EU DORA Regulation Amendments submitted to Bulgarian Parliament
The EU’s Digital Operational Resilience Act (DORA) began applying across Member States on 17 January 2025. The EU Regulation aims to strengthen the resilience of financial entities such as banks, payment service providers, insurance companies and investment firms across the EU in the event of severe operational disruptions. On 31 December 2024, the Bulgarian government submitted a bill introducing the necessary amendments to synchronise local legislation with the new EU legal regime.
The amendments will be implemented through the transitional and final provisions of the proposed Markets in Crypto-Assets Act, which introduce changes to a wide range of legal acts, as well as through the Bill Amending and Supplementing the Payment Services and Payment Systems Act, with both yet to be voted on by the legislature.
Amendments to the Credit Institutions Act, the Bulgarian National Bank (BNB) Act and the Financial Supervision Commission (FSC) Act detail the powers of the BNB and the FSC to enforce the new requirements over the entities under their supervision. The DORA compliance of credit institutions, payment institutions and administrators of critical benchmarks will be monitored by the BNB, while that of investment firms, crypto-asset service providers, management companies, insurers and others will be supervised by the FSC. The two authorities will have the right to carry out inspections (including on-site), impose fines and property sanctions, and implement administrative penalties and remedial measures, such as orders to cease breaching activities, measures ensuring compliance, and others.
The legislative changes to the Payment Services and Payment Systems Act introduce the relevant requirements for payment service providers. Applicants for a payment institution licence and applicants for registration as account information service providers must implement rules for the reliable provision of payment services, which will now have to include:
- DORA-compliant mechanisms for using information and communication technology (“ICT”) services;
- a procedure for monitoring, processing and tracking security-related incidents and customer complaints, including an incident reporting mechanism;
- business continuity measures, including the identification of critical operations, ICT business continuity policies and plans, ICT response and recovery plans, and a procedure for regularly testing such plans.
Payment institutions and electronic money institutions licensed by the BNB that wish to participate in a settlement finality payment system will have to provide a description of their ICT risk management framework and internal control mechanisms related to the services that they intend to offer.
All payment service providers will need to apply ICT risk management measures in compliance with the Regulation.
As per the planned amendments to the Credit Institutions Act, the management bodies of banks must adopt and periodically update rules and procedures regarding network and information systems established and managed in accordance with DORA. On a regulatory note, the BNB will now also be authorised to request documents and information from, and carry out inspections of, ICT service providers that deliver such services to banks, financial holding companies, mixed-activity financial holding companies, or mixed-activity holding companies.
DORA requirements will also be introduced in the amended Recovery and Resolution of Credit Institutions and Investment Firms Act. Both recovery and resolution plans will have to include rules and measures ensuring the continuity of operational processes in the relevant institution, with resolution plans also providing a justification of the adopted approach for separating critical functions and main economic activities from the institution’s other functions, so as to ensure business continuity and operational resilience in the event of its default. Additionally, resolution authorities will need to be provided with information on the owners of the main management information systems, the critical operations, and the main economic activities of the institution, as well as the identity of third parties (critical ICT service providers) and the results of testing the operational resilience of the institution’s digital technologies.
In addition, the assessment of resolution opportunities for an institution or a group will now include reviewing the extent to which ICT service agreements entered into by the institution are robust and enforceable in a resolution, as well as the level of operational resilience of the systems that support critical functions and main business activities, taking into account reports of significant ICT incidents and results of operational resilience testing under the Regulation.
The amended Markets in Financial Instruments Act will in turn introduce DORA obligations for investment firms and regulated markets. The proposed legal text details the procedure for conducting penetration testing at the request of the FSC, and stipulates personal liability for persons who hold management positions in investment firms, central securities depositories or several other categories of market entities and perform or allow for breaches of the Regulation to occur.
Similar obligations (testing and personal liability) are also envisaged in planned amendments to the Collective Investment Schemes and Other Undertakings for Collective Investments Act, the Insurance Code and the Social Insurance Code, concerning management companies, persons managing alternative investment funds, insurance and reinsurance companies, insurance intermediaries, and pension insurance companies.
Penetration testing at the initiative of the FSC is also envisaged for crowdfunding service providers under proposed amendments to the Public Offering of Securities Act.
For more information on this regulation, contact your CMS client partner or these CMS experts: Elitsa Ivanova, Konstantin Stoyanov, and Christian Milev.