Guides, checklists & official sources

NIS1 (2016) applied to a narrow set of operators. NIS2 dramatically expands scope — covering many more sectors and removing thresholds that exempted most medium-sized companies. It also significantly increases penalties, adds management accountability, and tightens incident reporting timelines. If your organisation wasn't in scope under NIS1, it may well be under NIS2.

Two bodies. CERT Bulgaria (national CSIRT, under the State e-Government Agency) is the primary point of contact for incident notifications. DANS (State Agency for National Security) is the competent supervisory authority, particularly for essential entities. Some sector-specific regulators (energy, finance) may also have oversight responsibilities.

Yes, if your organisation processes personal data and is in scope for NIS2, both frameworks apply. They overlap significantly — both require risk-based security, incident response and management accountability. A well-structured NIS2 programme will address many GDPR security requirements simultaneously. The key difference: GDPR protects personal data; NIS2 covers network and information system security more broadly.

Yes, in certain circumstances. NIS2 can apply to organisations established outside the EU if they provide services within the EU. If a non-EU company provides services to Bulgarian customers or operates covered infrastructure in Bulgaria, it may need to designate a legal representative within the EU and comply with the relevant obligations.

Both must meet the same core obligations. The difference is supervision. Essential entities (high-criticality sectors, 250+ employees or €50M+ turnover) face proactive ex-ante supervision — audits at any time. Important entities face reactive ex-post supervision — regulators act after incidents or complaints. Penalties also differ: up to €10M or 2% of turnover for essential, €7M or 1.4% for important.

NIS2 generally excludes micro and small enterprises (fewer than 50 employees and under €10M turnover) unless they operate in particularly critical areas. Exceptions include electronic communications networks, trust service providers, TLD registries and DNS providers — in scope regardless of size. Sole suppliers of societally critical services may also be pulled in by national authorities.

Two-stage timeline from the moment you become aware. Early warning to CERT Bulgaria within 24 hours — no full analysis needed, just notification that an incident is underway. Full incident notification within 72 hours, including initial severity assessment and indicators of compromise. Final report within one month covering root cause and remediation.

An incident is significant if it causes or is capable of causing serious operational disruption or financial loss, or could cause considerable damage to others. In practice: major ransomware, prolonged outages, significant data breaches, or attacks on critical infrastructure. When in doubt, notify — late or missed reporting is treated more seriously than an over-cautious early warning.

Not directly — NIS2 does not place obligations on vendors unless they are themselves in scope. However, you are responsible for managing supply chain cybersecurity risks. This means assessing key suppliers' security practices, including security requirements in relevant contracts, and demonstrating that supply chain risk is addressed in your overall risk management approach.

NIS2 has been in force in Bulgaria since 17 February 2026 — there is no further grace period. Regulators have signalled a pragmatic approach for organisations actively working toward compliance in good faith. The highest risk is for organisations that have taken no action, or that fail to report a significant incident. Priority: document your current position, identify your biggest gaps, build a remediation plan you can show a regulator.