NIS 2 Status Bulgarien

NIS 2 status in Bulgaria

What the directive requires, how Bulgaria carries it across, and where the State e-Government Agency sits in the picture.

Simon OrzelSimon Orzel·

Overview

The NIS 2 directive is the EU layer. It binds every member state, including Bulgaria, with one cybersecurity floor for essential and important entities. Bulgaria must put that floor into Bulgarian law and run a supervision regime under it.

Bulgaria transposes NIS 2 by amending its existing Cybersecurity Act (Закон за киберсигурност, ZKS), the same law that carried the NIS 1 regime. As of June 2026, transposition is not complete. The European Commission sent a reasoned opinion on 7 May 2025 for failure to notify full transposition, the step before a referral to the Court of Justice.

The State e-Government Agency (Държавна агенция Електронно управление, abbreviated SEGA or ДАЕУ) is the national single point of contact for NIS 2. The national CSIRT, CERT Bulgaria, operates at govcert.bg. Sector competent authorities are split across ministries: Energy, Health, Environment and Water, and Transport, Information Technologies and Communications, plus the Financial Supervision Commission for finance.

Where the rules live
Three layers anyone reading the Bulgarian version of NIS 2 has to keep apart.

EU directive

Directive (EU) 2022/2555 (NIS 2)

The EU-wide cybersecurity directive. Sets the obligations every member state must transpose, including the size and sector tests for essential and important entities.

EU implementation

Commission Implementing Regulation (EU) 2024/2690

Technical and methodological measures for digital infrastructure providers. Directly applicable in Bulgaria without national transposition.

Bulgarian transposition

Cybersecurity Act (Закон за киберсигурност, ZKS), as amended to transpose NIS 2

Bulgaria carries NIS 2 across by amending the existing Cybersecurity Act rather than enacting a new statute. The Commission has confirmed transposition is incomplete: a reasoned opinion was issued on 7 May 2025. Until full notification, parts of the framework rely directly on the directive and on Implementing Regulation 2024/2690.

Three things to know
What is set and what is still open for entities operating in Bulgaria.
Transposition

Amended Cybersecurity Act (ZKS)

Bulgaria transposes NIS 2 by amending the Cybersecurity Act (Закон за киберсигурност). The amendment carries across the essential and important entity categories, the supervision powers, incident reporting duties and sanctions. As of June 2026 the Commission has not received full transposition notification; the legal text and any implementing acts should be read against the directive directly until that gap closes.

Authority

State e-Government Agency as single point of contact

The State e-Government Agency (ДАЕУ / SEGA) acts as the NIS 2 single point of contact. Sector competent authorities sit across line ministries: Energy (Ministry of Energy), Health (Ministry of Health), Drinking Water (Ministry of Environment and Water), Transport and Digital Infrastructure (Ministry of Transport, Information Technologies and Communications), and Banking and Financial Market Infrastructure (Financial Supervision Commission).

Deadlines

Registration and reporting

The directive required entities to be identifiable by Member States from 17 April 2025. In Bulgaria the registration channel runs through the State e-Government Agency as single point of contact; a dedicated public registration portal comparable to the French MonEspaceNIS2 has not been publicly documented in English at the EU level. Significant incidents follow the directive cadence: 24h early warning, 72h notification, one-month final report, to CERT Bulgaria and the relevant sector authority.

Two principles that decide every edge case
Use these before reading any Bulgarian commentary on NIS 2.

Local law applies inside Bulgaria

Operations on Bulgarian territory follow the Bulgarian transposition. A German Geschäftsführer running a Bulgarian subsidiary reads the amended Cybersecurity Act for that subsidiary, not the German BSIG. The directive obligations are the same; the procedure, the single point of contact and the sanctions sit in Bulgarian law.

Bulgaria cannot go below the EU floor

The directive is a minimum harmonisation instrument. Bulgaria can go stricter. It cannot drop below the directive on essential and important entity duties, incident reporting deadlines or management body accountability. Even where transposition is incomplete, the directive obligations apply from the deadline of 17 October 2024 forward, and entities should not wait for the final national text before preparing.

Who does what in Bulgaria
Three institutions that show up in almost every NIS 2 question.
BG

State e-Government Agency (ДАЕУ / SEGA)

National single point of contact for NIS 2. Coordinates with sector competent authorities across ministries and with the Financial Supervision Commission. Listed by the European Commission with seat in Sofia, contact NSPOC@e-gov.bg. The exact split of supervisory tasks between SEGA and line ministries is set by the Cybersecurity Act and its implementing acts.

