The NIS2 Directive in Bulgaria: telcos may face overlapping rules and be subject to multiple supervisory authorities
Violetta Kunze
Djingov, Gouginski, Kyutchukov & Velichkov, Sofia
violetta.kunze@dgkv.com
Georgi Sulev
Djingov, Gouginski, Kyutchukov & Velichkov, Sofia
georgi.sulev@dgkv.com
Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148, commonly referred to as the NIS2 Directive, was due to be transposed into law and applied in Bulgaria by 17 October 2024. However, delays in the transposition of the law have been observed across most EU Member States.[1] As of June 2025, Bulgaria’s transposition of the NIS2 Directive remains in the final stage of the legislative process before the national parliament.[2]
The transposition of the NIS2 Directive in Bulgaria
Providers of public electronic communications networks or services operating in the territory of Bulgaria should be aware of certain specifics of the national transposition of the NIS2 Directive that may result in multiple cybersecurity regulatory regimes applying to them in parallel.
The security of public electronic communications networks or services used to be regulated under the European Electronic Communications Code (Directive (EU) 2018/1972, EECC). One of the NIS2 Directive’s objectives, as outlined in the preamble, is to streamline the obligations imposed on such providers. Consequently, the relevant provisions in the EECC concerning security and the related notification requirements have been repealed. Going forward, cybersecurity measures imposed on these entities will be governed solely by the NIS2 Directive.
The transposition of the NIS2 Directive into national law in Bulgaria introduces certain national elements, particularly through the envisaged new secondary legislation that will define the minimum cybersecurity measures to be implemented by in-scope entities. The following two ordinances are set to be adopted:
- an ordinance detailing the minimum cybersecurity measures to be adopted by all in-scope entities, excluding:
  - providers of public electronic communications networks or services; and
  - entities subject to lex specialis cybersecurity regulations (eg, the EU Digital Operational Resilience Act (DORA) and the European Commission’s implementing regulation on critical entities and networks);[3] and
- a separate ordinance detailing the minimum cybersecurity measures for providers of public electronic communications networks or services.
In addition, providers operating in the digital infrastructure sector and digital services providers will be subject to the requirements established by the European Commission’s implementing regulation on critical entities and networks.[4]
The above-described two ordinances will constitute secondary legislation and will be adopted by the Council of Ministers (ie, the Bulgarian Government). The broader ordinance will be proposed by the Ministry of Electronic Governance, while the sector-specific ordinance applicable to electronic communications providers will be jointly proposed by the Ministry of Electronic Governance and the Communications Regulation Commission (the national telecom regulatory authority or CRC).
Furthermore, the national transposition of the NIS2 Directive in Bulgaria retains a distributed governance framework. Under this framework, the Council of Ministers will designate a separate supervisory authority for each sector listed in the Directive.
At this stage, the exact scope and content of the two ordinances remain unclear. Until their formal adoption, the existing national cybersecurity framework continues to apply, including the following pieces of secondary legislation:
- the Ordinance on the Minimum Requirements for Network and Information Security, adopted by the Council of Ministers to implement the original Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union. This ordinance is largely based on the ISO/IEC 27001 and ISO/IEC 27002 standards and allows for a high degree of flexibility with regard to the appropriate cybersecurity measures; and
- the Rules on the Minimum Security Requirements for Public Electronic Communications Networks and Services and the Methods for Managing their Security Risk, adopted by the CRC. These rules closely align with the EU Agency for Cybersecurity’s (ENISA) Guideline on Security Measures under the EECC[5] and are more prescriptive, for example, by requiring a specific level of security measures depending on the type of service and number of users.
The existing secondary legislation is grounded in international standards and best practices and enjoys broad industry support. It is expected to remain in force, subject to future revisions and alignment with the transposition of the NIS2 Directive.
However, the continued existence of separate secondary legislation applicable to providers of public electronic communications networks or services may lead to duplicated or overly burdensome regulation, especially for providers that also operate in other sectors that fall within the scope of the NIS2 Directive. For example, a major telecommunications provider that, alongside its core services, offers managed services (including managed security services) would need to comply with:
- the European Commission’s implementing regulation on critical entities and networks; and
- the ordinance setting out the cybersecurity measures for electronic communications providers.
Further complexity arises if such a provider is also active in other regulated sectors, such as financial services or even energy, each of which may fall under different cybersecurity secondary legislation and under the purview of different regulatory authorities. The risk here is the creation of a fragmented regulatory landscape, with diverse supervisory approaches and potentially conflicting compliance obligations. This could significantly increase the compliance burden for cross-sector entities and hinder the goal of achieving harmonised cybersecurity requirements across the EU.
What’s next?
The transposition of the NIS2 Directive into Bulgarian legislation is expected to be finalised in the coming months and, upon its entry into force, the revised cybersecurity law will be immediately applicable.
[1] European Commission press release ‘The Commission calls on 23 Member States to fully transpose the NIS2 Directive’ dated 28 November 2024, https://digital-strategy.ec.europa.eu/en/news/commission-calls-23-member-states-fully-transpose-nis2-directive last accessed on 10 July 2025.
[2] National Assembly of the Republic of Bulgaria, a record of the legislation as it goes through the legislative process, https://www.parliament.bg/bg/bills/ID/165851 last accessed on 10 July 2025.
[3] EUR-Lex, Commission Implementing Regulation (EU) …/... laying down rules for the application of Directive (EU) 2022/2555 as regards technical and methodological requirements of cybersecurity risk-management measures and further specification of the cases in which an incident is considered to be significant with regard to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online market places, of online search engines and of social networking services platforms, and trust service providers, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=intcom:C%282024%297151 last accessed on 10 July 2025.
[4] EUR-Lex, Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 laying down rules for the application of Directive (EU) 2022/2555 as regards technical and methodological requirements of cybersecurity risk-management measures and further specification of the cases in which an incident is considered to be significant with regard to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online market places, of online search engines and of social networking services platforms, and trust service providers, https://eur-lex.europa.eu/eli/reg_impl/2024/2690/oj last accessed on 10 July 2025.
[5] ENISA Guideline on security measures under the EECC, July 2021, https://www.enisa.europa.eu/sites/default/files/publications/ENISA%20-%20Guideline%20on%20Security%20Measures%20under%20the%20EECC-%204th%20edition.pdf last accessed on 10 July 2025.