With the amendments to the Cybersecurity Act promulgated in the State Gazette (Issue No. 17 of February 13, 2026), Bulgaria officially implements the strict requirements of the European NIS2 Directive. The new legal framework significantly expands the scope of obligated entities, covering all medium and large enterprises in the “Energy” sector (the “Electricity” subsector). In the coming months, the Council of Ministers and the national competent authorities will determine the methodology for classifying companies as “significant” or “important” entities, which will be entered into a central register for the purposes of supervision and reporting. Organizations have a limited period for self-assessment and preparation before the secondary regulations defining the minimum scope of technical and organizational security measures come into force.
Affected companies are required to implement a comprehensive risk management approach, including cybersecurity policies, business continuity plans for crises, and enhanced supply chain security. A key element of the new law is the direct involvement of management bodies, which now bear personal administrative responsibility for approving and overseeing security measures. Management and employees will be subject to mandatory specialized training, and national authorities will have the power to impose severe sanctions and coercive administrative measures for non-compliance. This transition transforms cybersecurity from a technical task into a key corporate priority, ensuring the economic stability and sustainability of the energy sector.
The promulgated amendments can be read in the State Gazette.