1. GOVERNING TEXTS
In Bulgaria, cybersecurity and personal data protection are mainly regulated by the following legislative instruments:
- The Cybersecurity Act 2018 (only available in Bulgarian here) ('the Cybersecurity Act');
- the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), directly applicable in Bulgaria; and
- the Protection of Personal Data Act 2002 (last amended in 2019) ('the Act') which was revised in 2019 to implement the GDPR.
The two legal frameworks apply in parallel. Their subject matter is related to the extent that the legislator has established formal mechanisms for cooperation between cybersecurity supervisory authorities and the Commission for Personal Data Protection ('CPDP') in cases where a security incident would also constitute a personal data breach.
Insufficient cybersecurity controls may lead to violations of legal duties related to personal data protection, as was the case in the 2019 personal data breach of the information systems of the National Revenue Agency, which saw the personal data of millions of individuals exposed. This resulted in a massive fine of approximately €2.6 million for the National Revenue Agency and remains Bulgaria’s most high-profile cybersecurity incident to date, as described in section 1.2 below.
In Bulgaria, the Cybersecurity Act implements the Directive on Security of Network and Information Systems (Directive (EU) 2016/1148) ('the NIS Directive') with minimal derogations and deviations from the original text of the NIS Directive.
However, please note that the Directive on Measures for a High Common Level of Cybersecurity across the Union (Directive (EU) 2022/2555) ('NIS 2 Directive') was published in the Official Gazette of the European Union on 27 December 2022 and became effective as of 16 January 2023. Pursuant to Article 41 of the NIS 2 Directive, by 17 October 2024, Member States must transpose the NIS 2 Directive into their national legislation, and the transposition laws shall apply from 18 October 2024. On the same date, the NIS Directive will be repealed. For further information please see our Insight article on the NIS Directive here.
The Cybersecurity Act contains a substantive set of rules aimed to address the issue of cybersecurity through a holistic approach. It outlines the specific responsibilities and obligations that legal entities, regulatory bodies, and authorities must observe, and sets out prevention and response mechanisms in instances of cyber-attacks and other incidents.
The Cybersecurity Act identifies the main regulatory bodies and their area of expertise, introduces the category of operators of essential services and digital service providers, and defines their responsibilities and obligations in relation to the required security measures and procedures for notification of relevant authorities in case of cybersecurity incidents.
Decision 192 of 09.04.2019 of the Council of Ministers (only available in Bulgarian here) ('the Decision') provides for the creation of supplementary executive bodies responsible for network and information security in vital public sectors, such as the energy, transportation, healthcare, supply of fresh drinking water, and digital infrastructure. The Decision also outlines the methodology and specific criteria for determination of the essential public services to which the specific statutory requirements shall apply.
The Cybersecurity Act defines the specific powers of the regulatory authorities in charge of ensuring compliance with the Act, such as the Cybersecurity Council. It sets clear and detailed rules relating to the hierarchical position, cooperation, and communication with other government bodies, such as the State Agency for National Security ('the Agency'), the Minister of Defence, and the Minister of Interior.
Cooperation and coordination between different governmental institutions are fundamental mechanisms for developing а safe and resilient digital environment. Consequently, the Cybersecurity Act provides for the creation of the National Center for Incident Response in Information Security ('CERT Bulgaria'), as well as the Sectoral Divisions for Reaction in Cases of Computer Security Incidents ('the Sectoral CSIRTs') and a National Point of Single Contact for general monitoring of network and information security issues, as well as cross-border cooperation with the other EU Member States.
The Cybersecurity Act provides for full and complete implementation of the NIS Directive through the adoption of secondary legislative acts, such as the Ordinance for Minimal Requirements for Network and Information Security 2019 (only available in Bulgarian here) ('the Ordinance'). The Ordinance provides for the minimum specific requirements for network and information security which the obliged entities, providers of essential and digital services, public and regulatory authorities, and other providers of public services, must observe in order to create a resilient and stable digital environment.
