The new measures for a high general level of cyber security in Bulgaria are under discussion! (NIS2)
General information and purpose:
The bill, which transposes the NIS2 Directive, is intended to help achieve the common goal of increasing the level of protection against incidents, risks and threats to network and information security across the EU. The public consultation runs for one month, from 4 July 2024 (04.07.24) to 3 August 2024 (03.08.24).
The general goal is to ensure the legal integration of Bulgarian cyber security with the European one, including through the introduction of improved European requirements in relation to risk assessment for example.
The specific objective is to fill the identified gaps and remove inconsistencies in the current Bulgarian legislation by introducing rules on risk assessment capacity, incident reporting and testing, and by raising awareness that cyber incidents, and the lack of an adequate response to them, can threaten the stability of both public and private entities.
Competent authorities are given broad powers to manage and oversee cyber security policies in relation to the designated entities (essential and important). They should be empowered to apply sanctions, including the suspension of a certification or authorisation for some or all of an entity's services, in proportion to the gravity of the infringement. Competent authorities are required to supervise the entities covered by the directive and, in particular, to ensure their compliance with the security and incident notification requirements.
With the amendment of the law, the sectors within scope are expanded. Sectors of high criticality (Annex I):
- Energy
- Transportation
- Banking sector
- Financial market infrastructures
- Healthcare
- Drinking water
- Wastewater
- Digital infrastructure
- Management of ICT services (business-to-business)
- Public Administration
- Space
Other critical sectors (Annex II):
- Postal and courier services
- Waste management
- Production, preparation and distribution of chemicals
- Production, processing and distribution of food
- Manufacturing
- Digital providers
- Research
As a result of the adoption of the proposed amendments, it is expected:
- creating conditions for building an effective system for preventing and combating cyberattacks;
- limiting the scale, frequency and impact of incidents;
- counteracting incidents that cause significant financial losses, undermine consumer confidence and cause serious damage to the state's economy;
- limiting the transnational nature of incidents;
- establishing a level playing field in the supervision of essential and important entities and administrative bodies;
- facilitating access to proper information regarding a service that is essential for the maintenance of particularly important public and/or economic activities;
- increasing security by creating and maintaining a non-public register of the designated entities within the scope of the draft law, as well as of the essential services themselves;
- introduction of a clear hierarchical structure in the management and organization of the national cyber security system;
- improving the reliability, sustainability and efficiency of the networks and information systems of all entities within the scope of the law.
To which enterprises this draft law applies:
This draft law refers to the so-called "Essential and important entities", which are:
- Essential entities: for the purposes of the law, entities of the types specified in Annex I which exceed the ceilings for medium-sized enterprises laid down in Art. 3, para. 1 of the Law on Small and Medium-Sized Enterprises, quoted here:
Art. 3. (Amended - SG No. 59 of 2006) (1) The category of small and medium-sized enterprises includes enterprises that have:
- an average number of staff of fewer than 250 people, and
- an annual turnover not exceeding BGN 97,500,000 and/or an asset value not exceeding BGN 84,000,000.
(2) Of the enterprises under para. 1, small enterprises are those that have:
- an average number of staff of fewer than 50 people, and
- an annual turnover not exceeding BGN 19,500,000 and/or an asset value not exceeding BGN 19,500,000.
(3) Of the enterprises under para. 1, micro-enterprises are those that have:
- an average number of staff of fewer than 10 people, and
- an annual turnover not exceeding BGN 3,900,000 and/or an asset value not exceeding BGN 3,900,000.
- Important entities: for the purposes of the law, entities of the types specified in Annex I or II that do not meet the criteria for essential entities under para. 1 are considered important entities. The obligations and responsibilities under the draft law apply in full to both essential and important entities.
Duties and responsibilities:
- Registration with the Ministry of Electronic Government;
- Allocation of cybersecurity responsibilities;
- Application of policies for cyber security;
- Incident reporting procedure (early warning to the competent authority within 24 hours of becoming aware of a significant incident);
- Continuity of services and business activity;
- Supply chain security;
- Policies and procedures for assessing the effectiveness of risk management measures in the field of cyber security;
- NIS2 Training to increase the qualifications of all employees in the company;
- Annual audits;
- Human resources security;
- Access control and asset management policies;
- Multi-factor authentication solutions;
- Interactions with third parties.
Violations and penalties:
(1) An administrative body that fails to implement a coercive administrative measure shall be fined BGN 10,000 to BGN 100,000.
(2) In case of a repeated violation under para. 1, the fine is BGN 20,000 to BGN 200,000.
The pecuniary sanctions imposed on the essential and important entities under this Article in relation to violations of the law shall be effective, proportionate and dissuasive, taking into account the circumstances of each specific case.
An essential entity that fails to fulfil its obligations is punished with a pecuniary penalty of BGN 200,000 up to 2% of the total worldwide annual turnover for the preceding financial year of the undertaking to which the essential entity belongs, with the maximum penalty being not less than BGN 20,000,000.
An important entity that fails to fulfil its obligations is punished with a pecuniary penalty of BGN 100,000 up to 1.4% of the total worldwide annual turnover for the preceding financial year of the undertaking to which the important entity belongs, with the maximum penalty being not less than BGN 14,000,000.
In case of a violation of Art. 21, the managers or members of the management bodies of essential and important entities are personally liable to a fine of BGN 1,000 to BGN 100,000.
Coercive administrative measures are imposed on an essential or important entity in order to stop a violation of the law, following a prior decision of the competent authority.
In case of failure to comply with any of the imposed measures, the essential or important entity is subject to periodic penalty payments of BGN 5,000 for each day of non-compliance.
If you have any questions or need advice about NIS 2, please contact us.