Bulgaria completes Digital Services Act implementation

November 2025 – Nearly two years after the Digital Services Act (“DSA”) became applicable across the EU and amidst discussions on the “Digital Omnibus” simplification package announced by the European Commission, Bulgaria has finally aligned its national framework with DSA provisions.

On 6 November 2025, the Bulgarian parliament adopted amendments to the Electronic Communications Act (“ECA”), confirming the designation of the Communications Regulation Commission (“CRC”) as the Digital Services Coordinator, vesting it with supervisory powers and the authority to certify out-of-court dispute settlement bodies and award trusted flagger and vetted researcher status, while also introducing comprehensive enforcement architecture.

With the entry into force of the amendment as of 25 November 2025, the legislative delay that triggered infringement proceedings by the European Commission in December 2024 and prolonged uncertainty for businesses operating in Bulgaria is now behind us.


What stands out in Bulgaria’s approach

A legislative shortcut

Traditionally, the ECA governs electronic communications services, not content or platform governance. Bulgaria’s decision to use the ECA as a DSA national implementation tool was driven by a practical consideration - the CRC had already been designated as the Digital Services Coordinator in June 2024, and the Commission is regulated under the ECA. This shortcut consolidates supervisory powers under a single statute but also extends the scope of the act beyond its original technical focus to include content-relevant rules. While this may seem efficient in the short term, it creates a fragmented regulatory environment, as electronic communications-specific provisions now coexist with enforcement rules for intermediary services, which themselves interact with other sectoral laws governing video-sharing platforms, e-commerce and consumer protection.


Institutional setup and powers

The amendment to the ECA confirms the CRC as Bulgaria’s Digital Services Coordinator. It also designates both the CRC and the Council for Electronic Media (the national regulator for audio-visual media services and video-sharing platforms) as competent authorities responsible for supervising intermediary service providers and enforcing the DSA.

  • CRC’s responsibilities

The CRC oversees intermediary service providers, excluding video-sharing services, which fall under the supervision of the Council for Electronic Media. Additionally, the CRC controls the obligations related to the online interface design and organisation and recommender system transparency across all intermediary services. This involves strict accountability rules - the CRC must publish on its website, in a machine-readable format, annual reports on DSA-related activities covering both its own work and that of the Council of Electronic Media and Commission for Personal Data Protection. It must also prepare and adopt a report on the activities of the certified out-of-court dispute settlement bodies every two years.

  • Responsibilities of the Council of Electronic Media

The Council of Electronic Media supervises intermediary services providers engaged in video-sharing services, except in relation to obligations concerning online interface design and recommender system transparency, which remain under CRC’s supervision.

  • Additional enforcement powers

The ECA amendment grants the Commission for Personal Data Protection explicit enforcement powers under Article 51 and Article 56 of the DSA when supervising data processing activities under the DSA. These include the authority to request information and judicial approval for onsite inspections and to impose sanctions and periodic penalty payments.

This multi-authority model raises concerns about fragmented responsibilities and inconsistent enforcement. To mitigate these risks, the amendment foresees the issuance of a cooperation instruction between the CRC, the Council of Electronic Media and the Personal Data Protection Commission in order to clarify the division of responsibilities between the authorities involved. Despite this effort, the fragmented structure and overlapping mandates still have the potential to hinder the effective implementation of the DSA.


Highly structured certification and award procedures

The DSA introduces several EU-wide mechanisms aimed at enhancing accountability in the online environment. These include out-of-court dispute settlement bodies, trusted flaggers (experts/expert organisations that report illegal content) and vetted researchers (who access platform data to study systemic risks and assess the adequacy, efficiency and impacts of risk mitigation measures). While these mechanisms apply across the EU, Bulgaria’s implementation places particular emphasis on structured procedure, limited procedural extensions and transparency.

The CRC is designated as the competent authority for certifying out-of-court dispute settlement bodies and for awarding trusted flagger and vetted researcher status. These procedures follow a highly structured format and strict timelines. For instance, the CRC may request additional information only once, and decisions on certification and on awarding trusted flagger status must be adopted within two months, with the possibility of extension solely for the period required to receive the requested information.

Transparency is one of the key features applicable to the activities of the out-of-court dispute settlement bodies and trusted flaggers. Certified dispute settlement bodies must report detailed data annually, including dispute outcomes, platform names, and decision timeframes. The CRC then publishes aggregated information on its website in an open, machine-readable format. It also maintains a public electronic register of certified out-of-court dispute settlement bodies, accessible in the same format.

Similar information obligations apply in respect of trusted flaggers. The CRC collects, aggregates, and publishes annual data on reports submitted by trusted flaggers, who must report information such as the identity of the reporting organisation, the reason for the report, the platform involved, response times, and whether the report was accepted or rejected. This aggregated information is likewise made public in an open, machine-readable format.