At an EU-wide level, Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 establishes the objectives, tasks, and organisational matters relating to the European Union Agency for Cybersecurity ('ENISA') and a framework for the establishment of European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity for ICT products, ICT services, and ICT processes in the EU, as well as for the purpose of avoiding the fragmentation of the internal market with regard to cybersecurity certification schemes in the EU.
The closely related matter of personal data protection, and the respective requirements on the technical and organisational measures that controllers and processors must implement, as well as the notification regime applicable in the event of a personal data breach, are regulated by the GDPR. Locally, the Act received a complete overhaul in 2019 to address the new general regulatory framework and to implement the Data Protection Directive with respect to Law Enforcement (Directive (EU) 2016/680).
The following specific legal areas are out of the general scope of application of the Cybersecurity Act, and are regulated by sector-specific laws and regulations:
- The communication and information systems for processing of classified information within the meaning of the Classified Information Protection Act (only available in Bulgarian here), which establishes legal requirements for the protection of classified information from unauthorised access (including a notification regime in case of security incidents and a detailed security measure framework). The relevant supervisory authority is the State Commission on Information Security.
- The networks and information systems of the Ministry of Defence, the Ministry of Interior, the Agency, the State Intelligence Agency, the State Agency for Technical Operations, the Defence Intelligence Service, and the National Service for Protection, which are not related to the electronic administrative services and electronic document exchange between the administrative authorities. The respective networks and information systems requirements and their management and control are subject to terms and procedures set internally within these administrative bodies.
- Enterprises providing public electronic communication networks and/or services within the meaning of the Electronic Communications Act, which establishes specific legal requirements for the protection of the integrity and security of electronic communication networks and services, the confidentiality of communications, and the protection of user data, including a notification regime in the event of security breaches or integrity violations. The relevant supervisory authority is the Communications Regulation Commission ('the CRC'). In 2021, the Electronic Communications Act was amended in order to introduce the new obligations and requirements under the Directive Establishing the European Electronic Communications Code (Directive (EU) 2018/1972) ('the Communications Code Directive').
- Trust service providers within the meaning of Article 3(19) of Regulation (EU) No. 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC which also contains requirements for the implementation of technical and organisational measures in relation to the provided trust services, as well as a notification regime in case of security breaches or loss of integrity. The relevant supervisory authority at the local level is the CRC.
Furthermore, subject to the requirements of the Law on Payment Services and Payment Systems (only available in Bulgarian here), providers of payment services which are generally not covered by the Cybersecurity Act must implement specific security measures and notify the supervisory authority in the event of significant operational or security incident. The relevant supervisory authority is the Bulgarian National Bank.
1.2. Regulatory authority
The Cybersecurity Council is the primary supervisory authority regarding issues of cybersecurity within the Republic of Bulgaria. Its members include 18 governmental officials including eight ministers and the heads of the main national security and law enforcement authorities. The Council functions as an advisory and coordinating body to the Council of Ministers and is tasked with analysing risks and cyber threats, developing methods of counteraction, and proposing concrete solutions. The prerogatives of the Council also include advancing the required expert capacity and developing existing human resources, alongside technological, infrastructural, financial, and organisational components.
The Cybersecurity Council is also tasked with creating and proposing a national cybersecurity strategy and a roadmap for its implementation.
The Council acts as a coordination body between the Council of Ministers, the national Single Point of Contact, and the Security Council to the Council of Ministers. It is also tasked with developing a national cyber crisis management plan and the harmonisation of sector policies.
National Cybersecurity Coordinator
The National Cybersecurity Coordinator is an individual nominated by the Prime Minister who performs an important supporting role to the Cybersecurity Council. Their main responsibilities include:
- drafting and proposing amendments to the National Cybersecurity Strategy and applicable roadmap;
- taking an active role in the development of the National Cybersecurity Coordination and Organization Network for Cybersecurity, along with the measures to ensure its reliability, security, and resilience;
- taking an active role in the creation and development of the National Cyber-situation Center and coordination of the actions and comprehensive response upon any cyber-crisis threat and threats of a hybrid nature; and
- providing support in cases of cyber or hybrid attacks.
