NIS2 in Bulgaria: What the 2026 Amendments to the Cybersecurity Act Mean
NIS2 is not a technological regulation. It is a regulation of governance accountability.
TL;DR
| Change | What It Means |
|---|---|
| NIS2 is implemented through amendments to the Cybersecurity Act | The requirements are now part of national law |
| The scope covers 18 sectors | Significantly more organizations fall under regulation |
| “Essential” and “Important” entities are introduced | Different levels of supervision and sanction thresholds |
| 24-hour notification requirement | Requires real monitoring and clear escalation |
| Formalized governance accountability | Executive management carries direct responsibility |
NIS2 does not introduce new technologies.
It introduces new expectations regarding how security is managed.
What Has Changed Legally
With the publication of the amendments to the Cybersecurity Act in February 2026, Bulgaria officially transposed Directive (EU) 2022/2555.
This is not a separate “NIS2 law.”
It is an expanded and structured national framework.
The key shift is that the regulation now requires security to be:
continuous
measurable
documented
governed at executive level
The focus moves from “Do we have tools?” to “Do our processes function under pressure?”
18 Sectors Under Regulatory Scope
The law now covers 18 sectors, including:
Energy
Transport
Financial and banking services
Healthcare
Drinking and wastewater services
Digital infrastructure
Public administration
ICT services
Manufacturing of critical products
Postal and courier services
Food sector
Waste management
Chemical production and distribution
Digital service providers
This means that organizations previously outside direct regulatory focus are now within scope.
“Essential” and “Important” Entities
The new categorization determines the level of supervision and sanctions.
Essential entities
Typically large enterprises operating in critical sectors.
Subject to proactive and stricter supervision.
Maximum administrative fines may reach:
up to €10 million
or up to 2% of global annual turnover
Important entities
Organizations with significant economic relevance but outside the most critical categories.
Sanctions may reach:
up to €7 million
or up to 1.4% of global turnover
However, risk management requirements remain largely similar for both categories.
Sanctions are aligned with the thresholds introduced by NIS2, reaching up to €10 million or 2% of global annual turnover for essential entities.
24 Hours Is a Structural Test
Initial incident notification within 24 hours implies:
continuous monitoring
timely detection
clearly defined roles
documented actions
If visibility is not centralized, detection time increases.
If escalation is unclear, response slows.
If logs are fragmented, proving compliance becomes difficult.
The regulation makes these weaknesses measurable.
Governance Accountability Is Formalized
NIS2 formalizes executive responsibility for managing cyber risk.
In practice, this means:
regular reporting to the board
documented risk assessments
measurable performance indicators
periodic review of controls
Cybersecurity is no longer solely a technical function.
It is part of corporate governance.
What Regulators Will Likely Examine
In 2026, supervisory focus is expected to include:
actual detection and response times
testing of recovery plans
documented procedures
executive-level awareness and training
traceability of incident handling
Compliance will be assessed through operational behavior under pressure.
What This Means for Organizations in 2026
In 2026, organizations will face regulatory pressure that cannot be addressed through one-time projects.
A sustainable operational model is required:
centralized visibility
continuous monitoring
clear escalation
documented risk management
executive-level accountability
Organizations that have already structured security as an ongoing process will adapt more smoothly.
Those relying on isolated tools without integration and 24/7 monitoring will be forced to restructure their environments under pressure.
NIS2 is not a technological regulation.
It is a regulation of governance accountability.
Upcoming Webinar for Municipalities
In this context, DIAMATIX will host a dedicated webinar for municipalities and public organizations, covering:
the scope of the amendments for local administration
operational implications for municipal IT environments
a practical model for structuring monitoring and escalation
Additional sector-focused sessions for regulated industries will follow in 2026.