On 27 June 2018, the Bulgarian parliament adopted a draft bill on cyber security after its first reading, which introduces a new legal framework for a higher level of protection from cyber risks and incidents. The bill was mandated by EU Directive 2016/1148 of 6 July 2016 ("NIS Directive") that addresses the problem of uneven levels of protection and establishes a common instrument for timely and adequate sharing of information in the battle against cyber attacks in the EU.

The bill introduces the following significant changes:

  • creating an unified legal framework in the area of cyber security, and in the prevention of and fight against cybercrimes;
  • establishing and organising specific competent authorities, and defining their functions and powers [i.e. National Unified Contact Unit, National Cyber-Security System, National Cyber-Security Coordinator, computer security incident response teams (CSIRTs) and National Computer Security Incidents Response Team (CERT)];
  • regulating the network and informational security of the administrative authorities, and setting and controlling the requirements that must be met to ensure network security on their systems;
  • establishing the status and functions of operators of essential services and digital services providers in vital sectors like public administration, energy, transport, banking, health services, drinking water supply, digital infrastructure, etc.

For not non-compliance with the bill where the violation does not constitute a crime, fines will be imposed of between approximately EUR 500 and EUR 5,000, or pecuniary sanctions of between approximately EUR 750 and EUR 7,500. In case of repeated violations, fines will be levied of between approximately EUR 1,000 and EUR 10,000, or pecuniary sanctions of between approximately EUR 2,500 and EUR 12,500.

The implementation of the bill should lead to more effective and timely cooperation among authorities in Bulgaria and EU member states while transforming the fragmented legislation on this issue into a unified act. This unification should decrease documentation, speed up collaboration time, and implement a standard form of cyber incident notification, which will result in a lower administrative burden for both citizens and authorities.

After passing a mandatory procedure of approval at second reading in the Bulgarian parliament, the new bill will enter into force.