Chairperson of the State E-Government Agency
The State E-Government Agency is a special administrative body responsible for providing electronic access to administrative services to the general public and overseeing the activity of other administrative bodies in that regard. The Chairperson of the State E-Government Agency ('the Chairperson') has a wide variety of executive powers pursuant to the E-Governance Act (available in Bulgarian only here), which are expanded further in the Cybersecurity Act.
The Chairperson is responsible for the implementation of the government policy, with respect to network and information security. They have the authority to issue methodological guidance and coordinate the implementation of the network and information security policies and may further certify the compliance of the information systems deployed by the administrative bodies with the network and information security requirements. The Chairperson is obligated to exercise control over the administrations to ensure compliance with these requirements.
In addition, the Chairperson is entitled to conduct (through authorised persons) information security audits of a specific information system or of the measures taken by an administrative body and may issue recommendations for their improvement. The national strategy for information and network security falls within the prerogatives of the Chairperson and is drafted and proposed to the Council of Ministers by them.
The Chairperson has further assessment and compliance monitoring obligations in terms of information security systems. Furthermore, the Chairperson is responsible for maintaining a non-public register of essential services.
Minister of Defence, Minister of Interior and the State Agency for National Security
The Minister of Defence, the Minister of Interior, and the State Agency for National Security ('SANS') have the general responsibility for security in Bulgaria. Within their respective areas of competence, they are entitled to investigate, monitor, and adopt various preventive and protective cybersecurity measures in response to cyberattacks and threats.
Minister of Defence
The Minister of Defence oversees the state policy of defence and active counteraction of cyberattacks and hybrid interactions on the national defence and armed forces systems. They are responsible for creating and developing the resources and infrastructure for the protection of the defence and armed forces management systems, including the establishment of a cyber defence center.
In addition, the Minister coordinates the efforts on establishing a collective defence and a secured shared cyberspace as well as upholding the corresponding engagements within the North Atlantic Treaty Organization and the EU respectively.
Finally, the Minister of Defence determines the conditions and rules for building a designated cyber reserve, aimed at increasing the cyber-defence capacity in relation to scientific, research, and educational activities, as well as overall cybersecurity.
Minister of Interior
The Minister of Interior supervises the state policy of counteraction to cybercrimes. The Ministry of Interior conducts investigations on cybercrime activities that threaten the national security and public order and is also responsible for implementing its own resources and methods of protecting and preventing malicious and criminal activity performed within the cyberspace.
Along with investigating cybercrimes, the Ministry is responsible for establishing a designated Cybercrime Center within its General Directorate 'Combating Organised Crime', which conducts all investigations of cybercrimes and responds to all computer security incidents within the Ministry of Interior. The unit has been one of the most active law enforcement bodies in the cybersecurity field in Bulgaria in recent years.
State Agency for National Security
The principal prerogative of SANS is to oversee and execute the policy for protection from cyber incidents with respect to communication and information systems of strategic sites important to national security, as well as of critical governmental activities. To that end, SANS operates a designated Monitoring and Response Center for cyber incidents which impact communication and information systems. The Center itself is built and supported by the E-Governance Agency.
The Minister of Defence, the Minister of Interior, and SANS generally act within their respective area of competence as the Cybersecurity Act encourages cooperation between them taking into account the complex nature of cyber attacks. Accordingly, they coordinate the planning and adoption of response and preventive procedures for cyberattacks, execution of training exercises and drills, and oversee the allocation, development, and maintenance of strategic resources that can counteract threats in cyberspace.
