Cybersecurity: Legal Obligations in Bulgaria

Published on and written by Cyril Jarnias

In Bulgaria, the digital era is increasingly imposing legal responsibilities for cybersecurity, a crucial domain as cyberattacks escalate globally. With the adoption of new regulations inspired by European and international frameworks, Bulgarian businesses and public institutions must comply with strict standards to protect their data and that of their users. This article explores the specific legal obligations governing cybersecurity in Bulgaria, highlighting the issues and challenges faced by IT managers in an ever-evolving environment. By analyzing the required compliance measures and the penalties incurred in case of negligence, we will provide a detailed overview of the best practices adopted by those successfully navigating this complex landscape.

Introduction to Cybersecurity in Bulgaria

The Cybersecurity Landscape in Bulgaria

Cybersecurity has become steadily more important in Bulgaria, reflecting the global rise in digital threats. The country has seen a significant increase in cyberattacks against both government institutions and private companies, which has underlined the need to strengthen its digital defenses.

Key Players and Government Initiatives

The Bulgarian government has taken proactive measures to address these challenges. The Ministry of e-Government plays a central role in coordinating national cybersecurity efforts. It notably hosts the National Computer Security Incident Response Team (CERT Bulgaria), which is responsible for managing incidents and disseminating security alerts.

Bulgaria adopted a national cybersecurity strategy, “Cyber Resilient Bulgaria 2020,” in 2016, aimed at protecting citizens, businesses, and critical infrastructure against cyber threats; it has since been updated as “Cyber Resilient Bulgaria 2023.” The strategy aligns with European Union directives and strengthens the country’s position in the European cybersecurity landscape.

International Collaboration and Regulatory Compliance

Bulgaria actively participates in international cybersecurity initiatives. The country has signed a memorandum of understanding with NATO to foster international collaboration in combating cyber threats, particularly through information sharing and joint participation in cybersecurity exercises.

On the regulatory front, Bulgaria transposed the EU NIS Directive (Directive (EU) 2016/1148) through its Cybersecurity Act, adopted in 2018. The country is now adapting this framework to the NIS2 Directive (Directive (EU) 2022/2555), which extends security and incident-reporting obligations to a broader range of entities and sectors.

Private Sector and Skills Development

The Bulgarian private sector plays an increasing role in the field of cybersecurity. Local and international companies are establishing Security Operations Centers (SOCs) in the country, contributing to job creation and the development of local expertise. For example, Atos recently opened a new SOC in Sofia, enhancing the country’s threat monitoring and detection capabilities.

Bulgaria also emphasizes cybersecurity talent development. The country organizes national cybersecurity competitions and participates in the European Cybersecurity Challenge (ECSC), thereby encouraging the training of the next generation of IT security experts.

Challenges and Prospects

Despite these advances, Bulgaria faces persistent challenges. Reports indicate that the overwhelming majority (99.9%) of cyberattacks in the country succeed because of weak basic information security, highlighting the need to improve fundamental security hygiene. The government has responded by announcing significant investments in combating botnets and countering cyber threats.

The future of cybersecurity in Bulgaria appears promising, with increasing attention to this field at both the government and private sector levels. The country is positioning itself as an emerging player in the European cybersecurity landscape, striving to create a safer digital environment for its citizens and businesses.

Good to Know:

In Bulgaria, cybersecurity is gaining importance in the face of continuously rising digital threats, pushing the country to strengthen its defensive capabilities. The Bulgarian government plays a central role, with the Ministry of e-Government coordinating national efforts and hosting CERT Bulgaria, which handles incidents affecting critical infrastructure and public bodies. Meanwhile, local companies specialized in cybersecurity actively develop solutions to counter cyberattacks. Internationally, cooperation with the European Union and NATO illustrates Bulgaria’s commitment to aligning with global standards and adopting best practices in digital security. These efforts are framed by laws that aim to ensure business compliance with security requirements and protect citizens’ personal data.

Cybersecurity Standards and GDPR Compliance

The Growing Importance of Cybersecurity Standards in Bulgaria

Bulgaria, as a member of the European Union, is at the heart of rapid digital transformation, requiring particular attention to cybersecurity and data protection. The European regulatory framework, particularly the General Data Protection Regulation (GDPR), has significantly influenced Bulgarian legislation on digital security. This evolution reflects the country’s commitment to aligning its practices with European standards, while addressing the specific challenges of its expanding digital landscape.

Key Cybersecurity Standards in Bulgaria

Bulgaria has adopted several cybersecurity standards aligned with European directives. The Ministry of e-Government (successor, since 2022, to the State e-Government Agency, SEGA) plays a central role in implementing them: it oversees the national cybersecurity strategy and coordinates efforts among the various government bodies.

Key standards include:

  • The Cybersecurity Act (2018), which transposes the EU NIS Directive and defines obligations for operators of essential services and digital service providers
  • The National Cybersecurity Framework, aligned with the NIST framework
  • ISO/IEC 27001 (certifiable requirements for an information security management system) and ISO/IEC 27002 (control guidance), adopted voluntarily or by contractual requirement rather than imposed by law

These standards aim to strengthen the resilience of critical infrastructure and promote a cybersecurity culture in both public and private sectors.

GDPR Impact on Data Security in Bulgaria

The GDPR has had a significant impact on personal data management in Bulgaria. Bulgarian companies are required to implement appropriate technical and organizational security measures to protect personal data (Article 32). This includes:

  • Appointing a Data Protection Officer (DPO) where Article 37 requires it: public authorities, and organizations whose core activities involve large-scale regular monitoring or large-scale processing of special categories of data
  • Conducting Data Protection Impact Assessments (DPIAs) for processing likely to result in a high risk to individuals (Article 35)
  • Establishing procedures to detect, document and manage data breaches, including notification to the Commission for Personal Data Protection within 72 hours (Article 33) and to affected individuals where the risk is high (Article 34)
  • Identifying a valid lawful basis for each processing activity (Article 6); consent is only one of six bases, and explicit consent is required mainly for special categories of data

Companies must also be able to demonstrate their GDPR compliance, which requires detailed documentation of their data processing practices.

Challenges and Compliance Examples in Bulgaria

Many Bulgarian companies have faced significant challenges in complying with the GDPR. For example, a major Bulgarian bank heavily invested in overhauling its customer data management systems to ensure compliance. It implemented a portal allowing customers to easily manage their privacy preferences.

However, some companies have faced fines for non-compliance. In 2022, the Bulgarian data protection authority imposed a fine of 150,000 leva (approximately €76,000) on a telecommunications company for failing to properly secure its customers’ personal data.

Common challenges include:

  • The complexity of managing user consent
  • Updating existing IT systems
  • Training staff on new data protection procedures

Bulgarian Legal Specificities Influencing Compliance

The GDPR is a regulation that applies directly in Bulgaria, so the lawful bases it recognizes cannot be narrowed by national practice; the Commission for Personal Data Protection (CPDP) cannot demand consent where another basis applies. Bulgarian specificities come instead from the Personal Data Protection Act and CPDP guidance on matters the GDPR leaves to member states, for example the restrictions on processing the unified civil number (EGN) and on copying identity documents, and the rules on employee and job-applicant data.

Additionally, Bulgarian legislation imposes additional data retention requirements, particularly for companies operating in regulated sectors like finance and telecommunications.

Future Trends in Cybersecurity and Compliance

The future of cybersecurity and compliance in Bulgaria is moving towards deeper integration of European standards. The Bulgarian government is currently working on a new national cybersecurity strategy that will focus on:

  • Strengthening cyber incident response capabilities
  • Improving cooperation between public and private sectors
  • Investing in cybersecurity training and education

Furthermore, preparations are underway for the application of the EU Artificial Intelligence Act (Regulation (EU) 2024/1689), which, as a regulation, applies directly in Bulgaria and requires national supervisory arrangements. This evolution reflects Bulgaria’s ongoing commitment to keeping pace with technological developments while ensuring the security and privacy of its citizens’ data.

Good to Know:

Cybersecurity standards in Bulgaria are largely shaped by the European regulatory framework, particularly the GDPR, which imposes strict obligations on companies regarding personal data protection. Standards such as ISO/IEC 27001 are commonly adopted on a voluntary basis, while the Ministry of e-Government coordinates the statutory requirements under the Cybersecurity Act. The GDPR has strengthened data security requirements, obliging companies to establish a lawful basis for each processing activity and to notify data breaches promptly. Recent examples show Bulgarian companies adapting to these requirements while facing challenges such as fines for non-compliance or the complexity of managing consent. A Bulgarian particularity lies in the interplay between national and European legislation, which can influence company obligations. Future legislative developments are expected to continue strengthening the country’s cybersecurity posture while protecting personal data.

Data Protection Strategies in Bulgaria

Legal Framework for Data Protection in Bulgaria

Bulgaria, as a member of the European Union, has applied the General Data Protection Regulation (GDPR) directly since 25 May 2018. In addition, the country’s Personal Data Protection Act (PDPA), amended in 2019 for this purpose, specifies national aspects of the GDPR and transposes the Law Enforcement Directive (Directive (EU) 2016/680) covering data processing by police and judicial authorities. Together they establish a robust framework for protecting the personal information of Bulgarian citizens and residents.

Required Technical and Organizational Measures

Companies operating in Bulgaria must implement appropriate security measures to protect the personal data they process. This notably includes:

  • Encryption of sensitive data, both at rest and in transit
  • Use of firewalls and intrusion detection systems
  • Implementation of rigorous identity and access management
  • Conducting security audits and regular penetration testing
  • Ongoing employee training on cybersecurity best practices
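As an added example (this is not code from the original article, nor from any Bulgarian authority or company it mentions), the following Go program shows two of the measures listed above, pseudonymisation and encryption at rest, applied to one personal-data record. The record, the subject name, the placeholder identifier “0000000000” and the keys are all constructed for illustration; the approach is a generic Article 32 pattern, not something prescribed by the PDPA. A keyed HMAC-SHA256 pseudonym replaces the identifier, the remaining fields are sealed with AES-256-GCM, and the pseudonym is bound as associated data so a ciphertext cannot be moved onto another subject’s row:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Record is a constructed personal-data record of a hypothetical controller;
// Identifier stands in for a national ID number that must not be stored in clear.
type Record struct{ Identifier, Name, Email string }

// StoredRecord is the at-rest form: keyed pseudonym plus nonce||ciphertext||tag.
type StoredRecord struct {
	Pseudonym  string
	Ciphertext []byte
}

// Pseudonymize derives an HMAC-SHA256 pseudonym; unlike a plain hash it cannot be
// reversed by enumerating the small space of valid ID numbers without the key.
func Pseudonymize(key []byte, identifier string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(identifier))
	return hex.EncodeToString(mac.Sum(nil))
}

func newGCM(key []byte) (cipher.AEAD, error) { // a 32-byte key selects AES-256
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// StoreRecord builds the at-rest form: the remaining fields are AES-256-GCM-sealed
// under a fresh nonce with the pseudonym as associated data, so a ciphertext moved
// onto another subject's row fails to open. Two keys are used so that a leaked
// data key does not also let an attacker link pseudonyms back to identifiers.
func StoreRecord(pseudonymKey, dataKey []byte, r Record) (StoredRecord, error) {
	p := Pseudonymize(pseudonymKey, r.Identifier)
	payload, err := json.Marshal(struct{ Name, Email string }{r.Name, r.Email})
	if err != nil {
		return StoredRecord{}, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return StoredRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{Pseudonym: p, Ciphertext: gcm.Seal(nonce, nonce, payload, []byte(p))}, nil
}

// LoadRecord authenticates then decrypts; any change to nonce, ciphertext, tag or
// pseudonym returns an error instead of silently corrupted personal data. The
// identifier is not recoverable, only matchable by recomputing Pseudonymize.
func LoadRecord(dataKey []byte, s StoredRecord) (Record, error) {
	gcm, err := newGCM(dataKey)
	if err != nil {
		return Record{}, err
	}
	if len(s.Ciphertext) < gcm.NonceSize()+gcm.Overhead() {
		return Record{}, errors.New("sealed record too short")
	}
	payload, err := gcm.Open(nil, s.Ciphertext[:gcm.NonceSize()], s.Ciphertext[gcm.NonceSize():], []byte(s.Pseudonym))
	if err != nil {
		return Record{}, err
	}
	var f struct{ Name, Email string }
	err = json.Unmarshal(payload, &f)
	return Record{Name: f.Name, Email: f.Email}, err
}

func main() {
	// Constructed keys; in production they come from a KMS/HSM, never from the data store.
	pseudonymKey, dataKey := make([]byte, 32), make([]byte, 32)
	for _, k := range [][]byte{pseudonymKey, dataKey} {
		if _, err := io.ReadFull(rand.Reader, k); err != nil {
			panic(err)
		}
	}
	stored, err := StoreRecord(pseudonymKey, dataKey, Record{"0000000000", "Ivan Ivanov", "ivan@example.bg"})
	if err != nil {
		panic(err)
	}
	fmt.Printf("at rest: pseudonym=%s... ciphertext=%d bytes\n", stored.Pseudonym[:16], len(stored.Ciphertext))
	stored.Ciphertext[len(stored.Ciphertext)-1] ^= 0x01 // simulate a flipped byte in storage
	_, err = LoadRecord(dataKey, stored)
	fmt.Println("tampered record rejected:", err)
}
```

Two design points matter for a controller facing a breach-notification decision: because the pseudonym key and the data key are separate, a dump of the database alone yields neither identifiers nor field contents, and because GCM authenticates the ciphertext and the pseudonym together, a modified or transplanted row is rejected rather than decrypted into wrong data about a different person.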

Government Cybersecurity Initiatives

The Bulgarian government has launched several initiatives to strengthen data security in the country:

  • Operation of a national incident response team, CERT Bulgaria, hosted by the Ministry of e-Government
  • Establishment of a public-private partnership for sharing cyber threat information
  • Public awareness campaigns on data security risks

Penalties for Non-Compliance

Violations of the GDPR and the PDPA can result in heavy penalties in Bulgaria. The Commission for Personal Data Protection can impose the GDPR’s maximum fines of up to €20 million or 4% of global annual turnover, whichever is higher. In 2019, it fined the National Revenue Agency BGN 5.1 million (approximately €2.6 million) for insufficient security measures following a major data leak affecting over 5 million citizens.

Best Practices Adopted by Companies

Many Bulgarian companies have implemented exemplary practices to ensure compliance and data security:

  • Appointment of qualified Data Protection Officers
  • Implementation of “privacy by design” policies in product development
  • Conducting Data Protection Impact Assessments for high-risk processing
  • Adoption of advanced technologies like artificial intelligence for threat detection
  • Close collaboration with cybersecurity experts to maintain up-to-date defenses

These efforts demonstrate the growing commitment of the Bulgarian private sector to a data protection culture, essential in the modern digital economy.

Good to Know:

In Bulgaria, data protection is governed by the EU General Data Protection Regulation (GDPR), complemented by national laws such as the Personal Data Protection Act. Companies must implement technical and organizational measures such as data encryption, use of robust firewalls, and rigorous identity and access management to protect personal data. The government participates in cybersecurity initiatives, often in partnership with the private sector, to improve awareness and resilience against digital threats. Penalties for non-compliance can include significant fines, and best practices include regular security audits, ongoing staff training, and adoption of cutting-edge security solutions.

Disclaimer: The information provided on this website is for informational purposes only and does not constitute financial, legal, or professional advice. We encourage you to consult qualified experts before making any investment, real estate, or expatriation decisions. Although we strive to maintain up-to-date and accurate information, we do not guarantee the completeness, accuracy, or timeliness of the proposed content. As investment and expatriation involve risks, we disclaim any liability for potential losses or damages arising from the use of this site. Your use of this site confirms your acceptance of these terms and your understanding of the associated risks.

About the author
Cyril Jarnias

Cyril Jarnias is an independent expert in international wealth management with over 20 years of experience. As an expatriate himself, he is dedicated to helping individuals and business leaders build, protect, and pass on their wealth with complete peace of mind.

On his website, cyriljarnias.com, he shares his expertise on international real estate, offshore company formation, and expatriation.

Thanks to his expertise, he offers sound advice to optimize his clients' wealth management. Cyril Jarnias is also recognized for his appearances in many prestigious media outlets such as BFM Business, les Français de l’étranger, Le Figaro, Les Echos, and Mieux vivre votre argent, where he shares his knowledge and know-how in wealth management.
