Current status of implementation

Not yet finalised.

Implementation Act

Ordinance provides for general requirements for security of network and information systems (in force since 2008, last amended on 17 January 2017). The ordinance was approved on the ground of Art. 43, par. 2 of the Electronic Government Act, which stipulates that the Council of Ministers adopts an ordinance to specify the general requirements for the NIS security.

Determination of operators of essential services (Art. 5 NIS)

No identification of the operators of essential services has been made yet. According to the ordinance, the NIS policies of the administrative bodies have to comply with the requirements of the NIS Directive.
Reporting obligations

Each administrative body which provides electronic administrative services shall designate a civil servant/unit to be responsible for network and information security. In case of a network and information security incident, the civil servant/unit must immediately document and report it to the administrative manager and the National Response Center for Network and Information Security Incidents at the Administrative Bodies Information Systems. The civil servant/unit periodically (not less than twice a year) reports to the head of the administrative body on the status of the network and information security (Appendix 2 to the Ordinance).
Sanctions regime

Article 64 of the Electronic Government act provides for administrative fines ranging from BGN 500 up to BGN 3,000 in case of a violation of network and information security measures, committed or admitted by civil servants. In case of repeated violations the fines increase and shall range from BGN 1,000 up to BGN 5,000.
Competent authorities

The Network and Information Security Directorate shall provide support to the State e-Government Agency by developing and implementing the functions of a National Information Security Incidents Response Center in the event of accidents affecting the information security, as well as in carrying out the state policy in the field of network and information security. The Directorate coordinates the performance of the network and information security policies, related to the e-government functioning.  The Head of each administrative body is directly responsible for the network and information security.
Jurisdictional applications

More details to follow.
Remarks (if any)

According to the Director of the Network and Information System Security Direction, a general overview of the legislation for compliance with the NIS Directive has been completed and a detailed analysis will be prepared. The analysis of  Bulgarian law has been finalised and the second stage will be a comparative  analysis of foreign legislation with respect to the implementation of the NIS Directive.

Last reviewed 28.02.2018