The Council of Ministers is entitled to create internal bodies within public authorities, which are competent to make assessments, monitor compliance with cybersecurity laws, and coordinate cybersecurity actions at pan-European level.
National Point of Single Contact
The National Point of Single Contact coordinates all network and information security issues and all issues related to the cross-border cooperation with the respective authorities in other Member States of the EU.
The Sectoral CSIRTs are responsible for leading information campaigns on possible cyber threats and are also the recipients of notifications of cyber breaches. They are entitled to advise the respective obliged entities on possible measures to limit the impact of a confirmed incident or to prevent future incidents.
National Computer Security Incident Response Team
CERT Bulgaria operates as a point of contact for network and information security issues at the national level and for operational issues at the international level. It oversees and supports the formation and activities of the Sectoral CSIRTs. CERT Bulgaria is further involved in the establishment and activities of the National Computer Security Incident Response Team Network. It has certain statistical and advisory obligations, which include analysis of the information provided by the Sectoral CSIRTs.
CERT Bulgaria is obligated to inform the National Point of Single Contact on any notifications of cross-border incidents having a significant damaging impact and cross-border incidents having a substantial impact and in case this is necessary, may request assistance by the National Point of Single Contact for their resolution. CERT Bulgaria is also closely involved in international cooperation networks.
Commission on Personal Data Protection
The CPDP is the Bulgarian personal data protection supervisory authority responsible for monitoring the application of the GDPR and the Act. It has vast investigative and enforcement powers the exercise of which may result in significant administrative fines.
In August 2019 the CPDP imposed its highest administrative sanctions to date for the violation of Article 32 of the GDPR in relation to two major cybersecurity incidents. Most notably, a fine in the amount of BGN 5.1 million (approx. €2.6 million) was imposed on the National Revenue Agency (the Bulgarian tax control authority) for the leakage of personal data of about 6 million persons in a hacking attack due to inadequate technical and organisational measures to ensure the protection of information security. Additionally, the CPDP imposed a fine of BGN 1 million (approx. €511,000) on DSK Bank EAD for a personal data breach of over 23,000 credit records relating to over 33,000 bank customers, including personal data such as names, citizenships, identification numbers, addresses, copies of identity cards, and biometric data. Similarly, the violation and sanction were for insufficient technical and organisational measures for the protection of personal data.
Due to the relatively recent adoption of the Cybersecurity Act, the Cybersecurity Council, along with the other regulatory authorities have yet to adopt formal guidance on the application of the Cybersecurity Act.
The CPDP issues, from time to time, binding or non-binding guidance on various matters related to personal data protection. At this point the local authority does not tend to be very active in that regard and mostly seems to rely upon and refer to the guidance issued by the European Data Protection Board ('EDPB'). Most notably, the CPDP issued binding guidance on the processing operations requiring a data protection impact assessment (DPIA) pursuant to Art. 35, paragraph 4 of the GDPR.
2. SCOPE OF APPLICATION
The Cybersecurity Act, along with supplementary legal acts, transposes the NIS Directive and establishes the general cybersecurity framework within the Republic of Bulgaria. The Cybersecurity Act follows a general approach, which foresees the formation of several administrative bodies and cooperation between them and existing executive structures to create a wide and cohesive information network with adequate response and mitigation mechanisms.
The Cybersecurity Act outlines the specific obligations and responsibilities of each category of obliged entity, pursuant to the differentiation within Article 4(1), as well as providing sanctions for various violations in Articles 28 to 31. The Cybersecurity Act does not include sector-specific regulations or requirements.
