident, its root cause, the mitigation measures applied and any cross-border impact
The authority may also request intermediate status reports while the incident is ongoing, and where a significant incident is likely to affect the recipients of your service you may have to inform them as well. In practice this means you must have a process ready in advance: who detects the incident, who decides, who reports and in what format. 24 hours is a very short window if you only start building the procedure after something happens.
Penalties
The fines under the new law are significant and differentiated by entity type:
- Essential entities — up to BGN 20 million or 2% of annual worldwide turnover (whichever is higher)
- Important entities — up to BGN 14 million or 1.4% of turnover
Supervision is carried out by the Ministry of e-Government. For essential entities the oversight is proactive (planned inspections, audits, security scanning), while for important entities control is usually reactive, triggered by evidence or indications of non-compliance or by a reported incident.
Where to start
NIS2 compliance is a process, not a one-off project. The practical first steps are:
- Determine your status — are you in scope and as what (essential, important, or a supplier in someone's chain).
- Run a risk assessment — where your assets are, what the threats are and which measures you already have.
- Close the obvious gaps: MFA on all remote and administrative access, backups that are regularly tested and kept isolated from the production network, controlled remote access, a segmented network, timely patching.
- Prepare an incident plan — with clear roles and a working process for reporting within 24/72 hours.
- Document everything — policies and measures must be written down and maintained, not "in someone's head".
Many of these measures overlap with the baseline security hygiene that is a good idea even without NIS2 — for example those described in 10 steps to a more secure IT environment. NIS2 simply makes some of them mandatory and auditable.
This article is informational and does not constitute legal advice. For a specific assessment of whether and how NIS2 applies to your organisation, consult a lawyer. We can help with the technical side — the measures, monitoring and incident-response process.