Amendments to the Cybersecurity Act transposing NIS 2 Directive (EU) 2022/2555 are subject to public consultation until 3 August 2024

On 4 July 2024, the Minister of e-Government proposed a bill for amendment to the Cybersecurity Act transposing NIS 2 Directive (EU) 2022/2555. All interested parties may publish their comments on the bill in the public consultation process until 3 August 2024. The amendments to the Cybersecurity Act provide only general risk management and reporting obligations for businesses and are expected to be adopted by 17 October 2024. More detailed cybersecurity measures and obligations will be prescribed in the implementing regulation, which should be adopted within 8 months after the amended Cybersecurity Act enters into force, i.e. expectedly by June 2025.

Below is a brief overview of the major amendments proposed in the bill which will affect businesses:

I. Broader scope of entities subject to risk management and reporting obligations under the Cybersecurity Act

The bill introduces definitions of significant and important entities, which broaden the scope of the businesses subject to cybersecurity compliance.

Significant entities:

  1. Entities exceeding the thresholds for medium-sized enterprises (i.e. at least 250 employees and an annual turnover of at least BGN 97,500,000 or an asset value of at least BGN 84,000,000 on a consolidated basis) which operate in the Energy, Transport, Banking, Financial Markets Infrastructure, Healthcare, Drinking Water, Wastewater, Digital Infrastructure, ICT Management Services and Aerospace sectors.
  2. Providers of qualified authentication services, domain name registries, and DNS services, regardless of the size of the business.
  3. Providers of public electronic communications networks or services that qualify as medium-sized enterprises.
  4. All entities:
     1. conducting certain types of activities in the field of Energy, Transport, Banking, Financial Markets Infrastructure, Healthcare, Drinking Water, Wastewater, Digital Infrastructure, ICT Management Services and Aerospace, or in the Postal and Courier Services, Waste Management, Chemical Production and Distribution, Food Manufacturing and Distribution, Manufacturing of medical devices, computers and electronic optical products, electrical equipment, machinery, motor vehicles or other transportation equipment, Digital Services Providers (online marketplaces, online search tools, social media platforms), Scientific Research; AND
     2. which have been determined as essential entities based on the following criteria:
        1. the entity acts as a sole provider of a service that is essential for the maintenance of critical social and economic activities;
        2. a disturbance (for a specified time) in the service provided by the entity could have a significant impact on public security or public health;
        3. an interference with the service provided by the entity could cause significant systemic risk, in particular for sectors where such a disturbance could have a cross-border impact;
        4. the entity is critical because of its specific importance at a national or regional level for the specific sector or type of service, or for other interdependent sectors in Bulgaria.
  5. Entities qualifying as critical based on the assessment to be made by the Bulgarian authorities within 8 months after the implementation of the amendments to the Cybersecurity Act.
  6. Entities designated as operators of essential services under the existing rules.

Important Entities:

All entities which do not qualify as significant entities and conduct certain types of activities in the field of Energy, Transport, Banking, Financial Markets Infrastructure, Healthcare, Drinking Water, Wastewater, Digital Infrastructure, ICT Management Services and Aerospace, or in the Postal and Courier Services, Waste Management, Chemical Production and Distribution, Food Manufacturing and Distribution, Manufacturing of medical devices, computers and electronic optical products, electrical equipment, machinery, motor vehicles or other transportation equipment, Digital Services Providers (online marketplaces, online search tools, social media platforms), Scientific Research.

II. Cybersecurity risk management measures and reporting obligations for significant and important entities

According to the bill, significant and important entities will be required to:

  1. ensure cybersecurity risk training for their management every 2 years, and the management must in turn provide such training to the employees;
  2. implement appropriate measures to mitigate risks to their network and information systems, focusing on technology neutrality and adherence to established standards. These measures must be proportionate to the entity’s risk profile, considering factors such as the size of the entity, the likelihood of incidents, and the potential societal and economic impact. The bill outlines only the general scope of such measures, as also defined in the NIS 2 Directive, i.e.:
  • policies on risk analysis and information system security;
  • incident handling;
  • business continuity, such as backup management and disaster recovery, and crisis management;
  • supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
  • security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
  • policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
  • basic cyber hygiene practices and cybersecurity training;
  • policies and procedures regarding the use of cryptography and, where appropriate, encryption;
  • human resources security, access control policies and asset management;
  • the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.

  3. notify the Sector Computer Security Incident Response Teams (SCSIRT) of any significant incident within 24/72 hours (under NIS 2, an early warning within 24 hours and an incident notification within 72 hours). They must also notify the users of the service if there is a risk to them.

The Council of Ministers may determine certain ICT services, systems or supply chains which will be deemed to ensure compliance with the requirements of the Cybersecurity Act.

A more detailed description of the relevant obligations is expected in a subsequent amendment of the Implementing Regulation for the Minimum Requirements to the Network and Informational Security, to be further proposed by the Council of Ministers.

III. Significant increase of the administrative fines

The bill significantly increases the administrative fines for failures by significant and important entities to implement the required cybersecurity measures and to meet their reporting obligations.

The range of the administrative fines for important entities is from BGN 100,000 up to 1.4% of the total worldwide annual turnover for the previous financial year of the undertaking to which the entity belongs. The NIS 2 Directive provides for a maximum proportionate fine of at least EUR 7 million, which the bill appears to have set as a minimum proportionate fine of BGN 14 million (approx. EUR 7 million).

The range of the administrative fines for significant entities is from BGN 200,000 up to 2% of the total worldwide annual turnover for the previous financial year of the undertaking to which the entity belongs. The NIS 2 Directive provides for a maximum proportionate fine of at least EUR 10 million, which the bill appears to have set as a minimum proportionate fine of BGN 20 million (approx. EUR 10 million).

The vagueness regarding the maximum limit of the proportionate fines in the bill should be resolved during the public consultation and discussion of the bill, before its adoption by the National Assembly.

IV. Obligations of companies which are part of large economic groups to be further refined

The obligations under the Cybersecurity Act will apply to entities established in Bulgaria, or to entities:

  1. Rendering services in Bulgaria as providers of public electronic communications networks or as providers of publicly available electronic communications services; or
  2. Whose “main establishment” is in Bulgaria AND which operate as DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, or providers of online marketplaces, online search engines or social networking services platforms.

Art. 26, para. 2 of the NIS 2 Directive specifies how the “main establishment” under item 2 above should be determined and refers to the jurisdiction in which decisions related to cybersecurity risk-management measures are predominantly taken. This paragraph is missing from the bill, but it may still be added during the legislative process before the bill is adopted by the National Assembly.

For further information contact:

Iva Georgieva, Managing Associate
iva.georgieva@kdp-law.com

Ivan Draganov, Legal Assistant
ivan.draganov@kdp-law.com