The definition of 'network and information systems' in the Cybersecurity Act to a large extent mirrors the definition contained in the NIS Directive. 'Network and information systems' are defined as:
- an electronic communication network within the meaning of the Electronic Communications Act (i.e. the totality of conveyance facilities and, where applicable, switching and/or routing facilities and other resources, including network elements which are not active, which permit the conveyance of signals by wire, radio, optical, or other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including internet) and mobile terrestrial networks, electricity distribution networks, to the extent that they are used for the purpose of transmitting signals, networks used for radio and television broadcasting, and cable electronic communications networks used for broadcasting of radio and television programme services, irrespective of the type of information conveyed);
- any device or any group of interrelated or interconnected devices, one or more of which are programmed to automatically process digital data; and
- any digital data stored, processed, retrieved, or transmitted by the elements covered in the above two categories for processing, use, protection, and maintenance purposes.
See section 3 for the applicable requirements.
The Cybersecurity Act lists the operators of essential services ('OES') identified and divided in groups by the nature of their business and the services provided by them. The Cybersecurity Act recognises the following sectors of essential services: banking, financial, energy resources, natural resources, transportation, utility companies, digital infrastructure, and healthcare.
Pursuant to the Cybersecurity Act and the Decision of the Council of Ministers, essential services are defined as services that support the functioning of one of the critical public or economic sectors outlined above. The Decision introduces an additional ten-step methodology for determining whether certain operators provide essential services, as follows:
- Identifying all the public and economic sectors and subsectors, which contain essential services;
- Determining whether the services in question fall within the scope of application of the Cybersecurity Act;
- Determining whether the services are essential pursuant to the legal definition of the Cybersecurity Act;
- Identifying the operators of essential services;
- Determining whether the provision of the service is dependent on network and information systems;
- Estimating the potential impact and effects of an incident in the network and information systems on the provision of an essential service;
- Consultation with another EU Member State, where relevant;
- Registration of OES;
- Informing OES of their status; and
- Updates of the requirements for OES for each respective sector every two years.
See section 3 for the applicable requirements.
The Cybersecurity Act defines 'cloud computing services' as any 'digital service that enables access to a scalable and elastic pool of shareable computing resources.'
In the Cybersecurity Act, providers of cloud computing services are regulated together with the providers of the other two types of digital services which fall within the scope of application of the Cybersecurity Act - online marketplaces and online search engines. See section 3 for the applicable requirements.
The Cybersecurity Act does not apply to DSPs with fewer than 50 employees and an annual turnover and/or value of assets not exceeding BGN 19,500,000 (approx. €10 million).
See section 3 for the applicable requirements. Furthermore, at EU-level the EU Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 lays down the rules regarding the elements to be taken into account by DSPs for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact.
The Cybersecurity Act contains a comprehensive list of 36 separate legal definitions for various terms within the supplementary provisions of the Act. The majority of these definitions mirror those contained in the NIS Directive.
The Cybersecurity Act identifies network and information security measures as the fundamental components of cybersecurity. The term 'cybersecurity' is legally defined in Article 2(1) of the Cybersecurity Act as, 'that state of society and government, whereto cyberspace is protected from threats to its independent networks and information infrastructure or their functionality through a set of applicable measures and actions.'
Furthermore, measures for network and information security are classified by the Cybersecurity Act as organisational, technological, and technical, whereby their character and extent of application are determined by the nature of the obliged entities and the information structure they are designated for. The Cybersecurity Act contains four categories of operators (obliged entities) which must comply with the cybersecurity requirements:
- Administrative bodies;
- OES and DSPs;
- Entities designated with public functions, which they perform through electronic means, but are not recognised as OES;
- Entities which provide public services through electronic means, but are not recognised as OES or DSPs.
The Cybersecurity Act establishes two general obligations for each category of obliged entities. First, each category of obliged entities must implement adequate and proportional measures, which shall ensure a level of network and information security corresponding to the respective risk applicable to the processed information. Second, whilst aiming for uninterrupted activity, they must further adopt adequate measures, which limit the impact of possible security breaches with regards to network and information security.
Similarly, under Article 32 of the GDPR controllers and processors have a general obligation, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, to implement appropriate technical, and organisational measures to ensure a level of security appropriate to the risk.
