The New Bulgarian Cyber-security Act Goes Live

On 13th November 2018, the new Cybersecurity Act (the CA) was promulgated in State Gazette. The CA is the first comprehensive piece of Bulgarian legislation in the area of cybersecurity.

It was adopted in order to implement the requirements under Directive 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the EU.

The CA imposes obligations on the following subjects: (i)    administrative bodies; (ii)  operators of essential services (e.g. key undertakings acting in sectors such as energy, transport, banking, financial market infrastructures, healthcare, drinking water supply and distribution, digital infrastructure - as listed in Appendix to the CA); (iii) digital service providers (digital services are defined as online marketplace, online search engine, cloud computing); (iv)  persons exercising public functions when they provide electronic administrative services (e.g. notaries, private enforcement agents, state and municipal educational institutions, state and municipal medical institutions, etc.); (v)  organizations providing public services (such as educational, health, water supply, sewerage, heat supply, electricity, gas supply, telecommunications, postal, banking, financial services, etc.) that are not designated as (iii) or (iv), when such organizations provide administrative services electronically.

Providers of digital services that are micro and small enterprises are among the subjects excluded from the scope of the CA.

The obligations imposed by the CA vary depending of the type of obligated persons, but worth mentioning are:

  •  ensuring and being responsible for the network and information security (NIS);
  • notifying sector response teams for computer security incidents that have an impact on the continuity of the electronic services provided by the obligated persons; 
  • implementing appropriate and proportionate technical and organizational measures to:
    • manage the risks to NIS; 
    • prevent and minimize the impact of accidents affecting the NIS in order to ensure the continuity of the services provided.

The CA imposes severe administrative sanctions and fines which may go up to BGN 25,000  in case of repeated violations.

Dimitrov, Petrov & Co.'s lawyers Hristo Nihrizov and Nikola Stoychev were among the leading experts who participated in the elaboration of this new piece of legislation and most of their proposals and comments had been reflected in the promulgated CA. The DPCo.’s team of prominent technology lawyers led by Prof. Dr. George Dimitrov provides tailored legal solutions to various companies which will help businesses to comply with the constantly evolving legal environment in various sectors of the industry.