On 5 February 2026, Bulgaria's Parliament adopted comprehensive amendments to the Cybersecurity Act (CA), transposing Directive (EU) 2022/2555 (NIS2), expanding the sectors, entities, and obligations covered, and granting more regulatory powers to competent national authorities, changes that affect a broad range of businesses operating in or serving the Bulgarian market. The amendments, which appeared in the State Gazette on 13 February 2026, require the Council of Ministers to adopt a new National Cybersecurity Strategy and Ordinance. Businesses operating in affected sectors should conduct scoping assessments promptly and determine whether they qualify as an essential or important entity, adopt appropriate and proportionate measures to manage cybersecurity risks, and prepare incident notification processes.
Expanded scope
The amendments replace the previous designation-based system with an automatic coverage model based on sector and enterprise size. In place of the previous "essential service operators" and "digital service providers", the new framework introduces the categories of "essential entities" and "important entities", which brings substantially more organisations, including medium-sized enterprises in multiple sectors, into the regulatory environment.
The CA has extended its coverage to sectors such as postal and courier services, waste management, the production, preparation and distribution of food and chemicals, enterprise-level ICT service management and industrial manufacturing.
Size thresholds
Entities fall within the scope of the CA if they qualify as medium-sized enterprises under the Small and Medium-Sized Enterprises Act (SME Act) or exceed that threshold, providing services or activities within the EU. Size thresholds do not apply where the entity is a provider of public electronic communications networks or services, a trust service provider, a top-level domain name registry, a DNS service provider, the sole provider of an essential service, or where disruption impacts public safety, security or health.
Risk management measures
Essential and important entities must adopt appropriate and proportionate technical, operational, and organisational measures to manage risks to the security of the network and information systems used in their core activities or service provision. Measures must be technology-neutral, account for the latest developments and relevant European and international standards, and ensure a level of security in line with the identified risk. The required measures should cover policies and practices relating to risk management and risk assessment, incident response, business continuity, supply chain and system security, cyber hygiene and staff training, and the use of encryption, among others.
Management body accountability
Management bodies of essential and important entities must approve and oversee the implementation of cybersecurity risk-management measures. Members of management bodies are required to undergo cybersecurity training every two years and to organise regular training for their employees.
Incident reporting obligations
Essential and important entities must notify the sectoral Computer Security Incident Response Team (CSIRT) of any significant incident according to the following timeline:
- Within 24 hours of becoming aware of a significant incident: an early warning indicating whether the incident is suspected to have been caused by unlawful or malicious acts and whether it could have a cross-border impact;
- Within 72 hours of becoming aware of the incident: an incident notification updating the early warning and providing an initial assessment of the incident, including its severity and impact, as well as any available technical information. Trust service providers must fulfil this obligation within 24 hours;
- Within one month of the incident notification: an interim report (if the incident is not yet resolved) or a final report, containing a detailed description of the significant incident, its severity and impact, a root cause analysis, any cross-border impact, and the remediation measures applied. In any case, the final report must be submitted within one month of the incident's resolution.
Control and sanctions
Control over compliance is exercised by state bodies, including the national competent authorities designated by the Council of Ministers, the Ministry of Defence, the Ministry of Interior, and the State Agency for National Security. Under the new amendments, competent authorities may issue binding instructions, mandatory security audit orders, and public disclosure requirements. For essential entities, authorities may seek court orders temporarily suspending licences, registrations, certificates, or authorisations, and prohibiting individuals from exercising management functions.
Non-compliance may result in significant fines for the organisation and its management. Essential entities may be sanctioned up to EUR 10 million or 2% of their global annual turnover, while important entities may face fines of up to EUR 7 million or 1.4% of their global annual turnover. Members of the management body may be held personally liable and fined up to EUR 5,000 for breaches of their obligations under the CA.
If the breach involves personal data, the Commission for Personal Data Protection may impose a sanction under data protection law. In such cases, if the data protection authority has already imposed a financial penalty for the same infringement, the cybersecurity authority should not impose an additional fine for that same violation.
For further assistance under the new amendments of the Cybersecurity Act, contact your CMS client partner or the local CMS experts who wrote this article: Nevena Radlova, Lachezar Mikov and Elina Kostadinova.