In addition, the Cybersecurity Act stipulates that each obliged entity must adopt special measures and policies in terms of network and information security for their respective category, as outlined in the Ordinance for the minimal requirements for network and information systems.
To mitigate any losses related to incidents by reducing the response and resolution time, as well as to reduce the likelihood of incidents caused by human error, the obliged entities under the Cybersecurity Act must maintain certain internal documentation, including:
- description of information assets;
- connectivity physical scheme;
- information flows logical scheme;
- documentation on the structural cable system;
- technical, operational and user documentation of information and communication systems and their components;
- internal rules for any activity related to the administration, usage, and maintenance of hardware and software;
- internal rules for employees indicating their rights and obligations as users of services provided through information and communication systems, such as the use of personal computers, access to corporate network resources, password generation and storage, Internet access, email, document management systems and other interdepartmental systems, printing, faxing, use of removable media in electronic form, use of portable recording devices, etc.
All categories of obliged entities pursuant to the Cybersecurity Act must regularly conduct and update existing risk assessments (at least once a year) and adopt a plan for risk mitigation. In addition, compliance with cybersecurity requirements must be ensured with regular (again, at least once a year) audits.
Obliged entities must implement specific measures, in particular regarding:
- classification of information;
- management of IT assets;
- HR resource security;
- management of third party relations;
- information assets change management;
- development and acquisition of communication assets;
- physical and logical infrastructure segregation;
- traffic filtering;
- unauthorised usage of devices;
- administration of information and communication systems;
- administration environment;
- access management;
- remote access/work from home security;
- hardware device security;
- software and firmware security;
- protection from malware;
- webserver security;
- DNS security;
- physical security;
- industrial control systems security;
- management of network and information security incidents;
- backups and archiving; and
- continuity plans.
The Cybersecurity Act provides for specific procedures for the appropriate manner of notification of cybersecurity incidents, depending on the category of obliged entity indicated in Section 3.1. In general, the obligation is to notify the Sectoral CSIRTs and a designated administrative body within the specific sector of the obliged entity. A parallel notification regime is established in the GDPR in cases where the cybersecurity incident has affected personal data records. Furthermore, there are similar notification rules in the applicable sectoral laws mentioned in Section 1.1 above.
Notification requirements for cybersecurity incidents involving administrative bodies, entities designated with public functions, which they perform through electronic means and entities providing public services through electronic means
Administrative bodies must notify the respective Sectoral CSIRTs in instances of computer security incidents which impact their uninterrupted activity. The initial notification must be made within two hours of establishing the respective incident. The information must be sufficient for the respective Sectoral CSIRT to evaluate the possible cross-border impact of the incident. The initial notification must contain the following information regarding the incident:
- date and hour of the incident;
- type of the incident;
- short description of the incident;
- cross-border impact;
- impact on other essential services;
- affected system;
- actions taken; and
- public disclosure of the incident according to the communication strategy of the administration.
Within five days as of the date of the initial notification, the respective administrative body must provide the CSIRT with all available information regarding the incident. The follow-up notification must contain the following information:
- the mechanism of the attack;
- actions taken;
- description of the potential need of corrective actions;
- artifacts analysis; and
- public disclosure of the incident according to the communication strategy of the administration.
Where there is a reasonable assumption that the notified incident may be classified as a criminal offence (pursuant to the Bulgarian Criminal Code (only available in Bulgarian here)), the General Directorate Combating Organised Crime at the Ministry of Interior must also be notified.
The notification regime is the same for entities designated with public functions, which they perform through electronic means and entities providing public services through electronic means.
Notification requirements for cybersecurity incidents involving OES
OES are subject to the same notification procedure with respect to incidents which impact the uninterrupted provision of the respective essential services.
In the event that an OES relies on a DSP for the provision of the essential service, the OES is to notify the DSP of any significant adverse effect on the continuity of the essential service due to an incident affecting the DSP.
