	NIS2 Implementation in the EU
	Bulgaria
	(Europe) Firm Penkov, Markov & Partners Contributors Nikolay Cvetanov Updated 27 Jan 2026
Status of the legislative process	Ongoing
Status of the NIS2 Implementation Act	Instead of adopting an entirely new piece of legislation, the Bulgarian authorities chose to amend and supplement the existing local Cybersecurity Act which already introduces certain general concepts under NIS2 (such as the National Cybersecurity Strategy, the so-called National Single Point of Contact, measures for mitigating risks of cyber incidents, etc.). Accordingly, the local NIS2 Implementation Act, intended to amend and supplement the existing Cybersecurity Act, has been adopted at first reading by the Bulgarian National Assembly on 20th February 2025. It was subsequently reviewed by the competent parliamentary committees in June and July 2025. As part of this process, opinions were collected from relevant institutions such as the Bulgarian Cybersecurity Association, the Ministry of Internal Affairs, the Ministry of e-Governance, etc. As of January 2026, the second reading and voting on the Bulgarian NIS2 Implementation Act has not yet been conducted. Respectively, its final adoption, approval by the President, and publication in the State Gazette remains pending. Minding that the government has resigned at the end of 2025 and new parliamentary elections shall be carried out this year, the process of adopting the legislative changes could be further delayed. Within eight months of the entry into force of the NIS2 Implementation Act, the Bulgarian government shall adopt secondary legislative act - an ordinance, to be issued pursuant to and in fulfillment of the main law. This ordinance will lay down in detail the technical, operational, and organizational measures that the obliged entities must implement for achieving network and information security in their activity.
Significant deviations of the National Implementation Act from the NIS2 Directive, if any	The draft National Implementation Act, approved at first reading, to great extent mirrors the structure of the NIS2 Directive, i.e. most of its provisions are aligned with the legal effect and wording of the NIS2 Directive. We can reasonably expect this status quo to be maintained after the second reading, and the new piece of legislation to be adopted close to its current form, fully consistent with the NIS2 Directive's concept and language.
Date of entry into force of the Implementation Act	As commented above, in the context of the current unstable political situation in the state and the recent resignation of the government, it is difficult to determine when the second-reading vote on the Implementation Act will take place. It is not entirely excluded that, following the formation of a new government and a new parliament, an entirely new draft law to be proposed, although such an approach would not be expedient nor practical. In view of the already missed deadlines for the transposition of the NIS2 Directive, the reasonable expectation is that the process will nevertheless be finalized within the course of 2026.

NIS2 Implementation in the EU

Back XLS

Status of the legislative process

Ongoing

Status of the NIS2 Implementation Act

Instead of adopting an entirely new piece of legislation, the Bulgarian authorities chose to amend and supplement the existing local Cybersecurity Act which already introduces certain general concepts under NIS2 (such as the National Cybersecurity Strategy, the so-called National Single Point of Contact, measures for mitigating risks of cyber incidents, etc.).

Accordingly, the local NIS2 Implementation Act, intended to amend and supplement the existing Cybersecurity Act, has been adopted at first reading by the Bulgarian National Assembly on 20th February 2025. It was subsequently reviewed by the competent parliamentary committees in June and July 2025. As part of this process, opinions were collected from relevant institutions such as the Bulgarian Cybersecurity Association, the Ministry of Internal Affairs, the Ministry of e-Governance, etc.

As of January 2026, the second reading and voting on the Bulgarian NIS2 Implementation Act has not yet been conducted. Respectively, its final adoption, approval by the President, and publication in the State Gazette remains pending. Minding that the government has resigned at the end of 2025 and new parliamentary elections shall be carried out this year, the process of adopting the legislative changes could be further delayed.

Within eight months of the entry into force of the NIS2 Implementation Act, the Bulgarian government shall adopt secondary legislative act - an ordinance, to be issued pursuant to and in fulfillment of the main law. This ordinance will lay down in detail the technical, operational, and organizational measures that the obliged entities must implement for achieving network and information security in their activity.

Significant deviations of the National Implementation Act from the NIS2 Directive, if any

The draft National Implementation Act, approved at first reading, to great extent mirrors the structure of the NIS2 Directive, i.e. most of its provisions are aligned with the legal effect and wording of the NIS2 Directive. We can reasonably expect this status quo to be maintained after the second reading, and the new piece of legislation to be adopted close to its current form, fully consistent with the NIS2 Directive's concept and language.

Date of entry into force of the Implementation Act

As commented above, in the context of the current unstable political situation in the state and the recent resignation of the government, it is difficult to determine when the second-reading vote on the Implementation Act will take place. It is not entirely excluded that, following the formation of a new government and a new parliament, an entirely new draft law to be proposed, although such an approach would not be expedient nor practical. In view of the already missed deadlines for the transposition of the NIS2 Directive, the reasonable expectation is that the process will nevertheless be finalized within the course of 2026.