Taken together, these measures reflect a procedural model that gives priority to clarity, predictability, and accountability. This structured approach, combined with strict timelines and limited extensions, contributes to legal certainty for applicants and facilitates oversight by the public and relevant stakeholders.


A comprehensive enforcement architecture

Perhaps the most striking aspect of Bulgaria’s framework is its enforcement model, which departs from the traditional administrative sanctioning process under the Bulgarian Administrative Offenses and Sanctions Act. Although not backed up with specific statistics or arguments, the legislator evidently considers the said process ineffective for enforcing the DSA. Therefore, to enable a more efficient process, the law provides for a single administrative procedure in which both the violation and the penalty are established through one document - a decision issued by the competent authority (the CRC or Council of Electronic Media, as the case may be).

The DSA enforcement procedure outlines a detailed process for conducting inspections, provisions for termination of the proceedings, including the applicable statute of limitations (three years as of committing the violation), as well as the methods and tools for collecting evidence. Investigative powers are extended to align with the DSA - officials of the competent authority can access the premises and facilities of the entity under investigation, request and examine all types of documents and records regardless of format and collect oral and/or written statements from the investigated party. Onsite inspections are subject to prior authorisation by the Administrative Court – Sofia Region.

In line with the DSA, service providers have the right to propose commitments aimed at remedying a violation. In such cases, the competent authority publishes its intention to terminate the proceedings and allows a period of up to 30 days for interested parties to comment. If the competent authority deems the commitments sufficient, it may approve the proposed commitments by decision, which will also terminate the proceedings without establishing an infringement.

In urgent cases where there is a risk of serious and irreparable harm, the competent authority may order the cessation of infringements and, where appropriate, impose remedies proportionate to the infringement and necessary to bring it to an end, as well as impose a periodic penalty payment. Such an order is subject to appeal, but the appeal does not stop its enforcement. In certain cases, the competent authority may implement a temporary restriction on access to the digital service. These measures require judicial authorisation by the Administrative Court - Sofia Region and must comply with the proportionality and procedural safeguards under the DSA. Unfortunately, the lack of clear criteria for determining what constitutes “urgency” or “serious” or “irreparable” harm introduces a risk of subjectivity in the application of those measures. This could lead to inconsistent enforcement or disproportionate responses, particularly in politically or socially sensitive contexts.

Certain decisions of the competent authority are granted immediate enforceability by law. Examples include orders requiring the cessation of an infringement or mandating corrective actions. The purpose of immediate enforcement is to swiftly align the provider’s activities with the DSA and mitigate harmful consequences while ensuring the timely protection of affected individuals. Even in these cases, the rights of investigated entities are safeguarded through judicial review and appeal mechanisms.

While the newly introduced procedure is designed to be comprehensive, its practical application may raise concerns. The novelty of the enforcement model combined with the absence of judicial practice will inevitably create interpretative gaps, especially in the initial phase of implementation. During this period, providers may face challenges in foreseeing how the competent authority or courts will interpret key provisions and the scope of corrective measures.


Departure from traditional administrative sanctions

The sanctioning framework introduced by the ECA amendment reflects the thresholds under the DSA.  It provides for:

  • fines of up to 6% of the global annual turnover or income of the preceding financial year for breaches of obligations under the DSA;
  • fines of up to 1% of the annual income or worldwide turnover for failure to provide information; the submission of incorrect, incomplete or misleading information, the failure to rectify such information or refusal to cooperate during onsite inspections;
  • daily periodic fines of up to 5% of the average daily worldwide turnover or income for continued non-compliance, including failure to provide or correct information within the specified timeframe, failure to implement commitments approved by the authority, or failure to comply with an order for the cessation of infringement.

In addition, periodic fines of up to 1% of the annual income or worldwide turnover may be imposed on other persons holding information relevant for the establishment of a violation who fail to comply with obligations to provide such information, cooperate during inspections or rectify inaccurate submissions.

This approach differs significantly from the traditional Bulgarian administrative sanctioning model, which typically defines violations in more specific terms, applies differentiated penalties based on severity and rarely exceeds tens of thousands of leva. While periodic penalties are not entirely new under the ECA, the extended liability scope combined with the scale of sanctions represents a notable development in the enforcement of compliance obligations.


What the ECA amendment means

Bulgaria’s implementation of the DSA combines EU-driven obligations with national procedural innovations that prioritise speed, transparency and regulatory certainty. By embedding these rules in the ECA, the country has opted for a pragmatic but complex legislative solution that may shape future debates on content regulation. Its layered structure and multi-authority enforcement may prompt legal challenges, particularly in relation to the clarification of competences and a coherent approach to sanctions. Whether this model will withstand judicial scrutiny remains an open question. For businesses, the scale of potential fines and the intended accelerated enforcement prompt the need for timely adaptation.