Notification requirements of cybersecurity incidents involving DSPs
DSPs are subject to the same notification procedure with respect to incidents which significantly impact the provision of their services. The assessment of the incident significance must take into account the following:
- the number of users affected by the incident and, more specifically, the number of users relying on the service to provide their own services;
- the incident duration;
- the geographical spread with regard to the area affected by the incident;
- the extent of service disruption; and
- the extent of the impact on economic and societal activities.
The rules of EU Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 should also be taken into consideration in this assessment.
Personal data breach notification requirements for data controllers
The general EU-wide framework on personal data breach notifications established in the GDPR is applicable in Bulgaria in parallel with the notification regime under the Cybersecurity Act. Within 72 hours of having become aware of a personal data breach, the controller must notify the CPDP. The notification must describe at least the following:
- the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- the name and contact details of the data protection officer or another contact point where more information can be obtained;
- the likely consequences of the personal data breach; and
- the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and in so far as, it is not possible to provide all information at the same time, the information may be provided in phases without undue further delay.
Such notification is not required in cases where the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. However, in case the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must also communicate the personal data breach to the affected data subjects without undue delay.
The Cybersecurity Act stipulates that the Chairperson of the E-Governance Agency must maintain a register with the essential services pursuant to the Cybersecurity Act. The register includes:
- categories of essential services;
- a list of operators of essential services and their individual information;
- sector or area of service;
- estimated number of users of the respective service; and
- estimation of the geographic area, which may be impacted by an incident.
The information within the register must be reviewed and updated every two years. The register is not available to the general public.
The OES have no obligations with respect to the registration process. Instead, the respective administrative bodies act ex officio in identifying the OES and notifying the Chairperson of the E-Governance Agency, as well as the respective OES. The notification to the OES would include information regarding the OES status, the obligations under the Cybersecurity Act, as well as the contact points for the relevant national body and the relevant CSIRT.
The obliged entities under the Cybersecurity Act must appoint an officer or a department responsible for network and information security, reporting directly to top management. More than one officer may be required where an entity has several territorial administrative structures or information systems.
The recommended functions of the security officer are as follows:
- managing the activities related to achieving a high level of network and information security and the goals set in the internal policies;
- participating in the drafting of policies and documented information;
- monitoring compliance with the internal rules, as well as the applicable laws and standards related to network and information security;
- advising the management in connection with information security;
- managing the periodic risk assessments for network and information security;
- periodically (not less than once a year) preparing reports on the state of network and information security;
- organising training related to network and information security;
- reviewing and updating incident and disaster response plans;
- maintaining relations with other administrations, organisations, and experts working in the field of information security;
- monitoring the internal register of incidents;
- carrying out incident notifications to the respective Sectoral CSIRT;
- analysing network and information security incidents;
- monitoring the software and firmware updates;
- monitoring the emergence of new cyber threats (viruses, malicious code, spam, attacks, etc.) and proposing adequate measures to counter them;
- organising tests for detection of vulnerabilities in the information and communication systems and proposing measures for their elimination;
- organising and assisting in conducting audits, inspections, and surveys and in sending the results to the relevant national competent authority; and
- proposing sanctions for those who violate network and information security measures.
In addition, under the GDPR there is a generally applicable requirement for the mandatory appointment of a data protection officer ('DPO') in cases where:
- the processing of personal data is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope, and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offences.
The DPO has at least the following tasks:
- to inform and advise the controller or the processor and the employees who carry out the processing of their obligations pursuant to the GDPR and the applicable national data protection provisions;
- to monitor compliance with the GDPR, with the applicable national data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- to provide advice where requested as regards the Data Protection Impact Assessment and monitor its performance;
- to cooperate with the supervisory authority; and
- to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation, and to consult, where appropriate, with regard to any other matter.
The DPO does not receive any instructions regarding the exercise of their tasks and shall not be dismissed or penalised by the controller or the processor for performing their tasks. The DPO directly reports to the highest management level of the controller or the processor.
