NIS2 is now law in Bulgaria. Is your business ready?
The EU's most significant cybersecurity regulation in a decade came into force in Bulgaria on 17 February 2026. Here's what it means for your organisation — in plain language.
Scope checker
Are you in scope for NIS2?
Answer 6 quick questions to find out whether NIS2 applies to your organisation — and which tier you fall under.
Does your organisation operate in Bulgaria or provide services to Bulgarian customers or infrastructure?
NIS2 applies to organisations established in the EU, or those outside the EU that offer services within it.
Which sector best describes your organisation's primary activity?
Select the closest match. If you operate across multiple sectors, choose the one that represents your core business.
How many employees does your organisation have?
Include full-time and part-time staff. If you are part of a larger group, use the group headcount.
What is your organisation's approximate annual turnover?
Use your most recent financial year. If part of a group, use consolidated group turnover.
Does your organisation provide or manage critical digital infrastructure or services for other organisations?
This includes managed IT or security services, cloud hosting, network management, data centres, or critical software platforms.
Would a significant disruption to your organisation's services affect public safety, the economy or other critical services?
Think about your downstream impact. Regulators consider this when assessing whether smaller organisations may still be in scope.
Your organisation is likely in scope as an Essential Entity.
Essential entities face the most rigorous NIS2 obligations and are subject to proactive supervision — meaning regulators can audit you at any time, without waiting for an incident to occur. Management can be held personally liable for compliance failures.
- Maximum fine: €10 million or 2% of global annual turnover
- Proactive (ex-ante) supervision by CERT Bulgaria and DANS
- Mandatory incident reporting: 24-hour early warning, 72-hour full report
- Senior management accountability — personal liability applies
This tool provides an indicative assessment based on the NIS2 Directive as transposed into Bulgarian law (effective 17 February 2026). It is not legal advice. Sunwell Solutions recommends confirming your compliance obligations with a qualified legal or compliance advisor.
Your organisation is likely in scope as an Important Entity.
Important entities must meet the same core NIS2 security obligations as essential entities. The key difference is supervision style — you will be subject to reactive oversight, meaning regulators typically act following an incident or complaint rather than conducting unprompted audits.
- Maximum fine: €7 million or 1.4% of global annual turnover
- Reactive (ex-post) supervision — but fines are still substantial
- Same incident reporting obligations: 24hr and 72hr deadlines apply
- All six obligation domains must be addressed
This tool provides an indicative assessment based on the NIS2 Directive as transposed into Bulgarian law (effective 17 February 2026). It is not legal advice. Sunwell Solutions recommends confirming your compliance obligations with a qualified legal or compliance advisor.
Your organisation appears to be outside the scope of NIS2.
Based on your answers, NIS2 does not appear to apply directly to your organisation. However, you may still be affected indirectly — if your customers or suppliers are in scope, they may require security assurances from you as part of their supply chain obligations.
- NIS2 supply chain rules mean in-scope customers may ask for your security posture
- Good cybersecurity practices remain important regardless of regulatory scope
- Your scope status should be reviewed if your sector, size or services change
This tool provides an indicative assessment based on the NIS2 Directive as transposed into Bulgarian law (effective 17 February 2026). It is not legal advice. Sunwell Solutions recommends confirming your compliance obligations with a qualified legal or compliance advisor.
Background
What is NIS2?
NIS2 is the EU's updated Network and Information Security directive. Think of it as a baseline set of cybersecurity rules every qualifying organisation must follow — or face serious fines.
An upgrade from NIS1
Expanded scope reaches roughly 10× more organisations than the original directive. If you weren't in scope before, you might be now.
EU-wide, locally enforced
In Bulgaria, CERT Bulgaria handles incident notifications and DANS (State Agency for National Security) acts as primary supervisory authority.
Management accountability
Senior management carries personal liability for cybersecurity compliance. They can be temporarily suspended from their role for serious or repeated failures.
Strict incident reporting
24-hour early warning to CERT Bulgaria, followed by a full incident report within 72 hours. Missing these deadlines is itself a compliance failure.
Scope
Which tier applies to you?
High-criticality sectors
Subject to proactive (ex-ante) supervision. Regulators can audit you at any time, without waiting for an incident.
Sectors
Size thresholds
- 250+ employees
- €50M+ annual turnover
- €43M+ balance sheet total
Other critical sectors
Subject to reactive (ex-post) supervision. Regulators investigate after incidents or complaints — but fines can still be significant.
Sectors
Size thresholds
- 50–249 employees
- €10M–€50M annual turnover
- Smaller essential-sector operators
What you must do
Key obligations
Implement a documented, risk-based cybersecurity policy covering your technology, people, and processes. Senior management must formally sign off and take accountability for the programme.
Non-compliance
Penalties
€10 million
or 2% of global annual turnover — whichever is higher
Plus potential temporary suspension of management from their role in the case of serious or repeated failures.
€7 million
or 1.4% of global annual turnover — whichever is higher
Reactive supervision means enforcement typically follows an incident or complaint — but fines can still be substantial.
Readiness questionnaire
How ready is your organisation?
Answer 15 questions across six NIS2 obligation domains. Your results appear immediately — no sign-up required to see your score.
Your results
NIS2 readiness summary
Based on your self-assessment across all six NIS2 obligation domains.
Full gap report
Get your detailed gap analysis
Enter your details and your personalised report appears on screen immediately. We'll also send a copy to your inbox.
Key dates
Timeline
January 2023
NIS2 Directive entered into force (EU)
Published in the Official Journal of the European Union.
October 2024
EU transposition deadline
Member states were required to transpose NIS2 into national law by this date.
17 February 2026
Effective in Bulgaria
NIS2 obligations are now enforceable. Organisations in scope must comply.
Ongoing
Enforcement & supervision begins
DANS and CERT Bulgaria begin active supervision. Audits, incident follow-ups, and penalties apply.
Find out if your organisation is in scope
Answer 5 quick questions — takes less than 2 minutes.
Looking for more detail? Browse our NIS2 guides, FAQ and official sources.