The deadline for implementing Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (“NIS2”) passed on 17 October 2024, and Bulgaria is in the process of transposing NIS2 into its Cybersecurity Act. The draft bill has been submitted to the Bulgarian Parliament and is expected to be approved soon.
More detailed cybersecurity measures and obligations will be prescribed in the implementing regulation, which should be adopted within 8 months after the amended Cybersecurity Act enters into effect, i.e. by June 2025 if the current timetable holds.
Below is a brief overview of the major amendments proposed in the bill which will affect businesses:
1. Broader scope of entities subject to risk management and reporting obligations under the Cybersecurity Act
The bill introduces definitions of significant and important entities, which broadens the range of businesses subject to cybersecurity compliance.
Significant entities:
- Entities exceeding the thresholds for medium-sized enterprises which operate in the energy, transport, banking, financial markets infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT management services and aerospace.
- Providers of qualified authentication services, domain name registries, and DNS services regardless of the size of the business.
- Providers of public electronic communications networks or services that qualify as medium-sized enterprises.
- All entities conducting certain types of activities in the field of energy, transport, banking, financial markets infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT management services and other fields indicated in the NIS2.
- Entities determined to be essential entities based on the following criteria:
  - the entity acts as the sole provider of a service that is essential for the maintenance of critical social and economic activities;
  - a disruption (for a specified time) of the service provided by the entity could have a significant impact on public security or public health;
  - an interference with the service provided by the entity could cause significant systemic risk, in particular in sectors where such a disruption could have cross-border impact;
  - the entity is critical because of its specific importance at a national or regional level for the specific sector or type of service, or for other interdependent sectors in Bulgaria.
- Entities qualifying as critical based on the assessment to be made by the Bulgarian authorities within 8 months after the amendments to the Cybersecurity Act take effect.
- Entities designated as operators of essential services under the existing rules.
Important entities:
All entities which do not qualify as significant entities and conduct certain types of activities in the fields of energy, transport, banking, financial markets infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT management services and other fields indicated in NIS2.
2. Cybersecurity risk management measures and reporting obligations for significant and important entities
According to the bill, significant and important entities will be required to ensure cybersecurity risk training for their management every 2 years, and the management should in turn provide such training to employees.
In addition, significant and important entities will be required to implement appropriate measures to mitigate risks to their network and information systems. These measures must be proportional to the entity’s risk profile, considering factors such as the size of the entity, the likelihood of incidents, and potential societal and economic impacts.
The bill outlines only the general scope of such measures, as also defined in the NIS2 Directive, i.e.:
- policies on risk analysis and information system security;
- incident handling;
- business continuity, such as backup management and disaster recovery, and crisis management;
- supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
- security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
- policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
- basic cyber hygiene practices and cybersecurity training.
A more detailed description of the relevant obligations is expected in a subsequent amendment of the Implementing Regulation for the Minimum Requirements to the Network and Informational Security, to be proposed by the Council of Ministers.
3. What should businesses be doing?
- Companies should increase their awareness of the existing local cybersecurity legislation.
- Conduct an internal analysis of their business activities to identify whether they fall within the scope of NIS2.
- Consider the basic requirements that will have to be applied.
- Plan suitable measures to adapt the organisation's business processes to the new standards under NIS2 (incl. audits, training, review of internal policies, etc.).
- Clients should be informed of the significant sanctions provided for in NIS2 and of the applicable legal and administrative procedures.
Please note that this article is for informational purposes only and does not serve as legal advice. For further details on this topic, please reach out to Emil Lukaev at emil.lukaev@elukaev.com.