Energy and Cybersecurity


Cybersecurity is becoming an increasingly important aspect of our daily lives. This has led to the adoption of a more modern regulatory framework for cybersecurity within the EU.

As of January 2025, Directive (EU) 2022/2555 (NIS2) (“the Directive”) applies in those EU Member States that have transposed its provisions into national law.

In Bulgaria, cybersecurity is regulated by the Cybersecurity Act. However, the Directive has not yet been transposed into this Act. At the end of 2024, a draft law amending and supplementing the Cybersecurity Act was submitted to incorporate the Directive. As of early March 2025, the draft law is still under review at the first reading in Parliament.

The Directive aims to achieve a high common level of cybersecurity across the EU, thereby improving the functioning of the internal market.

It introduces stricter requirements for risk management and incident reporting, as well as harsher penalties for non-compliance.

Who Falls Under the Directive?

The Directive applies to electricity producers that meet or exceed the criteria for medium-sized enterprises and that provide services or carry out their activities within the EU.

Under the draft amendments to the Cybersecurity Act, energy enterprises that carry out supply activities as defined by the Energy Act are also brought within the scope of the Directive's requirements.

What is an “Energy Enterprise” and “Supply”?

The definition is provided in the Energy Act. An energy enterprise is an entity that carries out one or more of the following activities: generation, conversion, transmission, storage, distribution, aggregation, consumption optimization, supply, and provision of electricity, thermal energy, or natural gas based on a license issued under the law. It may also include entities involved in extraction of energy resources under a concession or those engaged in oil and petroleum product transportation via pipelines.

Supply refers to the sale, including resale, of energy or natural gas to customers.

What is Cybersecurity?

Under the Cybersecurity Act, cybersecurity is the state of society and the state in which, through a set of measures and actions, cyberspace is protected from threats to its independent networks and information infrastructure, or from threats that could disrupt their operation.

Cybersecurity encompasses network and information security, cybercrime prevention, and cyber defense.

Network and information security refers to the ability of networks and information systems to withstand impacts that negatively affect the availability, authenticity, integrity, or confidentiality of stored, transmitted, or processed data, as well as related services provided by or accessible through these systems.

Electricity producers covered by the Directive must implement protection measures to prevent threats.

These include technical and organizational measures to prevent, detect, and respond to incidents that could jeopardize the security and continuity of energy supply.

Amendments to the Cybersecurity Act introduce obligations for management bodies to approve risk management measures in the field of cybersecurity.

Board members are required to undergo training every two years to gain sufficient knowledge and skills to identify risks and assess cybersecurity risk management practices and their impact on the services provided by the entity.

Additionally, training programs should also be organized for company employees.

What Should the Measures Include?

The proposed amendments to the Cybersecurity Act provide general guidelines on the necessary technical and organizational measures.

These measures must take account of the state of the art in information security, comply with applicable European and international standards, and be proportionate to the risk and the cost of implementation.

Some of the key measures listed include:

  • Policies for risk analysis and information system security
  • Business continuity strategies, such as backup management, disaster recovery, and crisis management
  • Supply chain security, including security aspects related to interactions between each entity and its direct suppliers or service providers
  • Basic cyber hygiene practices and cybersecurity training
  • Human resources security, access control policies, and asset management
  • Other measures listed in the draft law, such as incident handling and the use of cryptography and, where appropriate, encryption

Incident Reporting Requirements

Any incident with a significant impact must be notified to the competent authority in stages. An early warning must be submitted within 24 hours of becoming aware of the incident, indicating whether it is suspected to have been caused by unlawful or malicious acts and whether it may have cross-border impact.

An incident notification must then be submitted within 72 hours, updating the early warning with an initial assessment of the incident's severity and impact and, where available, indicators of compromise. A final report must be submitted no later than one month after that notification, detailing the incident, its severity and impact, the likely root cause, and the mitigation measures applied. The competent authority may also request intermediate status reports while the incident is ongoing.

Sanctions for Non-Compliance

The amendments introduce severe penalties for failure to comply with the new requirements.

An energy enterprise that fails to implement the required measures or to report an incident faces a sanction ranging from BGN 50,000 up to BGN 20 million or 2% of its total worldwide annual turnover for the previous financial year, whichever of the two is higher.

What’s Next?

Within 8 months of the adoption of the amendments to the Cybersecurity Act, the relevant ordinance must be updated in line with the new legal requirements.

Until the new ordinance enters into force, the Rules on Minimum Security Requirements for Public Electronic Communication Networks and Services and Risk Management Methods for Their Security, issued by the Communications Regulation Commission, will continue to apply.

It is recommended that affected entities conduct a thorough gap analysis of their current state against the new requirements, resulting in specific recommendations for the measures that need to be implemented and documented in order to demonstrate compliance.

An important step is also the training of management bodies and staff, which can be time-consuming. Therefore, it is advisable to take timely action in organizing the necessary training for the relevant individuals.

The article above is for information purposes only. It is not (binding) legal advice. For a thorough understanding of the subjects covered, and prior to acting on any issue discussed, we kindly recommend that readers consult the attorneys at law of Ilieva, Voutcheva & Co. Law Firm.