BG

CERT Bulgaria

The national CSIRT, operating at govcert.bg. Listed by the European Commission as the NIS 2 CSIRT for Bulgaria. Handles incident reporting under the Cybersecurity Act (Докладване на инцидент по ЗКС) and feeds into the EU CSIRT network.

EU

ENISA

The EU cybersecurity agency. Publishes guidance, manages the European vulnerability database, and supports cross-border coordination. Not a supervisor for Bulgarian entities; that role sits with the State e-Government Agency and the sector ministries.

Pitfalls
Mistakes we see when entities operating in Bulgaria first read NIS 2.

  • Bulgaria will look like Germany once it transposes.

    Bulgaria did not enact a standalone NIS 2 act in the style of the German NIS2UmsuCG. It amends the existing Cybersecurity Act and distributes competence across line ministries, with the State e-Government Agency as single point of contact. Procedural detail, sanction levels and the registration channel follow Bulgarian administrative practice, not the German pattern. Reading BSIG and assuming a one-to-one match will produce wrong answers about who supervises and where to file.

  • There is no Bulgarian portal, so registration does not apply yet.

    The directive obligation to be identifiable by the Member State from 17 April 2025 applies regardless of whether Bulgaria has published a polished web portal. The State e-Government Agency is the single point of contact and can be reached at NSPOC@e-gov.bg. Entities in scope should document scope, contact data and a designated responsible person now, and submit through whatever channel the agency operates, even if it is not as visible as MonEspaceNIS2 in France.

  • Our sector regulator is the only authority we need to talk to.

    Sector ministries hold competence for their sector, but the State e-Government Agency remains the single point of contact for NIS 2 and CERT Bulgaria is the national CSIRT for incident reporting. A significant incident in a regulated sector typically goes to the sector authority and to CERT Bulgaria, not to one or the other. Treating the sector ministry as the sole counterparty risks missing the incident reporting cadence and the single point of contact role.

Practitioner view

Most operators we see in Bulgaria are still waiting for a definitive national text before they start work. That is the wrong sequence. The directive obligations apply from the 17 October 2024 deadline; the Commission has already sent a reasoned opinion on 7 May 2025. The supervision channel and the CSIRT exist today, and the management body sign-off duty under Article 20 binds the Geschäftsführer-equivalent (управител, изпълнителен директор) regardless of where the national amendment lands.

The practical move is the same as everywhere else in the EU: confirm scope under the directive, contact the State e-Government Agency as single point of contact, set up the four continuous obligations (registration upkeep, incident reporting, supply chain risk, management body oversight), and document the minimum. Once the amended Cybersecurity Act is fully in force, the work already done maps across; the directive is the constant.

How the platform helps

We build the NIS 2 obligation register on the EU layer, not on any single national transposition. The same checklist works for a Bulgarian subsidiary under the amended Cybersecurity Act, a German parent under BSIG, and a French sister under Ordonnance n° 2024-1093. Article references switch per locale; the substantive obligations do not.

For Bulgarian scope you start with the applicability check, then move to incident reporting cadence into CERT Bulgaria, supply chain clauses and management body sign-off. Where the State e-Government Agency or a sector ministry publishes guidance, we reference it; we do not duplicate it.

Sources
  • Directive (EU) 2022/2555 (NIS 2) — EUR-Lex
  • Commission Implementing Regulation (EU) 2024/2690
  • Cybersecurity Act of Bulgaria (Закон за киберсигурност, ZKS), as amended for NIS 2
  • European Commission, Digital Strategy — NIS 2 country page for Bulgaria (digital-strategy.ec.europa.eu/en/policies/nis2-directive-bulgaria)
  • European Commission reasoned opinion to Bulgaria, 7 May 2025 (failure to notify full NIS 2 transposition)
  • State e-Government Agency (Държавна агенция Електронно управление, ДАЕУ / SEGA) — national single point of contact
  • CERT Bulgaria — National CSIRT (govcert.bg)
Check your Bulgarian scope in under five minutes
The applicability check applies the directive's size and sector test. If your Bulgarian subsidiary is in scope, the next step is the State e-Government Agency as single point of contact.
Run the applicability check