February 2026 – Across most of the European Union, the NIS2 Directive has already become operational reality. Bulgaria’s path to transposition, however, has been materially delayed. The Cybersecurity Act amendments intended to implement the NIS2 Directive were first submitted to the Parliament in September 2024, passed at first reading in February 2025 and reached final adoption in February 2026, with the new framework entering into force on 17 February 2026.
This delay has consequences that go beyond the mere legal uncertainty. While Bulgaria was still preparing its implementation framework, in January 2026 the European Commission proposed a new EU cybersecurity package, including amendments to the NIS2 Directive and a draft Regulation that will replace the Cybersecurity Act. As a result, Bulgarian in-scope entities will begin implementing a framework that is already being reconsidered and further developed at EU level.
Scope uncertainty - who will be regulated, often without expecting
One of the most significant effects of the Bulgarian transposition concerns the scope of regulation, because determining if an organisation qualifies as an in-scope entity will not be straightforward.
Expansion of sectors
The transposition follows the logic of the NIS2 Directive and significantly broadens the range of regulated sectors and entities. The law now applies not only to organisations operating in traditional sectors such as energy, transport, banking, healthcare and drinking water supply, but also to waste management, electronic communications networks/services, food production and distribution, data centres, trust services, content delivery services and others. This expansion alone will bring a large number of Bulgarian companies within scope for the first time.
Essential and important entities
There is also a new internal categorisation. In line with the NIS2 Directive, the Bulgarian law now distinguishes between essential and important entities, replacing the former concepts of “essential services providers” and “digital service providers”. As a rule, entities previously designated as essential services providers, public administration bodies, qualified trust service providers and entities identified as critical under Directive (EU) 2022/2557, among others, will fall within the essential category. By contrast, postal and courier operators, waste management companies, manufacturers of medical devices, food producers and distributors, research organisations, and a broad range of digital service providers will generally be classified as important entities.
Size is not a safe harbour
Size adds another layer of complexity. The Bulgarian law incorporates a size‑cap rule, under which entities operating in the listed sectors fall within scope if they qualify as medium-sized enterprises, meaning they have at least 50 employees or an annual turnover or balance sheet total above EUR 10 million. This threshold, however, is not conclusive. Several categories of entities fall within scope regardless of headcount or turnover, including trust service providers, electronic communications network/services providers and top-level domain registries. As a result, NIS2 exposure will not always be obvious and cannot be assessed solely by reference to sector, workforce size or revenue.
Administrative designation
The Bulgarian transposition further adds to the uncertainty surrounding the scope by preserving the existing administrative designation model. Organisations will not self - assess whether they qualify as essential or important entities. Instead, the process will unfold in stages:
- the Council of Ministers must first adopt a methodology for identification and designation of essential and important entities within six months of the law’s entry into force;
- once this methodology is adopted, the national competent authorities will have additional five months to identify and designate entities and to notify the Minister of e-Government, who is responsible for establishing and maintaining the national register of essential and important entities.
This centralised approach ensures regulatory oversight and consistency, but it also creates dependence on administrative processes and raises questions about the transparency of the designation criteria, the predictability for businesses and the availability and effectiveness of remedies against designation decisions. As a result, in the early implementation phase many organisations may face a period of prolonged uncertainty while awaiting formal designation.
Goldplating as a choice
The Bulgarian transposition does not merely follow closely the NIS2 Directive. In several areas the legislator has opted for a stricter national regime. Taken together, these deviations reveal a policy to expand scope, increase compliance obligations, and strengthen administrative control. Тhe most evident examples include the following:
Broader scope than required by NIS2 Directive
The Bulgarian transposition expands cybersecurity obligations in the food sector beyond the limits set forth in Annex II to the NIS2 Directive. While the Directive focuses on the wholesale distribution and industrial production and processing of food, the national law applies to all food businesses, defined as any undertaking involved at any stage of production, processing or distribution of food. For a significant number of Bulgarian in-scope entities, this will be their first encounter with a complex cybersecurity compliance framework.