Not applicable in this jurisdiction.
4. SECTOR-SPECIFIC REQUIREMENTS
See section 1.1 above.
Cybersecurity in the health sector
Cybersecurity in the financial sector
In the financial sector, the matters of cybersecurity are regulated mostly at EU-level. The European Banking Authority ('EBA') adopts guidelines and recommendations under Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC. The competent authorities and financial institutions must make every effort to comply with those guidelines and recommendations.
In relation to cybersecurity, the EBA has adopted and may update from time to time guidelines related to the required level of cybersecurity and reporting obligations in case of incidents, such as the Guidelines on major incident reporting under Directive (EU) 2015/2366 (PSD2) (revised version is applicable from 1 January 2022) and the Guidelines on ICT and security risk management.
Cybersecurity practices for employees
There are significant technical requirements related to the information system used by the employer to create and/or store electronic documents in the employment file, such as two-factor authentication, specific log requirements, usage of electronic registered delivery service, usage of qualified electronic time stamp certificate, etc. Those requirements are regulated in the Ordinance on the type and the requirements for the creation and storage of electronic documents in the employment file of the employee (only available in Bulgarian here).
Cybersecurity in the education sector
Cybersecurity in the electronic communications sector
With the implementation of the changes under the Communications Code Directive, the security requirements for providers of public electronic communications networks and for providers of publicly available electronic communications services have been revised. Providers of public electronic communications networks / services are required to perform a risk assessment and implement appropriate and proportional organisational and technical measures (such as encryption) that can properly address the level of identified risk, pursuant to their own evaluation. The adopted organisational and technical measures must adhere to the rules on the minimum security requirements for public electronic communications networks and services, and the methods for security risk management established by the CRC (the regulator aims to have a draft version for public consultation in December 2021).
Incidents that have had a significant impact on the operation of networks or services must be immediately brought to the attention of the CRC, which in turn informs the Minister of Transport, Information Technology and Communications, as well as CERT Bulgaria. The criteria for significance of impact, the required information and the manner of notification shall be specified within the aforementioned rules that are yet to be adopted by the CRC.
Providers of public electronic communications services may request information pertaining to outstanding pecuniary obligations of the end-user to other providers, pursuant to the rules adopted by the CRC and the CPDP. A draft version of these rules, which contains specific information security requirements, has been published within a public consultation procedure (only available in Bulgarian here); however, the final text remains to be adopted by the two regulators.
Violation of the provisions of the Cybersecurity Act may lead to legal liability for legal entities and administrative bodies. The liability is administrative. The sanctions for such violations are categorised in three groups, as follows:
Violation of responsibilities relating to notification for cyber incidents
Non-compliance with the obligation to notify Sectoral CSIRTs of cyber incidents could result in fines for the obliged entities under the Cybersecurity Act of up to BGN 10,000 (approx. €5,000) for administrative bodies and up to BGN 15,000 (approx. €7,500) for other entities. The same sanction could be imposed for violating an obligation to provide officially requested information or for non-compliance with official instructions under the Cybersecurity Act. The maximum amount of the respective sanctions is higher for repeated violations (respectively about €10,000 and €12,500).
Non-compliance with other obligations under the Cybersecurity Act could result in fines for the responsible officials in the amount of up to BGN 10,000 (approx. €5,000) or up to BGN 15,000 (approx. €7,500).
These violations are sanctioned administratively only in instances where the activity does not constitute a crime pursuant to the Criminal Code.
Violation of the applicable personal data protection rules
For violations of the GDPR and the Act, the CPDP may impose administrative fines of up to €20 million, or up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Following the provisions of the Budapest Convention on Cybercrime 2001, which has been ratified by the Republic of Bulgaria, the Bulgarian Criminal Code contains a number of provisions relating to computer-related crimes as established within the Convention.
6. OTHER AREAS OF INTEREST