Contacts

Bulgaria, Kavarna
Saudi Arabia, Riyadh

+359 875 328030

sales@diamatix.com

Bulgaria Advances Cybersecurity Law Changes as NIS2 Enforcement Begins + Update


Bulgaria Advances Cybersecurity Law Changes as NIS2 Enforcement Begins

Date: February 5, 2026

The Bulgarian Parliament has adopted amendments to the Cybersecurity Act at second reading, aligning national legislation with Directive (EU) 2022/2555 (NIS2). The move marks a shift from delayed transposition toward active enforcement and regulatory oversight.

Although Bulgaria missed the original EU transposition deadline of October 17, 2024, the newly adopted framework signals the start of a practical enforcement phase rather than continued regulatory preparation.

What Actually Changes

The amended law significantly expands the scope of regulated entities. Beyond public authorities, the framework now applies to a broad range of public and private organizations, including ICT service providers, domain registrars, research institutions with critical activities, and judicial bodies.

The number of regulated sectors increases from eight to eighteen, covering manufacturing, postal and courier services, waste management, food and chemical production, digital services, and scientific research.

Incident reporting obligations become more stringent. Significant incidents must be reported within 24 hours of detection, updated within 72 hours, and followed by a final report within one month. This raises the bar for detection, escalation, and response maturity.

Technology Restrictions and Supply Chain Risk

A key provision allows the Council of Ministers, based on risk assessments and EU-level supply chain evaluations, to restrict the use of specific ICT technologies, products, or services, including those originating outside the EU.

Organizations already using restricted technologies may be required to phase them out within three years, or sooner in cases of elevated national security risk. This directly affects long-term IT planning and supplier strategies.

Impact on Businesses and MSPs

For organizations, cybersecurity is no longer solely an IT concern. It becomes a governance, contractual, and operational issue requiring clear asset mapping, supplier oversight, and continuous security monitoring.

For MSPs and MSSPs, client expectations will shift. Customers will increasingly require:

  • demonstrable 24/7 operational security capability

  • structured incident response and reporting processes

  • transparency across supply chains

  • audit-ready security operations

Service models built around limited hours or reactive support will struggle under the new enforcement conditions.

The DIAMATIX Perspective

From an operational standpoint, these changes do not introduce new security principles. They formalize expectations that regulators already apply in practice.

Organizations that treat NIS2 as a documentation exercise will face difficulties during inspections or real incidents. Those that invest in continuous monitoring, defined escalation paths, and clear ownership models will navigate enforcement with less disruption.

For the MSP ecosystem, this is a moment to reassess delivery models. Not tools, but how security operates day to day.


Update – The Law Is Now in Force. What This Means in Practice

With the amendments officially published in the State Gazette, Bulgaria has formally transposed Directive (EU) 2022/2555 (NIS2) and moved from political debate to an enforceable regulatory framework.

This is not a symbolic change. The law:

• Expands scope to 18 sectors
• Introduces “essential” and “important” entity classification
• Requires 24-hour initial incident notification
• Establishes board-level accountability
• Enables restrictions on high-risk technologies and supply chains

Regulatory focus now shifts toward operational risk management, supply chain resilience, and demonstrable incident response processes.

Although Bulgaria was among the later EU member states to transpose NIS2, it is now entering the enforcement phase. This implies active oversight and expectations for structural readiness, not declarative compliance.

What This Means for Businesses

Organizations must:

• Map critical ICT assets and processes
• Determine their regulatory classification
• Establish 24/72-hour reporting workflows
• Conduct structured supply chain risk assessments
• Implement governance accountability mechanisms

By the end of 2026, authorities will expect measurable preparedness, not paper compliance.

What This Means for MSPs

MSPs are no longer purely technical providers. They are now embedded in their clients’ regulatory posture.

This requires:

• Clear contractual incident responsibilities
• Documented monitoring and response capabilities
• Demonstrable operational maturity
• Transparency regarding technology stacks and supply chains

MSPs that can provide structured, auditable security operations will gain strategic advantage.

DIAMATIX Perspective

This law shifts cybersecurity in Bulgaria from technical implementation to governance-driven accountability.

NIS2 is not an IT upgrade. It is a structural transformation of risk ownership.

Organizations that treat it as strategic modernization will build resilience. Those that delay adaptation will face regulatory exposure.

The enforcement phase has begun. Preparedness is now measurable.

Conclusion

With these amendments, Bulgaria moves decisively from delayed alignment toward active NIS2 enforcement. The coming months will reveal which organizations are prepared to demonstrate control, resilience, and accountability under regulatory scrutiny.

Related resource

For additional context on how NIS2 fits alongside ISO 27001, DORA, and GDPR at EU level, see our analysis:
 ISO 27001, NIS2, DORA and GDPR. Mapping the EU Cybersecurity Landscape

NIS2 in Bulgaria: What the 2026 Amendments to the Cybersecurity Act Mean


Sources

  • National Assembly of the Republic of Bulgaria. Legislative decisions

  • Directive (EU) 2022/2555 (NIS2)

  • European Commission. NIS2 transposition and enforcement data

  • Bulgarian national media, February 5, 2026