More prescriptive risk-management and governance obligations
The law introduces additional cybersecurity risk-management measures beyond those listed in Art. 21(2) of the NIS2 Directive (e.g., change management, cybersecurity risk management and notification obligations for the listed entities). It is not clear what these supplementary measures are intended to cover that is not already addressed by Art. 21(2), and this ambiguity creates real operational challenges for multinational groups. Such companies will need to decide whether to apply the more stringent Bulgarian requirements across all jurisdictions or to maintain country‑specific measures. Either approach will increase the complexity of internal policies and interactions with supervisory authorities
A similar approach is taken to governance obligations. While the NIS2 Directive requires management bodies to undergo cybersecurity training on a risk-based basis, the Bulgarian law mandates periodic training at fixed two-year intervals. Although defensible from a policy perspective, this approach risks turning a substantive governance requirement into a formalistic compliance and increases administrative burden on in-scope entities.
Stricter procedural and sanctions regime
The transposition provides for tighter procedural requirements for notifying changes to the registry information under Art. 27 of the NIS2 Directive. Changes to registered information must now be reported within two weeks, a significant departure from the three-month timeframe provided in the Directive. In sectors characterised by frequent restructurings, acquisitions and service changes, this compressed timeline may increase the risk of inadvertent non-compliance.
The sanctions framework is also more rigid. The law introduces explicit national minimum amounts for administrative fines based on the type of entity - essential or important - and provides that these fines are imposed independently of other corrective measures. The NIS2 Directive requires Member States to set maximum fines, but does not mandate minimum thresholds. The Bulgarian approach therefore reduces enforcement flexibility and may lead to disproportionate outcomes where sanctions are imposed irrespective of other corrective measures.
Additional national-security driven powers
The law also introduces a new mechanism which allows the Bulgarian government to restrict the use of specific technologies by essential and important entities. Such powers are not required under the NIS2 Directive, which primarily focuses on risk-management obligations rather than technology prohibitions. This mechanism appears to draw inspiration from the EU 5G Toolbox and represents a broader national security-driven extension of the regime, extending well beyond mobile networks and 5G providers.
A quiet revolution
Beyond questions of scope and national deviations, the most significant impact of the Bulgarian transposition lies in its intended effect on how cybersecurity is understood and managed within organisations. In line with the NIS2 Directive, cybersecurity is no longer considered a purely technical function, but rather a matter of corporate governance and management accountability. Management bodies are now expected to oversee cybersecurity matters and receive training on cybersecurity risk-management measures. Failures in this area may lead not only to administrative fines but, in certain circumstances, to temporary bans on holding management positions. For many Bulgarian in-scope entities, this represents a significant change, as cybersecurity moves from the domain of technical specialists and compliance documents to the sphere of enterprise risk management and executive responsibility.
The strengthened focus on the supply chain further supports this change. In-scope entities are responsible not only for their own systems, but must also assess and manage the cybersecurity position of suppliers and service providers. In practice, this is often more difficult than securing internal infrastructure and requires contractual, operational and cultural adjustments. For many Bulgarian companies, where cybersecurity has traditionally been treated as a technical or operational matter, the new regime represents a significant organisational transformation and the NIS2 model is likely to be particularly challenging.
Early phase uncertainty
The amendments to the Cybersecurity Act enter into force on 17 February 2026, with no transitional compliance period. Although reduced sanctions will apply for breaches committed by 1 June 2026, the core obligations become immediately applicable.
For competent authorities, this means building the new institutional framework and adopting the implementing legislation while simultaneously developing supervisory practise within a compressed timeframe. For in-scope entities, the effect is equally challenging. Organisations must move toward compliance despite the evolving designation processes and limited practical guidance, often while still assessing whether and how the new regime applies to them.
The early implementation phase is therefore likely to be marked by uneven enforcement and interpretative uncertainty, creating a demanding starting point for Bulgaria’s NIS2 regime.